Axton wrote:
> On Jan 28, 2008 11:05 PM, Richard P. Koett <[EMAIL PROTECTED]> wrote:
>> Dear Misc:
>>
>> I've been asked to look into an issue on an i386 system running
>> OpenBSD 3.7. I realize this is rather out-of-date, so feel free to
>> ignore this question if it's inappropriate...
>>
>> The machine is running poptop-1.1.4.b4p1. Someone did an audit and
>> declared "PoPToP servers prior to version 1.1.4-bs are vulnerable to
>> a buffer overflow". I notice that even the current version of
>> OpenBSD has a package for poptop-1.1.4.b4p1, so I find it hard to
>> believe that this version contains a known buffer overflow. My
>> question is - what information can I provide the auditor to assure
>> them of this?
>>
>> Thanks in advance for any comments. For what it's worth I am aware of
>> alternatives to PoPToP such as OpenVPN.
>>
>> RPK.
>
> http://www.openbsd.org/faq/faq15.html#Intro
>
> See the third paragraph in this section.
Yes, I understand that packages are not audited as the base system is. It just seemed unlikely to me that the PoPToP version in packages would remain unchanged through 6 different releases of OpenBSD if it was known to have a buffer overflow.