lang/go security problem on one but not the other

Julien Laffaye jlaffaye at
Wed Sep 2 21:43:21 UTC 2015

On 9/2/2015 9:49 PM, Kevin Oberman wrote:
> On Wed, Sep 2, 2015 at 9:31 AM, Rob Belics <rob at> wrote:
>> The date for vuln.xml, on the server which it won't build on, is September
>> 1 while the date on the other is July 25.
> OK. So the July 25 system seems to not be updating the vuln.xml file and
> that file is from prior to the discovery of the vulnerabilities in 1.4.2.
> First, you need to find out why one system does not seem to be updating the
> vuln.xml file. It should be updated by
> /usr/local/etc/periodic/security/410.pkg-audit which is installed as part
> of pkg. You can try running it manually (as root) to see what the problem
> might be.
> Second, you should drop the maintainer of go14, jlaffaye@, a request that
> he update go14 to 1.4.3. It is quite likely that he is already aware of the
> issue and just has not gotten it taken care of yet. the vulnerability was
> first reported on Aug. 28, so it is pretty recent. It is not unlikely that
> he has been on vacation at this time of the year.

There is no such release as 1.4.3.
And it is unclear if the Go team would release one as 1.5 is out (they 
dont support old branches).

lang/go14 is only in the PT to bootstrap lang/go, so refusing to build 
this port because it has security issues in the net package is kind of 

> --
> Kevin Oberman, Network Engineer, Retired
> E-mail: rkoberman at
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
> _______________________________________________
> freebsd-ports at mailing list
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at"

More information about the freebsd-ports mailing list