Date: Wed, 2 Sep 2015 12:49:22 -0700 From: Kevin Oberman <rkoberman@gmail.com> To: Rob Belics <rob@spartantheatre.org> Cc: FreeBSD Ports ML <freebsd-ports@freebsd.org> Subject: Re: lang/go security problem on one but not the other Message-ID: <CAN6yY1sga1S6sA_VLHgKxg3V%2Bzv4k3WQZC=taDK%2BmXRygJd%2B1w@mail.gmail.com> In-Reply-To: <CAPu-kW-gjcRbLv7-w-aqraty5npFyQ0vCqeWdmLnQ%2B%2BXwaf69Q@mail.gmail.com> References: <CAPu-kW-gjcRbLv7-w-aqraty5npFyQ0vCqeWdmLnQ%2B%2BXwaf69Q@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Sep 2, 2015 at 9:31 AM, Rob Belics <rob@spartantheatre.org> wrote: > The date for vuln.xml, on the server which it won't build on, is September > 1 while the date on the other is July 25. > OK. So the July 25 system seems to not be updating the vuln.xml file and that file is from prior to the discovery of the vulnerabilities in 1.4.2. First, you need to find out why one system does not seem to be updating the vuln.xml file. It should be updated by /usr/local/etc/periodic/security/410.pkg-audit which is installed as part of pkg. You can try running it manually (as root) to see what the problem might be. Second, you should drop the maintainer of go14, jlaffaye@, a request that he update go14 to 1.4.3. It is quite likely that he is already aware of the issue and just has not gotten it taken care of yet. the vulnerability was first reported on Aug. 28, so it is pretty recent. It is not unlikely that he has been on vacation at this time of the year. -- Kevin Oberman, Network Engineer, Retired E-mail: rkoberman@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1sga1S6sA_VLHgKxg3V%2Bzv4k3WQZC=taDK%2BmXRygJd%2B1w>