On Sat, Sep 27, 2014 at 08:28:48AM -0500, Johnny Hughes wrote:
> On 09/26/2014 06:23 PM, Greg Lindahl wrote:
> > Do we have a FAQ we can point people to that explains this? It's not obvious, and we need to educate anyone who shows up here not knowing the insecure nature of point releases older than tip.
>
> How is this:

That's good, but I suspect that the question might not make it obvious that people need to read it. How about this additional Q/A?
Q. I want to run an old minor release of CentOS, for example staying with CentOS 5.4 when the latest version is 5.10. Is that smart?
A. No. CentOS only updates the most recent of each of the major versions. For example, for CentOS 5, if the most recent minor version is 5.10, then that is the only version that is receiving security updates. CentOS 5.4 is frozen and never gets any updates. That means that CentOS 5.4 is vulnerable to the "shellshock" problem.
If you really need to run an old minor version, you should consider paying for the upstream Enterprise Linux. They keep all the old minor versions up-to-date with regard to security fixes. CentOS does not.
-- greg