glsa-check -l includes 201412-39 and re-checking with glsa-check -p 201412-39 reports that No upgrade path exists for dev-libs/openssl-0.9.8z_p3 although the glsa says <unaffected range="rge">0.9.8z_p2</unaffected> Both app-portage/gentoolkit-0.3.0.9-r2 and older app-portage/gentoolkit-0.3.0.7 are doing it. I think that some even older wasn't but I'm not sure. Reproducible: Always Steps to Reproduce: 1. emerge openssl 2. emerge =openssl-0* 3. glsa-check -p 201412-39 Actual Results: Checking GLSA 201412-39 >>> No upgrade path exists for these packages: dev-libs/openssl-0.9.8z_p3 Expected Results: Checking GLSA 201412-39 >>> no vulnerable packages installed Portage 2.2.14 (python 2.7.7-final-0, hardened/linux/x86, gcc-4.6.3, glibc-2.11.2-r3, 2.6.32-22-generic i686) ================================================================= System uname: Linux-2.6.32-22-generic-i686-AMD_Athlon-tm-_64_Processor_3500+-with-gentoo-2.2 KiB Mem: 993028 total, 86392 free KiB Swap: 1048568 total, 938552 free Timestamp of tree: Tue, 06 Jan 2015 22:45:01 +0000 ld GNU ld (GNU Binutils) 2.20.1.20100303 distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] app-shells/bash: 4.2_p53 dev-java/java-config: 1.3.7::<unknown repository>, 2.1.12-r1 dev-lang/perl: 5.18.2-r2 dev-lang/python: 2.6.8-r3, 2.7.7 dev-util/cmake: 2.8.12.2-r1 dev-util/pkgconfig: 0.28-r1 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.11.8 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.13::<unknown repository>, 2.69 sys-devel/automake: 1.4_p6-r1, 1.5-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.6, 1.12.6, 1.13.4 sys-devel/binutils: 2.16.1-r3::<unknown repository>, 2.18-r3, 2.20.1-r1 sys-devel/gcc: 2.95.3-r8::<unknown repository>, 3.4.6-r2, 4.3.4, 4.6.3 sys-devel/gcc-config: 1.7.3 sys-devel/libtool: 1.4.3-r4::<unknown repository>, 2.4.2 sys-devel/make: 3.82-r4 sys-kernel/linux-headers: 3.2-r1 (virtual/os-headers) sys-libs/glibc: 2.11.2-r3 Repositories: gentoo voip sunrise x-portage ACCEPT_KEYWORDS="x86" ACCEPT_LICENSE="* -@EULA skype-eula" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -mtune=athlon -march=i686 -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/config /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O2 -mtune=athlon -march=i686 -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FCFLAGS="-march=i686 -O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-march=i686 -O2 -pipe" GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/ http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/voip /usr/portage/local/layman/sunrise /usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="3dnow 3dnowex 3dnowext X Xaw3d a52 aalib acl apache2 apm avi berkdb bittorrent bzip2 caps cdr cli cracklib crypt curl cxx dga divx4linux djvu doc dri dvd dvdread encode erandom esd flac fpx gcj gd gdbm ggi gif gnutls gpm graphviz gtk hardened iconv idea imagemagick imlib innodb ipv6 java javascript jbig jpeg lcms lesstif libcaca libwww live logrotate loop-aes lua lzo mad mailwrapper mbox mcal memlimit mikmod mmx mng modules motif mozilla mpeg multislot mysql ncurses network nls nptl oggvorbis old-linux openal openmp oss pam pax_kernel pcre pdflib perl pic png postscript python qt quicktime readline real samba sdl session snmp spell sqlite sse sse2 ssl tcpd tetex theora tiff truetype unicode urandom usb userlocales vhosts videos wav wmf x264 x86 xattr xgetdefault xml xosd xtpax xv xvid zlib" ABI_X86="32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="access auth auth_dbm auth_anon auth_basic auth_digest authz_host authz_default authz_user alias file-cache echo charset-lite cache disk-cache mem-cache ext-filter case_filter case-filter-in deflate mime-magic cern-meta expires headers usertrack unique-id proxy proxy-connect proxy-ftp proxy-http info include cgi cgid dav dav-fs vhost-alias speling rewrite log_config logio env setenvif mime status autoindex asis negotiation dir imap actions userdir so mem_cache mime_magic vhost_alias filter" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LIRC_DEVICES="audio audio_alsa avermedia avermedia98 dsp" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python2_6" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="nv vesa r128 fbdev" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" USE_PYTHON="2.6 2.7" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
I think I'm running into the same problem, being told that I'm hitting a GLSA security issue where I think I'm not: The GLSA says: Vulnerable: <1.0.1j Unaffected: >=1.0.1j, >=~0.9.8z_p2 Installed are 0.9.8z_p5 and 1.0.2-r1 [I] dev-libs/openssl Available versions: (0.9.8) 0.9.8z_p1-r2 0.9.8z_p2 0.9.8z_p3{tbz2} 0.9.8z_p4{tbz2} (~)0.9.8z_p5{tbz2} (0) (~)1.0.0q 1.0.1j{tbz2} 1.0.1k{tbz2} (~)1.0.1l{tbz2} (~)1.0.2-r1{tbz2} {bindist gmp kerberos rfc3779 sctp static-libs test +tls-heartbeat vanilla zlib ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32" CPU_FLAGS_X86="sse2"} Installed versions: 0.9.8z_p5(0.9.8){tbz2}(06:38:22 PM 02/11/2015)(zlib -bindist -gmp -kerberos -test ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="32 64 -x32" CPU_FLAGS_X86="sse2") 1.0.2-r1{tbz2}(06:51:54 PM 02/11/2015)(tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -sctp -static-libs -test -vanilla ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="32 64 -x32" CPU_FLAGS_X86="sse2") Homepage: http://www.openssl.org/ Description: full-strength general purpose cryptography library (including SSL and TLS)
*** This bug has been marked as a duplicate of bug 533702 ***