Re: Curious Ports Behavior

From: Herbert J. Skuhra <herbert_at_gojira.at>
Date: Sun, 12 Jun 2022 20:32:15 UTC
On Sun, Jun 12, 2022 at 02:49:35PM -0500, Tim Daneliuk wrote:
> Two machines, one physical running on an older i5.
> 
> The other is a cloud-based virtual machine.
> 
> Both running 13.1-STABLE as of 6/1/2022
> 
> I just did a fresh clone of the ports tree on both machines before asking here.
> 
> When I attempt to compile www/apache23 on the VM, I have no problems.
> 
> But attempting to compile www/apache23 on the physical machine emits this:
> 
> ===>  apache24-2.4.54 has known vulnerabilities:
> apache24-2.4.54 is vulnerable:
>   Apache httpd -- Multiple vulnerabilities
>   CVE: CVE-2022-26377
>   CVE: CVE-2022-28330
>   CVE: CVE-2022-28614
>   CVE: CVE-2022-28615
>   CVE: CVE-2022-29404
>   CVE: CVE-2022-30522
>   CVE: CVE-2022-30556
>   CVE: CVE-2022-31813
>   WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html
> 
> 
> IOW, the physical machine port installation stops because of known vulnerabilities,
> but the VM instance works fine.
> 
> There is no evidence of "DISABLE_VULNERABILITIES" in the VM's environment or /etc/make.conf
> 
> 
> Can anyone suggest a reason for this difference of behavior and/or a possible remediation?
> 
> I don't want servers running with high severity vulnerabilities ...

Run 'pkg audit -F' and try again.

-- 
Herbert