From: Julien Laffaye
To: Kevin Oberman, Rob Belics
Cc: FreeBSD Ports ML
Subject: Re: lang/go security problem on one but not the other
Date: Wed, 2 Sep 2015 23:43:20 +0200
Message-ID: <55E76D78.8020209@freebsd.org>

On 9/2/2015 9:49 PM, Kevin Oberman wrote:
> On Wed, Sep 2, 2015 at 9:31 AM, Rob Belics wrote:
>
>> The date for vuln.xml, on the server which it won't build on, is September
>> 1 while the date on the other is July 25.
>>
> OK. So the July 25 system seems to not be updating the vuln.xml file and
> that file is from prior to the discovery of the vulnerabilities in 1.4.2.
>
> First, you need to find out why one system does not seem to be updating the
> vuln.xml file. It should be updated by
> /usr/local/etc/periodic/security/410.pkg-audit which is installed as part
> of pkg. You can try running it manually (as root) to see what the problem
> might be.
>
> Second, you should drop the maintainer of go14, jlaffaye@, a request that
> he update go14 to 1.4.3. It is quite likely that he is already aware of the
> issue and just has not gotten it taken care of yet. The vulnerability was
> first reported on Aug. 28, so it is pretty recent. It is not unlikely that
> he has been on vacation at this time of the year.

There is no such release as 1.4.3. And it is unclear if the Go team would
release one as 1.5 is out (they don't support old branches).
lang/go14 is only in the PT to bootstrap lang/go, so refusing to build this
port because it has security issues in the net package is kind of annoying.

> --
> Kevin Oberman, Network Engineer, Retired
> E-mail: rkoberman@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683