NetBSD Problem Report #48381
From mlelstv@serpens.de Sun Nov 17 09:32:30 2013
Return-Path: <mlelstv@serpens.de>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id C2B40A618E
for <gnats-bugs@gnats.NetBSD.org>; Sun, 17 Nov 2013 09:32:30 +0000 (UTC)
Message-Id: <201311170931.rAH9VsWE023878@serpens.de>
Date: Sun, 17 Nov 2013 10:31:57 +0100 (MET)
From: mlelstv@serpens.de
Reply-To: mlelstv@serpens.de
To: gnats-bugs@gnats.NetBSD.org
Subject: net/vtun dangerous
X-Send-Pr-Version: 3.95
>Number: 48381
>Category: pkg
>Synopsis: net/vtun had security improvements revoked
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: adam
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sun Nov 17 09:35:00 +0000 2013
>Last-Modified: Sun Nov 17 11:20:24 +0000 2013
>Originator: Michael van Elst
>Release: NetBSD 6.1.2_PATCH
>Organization:
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
>Environment:
System: NetBSD serpens.de 6.1.2_PATCH NetBSD 6.1.2_PATCH (SERPENS) #1: Sat Oct 26 17:41:31 UTC 2013 spz@amdmin.netbsd.de:/home/netbsd/6/amiga/obj/sys/arch/amiga/compile/SERPENS amiga
Architecture: m68k
Machine: amiga
>Description:
net/vtun is a small program that provides an easy VPN tunnel setup. However, it
was using cryptography in a very insecure way.
In 2003 the package was enhanced with a third party patch:
| 2003-10-27 17:55
| * Makefile (1.22), distinfo (1.7): Update to 2.6nb1. Fixes a few
| security bugs. Patch contributed via the OpenFortress project by
| Rick van Rein <rick@openfortress.nl> in private mail.
All these enhancements were thrown away by an update from upstream:
| 2011-03-18 11:39
| Changes 3.0.1: * fix build for lzo2 * new debian rc scripts
| Changes 3.0.0: * Configure looks for liblzo2 when available
>How-To-Repeat:
Try to update from a package created between 2003-17-27 and 2011-03-18 to
a current package on one side. The protocol changes again incompatibly.
If you update both sides, it probably works again, but all the security
enhancements are gone.
>Fix:
Since no one seems to maintain the patch and without the patch net/vtun
is insecure, drop the package from pkgsrc.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->adam
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Sun, 17 Nov 2013 11:20:24 +0000
Responsible-Changed-Why:
Over to last updater as the last committer interested in this package, to decide.
>Unformatted: