CVE-2016-20021 Information

Description

In Gentoo Portage before 3.0.47 there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification.

Reference

https://wiki.gentoo.org/wiki/Portage https://gitweb.gentoo.org/proj/portage.git/tree/NEWS https://bugs.gentoo.org/597800