GLSA-201904-11 : Portage: Man-in-the-middle

medium Nessus Plugin ID 123983

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-201904-11 (Portage: Man-in-the-middle)

emerge-delta-webrsync and Portage did not properly validate the revocation status of GPG keys.

Impact :

A remote attacker could conduct a man-in-the-middle attack. Please review the referenced bug for specific details.

Workaround :

There is no known workaround at this time.

Solution

All emerge-delta-webrsync users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=app-portage/emerge-delta-webrsync-3.7.4'

All Portage users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=sys-apps/portage-2.3.22'

See Also

https://security.gentoo.org/glsa/201904-11

Plugin Details

Severity: Medium

ID: 123983

File Name: gentoo_GLSA-201904-11.nasl

Version: 1.2

Type: local

Published: 4/11/2019

Updated: 8/12/2019

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:emerge-delta-webrsync, p-cpe:/a:gentoo:linux:portage, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 4/8/2019

Vulnerability Publication Date: 4/8/2019

Reference Information

GLSA: 201904-11