Red Hat's Security policy for Production 3 Phase of the Life Cycle for EL5 is that they will only release "Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate."
https://access.redhat.com/support/policy/updates/errata/#Production_3_Phase
In practice, what that means so far is this:
All Important and Critical security updates have been released for EL5, but some moderate and below security updates have not been, and are not going to be released by Red Hat for EL5.
I do not agree with this policy, but it is not one that the CentOS Project (or I) have any say about. These updates will not be released for RHEL-5 ... therefore they will also not be released for CentOS-5.
Due to this security policy, I highly recommend moving CentOS-5 based workloads to CentOS-6 and that every user stop using CentOS-5 as soon as possible. Here is a list of updates that are not done on RHEL-5 and are not planned to be done at this time by Red Hat for RHEL-5 (and therefore CentOS-5):
ruby              Moderate  https://access.redhat.com/security/cve/CVE-2014-8080
python            Low       https://access.redhat.com/security/cve/CVE-2014-7185
libgcrypt         Moderate  https://access.redhat.com/security/cve/CVE-2014-5270
wget              Moderate  https://access.redhat.com/security/cve/CVE-2014-4877
perl-Data-Dumper  Low       https://access.redhat.com/security/cve/CVE-2014-4330
cups              Moderate  https://access.redhat.com/security/cve/CVE-2014-3537
dbus              Moderate  https://access.redhat.com/security/cve/CVE-2014-3477
dovecot           Moderate  https://access.redhat.com/security/cve/CVE-2014-3430
exim              Low       https://access.redhat.com/security/cve/CVE-2014-2972
cups              Moderate  https://access.redhat.com/security/cve/CVE-2014-2856
openssh           Moderate  https://access.redhat.com/security/cve/CVE-2014-2653
libxml2           Moderate  https://access.redhat.com/security/cve/CVE-2014-0191
qemu              Moderate  https://access.redhat.com/security/cve/CVE-2013-6458
squid             Moderate  https://access.redhat.com/security/cve/CVE-2012-5643
openssh           Low       https://access.redhat.com/security/cve/CVE-2014-2532
libX11            Moderate  https://access.redhat.com/security/cve/CVE-2013-1997
libFS             Moderate  https://access.redhat.com/security/cve/CVE-2013-1996
libXext           Moderate  https://access.redhat.com/security/cve/CVE-2013-1982
I wish there was another option, but I just don't see any others .. I know I would not use packages with moderate security issues unfixed in production on purpose. I think this is a ridiculous policy, but it is what it is.
Thanks, Johnny Hughes
On 11/14/2014 12:22 PM, Johnny Hughes wrote:
I wish there was another option, but I just don't see any others .. I know I would not use packages with moderate security issues unfixed in production on purpose. I think this is a ridiculous policy, but it is what it is.
It's 7 1/2 years old at this point. It's had a long useful run, but it's time to move on.
On Fri, 14 Nov 2014 14:22:46 -0600 Johnny Hughes johnny@centos.org wrote:
Red Hat's Security policy for Production 3 Phase of the Life Cycle for EL5 is that they will only release "Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate."
This is essentially identical to the level of support you get if you pay for EUS (extended update support). And I guess the thinking is that that is a meaningful level of support to a significant number of customers...
Personally I might have agreed if Important had been included, but only Critical is too thin for many use cases.
/Peter
On Mon, Nov 17, 2014 at 7:52 AM, Peter Kjellström cap@nsc.liu.se wrote:
On Fri, 14 Nov 2014 14:22:46 -0600 Johnny Hughes johnny@centos.org wrote:
Red Hat's Security policy for Production 3 Phase of the Life Cycle for EL5 is that they will only release "Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate."
This is essentially identical to the level of support you get if you pay for EUS (extended update support). And I guess the thinking is that that is a meaningful level of support to a significant number of customers...
Yes, the support policy for EUS is the same. You can find RH's reasoning here:
https://access.redhat.com/articles/rhel-eus (scroll down to the comment section near the bottom)
Personally I might have agreed if Important had been included, but only Critical is too thin for many use cases.
I agree. I think the problem is that most users are unaware of the facts. So, they assume their systems are safe security-wise as long as they get all the updates.
Akemi