Date: Sun, 12 Jun 2022 22:32:15 +0200
From: "Herbert J. Skuhra"
To: questions@freebsd.org
Subject: Re: Curious Ports Behavior
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Sun, Jun 12, 2022 at 02:49:35PM -0500, Tim Daneliuk wrote:
> Two machines, one physical running on an older i5.
>
> The other is a cloud based virtual machine.
>
> Both running 13.1-STABLE as of 6/1/2022
>
> I just did a fresh clone of the ports tree on both machines before asking here.
>
> When I attempt to compile www/apache23 on the VM, I have no problems.
>
> But attempting to compile www/apach23 on the physical machine emits this:
>
> ===> apache24-2.4.54 has known vulnerabilities:
> apache24-2.4.54 is vulnerable:
> Apache httpd -- Multiple vulnerabilities
> CVE: CVE-2022-26377
> CVE: CVE-2022-28330
> CVE: CVE-2022-28614
> CVE: CVE-2022-28615
> CVE: CVE-2022-29404
> CVE: CVE-2022-30522
> CVE: CVE-2022-30556
> CVE: CVE-2022-31813
> WWW: https://vuxml.FreeBSD.org/freebsd/49adfbe5-e7d1-11ec-8fbd-d4c9ef517024.html
>
>
> IOW, the physical machine port installation stops because of known vulnerabilities,
> but the VM instance works fine.
>
> There is no evidence of "DISABLE_VULNERABILITIES" in the VM's environment or /etc/make.conf
>
>
> Can anyone suggest a reason for this difference of behavior and/or a possible remediation.
>
> I don't want servers running with high severity vulnerabilities ...

Run 'pkg audit -F' and try again.

--
Herbert
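
Added example, not part of the original message: `pkg audit -F` fetches a fresh copy of the vulnerability database before checking, so the sketch below reports whether a host's local copy is missing or stale and only then refetches. The default path /var/db/pkg/vuln.xml, the one-day threshold, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the local VuXML copy that `pkg audit` reads, then
# audit with or without a refetch. Run as `sh thisfile run` on a FreeBSD host.
# Assumptions: default database path and a freshness threshold of about a day.

VULN_DB="${VULN_DB:-/var/db/pkg/vuln.xml}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-1}"

# vuln_db_state FILE DAYS -> prints "missing", "stale" or "fresh"
vuln_db_state() {
    db=$1
    days=$2
    if [ ! -s "$db" ]; then
        # No file, or an empty one: nothing to match ports against.
        echo missing
    elif [ -n "$(find "$db" -mtime +"$days" -print)" ]; then
        # Modified more than DAYS days ago: newer advisories are absent.
        echo stale
    else
        echo fresh
    fi
}

# audit_host: print the database state, then audit installed packages,
# fetching the database first unless the local copy is fresh.
audit_host() {
    state=$(vuln_db_state "$VULN_DB" "$MAX_AGE_DAYS")
    echo "$(hostname): $VULN_DB is $state"
    case $state in
        fresh) pkg audit ;;
        *)     pkg audit -F ;;   # -F: fetch the database before checking
    esac
}

# Only touch pkg when explicitly asked to, so sourcing the file is harmless.
if [ "${1:-}" = run ]; then
    audit_host
fi
```

Running it on both machines shows at a glance whether they are auditing against the same database.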