Subject: Dante; what exactly are security mechanisms of pkgsrc?
To: tech-security <firstname.lastname@example.org>
From: Ing.,BcA. Ivan Dolezal <email@example.com>
Date: 07/12/2002 15:13:05
FIRST: please don't take the following e-mail as ironic or
offensive. I am just asking...
I want to use the Socks5 server Dante from the NetBSD package sources. I
noticed that there is a 1.1.9 version, while the original server provides
1.1.13. I compiled the original sources OK; however, it didn't work (an
internal error was detected at sockd_negotiate.c: 393).
Now to my questions:
I couldn't find any information on vulnerabilities of older Dante
versions at securityfocus.com or by searching with google for "dante socks
vulnerability". This doesn't necessarily mean that there are no vulns, I
just couldn't find them. Reading the NEWS file in the Dante distribution points
out some bugs that seem to be harmless, but maybe I just don't get the
point. There is not a single word "vulne*" or "explo*" anyway. Is this
software really that bulletproof? I also couldn't find any mailing list.
Could you give me some hint where to check Dante security?
Is version 1.1.9 considered to be secure? Are all the later versions
just some cosmetic improvements?
I don't really follow the sentence: "Note that we no longer issue
advisories for thirdparty software packages (pkgsrc). Instead, an
automated mechanism to audit installed binary package is provided in
pkgsrc/security/audit-packages." I have no idea, what is behind "an
If a package installed from pkgsrc is not audited as vulnerable, it can
mean basically two things to me in a world of free software:
- either it is not known to be vulnerable,
- or the vulnerability database used by the automated mechanism
wasn't loaded with up-to-date data from the right place,
because nobody/nothing felt committed to do it.
So, when a less popular package (like Dante) isn't audited by
audit-packages as vulnerable, does it REALLY mean that
somebody/something checks some bugtraq-like databases, manufacturer's
announcements and the like and she hasn't found any relevant information
to put to the
or does it mean that maybe no one cares?
I understand that when somebody creates a package, it doesn't
necessarily mean that she will keep an eye on it in the future, so a
vulnerable version can lie there calmly for years. Would somebody care then?
Thanks for the patience and responsiveness,
PS: once again, I am trying to secure a real network, not just playing
around, so I *need* to know when my boss asks
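The two readings of a "clean" audit result that the message above raises (the package is not known to be vulnerable, or the database the audit reads is simply out of date) can be made concrete with a small model of what an automated package audit does. The following is an added example written for this page; it is not the pkgsrc audit-packages tool and does not reproduce its real matching rules. The database text follows the general shape of a pkg-vulnerabilities file (package pattern, problem type, reference URL), but every entry, version, package name and URL in it is constructed for the illustration, and the version comparison is a simplified one. Besides matching installed packages against the list, it reports the age of the database, because a match list produced from stale data says nothing about vulnerabilities published since the data was fetched.

```python
"""Toy model of an automated pkgsrc-style vulnerability audit.

Added example, not the real audit-packages tool.  All data below is
constructed for illustration; the pattern syntax and version ordering
are simplified approximations of the real ones.
"""
import re

# Constructed vulnerability list: "<package-pattern> <type> <reference>".
# Names, versions and URLs are made up for this example.
VULN_DB_TEXT = """\
# constructed entries for the illustration
dante<1.1.10 example-issue https://example.invalid/dante-1
openssl<0.9.6g example-issue https://example.invalid/openssl-1
foo>=2.0<2.1.3 example-issue https://example.invalid/foo-1
"""

# Constructed list of "installed" packages, as pkgsrc-style name-version.
INSTALLED = ["dante-1.1.9", "openssl-0.9.6g", "foo-2.1.3", "sudo-1.6.6"]

# Constructed: how many days ago the database above was last fetched.
DB_AGE_DAYS = 30

_PATTERN_RE = re.compile(r"^([^<>]+)((?:[<>]=?[^<>]+)+)$")
_CLAUSE_RE = re.compile(r"([<>]=?)([^<>]+)")
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def version_key(version):
    """Simplified dewey-style ordering: digit runs compare numerically,
    letter runs lexically, and a longer version with an equal prefix
    sorts higher ("0.9.6g" > "0.9.6", "1.1.9nb1" > "1.1.9")."""
    key = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((1, int(token)) if token.isdigit() else (0, token))
    return key


def parse_vuln_db(text):
    """Parse lines of '<name><op><ver>[<op><ver>] <type> <url>'.
    Returns a list of (name, [(op, version), ...], type, url)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        m = _PATTERN_RE.match(pattern)
        if not m:
            raise ValueError("unsupported pattern: %s" % pattern)
        clauses = _CLAUSE_RE.findall(m.group(2))
        entries.append((m.group(1), clauses, kind, url))
    return entries


def matches(name, version, entry):
    """True if an installed name/version falls inside the entry's range."""
    ename, clauses, _, _ = entry
    if name != ename:
        return False
    vk = version_key(version)
    return all(_OPS[op](vk, version_key(v)) for op, v in clauses)


def split_pkg(pkg):
    """'dante-1.1.9' -> ('dante', '1.1.9'); split at the last hyphen."""
    name, _, version = pkg.rpartition("-")
    return name, version


def audit(installed, db_text, db_age_days, max_age_days=7):
    """Return (findings, stale).  findings: [(pkg, type, url), ...].
    stale is True when the database is older than max_age_days, i.e.
    an empty findings list must not be read as 'nothing vulnerable'."""
    entries = parse_vuln_db(db_text)
    findings = []
    for pkg in installed:
        name, version = split_pkg(pkg)
        for entry in entries:
            if matches(name, version, entry):
                findings.append((pkg, entry[2], entry[3]))
    return findings, db_age_days > max_age_days


if __name__ == "__main__":
    found, stale = audit(INSTALLED, VULN_DB_TEXT, DB_AGE_DAYS)
    for pkg, kind, url in found:
        print("Package %s has a %s vulnerability, see %s" % (pkg, kind, url))
    if stale:
        print("WARNING: vulnerability data is %d days old; "
              "a clean result is not evidence of absence" % DB_AGE_DAYS)
```

Run against the constructed data, only dante-1.1.9 is flagged (it is below 1.1.10), openssl-0.9.6g is not (the range is strictly below 0.9.6g), and the staleness warning fires because the list is 30 days old. The staleness check is the part that matters for the question above: the matching step can only ever answer "known vulnerable according to this file", so how and when that file is refreshed decides what "not flagged" is worth.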