PYSEC-2024-10

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/portage/PYSEC-2024-10.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2024-10

Aliases

Published

2024-01-12T03:15:00Z

Modified

2024-08-30T23:57:56.740609Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.

References

Affected packages

PyPI / portage

Package

Name: portage; View open source insights on deps.dev
Purl: pkg:pypi/portage

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.47

Affected versions

3.*

3.0.18

3.0.19

3.0.20

3.0.21

3.0.22

3.0.23

3.0.24

3.0.25

3.0.26

3.0.27

3.0.28

3.0.29

3.0.30

3.0.31

3.0.32

3.0.33

3.0.34

3.0.35

3.0.36

3.0.37

3.0.38

3.0.38.1

3.0.39

3.0.40

3.0.41

3.0.42

3.0.43

3.0.44

3.0.45

3.0.45.1

3.0.45.2

3.0.45.3

3.0.46

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/portage/PYSEC-2024-10.yaml"