Hi,

I'm writing here since there are many known bugs (mostly fixed upstream), including at least one CVE, in a bunch of packages critical to Fedora's integrity.

Libgcrypt:
Version 1.7.2 is available: https://bugzilla.redhat.com/show_bug.cgi?id=1306064 (note that 3 updates were missed)
CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves [fedora-all]: https://bugzilla.redhat.com/show_bug.cgi?id=1306185

gnupg2:
gnupg2 hasn't seen an update in 2 months (3 versions) to Fedora stable. According to this automatically created bug report https://bugzilla.redhat.com/show_bug.cgi?id=1230986 the maintainer has not managed to ship the latest version in >1 year.

This is not only bad behavior of the maintainer, it is also a bad sign of how security-critical updates are handled in Fedora. Those two packages are effectively unmaintained although all of Fedora's security is based on them. This is a pretty ugly situation which needs your attention and (probably) some action.

The second bug report against libgcrypt has a CVE assigned and still it is unfixed for months. This must not happen either. There should be some mechanism to notify somebody if a maintainer doesn't act on CVEs within 3 days.

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx