NetBSD Problem Report #48381

From  Sun Nov 17 09:32:30 2013
Date: Sun, 17 Nov 2013 10:31:57 +0100 (MET)
Subject: net/vtun dangerous
X-Send-Pr-Version: 3.95

>Number:         48381
>Category:       pkg
>Synopsis:       net/vtun had security improvements revoked
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    adam
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 17 09:35:00 +0000 2013
>Last-Modified:  Sun Nov 17 11:20:24 +0000 2013
>Originator:     Michael van Elst
>Release:        NetBSD 6.1.2_PATCH
                                Michael van Elst
                                "A potential Snark may lurk in every tree."

System: NetBSD 6.1.2_PATCH NetBSD 6.1.2_PATCH (SERPENS) #1: Sat Oct 26 17:41:31 UTC 2013 amiga
Architecture: m68k
Machine: amiga

net/vtun is a small program that provides an easy VPN tunnel setup. However, it
was using cryptography in a very insecure way.

In 2003 the package was enhanced with a third-party patch:

| 2003-10-27 17:55
|         * Makefile (1.22), distinfo (1.7): Update to 2.6nb1. Fixes a few
|           security bugs. Patch contributed via the OpenFortress project by
|           Rick van Rein <> in private mail.

All these enhancements were thrown away by an update from upstream:

| 2011-03-18 11:39
|           Changes 3.0.1: * fix build for lzo2 * new debian rc scripts
|           Changes 3.0.0: * Configure looks for liblzo2 when available

Try to update from a package created between 2003-17-27 and 2011-03-18 to
a current package on one side. The protocol changes again incompatibly.
If you update both sides, it probably works again, but all the security
enhancements are gone.

Since no one seems to maintain the patch and without the patch net/vtun
is insecure, drop the package from pkgsrc.



Responsible-Changed-From-To: pkg-manager->adam
Responsible-Changed-When: Sun, 17 Nov 2013 11:20:24 +0000
Over to last updater as the last committer interested in this package, to decide.

