rsync is a server and client utility that provides fast incremental file transfers. It is used to efficiently synchronize files between hosts and is used by emerge to fetch Gentoo's Portage tree.
Multiple vulnerabilities have been discovered in rsync. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All rsync users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.3.0-r2"

GIMP is the GNU Image Manipulation Program. XCF is the native image file format used by GIMP.
Multiple vulnerabilities have been discovered in GIMP. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All GIMP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/gimp-2.10.36"

pip is a tool for installing and managing Python packages.
Multiple vulnerabilities have been discovered in pip. Please review the CVE identifiers referenced below for details.
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+..."), the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
There is no known workaround at this time.
All pip users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/pip-23.3"

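The pip advisory above describes a revision string being read by hg as an option. The following added example (not pip's code) audits requirement lines for option-like Mercurial revisions and builds an "hg clone" argument list that refuses them. The function names, the example.org URLs and the sample lines are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def split_hg_requirement(req):
    """Split 'hg+<url>[@<rev>][#egg=...]' into (repo_url, rev or None)."""
    if not req.startswith("hg+"):
        raise ValueError("not a Mercurial VCS requirement")
    parts = urlsplit(req[3:])
    path, sep, rev = parts.path.rpartition("@")
    if not sep:                      # no '@<rev>' suffix on the path
        path, rev = parts.path, None
    return parts._replace(path=path, fragment="").geturl(), rev

def rev_is_safe(rev):
    """A revision must never be readable by hg as a command-line option."""
    return bool(rev) and not rev.startswith("-") and not any(c.isspace() for c in rev)

def hg_clone_argv(repo, rev, dest):
    """Build the argv list for 'hg clone', refusing option-like revisions."""
    if not rev_is_safe(rev):
        raise ValueError(f"refusing option-like Mercurial revision: {rev!r}")
    # '--rev=<value>' binds the value to the option instead of leaving it
    # as a separate argv element that hg would parse on its own.
    return ["hg", "clone", "--noupdate", "--quiet", f"--rev={rev}", repo, dest]

def audit_requirements(lines):
    """Return the hg+ requirement lines whose revision starts like an option."""
    flagged = []
    for line in (l.strip() for l in lines):
        if line.startswith("hg+"):
            _, rev = split_hg_requirement(line)
            if rev is not None and not rev_is_safe(rev):
                flagged.append(line)
    return flagged

# Constructed sample input: hosts and the config value are placeholders.
SAMPLE = [
    "requests==2.31.0",
    "hg+https://hg.example.org/proj@v1.2.0#egg=proj",
    "hg+https://hg.example.org/proj@--config=section.key=value#egg=proj",
    "hg+https://hg.example.org/other#egg=other",
]

if __name__ == "__main__":
    for line in audit_requirements(SAMPLE):
        print("suspicious Mercurial revision:", line)
```
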
Yubico pam-u2f is a PAM module for FIDO2 and U2F keys.
Multiple vulnerabilities have been discovered in Yubico pam-u2f. Please review the CVE identifiers referenced below for details.
Depending on specific settings and usage scenarios, the result of the pam-u2f module may be altered or ignored.
There is no known workaround at this time.
All Yubico pam-u2f users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-auth/pam_u2f-1.3.2"

libuv is a multi-platform support library with a focus on asynchronous I/O.
Multiple vulnerabilities have been discovered in libuv. Please review the CVE identifiers referenced below for details.
The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks.
There is no known workaround at this time.
All libuv users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"

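The libuv advisory above turns on a check made against one hostname string while a truncated or numeric form is what gets resolved. The following added example is a caller-side guard an application can run before any allow-list decision. It is not libuv code, and `validate_hostname`, `looks_numeric` and the suffix allow-list are hypothetical names.

```python
import re

# Longest valid DNS name in presentation form; below the 256-character
# truncation point named in the advisory, so nothing accepted here is cut.
MAX_NAME = 253

# One component of an inet_aton-style IPv4 literal: hex, octal or decimal.
_NUMERIC_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")
_LABEL = re.compile(r"[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?")

def looks_numeric(host):
    """True if host has the shape of an IPv4 literal in dotted, hex, octal
    or single-integer form (for example 0x00007f000001)."""
    parts = host.split(".")
    return 1 <= len(parts) <= 4 and all(_NUMERIC_PART.fullmatch(p) for p in parts)

def validate_hostname(host, allowed_suffixes):
    """Return the normalized name if it may be handed to a resolver,
    otherwise raise ValueError. Numeric forms are rejected before the
    allow-list is consulted, so the check and the lookup see the same name."""
    name = host.rstrip(".").lower()
    if not name or not name.isascii():
        raise ValueError("empty or non-ASCII hostname")
    if len(name) > MAX_NAME:
        raise ValueError("hostname longer than 253 characters")
    if looks_numeric(name):
        raise ValueError("numeric address form, not a hostname")
    if not all(_LABEL.fullmatch(label) for label in name.split(".")):
        raise ValueError("malformed DNS label")
    if not any(name == s or name.endswith("." + s) for s in allowed_suffixes):
        raise ValueError("hostname outside the allow-list")
    return name

if __name__ == "__main__":
    # Constructed inputs; example.com is a placeholder allow-list entry.
    for candidate in ["API.Example.com.", "0x00007f000001", "a" * 300 + ".example.com"]:
        try:
            print("ok:", validate_hostname(candidate, ["example.com"]))
        except ValueError as err:
            print("rejected:", err)
```
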
Ghostscript is an interpreter for the PostScript language and for PDF.
Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All GPL Ghostscript users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.04.0"

The GNOME Structured File Library is an I/O library that can read and write common file types and handle structured formats that provide file-system-in-a-file semantics.
Multiple vulnerabilities have been discovered in libgsf. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All libgsf users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gnome-extra/libgsf-1.14.53"

Qt is a cross-platform application development framework.
When given specifically crafted data, QXmlStreamReader can cause a buffer overflow and subsequently a crash or freeze, or run out of memory on recursive entity expansion, with DTD tokens in the XML body.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Qt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.15.10-r1"
  # emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.5.2"

QtWebEngine is a library for rendering dynamic web content in Qt5 and Qt6 C++ and QML applications.
Multiple vulnerabilities have been discovered in QtWebEngine. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.16_p20241115"

Mozilla Firefox is a popular open-source web browser from the Mozilla project.
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Mozilla Firefox users should upgrade to the latest version in their release channel:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-134.0:rapid"
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-128.6.0:esr"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-134.0:rapid"
  # emerge --ask --oneshot --verbose ">=www-client/firefox-128.6.0:esr"

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All PHP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.2.24:8.2"
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.3.12:8.3"

Gentoo has discontinued support for PHP 8.1:

  # emerge --ask --verbose --depclean "dev-lang/php:8.1"