CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Jan 2024 — In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable. A vulnerability has been discovered in Portage, where PGP signatures would not be v... • https://bugs.gentoo.org/597800 • CWE-347: Improper Verification of Cryptographic Signature

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

20 Jan 2020 — Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners. • http://www.openwall.com/lists/oss-security/2020/01/21/1 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

29 Sep 2014 — The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate. • http://openwall.com/lists/oss-security/2013/05/15/5 • CWE-310: Cryptographic Issues