Current stable version sys-apps/acl-2.2.47 has a critical bug in symlink handling. This leads to infinite loops and security problems.
See bug #265425 for info.
So please stabilize version 2.2.47-r1, which has contained this fix for half a year now.
base-system, are you okay with stabilization?
Also, acl has a new home and version 2.2.49:
The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
running in recursive (-R) mode, follow symbolic links even when the
--physical (aka -P) or -L option is specified, which might allow
local users to modify the ACL for arbitrary files or directories via
a symlink attack.
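The difference between a physical and a logical recursive walk, as an added example that is not part of the original bug report and is not acl's code: it models which paths a recursive ACL change would reach in each mode, and shows the inode check that stops a symlink loop. The function names and the sample directory layout are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

def walk_targets(root, follow_symlinks):
    """Real paths a recursive ACL change rooted at `root` would touch (model)."""
    touched, seen, stack = [], set(), [root]
    while stack:
        path = stack.pop()
        if os.path.islink(path) and not follow_symlinks:
            continue                      # physical walk: skip every symlink
        try:
            st = os.stat(path)            # dereferences links (logical walk)
        except OSError:
            continue                      # dangling link or vanished entry
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue                      # already visited: breaks symlink loops
        seen.add(key)
        touched.append(os.path.realpath(path))
        if stat.S_ISDIR(st.st_mode):
            stack.extend(os.path.join(path, n) for n in sorted(os.listdir(path)))
    return touched

def escapes(root, touched):
    """Touched paths that lie outside the tree the operator named."""
    base = os.path.realpath(root)
    return sorted(p for p in touched if os.path.commonpath([base, p]) != base)

def build_demo(tmp):
    """Constructed sample layout: tree/ holds a link out of the tree and a loop."""
    tree, outside = os.path.join(tmp, "tree"), os.path.join(tmp, "outside")
    os.makedirs(os.path.join(tree, "sub"))
    os.makedirs(outside)
    open(os.path.join(tree, "sub", "file"), "w").close()
    open(os.path.join(outside, "private"), "w").close()
    os.symlink(outside, os.path.join(tree, "sub", "out"))   # leaves the tree
    os.symlink(tree, os.path.join(tree, "sub", "loop"))     # points back at root
    return tree, outside

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        tree, outside = build_demo(tmp)
        physical = escapes(tree, walk_targets(tree, follow_symlinks=False))
        logical = escapes(tree, walk_targets(tree, follow_symlinks=True))
        rel = lambda ps: [os.path.relpath(p, os.path.realpath(tmp)) for p in ps]
        return rel(physical), rel(logical)

if __name__ == "__main__":
    print(demo())
```

Running `escapes()` over a tree before a recursive ACL change lists what a walk that follows links would reach outside it.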
some people seem to think the symlink fix didn't work completely in 2.2.47-r1 (see the referenced bug report)
at any rate, 2.2.49 is in the tree now
Archs, please stabilize 2.2.49, targets:
alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Stable for HPPA.
ppc and ppc64 done
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in
GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).