Portage is the default Gentoo package management system.
Multiple vulnerabilities have been discovered in Portage. Please review the CVE identifiers referenced below for details.
When the webrsync mechanism is used to sync the tree, the PGP signatures that protect the integrity of the data in the tree are not verified. This allows a man-in-the-middle attacker to inject arbitrary content into the tree.
There is no known workaround at this time.
All Portage users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-3.0.47"
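
A triage check for the condition described above (a repository synced with webrsync on a Portage older than 3.0.47), added here as an example and not part of the advisory or of Portage itself. The function names are hypothetical, the version comparison is a simplification of Portage's own rules, and the repos.conf content is constructed sample data.

```python
import configparser
import re

FIXED = (3, 0, 47)  # first fixed sys-apps/portage version named in the advisory
PRE_RELEASE = ("_alpha", "_beta", "_pre", "_rc")

# Constructed sample of /etc/portage/repos.conf content (not from a real host).
SAMPLE_REPOS_CONF = """
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = webrsync

[overlay]
location = /var/db/repos/overlay
sync-type = git
sync-uri = https://example.invalid/overlay.git
"""

def is_patched(version):
    """True if a portage version string is >= 3.0.47.

    Simplified (assumption): dotted integers are compared numerically and a
    pre-release suffix on exactly 3.0.47 counts as older than the release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    width = max(len(nums), len(FIXED))
    nums += (0,) * (width - len(nums))
    fixed = FIXED + (0,) * (width - len(FIXED))
    if nums != fixed:
        return nums > fixed
    return not m.group(2).startswith(PRE_RELEASE)

def webrsync_repos(repos_conf_text):
    """Names of repositories whose sync-type is webrsync ([DEFAULT] is inherited)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repos_conf_text)
    return [name for name in parser.sections()
            if parser.get(name, "sync-type", fallback="").strip() == "webrsync"]

def exposed_repos(version, repos_conf_text):
    """Repositories synced without signature verification on this host."""
    return [] if is_patched(version) else webrsync_repos(repos_conf_text)
```

The check only sees repositories configured with `sync-type = webrsync`; a webrsync sync started by hand leaves no trace in repos.conf, so upgrade regardless of the result.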