Red Hat's Security policy for Production 3 Phase of the Life Cycle for EL5 is that they will only release "Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate."
https://access.redhat.com/support/policy/updates/errata/#Production_3_Phase

In practice, what that means so far is this: All Important and Critical security updates have been released for EL5, but some Moderate and below security updates have not been, and are not going to be, released by Red Hat for EL5. I do not agree with this policy, but it is not one that the CentOS Project (or I) have any say about. These updates will not be released for RHEL-5 ... therefore they will also not be released for CentOS-5.

Due to this security policy, I highly recommend moving CentOS-5 based workloads to CentOS-6 and that every user stop using CentOS-5 as soon as possible.

Here is a list of updates that are not done on RHEL-5 and are not planned to be done at this time by Red Hat for RHEL-5 (and therefore CentOS-5):

> ruby Moderate
> https://access.redhat.com/security/cve/CVE-2014-8080
> python Low
> https://access.redhat.com/security/cve/CVE-2014-7185
> libgcrypt Moderate
> https://access.redhat.com/security/cve/CVE-2014-5270
> wget Moderate
> https://access.redhat.com/security/cve/CVE-2014-4877
> perl-Data-Dumper Low
> https://access.redhat.com/security/cve/CVE-2014-4330
> cups Moderate
> https://access.redhat.com/security/cve/CVE-2014-3537
> dbus Moderate
> https://access.redhat.com/security/cve/CVE-2014-3477
> dovecot Moderate
> https://access.redhat.com/security/cve/CVE-2014-3430
> exim Low
> https://access.redhat.com/security/cve/CVE-2014-2972
> cups Moderate
> https://access.redhat.com/security/cve/CVE-2014-2856
> openssh Moderate
> https://access.redhat.com/security/cve/CVE-2014-2653
> libxml2 Moderate
> https://access.redhat.com/security/cve/CVE-2014-0191
> qemu Moderate
> https://access.redhat.com/security/cve/CVE-2013-6458
> squid Moderate
> https://access.redhat.com/security/cve/CVE-2012-5643
> openssh Low
> https://access.redhat.com/security/cve/CVE-2014-2532
> libX11 Moderate
> https://access.redhat.com/security/cve/CVE-2013-1997
> libFS Moderate
> https://access.redhat.com/security/cve/CVE-2013-1996
> libXext Moderate
> https://access.redhat.com/security/cve/CVE-2013-1982

I wish there was another option, but I just don't see any others ... I know I would not use packages with moderate security issues unfixed in production on purpose. I think this is a ridiculous policy, but it is what it is.

Thanks,
Johnny Hughes
CentOS mailing list, CentOS@centos.org, http://lists.centos.org/mailman/listinfo/centos
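As an added example that is not part of Johnny's post, a small POSIX shell script that reports which of the packages listed in the post are installed on a host, so a CentOS-5 migration can be prioritised by exposure. The package, severity and CVE table is copied from the post; the function reads installed package names on stdin, and the sample input at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: inventory which packages with
# CVEs that will not be fixed on EL5 (per the list in the post) are present
# on a host. Package/severity/CVE lines are copied from the post.

UNFIXED='ruby Moderate CVE-2014-8080
python Low CVE-2014-7185
libgcrypt Moderate CVE-2014-5270
wget Moderate CVE-2014-4877
perl-Data-Dumper Low CVE-2014-4330
cups Moderate CVE-2014-3537
dbus Moderate CVE-2014-3477
dovecot Moderate CVE-2014-3430
exim Low CVE-2014-2972
cups Moderate CVE-2014-2856
openssh Moderate CVE-2014-2653
libxml2 Moderate CVE-2014-0191
qemu Moderate CVE-2013-6458
squid Moderate CVE-2012-5643
openssh Low CVE-2014-2532
libX11 Moderate CVE-2013-1997
libFS Moderate CVE-2013-1996
libXext Moderate CVE-2013-1982'

# Read installed package names on stdin, one per line (on a real host:
# rpm -qa --qf '%{NAME}\n' | report_unfixed), and print every unfixed
# entry whose package is installed. A package with several CVEs is
# printed once per CVE.
report_unfixed() {
    installed=$(cat)
    printf '%s\n' "$UNFIXED" | while read -r pkg sev cve; do
        if printf '%s\n' "$installed" | grep -Fqx "$pkg"; then
            printf '%s %s %s\n' "$pkg" "$sev" "$cve"
        fi
    done
}

# Constructed sample: a host with bash, cups and wget installed.
printf 'bash\ncups\nwget\n' | report_unfixed
```

On a real CentOS-5 host, feed it `rpm -qa --qf '%{NAME}\n'` instead of the constructed list; an empty result means none of the listed packages is installed, not that the host is otherwise up to date.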