A vulnerability has been discovered in Portage, where PGP signatures would not be verified.
| Package | sys-apps/portage on all architectures |
|---|---|
| Affected versions | < 3.0.47 |
| Unaffected versions | >= 3.0.47 |
Portage is the default Gentoo package management system.
Multiple vulnerabilities have been discovered in Portage. Please review the CVE identifiers referenced below for details.
When the webrsync mechanism was used to sync the tree, the PGP signatures that protect the integrity of the data in the tree were not verified. This would allow a man-in-the-middle attacker to inject arbitrary content into the tree.
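The following shell script is an added example, not Portage's own code, showing the kind of fail-closed check that a webrsync-style fetch must perform before a snapshot tarball is unpacked: the detached PGP signature is verified against a pinned keyring, and any missing file, missing gpg binary or failed verification aborts the unpack. The paths (`KEYRING`, the snapshot and signature arguments) and the `.gpgsig` suffix are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not Portage's own code): verify a detached PGP signature on a
# snapshot tarball before extracting it, failing closed on every error path.
# Assumed: $KEYRING points at a keyring containing only the trusted release keys.

verify_snapshot() {
    snapshot="$1"
    signature="$2"
    keyring="${KEYRING:-/tmp/gentoo-release-keys.gpg}"  # assumed location

    # Fail closed: a missing tarball or signature is never treated as verified.
    [ -f "$snapshot" ]  || { echo "missing snapshot: $snapshot" >&2; return 1; }
    [ -f "$signature" ] || { echo "missing signature: $signature" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }

    # --no-default-keyring plus --keyring restricts trust to the pinned key set,
    # so a signature from any other key is rejected.
    if ! gpg --batch --no-default-keyring --keyring "$keyring" \
             --verify "$signature" "$snapshot" >/dev/null 2>&1; then
        echo "signature verification FAILED for $snapshot" >&2
        return 1
    fi
    return 0
}

# Only unpack after the signature check has succeeded.
unpack_verified_snapshot() {
    snapshot="$1"
    signature="$2"
    destdir="${3:-.}"
    verify_snapshot "$snapshot" "$signature" || return 1
    tar -xf "$snapshot" -C "$destdir"
}

# Usage (assumed file names):
#   KEYRING=/path/to/release-keys.gpg \
#   unpack_verified_snapshot portage-latest.tar.xz portage-latest.tar.xz.gpgsig /var/db/repos
```

The important property is the order of operations: nothing is extracted until `verify_snapshot` returns success, and every error path returns non-zero, so a tampered or unsigned tarball obtained over an untrusted network is never written into the tree.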
There is no known workaround at this time.
All Portage users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-3.0.47"
Release date: September 22, 2024
Latest revision: September 22, 2024: 1
Severity: normal
Exploitable: local
Bugzilla entries