Curious Ports Behavior

From: Tim Daneliuk <tundra_at_tundraware.com>
Date: Sun, 12 Jun 2022 19:49:35 UTC
Two machines, one physical running on an older i5.

The other is a cloud based virtual machine.

Both running 13.1-STABLE as of 6/1/2022

I just did a fresh clone of the ports tree on both machines before asking here.

When I attempt to compile www/apache23 on the VM, I have no problems.

But attempting to compile www/apach23 on the physical machine emits this:

===>  apache24-2.4.54 has known vulnerabilities:
apache24-2.4.54 is vulnerable:
   Apache httpd -- Multiple vulnerabilities
   CVE: CVE-2022-26377
   CVE: CVE-2022-28330
   CVE: CVE-2022-28614
   CVE: CVE-2022-28615
   CVE: CVE-2022-29404
   CVE: CVE-2022-30522
   CVE: CVE-2022-30556
   CVE: CVE-2022-31813
   WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html


IOW, the physical machine port installation stops because of known vulnerabilities,
but the VM instance works fine.

There is no evidence of "DISABLE_VULNERABILITIES" in the VM's environment or /etc/make.conf


Can anyone suggest a reason for this difference of behavior and/or a possible remediation.

I don't want servers running with high severity vulnerabilities ...