CVE-2018-20685 (https://nvd.nist.gov/vuln/detail/CVE-2018-20685): In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45084b9a615f719976434938be717dfde3075133
Since R2 is gone from the tree and R4 is going through stabilization under 675522, making this bug dependent.
This issue was resolved and addressed in GLSA 201903-16 at https://security.gentoo.org/glsa/201903-16 by GLSA coordinator Aaron Bauman (b-man).