Did you look at ports if it has patch applied for the vulnerability? The administrator of that OpenBSD machine should already be aware the installed software. It is not an automagical secure system after all.
On Jan 29, 2008 12:05 PM, Richard P. Koett <[EMAIL PROTECTED]> wrote: > Dear Misc: > > I've been asked to look into an issue on a i386 system running OpenBSD 3.7. I > realize this is rather out-of-date, so feel free to ignore this question if > it's inappropriate... > > The machine is running poptop-1.1.4.b4p1. Someone did an audit and declared > "PoPToP servers prior to version 1.1.4-bs are vulnerable to a buffer > overflow". I notice that even the current version of OpenBSD has a package for > poptop-1.1.4.b4p1, so I find it hard to believe that this version contains a > known buffer overflow. My question is - what information can I provide the > auditor to assure them of this? > > Thanks in advance for any comments. For what it's worth I am aware of > alternatives to PoPToP such as OpenVPN. > > RPK.
