Per the recent thread on fedora-devel [1], I've pushed perl-MARC-Record-1.02 [2] following upstream's security release before they had a CVE in hand.
Now upstream has a CVE (CVE-2014-1626), so if you want to create a security tracking bug and link up bodhi, etc. to follow the security process [3], please go ahead!
Thanks, Dan
1. https://lists.fedoraproject.org/pipermail/devel/2014-January/194225.html
2. https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc19 and https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc20
3. https://fedoraproject.org/wiki/Security_Tracking_Bugs

---------- Forwarded message ----------
From: Dan Scott <denials@gmail.com>
Date: Tue, Jan 21, 2014 at 5:09 PM
Subject: Re: Security update process without CVEs
To: Development discussions related to Fedora <devel@lists.fedoraproject.org>, Kurt Seifried <kseifried@redhat.com>
Eric:
On Tue, Jan 21, 2014 at 4:31 PM, Eric H. Christensen sparks@fedoraproject.org wrote:
On Tue, Jan 21, 2014 at 04:26:19PM -0500, Dan Scott wrote:
I tried following https://fedoraproject.org/wiki/Security_Tracking_Bugs?rd=Security/TrackingBu... but it appears to depend on waiting on a CVE, which upstream did not yet have... but upstream had already pushed the new release to CPAN.
You may be able to request the CVE yourself. I'm trying to contact the guy that handles those things for FOSS but a netsplit is keeping me from talking to him at the moment.
Thanks; upstream had already submitted the request for a CVE. They just hadn't received it yet.