See the tracker bug.

    if [[ ${REPLACING_VERSIONS} < 1.1 ]]; then

Doesn't account for >1 value in RV. Furthermore, uses lexicographical string comparison on numbers.
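The two problems named in the comment above, shown side by side as an added example (not code from the bug report or the ebuild). The helpers `naive_check`, `ver_lt` and `any_replaced_lt` are hypothetical, the sample values are constructed, and `ver_lt` handles plain dotted numeric versions only, not the full Gentoo version syntax.

```bash
#!/bin/bash
# Added example; helper names are hypothetical and sample inputs are constructed.
export LC_ALL=C   # keep the [[ < ]] string collation deterministic

# The reported pattern: one string comparison over the whole variable.
naive_check() {   # $1 = REPLACING_VERSIONS value, $2 = threshold
    [[ $1 < $2 ]]
}

# Numeric, component-wise "a < b" for plain dotted versions.
# Simplification: missing components count as 0 and suffixes such as _rc1
# or -r1 are not handled. A real ebuild would use the package manager's
# own helper (ver_test in EAPI 7 and later).
ver_lt() {
    local -a a b
    local i n x y
    IFS=. read -ra a <<< "$1"
    IFS=. read -ra b <<< "$2"
    n=$(( ${#a[@]} > ${#b[@]} ? ${#a[@]} : ${#b[@]} ))
    for (( i = 0; i < n; i++ )); do
        x=${a[i]:-0} y=${b[i]:-0}
        (( 10#$x < 10#$y )) && return 0
        (( 10#$x > 10#$y )) && return 1
    done
    return 1   # equal is not "less than"
}

# REPLACING_VERSIONS is a whitespace-separated list: test every entry.
any_replaced_lt() {   # $1 = list, $2 = threshold
    local v
    for v in $1; do
        ver_lt "$v" "$2" && return 0
    done
    return 1
}

# Print both verdicts for a few constructed inputs.
report() {
    local naive=no fixed=no
    naive_check "$1" "$2" && naive=yes
    any_replaced_lt "$1" "$2" && fixed=yes
    printf 'replacing="%s" threshold=%s  string-compare=%s  per-version=%s\n' \
        "$1" "$2" "$naive" "$fixed"
}
report "1.2 1.0" 1.1   # two installed slots: the string compare misses 1.0
report "2.10" 2.9      # lexicographic order puts 2.10 before 2.9
report "1.2 1.3" 1.1   # nothing older than 1.1 is being replaced
```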
Old elog messages deleted. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=105f1116a8bababc99cd1afb437c3df7b1df4ef1
CVE-2016-6354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6354): Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.