pkgsrc-Bugs archive


pkg/48381: net/vtun dangerous

>Number:         48381
>Category:       pkg
>Synopsis:       net/vtun had security improvements revoked
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 17 09:35:00 +0000 2013
>Originator:     Michael van Elst
>Release:        NetBSD 6.1.2_PATCH
                                Michael van Elst
                                "A potential Snark may lurk in every tree."
System: NetBSD 6.1.2_PATCH NetBSD 6.1.2_PATCH (SERPENS) #1: Sat Oct 26 17:41:31 UTC 2013
Architecture: m68k
Machine: amiga

net/vtun is a small program that provides an easy VPN tunnel setup. However, it
was using cryptography in a very insecure way.

In 2003 the package was enhanced with a third party patch:

| 2003-10-27 17:55
|         * Makefile (1.22), distinfo (1.7): Update to 2.6nb1. Fixes a few
|           security bugs. Patch contributed via the OpenFortress project by
|           Rick van Rein <> in private mail.

All these enhancements were thrown away by an update from upstream:

| 2011-03-18 11:39
|           Changes 3.0.1: * fix build for lzo2 * new debian rc scripts
|           Changes 3.0.0: * Configure looks for liblzo2 when available

Try to update from a package created between 2003-17-27 and 2011-03-18 to
a current package on one side. The protocol changes again incompatibly.
If you update both sides, it probably works again, but all the security
enhancements are gone.

Since no one seems to maintain the patch and without the patch net/vtun
is insecure, drop the package from pkgsrc.

