I received a security notice via email for ctools this morning. When I went to "Available updates" in one of my D7 sites and selected "Check manually" the new version wasn't found. However, the ctools project page listed the update so I installed it manually.
When I returned to "Available updates" and selected "Check manually" I was told:
This project has been revoked, and is no longer available for download. Disabling everything included by this project is strongly recommended!
That turned out to be incorrect. When I later repeated the "Check manually" it found the update.
The above message is both incorrect and, therefore, way too strongly worded...
I reverted to the previous version of ctools. Given that I had just refreshed "Available updates", unless I proactively went and did a manual check, I wouldn't have found out for another week (when the next automated check would be scheduled) that the security update I had reverted was a real update and had not been revoked. That's suboptimal. :-(
In the best case, I think update.module needs to be able to distinguish between updates that have really been revoked and updates for which the relevant metadata hasn't been updated yet. A compromise might be to tone down the message... :-)
I tried to understand the relevant code but couldn't make sense of it, sorry...
I guess this could be considered a security issue, but that's a long bow to draw. It is more of a meta security issue...
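The distinction asked for in this report, between a project whose release feed explicitly says it is revoked and a feed that simply does not yet list the release you have installed, can be expressed as a small classifier. The following is an added illustration, not update.module's code: the feed layout (project_status, releases, release status, "Release type" terms) is an assumption modelled on the drupal.org release-history XML, the version numbers and feeds are constructed, and the status names returned are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Builds a feed string shaped like drupal.org's release-history XML.
# Assumption: element names follow that format; all values are constructed.
def make_feed(project_status, releases):
    items = "".join(
        f"<release><version>{v}</version><status>{s}</status>"
        f"<terms><term><name>Release type</name><value>{t}</value></term></terms></release>"
        for v, s, t in releases
    )
    return (f"<project><short_name>ctools</short_name><api_version>7.x</api_version>"
            f"<project_status>{project_status}</project_status>"
            f"<releases>{items}</releases></project>")

VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+)(?:-(\S+))?$")

def version_key(version):
    """Sort key for 7.x-1.10 style versions: (major, patch, is_final).
    A pre-release suffix (-rc1, -beta2) sorts below the final release."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    _core, major, patch, suffix = m.groups()
    return (int(major), int(patch), suffix is None)

def classify(feed_xml, installed_version):
    """Return a hypothetical status for installed_version given a release feed."""
    root = ET.fromstring(feed_xml)
    if root.findtext("project_status", default="") in ("revoked", "unpublished"):
        return "revoked"  # the feed itself says the whole project is gone

    releases = {}
    for rel in root.iter("release"):
        status = rel.findtext("status", default="published")
        types = [t.findtext("value") for t in rel.iter("term")
                 if t.findtext("name") == "Release type"]
        releases[rel.findtext("version")] = (status, types)

    if installed_version not in releases:
        # The proposed distinction: a release the feed does not know about yet
        # is stale metadata (or a hand-installed build), not a revocation.
        return "not-listed"

    status, _ = releases[installed_version]
    if status != "published":
        return "release-revoked"  # this specific release was pulled

    installed_key = version_key(installed_version)
    newer = [v for v, (s, _) in releases.items()
             if s == "published" and version_key(v) > installed_key]
    if not newer:
        return "current"
    if any("Security update" in releases[v][1] for v in newer):
        return "security-update-available"
    return "update-available"

# Constructed feeds: the one drupal.org serves once the metadata has caught up,
# the stale one that still lacks the new release, and one marking the project revoked.
RELEASES_AFTER_SA = [("7.x-1.9", "published", "Security update"),
                     ("7.x-1.8", "published", "Bug fixes")]
RELEASES_STALE = RELEASES_AFTER_SA[1:]

FEED_FRESH = make_feed("published", RELEASES_AFTER_SA)
FEED_STALE = make_feed("published", RELEASES_STALE)
FEED_REVOKED = make_feed("revoked", RELEASES_STALE)

if __name__ == "__main__":
    for name, feed, installed in [("fresh, running 1.8", FEED_FRESH, "7.x-1.8"),
                                  ("fresh, running 1.9", FEED_FRESH, "7.x-1.9"),
                                  ("stale, running 1.9", FEED_STALE, "7.x-1.9"),
                                  ("revoked, running 1.8", FEED_REVOKED, "7.x-1.8")]:
        print(f"{name}: {classify(feed, installed)}")
```

The third case is the situation described in the report: the site runs the just-released 7.x-1.9 but the cached feed has not caught up, and the classifier reports "not-listed" rather than "revoked", which is the message a site owner would want to see until the next fetch.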