lang/go security problem on one but not the other

Kevin Oberman rkoberman at
Wed Sep 2 19:49:24 UTC 2015

On Wed, Sep 2, 2015 at 9:31 AM, Rob Belics <rob at> wrote:

> The date for vuln.xml, on the server which it won't build on, is September
> 1 while the date on the other is July 25.

OK. So the July 25 system seems to not be updating the vuln.xml file and
that file is from prior to the discovery of the vulnerabilities in 1.4.2.

First, you need to find out why one system does not seem to be updating the
vuln.xml file. It should be updated by
/usr/local/etc/periodic/security/410.pkg-audit which is installed as part
of pkg. You can try running it manually (as root) to see what the problem
might be.

Second, you should drop the maintainer of go14, jlaffaye@, a request that
he update go14 to 1.4.3. It is quite likely that he is already aware of the
issue and just has not gotten it taken care of yet. the vulnerability was
first reported on Aug. 28, so it is pretty recent. It is not unlikely that
he has been on vacation at this time of the year.
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

More information about the freebsd-ports mailing list