Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
This issue affects perl-Sereal-Decoder 4.x versions prior to version 4.010 (see Bug #2453333).
EPEL-8 has version 4.018
EPEL-9 has version 4.018
EPEL-10.* has version 5.004
Hence, no current EPEL release is affected by this issue.
We are unbundling the Zstandard library (and others) in Fedora and EPEL. So, this kind of report about an issue in bundling is a bit weird.
(In reply to Michal Josef Spacek from comment #2)
> We are unbundling the Zstandard library (and others) in Fedora and EPEL.
>
> So, this kind of report about an issue in bundling is a bit weird.
Figuring that out requires looking in a little depth at how the package is built, and is not the upstream default way of doing things, so it's understandable. I also look after libssh2 and get bugs raised on that whenever libssh (a completely different codebase) has a security issue, so I don't think anyone's looking at things in any detail at all.