Portage
This hub aggregates every CVE we track for Portage, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 7
- Critical: 2
- High: 1
- In CISA KEV: 0
Severity distribution
- MEDIUM: 3
- CRITICAL: 2
- LOW: 1
- HIGH: 1
Monthly trend (chart covering 2024-07 to 2026-06)
Latest CVEs
The 7 most recently published vulnerabilities affecting Portage.
- CVE-2016-20021: In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge... (Score: 9.8)
- CVE-2019-20384: Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is... (Score: 5.5)
- CVE-2004-2778: Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which allows local users to read or write to restricted directories or execute restricted co... (Score: 7.1)
- CVE-2013-2100: The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spo... (Score: 9.3)
- CVE-2008-4394: Multiple untrusted search path vulnerabilities in Portage before 2.1.4.5 include the current working directory in the Python search path, which allows local users to execute arbitrary code via a mo... (Score: 6.9)
- CVE-2007-6249: etc-update in Portage before 2.1.3.11 on Gentoo Linux relies on the umask to set permissions for the merge file, often resulting in permissions weaker than those of the original files, which might ... (Score: 2.1)
- CVE-2004-1901: Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. (Score: 5.5)
Product normalization is registry-driven with AI assist and human review.