Gentoo · Gentoo Portage · CVE-2016-20021
**Name of the Vulnerable Software and Affected Versions**
Gentoo Portage versions prior to 3.0.47
**Description**
The issue concerns missing PGP validation of executed code. Specifically, the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. This issue does not affect Portage unless emerge-webrsync is used.
**Recommendations**
For Gentoo Portage versions prior to 3.0.47, update to version 3.0.47 or later to resolve the issue. As a temporary workaround, consider avoiding the use of emerge-webrsync until a patch is applied.