In the GLSAs, e.g. https://security.gentoo.org/glsa/201709-01 there's always a link to the CVE. It currently links to the HTTP version of the CVE page. This should be changed to HTTPS.
Old links converted: https://gitweb.gentoo.org/data/glsa.git/commit/?id=612f47deca97e8d7ffc2100c1dbc82a602abdf39 We will keep this bug open until we have pushed a fix to GLSAmaker to produce HTTPS link only.
This done for a while, GLSAmaker changes are live.