url says it all. do we need to do anything other than issue an advisory, or are there PAM thingies which need to be done?
URL Specifies versions prior to 3.4, which have all been removed (by me) from the portage tree. It also specifies that it can gain the privledges of the daemon user which is the unpriveledged sshd user since 3.3 on our system. We are safe.