On 12/28/2011 01:44 AM, Bennett Haselton wrote:
On Tue, Dec 27, 2011 at 10:08 PM, Ken godee ken@perfect-image.com wrote:
password"? That's what I'm talking about -- how often does this sort of thing happen, where you need to be subscribed to a security mailing list in order to know what workaround to make to stay safe, as opposed to simply running yum-updatesd to install the latest patches automatically.
Happens all the time!
Really? An exploit is released in the wild, and there's a lag of several days before a patch is available through updates -- "all the time"? How often? Every week?
Since Gilbert and "supergiantpotato" seemed to be saying the opposite (that unpatched OS- and web-server-level exploits were pretty rare), what data were you relying on when you said that it "happens all the time"?
Count on it! If you're running any server available to the public, there is no "set and forget". If you're responsible for that server, you best stay informed/subscribed and ready to take action, be it a workaround, an update or whatever.
This website deals specifically with RHEL and security metrics:
http://www.awe.com/mark/blog/tags/metrics
CentOS will usually release security updates within 24 hours of upstream during normal security updates and within 2 weeks on a "Point Release" (a point release is a move from 5.6 to 5.7 or 6.1 to 6.2, etc.).
If you need faster updates than CentOS can provide, then RHEL is the logical alternative.