vulnerability

Gentoo Linux: CVE-2016-20021: Portage: Unverified PGP Signatures

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Jan 12, 2024	Sep 23, 2024	Aug 13, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Jan 12, 2024

Added

Sep 23, 2024

Modified

Aug 13, 2025

Description

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.

Solution

gentoo-linux-upgrade-sys-apps-portage

References

CVE-2016-20021
https://attackerkb.com/topics/CVE-2016-20021
CWE-347
GENTOO-202409-01

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today