Ebuilds that are vulnerable to security issues should be removed from the tree when newer versions are stable that are not vulnerable. Maintainers are encouraged to remove ebuilds as soon as fixed ebuilds do not have any keyword regressions and it has been found that they do not introduce severe bugs. Please mark all ebuild removal requests as a blocker of this bug if it was found that an ebuild has not been removed after a reasonable timeframe.
Remaining status (open bugs):
bug 271708: please review, no vuln versions in tree with referenced GLSA.
bug 271712: removed stabled keywords, left ~x86-fbsd
bug 271746: keyword req filed, one vuln version in tree still.
bug 271755: keyword req filed
no open bugs left, for now
This is a part of the standard Gentoo Security workflow now [0]. Trackers are used for multiple packages that are affected by a single CVE.
[0]: https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide