Axton wrote:

quoted text
> On Jan 28, 2008 11:05 PM, Richard P. Koett  wrote:

>> Dear Misc:

>>

>> I've been asked to look into an issue on a i386 system running

>> OpenBSD 3.7. I realize this is rather out-of-date, so feel free to

>> ignore this question if it's inappropriate...

>>

>> The machine is running poptop-1.1.4.b4p1. Someone did an audit and

>> declared "PoPToP servers prior to version 1.1.4-bs are vulnerable to

>> a buffer overflow". I notice that even the current version of

>> OpenBSD has a package for poptop-1.1.4.b4p1, so I find it hard to

>> believe that this version contains a known buffer overflow. My

>> question is - what information can I provide the auditor to assure

>> them of this?

>>

>> Thanks in advance for any comments. For what it's worth I am aware of

>> alternatives to PoPToP such as OpenVPN.

>>

>> RPK.

>

> http://www.openbsd.org/faq/faq15.html#Intro

>

> See the third paragraph in this section.

Yes, I understand that packages are not audited as the base system is.

It just seemed unlikely to me that the PoPToP version in packages would

remain unchanged through 6 different releases of OpenBSD if it was known

to have a buffer overflow.