Never mind, I just found an up-to-date build in CBS, from Jan 18th, with all the security fixes. So they are apparently being closely tracked by the PaaS SIG.
http://cbs.centos.org/koji/buildinfo?buildID=15268
On 01/02/17 17:32, Laurentiu Pancescu wrote:
From a quick look at the changelog, that particular CBS build is missing the security fixes from 2.2.1.0 (CVE-2016-9587, CVE-2016-8647, CVE-2016-9587 and CVE-2016-8647). I understand that we'd probably like to have full control over when a version upgrade takes place (not to break things), but we'd need to backport the security fixes. Or isn't security an issue since cico is an isolated environment?
The main reason behind my proposal to adopt whatever Fedora packages was to get security fixes from the security team that handles EPEL and Fedora. For me, it's still unclear how fast are security fixes landing in SIG-provided packages.
But that's certainly your decision to make, I'm fine with it either way. :)