I am not the package maintainer, but I am aware of software that was recently upgraded to address a security issue. How do I request that the package be updated? I’m not sure who the package maintainer in Fedora is.
I will likely need to do something similar for RHEL, Debian, and friends, too.
File a Bugzilla report. Note that many distros backport security patches (even before details are made public), so you may find that the bug is already fixed in recent updates. Is there a simple way to demonstrate the bug?
Before becoming formal, I suggest also checking on the devel mailing list [1] whether anyone knows about the maintainer(s), and maybe also checking whether other people are involved in the package and talking to them. You can see who is involved in the builds in Koji. E.g., here is the Koji page of pdfgrep, which shows one further person to be involved (at least in the past): https://koji.fedoraproject.org/koji/packageinfo?packageID=11788
( <username>@fedoraproject.org should usually work, but many users have a wiki page with a preferred email address that is different: https://fedoraproject.org/wiki/User:<username> )
I sent the bug report. I wasn’t sure if that was appropriate for the bug tracker or not.
@gnwiii: Regarding backporting: I know this is not the case as the package maintainer chose not to coordinate disclosure, given the limited exploitability.
@py0xc3: I just saw your message after I submitted the bug report. I’ll do that in the future.
@addisoncrump I hope it is ok for you that I changed the solution because the one you have chosen is not fully compliant with the current policy. Also, it is not the nicest way to file a public bug report before checking whether they are reachable or even on vacation.
But feel free to change the solution again (it's your topic).
Understood. There are some notices on the package page indicating that the maintainer may have already been notified (“the-new-hotness saw an update for ‘x’, but release-monitoring.org doesn’t know what that project is called in Fedora land”).