Hi Dan!

On Wed, 22 Jan 2014 09:30:09 -0500 Dan Scott wrote:

> Per the recent thread on fedora-devel [1], I've pushed
> perl-MARC-Record-1.02 [2] following upstream's security release before
> they had a CVE in hand.

It is not that uncommon to see an update pushed to stable without having a CVE assigned. In cases such as yours, when the maintainer immediately acts after seeing the upstream announcement and builds Fedora updates, the update may reach stable before a CVE is assigned.

> Now upstream has a CVE (CVE-2014-1626), so if you want to create a
> security tracking bug and link up bodhi etc to follow the security
> process [3], please go ahead!

In another mail sent to the list a few minutes ago, I briefly explained how security issue reporting works in Fedora. If we see that a Fedora update fixing some issue is already built and pushed to, or on the way to, the stable repositories, we may skip creating bugs for the issue if no other product is affected. We may fail to spot an update that is built but not yet in stable, so you may see a tracker created.

As for updating the Bodhi request, we may not be able to do that. Bodhi checks the commit ACL for the package and uses that to determine whether someone can create or update an update request for the component. In practice, that implies that folks who are not in the proven_packager group cannot change your update request. E.g. if I try to edit your requests for perl-MARC-XML only to mention the CVE in the update description, Bodhi refuses to save my edits because I'm not on the package commit ACL.

Feel free to update the descriptions of those update requests to include the CVE. That may help users and sites that aggregate info on security updates.

-- 
Tomas Hoger / Red Hat Security Response Team

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security