Per the recent thread on fedora-devel [1], I've pushed perl-MARC-Record-1.02 [2] following upstream's security release before they had a CVE in hand.

Now upstream has a CVE (CVE-2014-1626), so if you want to create a security tracking bug and link up bodhi etc to follow the security process [3], please go ahead!

Thanks,
Dan

1. https://lists.fedoraproject.org/pipermail/devel/2014-January/194225.html
2. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc19 and https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc20
3. https://fedoraproject.org/wiki/Security_Tracking_Bugs

---------- Forwarded message ----------
From: Dan Scott <denials@xxxxxxxxx>
Date: Tue, Jan 21, 2014 at 5:09 PM
Subject: Re: Security update process without CVEs
To: Development discussions related to Fedora <devel@xxxxxxxxxxxxxxxxxxxxxxx>, Kurt Seifried <kseifried@xxxxxxxxxx>

Eric:

On Tue, Jan 21, 2014 at 4:31 PM, Eric H. Christensen <sparks@xxxxxxxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Tue, Jan 21, 2014 at 04:26:19PM -0500, Dan Scott wrote:
>> I tried following
>> https://fedoraproject.org/wiki/Security_Tracking_Bugs?rd=Security/TrackingBugs
>> but it appears to depend on waiting on a CVE, which upstream did not
>> yet have... but upstream had already pushed the new release to CPAN.
>
> You may be able to request the CVE yourself. I'm trying to contact the guy that handles those things for FOSS but a netsplit is keeping me from talking to him at the moment.

Thanks; upstream had already submitted the request for a CVE. They just hadn't received it yet.

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security