Hello James,
I am looking at old vulnerabilities, and a package you own, pwgen, currently has three of them: CVE-2013-4440, CVE-2013-4441 and CVE-2013-4442.
I contacted upstream author Theodore Ts'o, who acknowledged CVE-2013-4440 and CVE-2013-4442 are problems, but refused to merge the fix proposed on the list (http://marc.info/?l=oss-security&m=137049241132104&w=4) for good reasons. I did an analysis on CVE-2013-4441 and I believe it's basically not fixable without breaking pwgen completely.
For the other two issues I wrote a patch and sent it upstream, but received no response. So, for the time being, could you please look at the patch and see if we can update pwgen in Fedora and EPEL to fix CVE-2013-4440 and CVE-2013-4442?
Thank you!