From owner-freebsd-ports@freebsd.org Wed Sep 2 19:49:23 2015 Return-Path: Delivered-To: freebsd-ports@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C3A5A9C8EB7 for ; Wed, 2 Sep 2015 19:49:23 +0000 (UTC) (envelope-from kob6558@gmail.com) Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 8A89B8F2 for ; Wed, 2 Sep 2015 19:49:23 +0000 (UTC) (envelope-from kob6558@gmail.com) Received: by oibi136 with SMTP id i136so12534474oib.3 for ; Wed, 02 Sep 2015 12:49:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=mftStXqQ5Irp0JGiPce4ifbC811091Zoh13laEFWPFM=; b=wgPI+qfeZgBnXPRz2Wjb1PbNsQDjR85GYiS9+HkK2APZLDEkf2NwUfkQfyHlr0TXfp LSW0yEC0vNAKKKeHqB1D0J4BKggcNC1uG6ehDr2YzW8jhpHsBFzxuAb8rI4FagW/H1ME xM/rV3CHvQLCPexT/L3cbYuL/hN6AEaIXtTvpigI0B1VHS51lh+ZI+NNWYBbj6OZTca6 c46Jfso6Q+J7BOaubm7E90I/QSDktTPQ4cCgCP64rh+NdgzYOSyVWoXZL2+4Y9yD60wI G/OSSCBTWxsdh8srRAWX2mFIq+KriLM/RLonwXRtvcevjqcLWfO4crWoEebnP5t9/1jY 2hhw== MIME-Version: 1.0 X-Received: by 10.202.97.196 with SMTP id v187mr2219488oib.91.1441223362877; Wed, 02 Sep 2015 12:49:22 -0700 (PDT) Sender: kob6558@gmail.com Received: by 10.202.102.9 with HTTP; Wed, 2 Sep 2015 12:49:22 -0700 (PDT) In-Reply-To: References: Date: Wed, 2 Sep 2015 12:49:22 -0700 X-Google-Sender-Auth: mUIsDCEXLzKvpYI3Az2jW7PiTEU Message-ID: Subject: Re: lang/go security problem on one but not the other From: Kevin Oberman To: Rob Belics Cc: FreeBSD Ports ML Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Sep 2015 19:49:24 -0000 On Wed, Sep 2, 2015 at 9:31 AM, Rob Belics wrote: > The date for vuln.xml, on the server which it won't build on, is September > 1 while the date on the other is July 25. > OK. So the July 25 system seems to not be updating the vuln.xml file and that file is from prior to the discovery of the vulnerabilities in 1.4.2. First, you need to find out why one system does not seem to be updating the vuln.xml file. It should be updated by /usr/local/etc/periodic/security/410.pkg-audit which is installed as part of pkg. You can try running it manually (as root) to see what the problem might be. Second, you should drop the maintainer of go14, jlaffaye@, a request that he update go14 to 1.4.3. It is quite likely that he is already aware of the issue and just has not gotten it taken care of yet. the vulnerability was first reported on Aug. 28, so it is pretty recent. It is not unlikely that he has been on vacation at this time of the year. -- Kevin Oberman, Network Engineer, Retired E-mail: rkoberman@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683