Hi
I'm writing here since there are many known bugs (mostly fixed upstream), including at
least one CVE in a bunch of packages critical to Fedora's integrity.
Libgcrypt:
Version 1.7.2 is available:
https://bugzilla.redhat.com/show_bug.cgi?id=1306064 (note that
3 updates were missed)
CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves [fedora-all]:
https://bugzilla.redhat.com/show_bug.cgi?id=1306185
gnupg2:
gnupg2 hasn't seen an update to Fedora stable in 2 months (3 versions). According to
this automatically created bug report,
https://bugzilla.redhat.com/show_bug.cgi?id=1230986
the maintainer has not managed to ship the latest version in >1 year.
This is not only bad behavior on the part of the maintainer; it is also a bad sign of how
security-critical updates are handled in Fedora. Those two packages are effectively unmaintained
although all of Fedora's security is based on them. This is a pretty ugly situation
which needs your attention and (probably) some action.
The second bug report against libgcrypt has a CVE assigned and it is still unfixed after
months. This must not happen either. There should be some mechanism to notify somebody if a
maintainer doesn't act on CVEs within 3 days.