Hi to all,

Am I wrong or the CentOS AppStream repo is heavily lagging behind the RedHat repos?

Some examples here:

- the php:7.2 critical security errata published on 2019-11-06 (that's almost 2 weeks ago) [1] [2] is still unavailable in the CentOS AppStream repo leaving systems vulnerable to an already exploited bug [3];

- (this is less critical IMHO) new yum modules published in EL8.1 on on 2019-11-05 (php:7.3 nginx:1.16, ruby:2.6, nodejs:12) are still unavailable in the CentOS AppStream repo;

I'm wondering if it's unintended and justified by lack of time and resources or it's a sneaky strategy to let users choose RHEL for running production systems instead of CentOS.

I'm really sorry to say that but the issue described here and the lack of a security errata bulletin [4], makes CentOS8 almost unusable on a production environment.

Thanks for your attention.

Regards

Angelo Barney

[1] https://access.redhat.com/errata/RHSA-2019:3735

[2] https://nvd.nist.gov/vuln/detail/CVE-2019-11043

[3] https://nextcloud.com/blog/nextcry-or-how-a-hacker-tried-to-exploit-a-nginx-issue-with-2-nextcloud-servers-out-of-300-000-hit-and-no-payout/

[4] https://lists.centos.org/pipermail/centos-devel/2019-November/018053.html