I don't mean it's a problem for us, but probably for the Fedora maintainers, because having two different sources (one for the official shared library and one inside C::B's sources) can be a problem.
The package maintainers normally have to react if possible security risks (or other system-relevant issues) are discovered, and they normally do not wait until upstream fixes the problem; they have to fix this immediately, and that can be a problem for the person who maintains the C::B package for Fedora.
But maybe they say, unless it's restricted to C::B, because of using a statically linked lib, it's no problem.