NetBSD Problem Report #48381

From mlelstv@serpens.de  Sun Nov 17 09:32:30 2013
Return-Path: <mlelstv@serpens.de>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id C2B40A618E
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 17 Nov 2013 09:32:30 +0000 (UTC)
Message-Id: <201311170931.rAH9VsWE023878@serpens.de>
Date: Sun, 17 Nov 2013 10:31:57 +0100 (MET)
From: mlelstv@serpens.de
Reply-To: mlelstv@serpens.de
To: gnats-bugs@gnats.NetBSD.org
Subject: net/vtun dangerous
X-Send-Pr-Version: 3.95

>Number:         48381
>Category:       pkg
>Synopsis:       net/vtun had security improvements revoked
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    adam
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 17 09:35:00 +0000 2013
>Last-Modified:  Sun Nov 17 11:20:24 +0000 2013
>Originator:     Michael van Elst
>Release:        NetBSD 6.1.2_PATCH
>Organization:
-- 
                                Michael van Elst
Internet: mlelstv@serpens.de
                                "A potential Snark may lurk in every tree."
>Environment:


System: NetBSD serpens.de 6.1.2_PATCH NetBSD 6.1.2_PATCH (SERPENS) #1: Sat Oct 26 17:41:31 UTC 2013 spz@amdmin.netbsd.de:/home/netbsd/6/amiga/obj/sys/arch/amiga/compile/SERPENS amiga
Architecture: m68k
Machine: amiga
>Description:

net/vtun is a small program that provides an easy VPN tunnel setup. However, it
was using cryptography in a very insecure way.

In 2003 the package was enhanced with a third party patch:

| 2003-10-27 17:55
|         * Makefile (1.22), distinfo (1.7): Update to 2.6nb1. Fixes a few
|           security bugs. Patch contributed via the OpenFortress project by
|           Rick van Rein <rick@openfortress.nl> in private mail.

all these enhancements were thrown away by an update from upstream:

| 2011-03-18 11:39
|           Changes 3.0.1: * fix build for lzo2 * new debian rc scripts
|           Changes 3.0.0: * Configure looks for liblzo2 when available


>How-To-Repeat:
Try to update from a package created between 2003-10-27 and 2011-03-18 to
a current package on one side. The protocol changes again incompatibly.
If you update both sides, it probably works again, but all the security
enhancements are gone.

>Fix:
Since no one seems to maintain the patch and without the patch net/vtun
is insecure, drop the package from pkgsrc.

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: pkg-manager->adam
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Sun, 17 Nov 2013 11:20:24 +0000
Responsible-Changed-Why:
Over to last updater as the last committer interested in this package, to decide.


>Unformatted:
