Subject: Dante; what exactly are security mechanisms of pkgsrc?
To: tech-security <tech-security@netbsd.org>
From: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
List: tech-security
Date: 07/12/2002 15:13:05
Hello,
FIRST: please don't take the following e-mail as ironic or offensive. I
am just asking...
I want to use the Socks5 server Dante from the NetBSD package sources. I
noticed that there is version 1.1.9, while the original server provides
1.1.13. I compiled the original sources OK; however, it didn't work (an
internal error was detected at sockd_negotiate.c: 393).
Now to my questions:
[Dante-specific]
I couldn't find any information on vulnerabilities of older Dante
versions at securityfocus.com or by searching with Google for "dante socks
vulnerability". This doesn't necessarily mean that there are no vulns, I
just couldn't find them. Reading the NEWS file in the Dante distribution points
out some bugs that seem to be harmless, but maybe I just don't get the
point. There is no word like "vulne*" or "explo*" anyway. Is this
software really that bulletproof? I also couldn't find any mailing list
like "dante-announce."
Could you give me some hint where to check Dante security?
Is version 1.1.9 considered to be secure? Are all the later versions
just some cosmetic improvements?
[pkgsrc]
I don't really follow the sentence: "Note that we no longer issue
advisories for thirdparty software packages (pkgsrc). Instead, an
automated mechanism to audit installed binary package is provided in
pkgsrc/security/audit-packages." I have no idea what is behind "an
automated mechanism".
If a package installed from pkgsrc is not audited as vulnerable, it can
mean basically two things to me in a world of free software:
- either it is not known to be vulnerable,
or
- the vulnerabilities database used by the automated mechanism
wasn't loaded with up-to-date data from the right place,
because nobody/nothing felt committed to do it.
So, when a less popular package (like Dante) isn't audited by
audit-packages as vulnerable, does it REALLY mean that
somebody/something checks some bugtraq-like databases, manufacturer's
announcements and the like and she hasn't found any relevant information
to put into
ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities, or
does it mean that maybe no one cares?
I understand that when somebody creates a package, it doesn't
necessarily mean that she will keep an eye on it in the future, so a
vulnerable version can lie there calmly for years. Would somebody care then?
Thanks for the patience and responsiveness,
Ivan Dolezal
PS: once again, I am trying to secure a real network, not just playing
around, so I *need* to know when my boss asks
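The distinction raised above, that a "not vulnerable" audit result is only as good as the freshness of the list it was checked against, can be made explicit in the audit tool itself. The following is an added example, not pkgsrc's audit-packages and not its real vulnerabilities file; the list format, the package names and the entries are constructed, the pattern syntax is a simplified stand-in, and the seven-day staleness threshold is an assumption.

```python
"""Toy package audit that reports CLEAN, VULNERABLE or UNVERIFIED (list too old)."""
import fnmatch
import re
from datetime import date, timedelta

# Constructed sample vulnerability list (made-up packages and URLs).
# Pattern syntax assumed here: "name<version", "name<=version" or "name-glob".
SAMPLE_DB = """\
#GENERATED: 2002-12-01
examplepkg<2.0.5 remote-dos http://example.invalid/advisory-1
otherpkg-1.3.* local-file-read http://example.invalid/advisory-2
"""
MAX_AGE = timedelta(days=7)  # assumption: older than this and we stop trusting a CLEAN

def parse_db(text):
    """Return (generated_date, [(name, op, version, kind, url), ...])."""
    generated, entries = None, []
    for line in text.splitlines():
        if line.startswith("#GENERATED:"):
            generated = date.fromisoformat(line.split(":", 1)[1].strip())
        elif line.strip() and not line.startswith("#"):
            pattern, kind, url = line.split()
            # package names are assumed not to contain '-' in this toy syntax
            m = re.match(r"^([A-Za-z0-9_]+)(<=|<|-)(.+)$", pattern)
            entries.append((m.group(1), m.group(2), m.group(3), kind, url))
    return generated, entries

def vkey(v):
    """Numeric components of a dotted version, for ordering comparisons."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def matches(inst_name, inst_ver, name, op, ver):
    if inst_name != name:
        return False
    if op == "-":
        return fnmatch.fnmatch(inst_ver, ver)
    return vkey(inst_ver) < vkey(ver) if op == "<" else vkey(inst_ver) <= vkey(ver)

def audit(installed, db_text, today):
    """Map 'name-version' strings to (status, details); a stale list never yields CLEAN."""
    generated, entries = parse_db(db_text)
    stale = generated is None or today - generated > MAX_AGE
    result = {}
    for pkg in installed:
        name, _, ver = pkg.rpartition("-")
        hits = [e for e in entries if matches(name, ver, *e[:3])]
        if hits:
            result[pkg] = ("VULNERABLE", [h[4] for h in hits])
        elif stale:
            result[pkg] = ("UNVERIFIED", ["vulnerability list dated %s" % generated])
        else:
            result[pkg] = ("CLEAN", [])
    return result
```

Note that UNVERIFIED only covers the "stale data" case; nothing in the tool can tell you whether anyone ever looked at a package that simply has no entry.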