The release tag won't be moved.  You probably want to update to
netbsd-3-1 which is the tag for the stable branch along which 3.1 was
cut.  I just follow netbsd-3, which has more pullups, but I've never had
trouble from following a post-release stable branch.

'cvs log' on such a file is helpful.  excerpts

RCS file: /cvsroot/src/sys/netiso/clnp_subr.c,v
Working file: clnp_subr.c
head: 1.29
branch:
locks: strict
access list:
symbolic names:
	netbsd-3-1: 1.17.0.6
	netbsd-3-1-RELEASE: 1.17
	netbsd-3-1-1-RELEASE: 1.17.6.1
	netbsd-3-0-3-RELEASE: 1.17.4.1
	netbsd-3-0-1-RELEASE: 1.17
	netbsd-3-0: 1.17.0.4
	netbsd-3-0-RELEASE: 1.17
	netbsd-3-0-RC6: 1.17
	netbsd-3: 1.17.0.2
	netbsd-3-base: 1.17
	netbsd-4: 1.21.0.2
	netbsd-4-base: 1.21


As you can see it's mostly 1.17.

revision 1.17.6.1
date: 2007/03/29 08:53:31;  author: ghen;  state: Exp;  lines: +35 -23
Pull up following revision(s) (requested by adrianp in ticket #1733):
	sys/netiso/clnp_subr.c: revision 1.27 via patch
A number of functions do not validate the length of arguments passed.
As a result of this a user could supply a bad 'sockaddr' structure to
clnp_route() via connect(2).
Issue found by Christer Oberg and patch from christos@ (NetBSD-SA2007-004)