Is Pathauto 5.x-1.2 affected by SA-2007-027? It seems it should not be, as it does not use the Token module. However, Update Status 5.x-2.0 advertises Pathauto 5.x-2.0-beta4 as a security update to 5.x-1.2.

Comments

greggles

Status: Active » Fixed

Correct, 1.2 is not affected by the security problem.

Update Status can only say whether or not a future version of the module has fixed a security problem; it doesn't know if the current version has a problem.

john morahan

Project: Pathauto » Update Status
Version: 5.x-2.0-beta4 » 5.x-2.0
Component: Miscellaneous » Code
Category: support » feature

It would be nice if it did know, particularly when they are in different branches.

john morahan

Status: Fixed » Active

Um.

merlinofchaos

Project: Update Status » Pathauto
Version: 5.x-2.0 » 5.x-2.0-beta4
Component: Code » Miscellaneous

This is because pathauto has the 2.x branch as the recommended release. This has nothing to do with security updates; update_status is recommending the 2.x version, even though it's just a beta, because that's how the pathauto maintainer has it set. If you look at the pathauto project page, it doesn't even *list* 1.2.

This is probably an error on pathauto's part.

greggles

Title: Security update for Pathauto 5.x-1.2? » update status recommending security update for version without security hole
Project: Pathauto » Update Status
Version: 5.x-2.0-beta4 » 5.x-2.x-dev
Status: Active » Closed (won't fix)

I don't think this is a branch problem - let me restate the scenario.

Let's say you are currently running module 5.x-1.1.
In version 5.x-1.2 there was a security issue that was introduced.
In version 5.x-1.3 that security issue was fixed.

What will update status recommend that you do? My belief is that it will say "Security update required!" even though there is no security update required. Right?

So, the feature request is one that touches many modules and infrastructure bits because it requires the ability and the extra effort to:

1) Module maintainers or security team go back and mark a release node as "known security issue"
2) For the update status xml generation tool to take that into account when it generates the xml
3) For the "client" update_status.module to take this into account

I think it's uncommon enough that it can be "postponed" or "won't fixed".
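The difference between what the thread says update_status does today (any newer release tagged as a security fix triggers "Security update required!") and the range-aware check greggles sketches in steps 1-3 can be shown with a small model. The following is an added example, not code from the Update Status or Pathauto projects: the `known_issue` flag on a release stands in for the hypothetical "known security issue" marker from step 1, the release list is constructed to match greggles' hypothetical 1.1 / 1.2 / 1.3 scenario plus a second branch (it is not Pathauto's real release history; the thread confirms real 1.2 was not affected), and the version parser only handles the `5.x-MAJOR.MINOR[-stageN]` shapes that appear on this page.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Release:
    """One release node as the update XML would describe it."""
    version: str                 # e.g. "5.x-1.2"
    security_fix: bool = False   # release tagged as fixing a security issue (exists today)
    known_issue: bool = False    # hypothetical step-1 tag: "this release has a known security issue"

_STAGES = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(version):
    """Turn '5.x-1.2' or '5.x-2.0-beta4' into a sortable tuple (branch, minor, stage, stage_no).
    Only the numbered forms seen on this page are supported; '5.x-2.x-dev' is rejected."""
    m = re.fullmatch(r"5\.x-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?", version)
    if not m:
        raise ValueError("unsupported version string: %r" % version)
    major, minor, stage, num = m.groups()
    stage_rank = _STAGES[stage] if stage else 3   # a final release sorts after its pre-releases
    return (int(major), int(minor), stage_rank, int(num or 0))

def branch(version):
    return parse_version(version)[0]

def naive_needs_security_update(installed, releases):
    """Behaviour described in the thread: any newer release flagged as a security fix
    means 'Security update required!', even across branches and even when the
    installed release never had the hole."""
    cur = parse_version(installed)
    return any(r.security_fix and parse_version(r.version) > cur for r in releases)

def vulnerable_ranges(releases):
    """Step 2: pair each 'known security issue' release with the next security-fix
    release in the same branch. The hole is present in [introduced, fixed)."""
    ordered = sorted(releases, key=lambda r: parse_version(r.version))
    ranges = []
    for i, r in enumerate(ordered):
        if not r.known_issue:
            continue
        fix = next((f for f in ordered[i + 1:]
                    if f.security_fix and branch(f.version) == branch(r.version)), None)
        ranges.append((parse_version(r.version), fix))
    return ranges

def range_aware_status(installed, releases):
    """Step 3: the client only reports a security update when the installed release
    actually falls inside a known vulnerable range of its own branch."""
    cur = parse_version(installed)
    for introduced, fix in vulnerable_ranges(releases):
        if introduced <= cur and (fix is None or cur < parse_version(fix.version)):
            return "update to %s" % fix.version if fix else "vulnerable, no fix released"
    return "not affected"

# Constructed data following greggles' hypothetical scenario (not real Pathauto history):
# the 1.x hole appears in 1.2 and is fixed in 1.3; a separate 2.x hole is fixed in 2.0-beta4.
RELEASES = [
    Release("5.x-1.1"),
    Release("5.x-1.2", known_issue=True),
    Release("5.x-1.3", security_fix=True),
    Release("5.x-2.0-beta3", known_issue=True),
    Release("5.x-2.0-beta4", security_fix=True),
]

if __name__ == "__main__":
    for installed in ("5.x-1.1", "5.x-1.2", "5.x-1.3", "5.x-2.0-beta3"):
        print(installed,
              "| naive:", naive_needs_security_update(installed, RELEASES),
              "| range-aware:", range_aware_status(installed, RELEASES))
```

Running it shows the false positives the thread complains about: the naive rule tells a 5.x-1.1 site (which predates the hole) and a 5.x-1.3 site (already fixed, but 2.0-beta4 is newer) that a security update is required, while the range-aware rule reports "not affected" for both and names 5.x-1.3 only for the genuinely vulnerable 5.x-1.2 install. The price is exactly what greggles lists: someone has to tag the introducing release, and both the XML generator and the client must carry the extra field.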