Gentoo security

Security in Gentoo Linux

Security is a primary focus of Gentoo Linux, and ensuring the confidentiality and security of our users' machines is of utmost importance to us. The Security Project is tasked with providing timely information about security vulnerabilities in Gentoo Linux, along with patches to fix those vulnerabilities. We work directly with vendors, end users, and other OSS projects to ensure all security incidents are responded to quickly and professionally.

Documentation describing security team vulnerability treatment can be found in our Vulnerability Treatment Policy.

Installing a secure Gentoo system

The Gentoo Security Handbook gives information and tips for building a secure system and hardening existing systems.

Keeping Gentoo secure

Community members who wish to stay up-to-date with the security fixes should subscribe to GLSAs and apply GLSA instructions whenever an affected package is installed. Alternatively, regularly syncing the Gentoo ebuild repository and upgrading every package should also keep the system up-to-date security-wise.

The glsa-check tool can be used to:

  • Check if a specific GLSA applies to a system (-p option).
  • List all GLSAs with applied/affected/unaffected status (-l option).
  • Apply a given GLSA to a system (-f option).

Gentoo Linux Security Announcements (GLSAs)

Gentoo Linux Security Announcements are notifications that we send out to the community to inform them of security vulnerabilities related to Gentoo Linux or the packages contained in the Gentoo ebuild repository.

Recent advisories

GLSA ID        Title                                  Severity
GLSA 202403-03 UltraJSON: Multiple Vulnerabilities    normal
GLSA 202403-02 Blender: Multiple Vulnerabilities      normal
GLSA 202403-01 Tox: Remote Code Execution             normal
GLSA 202402-33 PyYAML: Arbitrary Code Execution       normal
GLSA 202402-32 btrbk: Remote Code Execution           normal

For a full list of all published GLSAs, please see our GLSA index page.

How to receive GLSAs

GLSA announcements are sent to the gentoo-announce@gentoo.org mailing list and are published via RSS and Atom feeds.

Security team contact information

Gentoo Linux takes security vulnerability reports very seriously. Please file new vulnerability reports on Gentoo Bugzilla and assign them to the Gentoo Security product and Vulnerabilities component. The Gentoo Linux Security Team will ensure all security-related bug reports are responded to in a timely fashion.

If errors or omissions are found in published GLSAs, please file a bug in Gentoo Bugzilla in the Gentoo Security product, with the GLSA Errors component.


Confidential contacts

You have two options for submitting non-public vulnerabilities to the security team. You may file a bug in Gentoo Bugzilla using the New-Expert action, or the Enter a new bug report (advanced) link, and tick the Gentoo Security checkbox in the Only users in all of the selected groups can view this bug section. Alternatively, you may contact one of the following security contacts directly using encrypted mail:

Name               Responsibility    Email              OpenPGP key ID (retrieve the public key by its ID)
John Helmert III   Security lead     ajak@gentoo.org    0x39333C79B7BD85CD55C02E4C812BDFCB974B5783
Sam James          Security member   sam@gentoo.org     0x5EF3A41171BB77E6110ED2D01F3D03348DB1A3E2
Hans de Graaff     Security member   graaff@gentoo.org  0x818B58784EB13C5DD8CF401BBB1FE687EFDBB3EC

Note: To ensure that a confidential report is received and answered as quickly as possible, we strongly encourage senders to email at least two of the security contacts listed above.

Note: A full list of Gentoo developers, including their OpenPGP key IDs, is available in our active developers list.
