Date:      Sun, 12 Jun 2022 15:29:22 -0500
From:      Tim Daneliuk <tundra@tundraware.com>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Curious Ports Behavior
Message-ID:  <65f8e318-3a03-3983-0fad-b9072dd62312@tundraware.com>
In-Reply-To: <e06cf4d2-4711-ec12-0a36-19243f6c1591@tundraware.com>
References:  <e06cf4d2-4711-ec12-0a36-19243f6c1591@tundraware.com>

On 6/12/22 14:49, Tim Daneliuk wrote:
> Two machines, one physical running on an older i5.
> 
> The other is a cloud based virtual machine.
> 
> Both running 13.1-STABLE as of 6/1/2022
> 
> I just did a fresh clone of the ports tree on both machines before asking here.
> 
> When I attempt to compile www/apache23 on the VM, I have no problems.
> 
> But attempting to compile www/apache23 on the physical machine emits this:
> 
> ===>  apache24-2.4.54 has known vulnerabilities:
> apache24-2.4.54 is vulnerable:
>    Apache httpd -- Multiple vulnerabilities
>    CVE: CVE-2022-26377
>    CVE: CVE-2022-28330
>    CVE: CVE-2022-28614
>    CVE: CVE-2022-28615
>    CVE: CVE-2022-29404
>    CVE: CVE-2022-30522
>    CVE: CVE-2022-30556
>    CVE: CVE-2022-31813
>    WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html
> 
> 
> IOW, the physical machine port installation stops because of known vulnerabilities,
> but the VM instance works fine.
> 
> There is no evidence of "DISABLE_VULNERABILITIES" in the VM's environment or /etc/make.conf
> 
> 
> Can anyone suggest a reason for this difference of behavior and/or a possible remediation?
> 
> I don't want servers running with high severity vulnerabilities ...
> 


According to this, only versions prior to 2.4.54 have these vulnerabilities, but that's the
version I am trying to install on the physical machine - and it's refusing to compile
and install claiming the CVEs apply.

I've resorted to using DISABLE_VULNERABILITIES thinking that maybe there is some
cruft left behind, to force the upgrade from 2.4.53_2 to 2.4.54.  That worked, but
just for fun, I tried another make in www/apache24 and STILL get this warning.

This is very strange ...



-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/


