On the system I've installed the following packages:
- dev-lang/php-4.4.8_pre20070816
- dev-lang/php-5.2.6_rc1-r1

But now I have the problem that the following GLSAs are detected (see additional information). But, for example, for GLSA '200610-14' [1], no version I've installed is vulnerable. I'm not sure, but I think the problem is that the file '/usr/portage/metadata/glsa/glsa-200610-14.xml' is missing an:

    <unaffected range="rge">4.4.8_pre20070816</unaffected>

[1] http://www.gentoo.org/security/en/glsa/glsa-200610-14.xml

Reproducible: Always

Steps to Reproduce:
1. Unmask (I know it's bad :P) dev-lang/php-4.4.8_pre20070816
2. Install php version 4.4.8_pre20070816 and 5.2.6_rc1-r1
3. Run glsa-check

    glsa-check -t affected 2>/dev/null | xargs glsa-check -p

Actual Results:
Display the GLSAs, see the additional information.

    Checking GLSA 200610-14
    The following updates will be performed for this GLSA:
         dev-lang/php-5.2.5-r1 (5.2.6_rc1-r1)

    Checking GLSA 200608-28
    The following updates will be performed for this GLSA:
         dev-lang/php-5.2.5-r1 (5.2.6_rc1-r1)

    Checking GLSA 200703-21
    The following updates will be performed for this GLSA:
         dev-lang/php-5.2.5-r1 (5.2.6_rc1-r1)

    Checking GLSA 200705-19
    The following updates will be performed for this GLSA:
         dev-lang/php-5.2.5-r1 (5.2.6_rc1-r1)
I strongly advise you to upgrade to the latest version of php available in Gentoo, currently dev-lang/php-5.2.6_rc3. The 4 major of PHP is neither supported upstream nor by us anymore. However, you are right in that these GLSAs do not affect the 4.4.8 version you are using. I fixed that in CVS, please emerge --sync and retry.
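
A simplified model of the false positive discussed in this report, added here as an illustration (not glsa-check's own code and not part of the original thread). It assumes a reduced Gentoo version grammar and a constructed GLSA fragment whose ranges are illustrative; the helper names `parse`, `matches` and `affected` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Simplified Gentoo version model: dotted numbers, one optional _suffix, optional -rN.
SUFFIX = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}
VER = re.compile(r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")

def parse(version):
    """Return (upstream_key, revision) for a version string."""
    m = VER.match(version.strip())
    if not m:
        raise ValueError("unsupported version: %r" % version)
    nums, suffix, suffix_num, rev = m.groups()
    upstream = (tuple(int(n) for n in nums.split(".")), SUFFIX[suffix], int(suffix_num or 0))
    return upstream, int(rev or 0)

def matches(installed, op, bound):
    """Evaluate one GLSA range operator against an installed version."""
    (i_up, i_rev), (b_up, b_rev) = parse(installed), parse(bound)
    if op.startswith("r"):  # rge/rgt/rle/rlt: same upstream version, compare revisions only
        if i_up != b_up:
            return False
        a, b, op = i_rev, b_rev, op[1:]
    else:
        a, b = (i_up, i_rev), (b_up, b_rev)
    return {"lt": a < b, "le": a <= b, "eq": a == b, "gt": a > b, "ge": a >= b}[op]

def affected(glsa_xml, package, installed):
    """Installed versions that hit a <vulnerable> range and no <unaffected> range."""
    flagged = []
    for pkg in ET.fromstring(glsa_xml).iter("package"):
        if pkg.get("name") != package:
            continue
        for ver in installed:
            hit = lambda tag: any(matches(ver, e.get("range"), e.text) for e in pkg.findall(tag))
            if hit("vulnerable") and not hit("unaffected"):
                flagged.append(ver)
    return flagged

# Constructed GLSA fragment; the ranges are illustrative, not those of GLSA 200610-14.
GLSA = """<glsa id="EXAMPLE"><affected><package name="dev-lang/php" auto="yes" arch="*">
  <unaffected range="rge">4.4.0-r1</unaffected>
  <unaffected range="ge">5.2.0</unaffected>
  <vulnerable range="lt">5.2.0</vulnerable>
</package></affected></glsa>"""
# Same fragment with the entry proposed in the report added.
FIXED = GLSA.replace("<vulnerable", '<unaffected range="rge">4.4.8_pre20070816</unaffected>\n  <vulnerable', 1)
INSTALLED = ["4.4.8_pre20070816", "5.2.6_rc1-r1"]  # versions from the report

if __name__ == "__main__":
    print("before:", affected(GLSA, "dev-lang/php", INSTALLED))
    print("after: ", affected(FIXED, "dev-lang/php", INSTALLED))
```

Because `rge` only matches the same upstream version at an equal or higher revision, an entry for an older PHP 4 release does not cover a later 4.4.x snapshot, which then falls under the broad `lt` vulnerable range.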