diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog --- tcpdump-4.6.2/debian/changelog 2014-12-03 17:22:51.000000000 +0100 +++ tcpdump-4.6.2/debian/changelog 2015-03-23 00:46:37.000000000 +0100 @@ -1,3 +1,27 @@ +tcpdump (4.6.2-4ubuntu1) vivid; urgency=low + + * Merge from Debian unstable. (LP: #1433815) Remaining changes: + - debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump, + install, rules, patches/patches/90_man_apparmor.diff}: + + Add AppArmor profile. + - debian/usr.sbin.tcpdump: + + Allow capability net_admin to support '-j'. + * debian/patches/60_cve-2015-2153-fix-regression.diff: + - Fix regression due to 60_cve-2015-2153.diff + + -- Artur Rona Mon, 23 Mar 2015 00:42:29 +0100 + +tcpdump (4.6.2-4) unstable; urgency=high + + * Cherry-pick changes from upstream Git to fix the following security + issues: + + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer. + + CVE-2015-2153: missing bounds checks in RPKI/RTR printer. + + CVE-2015-2154: missing bounds checks in ISOCLNS printer. + + CVE-2015-2155: missing bounds checks in ForCES printer. + + -- Romain Francoise Sat, 14 Mar 2015 18:43:44 +0100 + tcpdump (4.6.2-3ubuntu1) vivid; urgency=low * Merge from Debian unstable (LP: #1397558). Remaining changes: @@ -894,6 +918,7 @@ -- Peter Tobias Mon, 30 Mar 1998 02:28:39 +0200 + tcpdump (3.4a6-2) frozen unstable; urgency=low * rebuild with latest debmake, fixes #19415 @@ -902,6 +927,7 @@ -- Peter Tobias Mon, 30 Mar 1998 00:28:39 +0200 + tcpdump (3.4a6-1) unstable; urgency=low * updated to latest upstream version, fixes: Bug#17163 @@ -909,6 +935,7 @@ -- Peter Tobias Sun, 1 Feb 1998 00:08:31 +0100 + tcpdump (3.4a4-1) unstable; urgency=low * updated to latest upstream version 
@@ -916,21 +943,25 @@ -- Peter Tobias Wed, 17 Sep 1997 23:22:54 +0200 + tcpdump (3.3.1a2-1) frozen stable unstable; urgency=medium * updated to latest upstream version (works with new libpcap now) -- Peter Tobias Sat, 24 May 1997 00:49:17 +0200 + tcpdump (3.3-2) unstable; urgency=low * fixed SLIP support -- Peter Tobias Sun, 16 Feb 1997 21:06:51 +0100 + tcpdump (3.3-1) unstable; urgency=low * updated to latest upstream version -- Peter Tobias Thu, 16 Jan 1997 01:34:00 +0100 + diff -Nru tcpdump-4.6.2/debian/control tcpdump-4.6.2/debian/control --- tcpdump-4.6.2/debian/control 2014-12-03 17:22:51.000000000 +0100 +++ tcpdump-4.6.2/debian/control 2015-03-23 00:18:29.000000000 +0100 @@ -9,7 +9,7 @@ libssl-dev, autotools-dev, autoconf, - dh-apparmor, + dh-apparmor Standards-Version: 3.9.5 Homepage: http://www.tcpdump.org/ Vcs-Browser: http://anonscm.debian.org/gitweb/?p=users/rfrancoise/tcpdump.git diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff --- tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff 1970-01-01 01:00:00.000000000 +0100 +++ tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff 2015-03-14 18:31:07.000000000 +0100 
@@ -0,0 +1,56 @@
+diff --git a/print-mobility.c b/print-mobility.c
+index 83447cf..b6fa61e 100644
+--- a/print-mobility.c
++++ b/print-mobility.c
+@@ -69,6 +69,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE 5 /* Binding Update */
+ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR 7 /* Binding Error */
++#define IP6M_MAX 7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
++ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
++ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
++ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
++ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
++ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
++};
+ 
+ /* XXX: unused */
+ #define IP6MOPT_BU_MINLEN 10
+@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
+ unsigned i, optlen;
+ 
+ for (i = 0; i < len; i += optlen) {
++ ND_TCHECK(bp[i]);
+ if (bp[i] == IP6MOPT_PAD1)
+ optlen = 1;
+ else {
+- if (i + 1 < len)
++ if (i + 1 < len) {
++ ND_TCHECK(bp[i + 1]);
+ optlen = bp[i + 1] + 2;
++ }
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
++ ND_TCHECK(bp[i + optlen]);
+ 
+ switch (bp[i]) {
+ case IP6MOPT_PAD1:
+@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
+ 
+ ND_TCHECK(mh->ip6m_type);
+ type = mh->ip6m_type;
++ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++ ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
++ goto trunc;
++ }
+ switch (type) {
+ case IP6M_BINDING_REQUEST:
+ ND_PRINT((ndo, "mobility: BRR"));
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff 2015-03-14 18:31:07.000000000 +0100
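Review bot: `ND_TCHECK(bp[i + optlen])` in the mobility_opt_print hunk tests the byte one past the current option rather than the option's own bytes, so an option that ends exactly at the end of the captured data is reported as truncated even though it is complete. `ND_TCHECK2(bp[i], optlen)`, the form the RPKI patch in this same upload uses, covers exactly the `optlen` bytes the switch below goes on to read and is still sufficient for every later access to the option. The single-byte `ND_TCHECK(bp[i + 1])` is fine as written because that byte is consumed immediately. The switch body of mobility_opt_print and the remaining cases of mobility_print lie outside the hunk.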
@@ -0,0 +1,24 @@
+diff --git a/print-rpki-rtr.c b/print-rpki-rtr.c
+index 5bb5df7..8847c53 100644
+--- a/print-rpki-rtr.c
++++ b/print-rpki-rtr.c
+@@ -178,6 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ ND_TCHECK2(tptr, pdu_len);
+ hexdump = FALSE;
+ 
+ ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -306,6 +307,11 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+ if (ndo->ndo_vflag > 1 || (ndo->ndo_vflag && hexdump)) {
+ print_unknown_data(ndo,tptr,"\n\t ", pdu_len);
+ }
++ return;
++
++ trunc:
++ ND_PRINT((ndo, "|trunc"));
++ return;
+ }
+ 
+ void
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2153-fix-regression.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2153-fix-regression.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2153-fix-regression.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2153-fix-regression.diff 2015-03-23 00:40:44.000000000 +0100
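Review bot: The added `ND_TCHECK2(tptr, pdu_len)` only verifies that `pdu_len` bytes are captured; it does not reject a `pdu_len` smaller than the `rpki_rtr_pdu` header whose fields were just read through `pdu_header`, nor smaller than the type-specific PDU structures the switch further down (outside the hunk) presumably casts `tptr` to. Unless a minimum-length check exists elsewhere in the function, a PDU whose length field is smaller than its own header still lets those later field reads run past the PDU. A guard beside the added line, `if (pdu_len < sizeof(rpki_rtr_pdu)) goto trunc;`, plus a per-type minimum in each case, would close that. rpki_rtr_pdu_print's body between the two hunks is not visible here.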
@@ -0,0 +1,53 @@
+Description: RPKI to Router Protocol: Fix Segmentation Faults and other problems.
+ - Fix/add ND_TCHECK2 tests,
+ - Fix a buffer overflow,
+ - Remove a debug printf
+Origin: upstream, https://github.com/the-tcpdump-group/tcpdump/commit/fb6e5377f392555b8c725f66b8b701f0061a3695
+
+diff -pruN -x '*~' tcpdump-4.6.2.orig/print-rpki-rtr.c tcpdump-4.6.2/print-rpki-rtr.c
+--- tcpdump-4.6.2.orig/print-rpki-rtr.c 2015-03-22 12:55:55.349173971 +0100
++++ tcpdump-4.6.2/print-rpki-rtr.c 2015-03-22 12:49:56.987396951 +0100
+@@ -178,7 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
+- ND_TCHECK2(tptr, pdu_len);
++ ND_TCHECK2(*tptr, pdu_len);
+ hexdump = FALSE;
+ 
+ ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -255,6 +255,7 @@ rpki_rtr_pdu_print (netdissect_options *
+ 
+ pdu = (rpki_rtr_pdu_error_report *)tptr;
+ encapsulated_pdu_length = EXTRACT_32BITS(pdu->encapsulated_pdu_length);
++ ND_TCHECK2(*tptr, encapsulated_pdu_length);
+ tlen = pdu_len;
+ 
+ error_code = EXTRACT_16BITS(pdu->pdu_header.u.error_code);
+@@ -287,9 +288,10 @@ rpki_rtr_pdu_print (netdissect_options *
+ tptr += 4;
+ tlen -= 4;
+ }
++ ND_TCHECK2(*tptr, text_length);
+ if (text_length && (text_length <= tlen )) {
+ memcpy(buf, tptr, min(sizeof(buf)-1, text_length));
+- buf[text_length] = '\0';
++ buf[min(sizeof(buf) - 1, text_length)] = '\0';
+ ND_PRINT((ndo, "%sError text: %s", indent_string(indent+2), buf));
+ }
+ }
+@@ -336,13 +338,13 @@ rpki_rtr_print(netdissect_options *ndo,
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ ND_TCHECK2(*tptr, pdu_len);
+ 
+ /* infinite loop check */
+ if (!pdu_type || !pdu_len) {
+ break;
+ }
+ 
+- ND_TCHECK2(*tptr, pdu_len);
+ if (tlen < pdu_len) {
+ goto trunc;
+ }
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff
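Review bot: `ND_TCHECK2(*tptr, text_length)` in the third hunk runs on every path, but `text_length` appears to be assigned only inside the `if` whose closing brace immediately precedes it, and its declaration is outside the hunk; if it is not initialised at declaration, the short-`tlen` path hands an unassigned value to the bounds macro. Initialising it, `text_length = 0;` at the declaration, or moving the check inside the `if (text_length && ...)` block, makes the check well-defined. The `min(sizeof(buf) - 1, text_length)` computed twice in that block reads better as `size_t n = min(sizeof(buf) - 1, text_length); memcpy(buf, tptr, n); buf[n] = '\0';`. The Description lists "Remove a debug printf", but none of the four hunks removes one; if that part of the upstream commit does not apply to 4.6.2, the description should say so.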
tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2154.diff 2015-03-14 18:31:07.000000000 +0100
@@ -0,0 +1,31 @@
+diff --git a/print-isoclns.c b/print-isoclns.c
+index bc710e4..54eed7c 100644
+--- a/print-isoclns.c
++++ b/print-isoclns.c
+@@ -1057,7 +1057,7 @@ esis_print(netdissect_options *ndo,
+ 
+ if (li < sizeof(struct esis_header_t) + 2) {
+ ND_PRINT((ndo, " length indicator < min PDU size %d:", li));
+- while (--length != 0)
++ while (pptr < ndo->ndo_snapend)
+ ND_PRINT((ndo, "%02X", *pptr++));
+ return;
+ }
+@@ -3084,8 +3084,15 @@ osi_print_cksum(netdissect_options *ndo,
+ {
+ uint16_t calculated_checksum;
+ 
+- /* do not attempt to verify the checksum if it is zero */
+- if (!checksum) {
++ /* do not attempt to verify the checksum if it is zero,
++ * if the total length is nonsense,
++ * if the offset is nonsense,
++ * or the base pointer is not sane
++ */
++ if (!checksum
++ || length > ndo->ndo_snaplen
++ || checksum_offset > ndo->ndo_snaplen
++ || checksum_offset > length) {
+ ND_PRINT((ndo, "(unverified)"));
+ } else {
+ calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2155.diff 2015-03-14 18:31:07.000000000 +0100
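Review bot: The new osi_print_cksum guard compares `length` and `checksum_offset` with `ndo->ndo_snaplen`, the configured snapshot length, not with the bytes actually captured after `pptr`; a `length` below snaplen that still extends past `ndo->ndo_snapend` for this packet (pptr is already some way into it) reaches `create_osi_cksum(pptr, checksum_offset, length)`, which then reads beyond the captured data. Testing the capture buffer itself, `|| !ND_TTEST2(*pptr, length)` in place of the two snaplen comparisons, bounds the read to what is present while keeping the `checksum_offset > length` test. In the esis_print hunk, `while (pptr < ndo->ndo_snapend)` dumps everything up to the snapshot end rather than the PDU's own `length` bytes; bounding by both, `while (length != 0 && pptr < ndo->ndo_snapend) { ND_PRINT((ndo, "%02X", *pptr++)); length--; }`, keeps the output limited to the PDU without the wrap-around the old `--length` test apparently had when `length` was 0. Both enclosing functions begin and end outside the hunk.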
@@ -0,0 +1,15 @@
+diff --git a/print-forces.c b/print-forces.c
+index 45bd74f..c5ec13c 100644
+--- a/print-forces.c
++++ b/print-forces.c
+@@ -1203,7 +1203,9 @@ otlv_print(netdissect_options *ndo,
+ 
+ }
+ 
+- rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++ if(ops->print) {
++ rc = ops->print(ndo, dp, tll, ops->op_msk, indent + 1);
++ }
+ return rc;
+ 
+ trunc:
diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series
--- tcpdump-4.6.2/debian/patches/series 2014-12-03 17:22:51.000000000 +0100
+++ tcpdump-4.6.2/debian/patches/series 2015-03-23 00:20:55.000000000 +0100
@@ -4,8 +4,13 @@
 50_hurd.diff
 50_kfreebsd.diff
 50_autotools-dev.diff
-90_man_apparmor.diff
 60_cve-2014-8767.diff
 60_cve-2014-8768.diff
 60_cve-2014-8769.diff
 60_cve-2014-9140.diff
+60_cve-2015-0261.diff
+60_cve-2015-2153.diff
+60_cve-2015-2154.diff
+60_cve-2015-2155.diff
+90_man_apparmor.diff
+60_cve-2015-2153-fix-regression.diff
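Review bot: With the new `if(ops->print)` guard, `return rc;` hands back whatever `rc` held before the call when `ops->print` is NULL; `rc`'s declaration is outside the hunk, so if it is not initialised there the caller receives an indeterminate value. Either initialise it at the declaration or make the skipped case explicit, `rc = ops->print ? ops->print(ndo, dp, tll, ops->op_msk, indent + 1) : 0;`, using whatever value the callers treat as "nothing printed". As a style point, `if(ops->print)` should be spaced as `if (ops->print)` like the other conditionals in these patches. otlv_print begins and ends outside the hunk.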
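Review bot: `60_cve-2015-2153-fix-regression.diff` is appended after `90_man_apparmor.diff`, breaking the numeric ordering the rest of the series keeps; placing it directly after `60_cve-2015-2155.diff` keeps the 60_ CVE patches together and reads as the follow-up to `60_cve-2015-2153.diff` that it is. As far as this upload shows, only 60_cve-2015-2153.diff touches print-rpki-rtr.c, so the move does not change what the patch applies against.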