pkgsrc-Bugs archive
pkg/48381: net/vtun dangerous
>Number: 48381
>Category: pkg
>Synopsis: net/vtun had security improvements revoked
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sun Nov 17 09:35:00 +0000 2013
>Originator: Michael van Elst
>Release: NetBSD 6.1.2_PATCH
>Organization:
--
Michael van Elst
Internet: mlelstv%serpens.de@localhost
"A potential Snark may lurk in every tree."
>Environment:
System: NetBSD serpens.de 6.1.2_PATCH NetBSD 6.1.2_PATCH (SERPENS) #1: Sat Oct
26 17:41:31 UTC 2013
spz%amdmin.netbsd.de@localhost:/home/netbsd/6/amiga/obj/sys/arch/amiga/compile/SERPENS
amiga
Architecture: m68k
Machine: amiga
>Description:
net/vtun is a small program that provides an easy VPN tunnel setup. However, it
was using cryptography in a very insecure way.
In 2003 the package was enhanced with a third party patch:
| 2003-10-27 17:55
| * Makefile (1.22), distinfo (1.7): Update to 2.6nb1. Fixes a few
| security bugs. Patch contributed via the OpenFortress project by
| Rick van Rein <rick%openfortress.nl@localhost> in private mail.
All these enhancements were thrown away by an update from upstream:
| 2011-03-18 11:39
| Changes 3.0.1: * fix build for lzo2 * new debian rc scripts
| Changes 3.0.0: * Configure looks for liblzo2 when available
>How-To-Repeat:
Try to update from a package created between 2003-17-27 and 2011-03-18 to
a current package on one side. The protocol changes again incompatibly.
If you update both sides, it probably works again, but all the security
enhancements are gone.
>Fix:
Since no one seems to maintain the patch and without the patch net/vtun
is insecure, drop the package from pkgsrc.
>Unformatted: