On 12/16/2016 08:12 AM, Laurentiu Pancescu wrote:
> On 16/12/16 12:08, Karanbir Singh wrote:
>> On 16/12/16 10:49, Trevor Hemsley wrote:
>
>>> The latest https://rhn.redhat.com/errata/RHSA-2016-2946.html which is a
>>> critical update for firefox released on the 14th is still not released
>>> for CentOS 7 after 2 days.
>
> The original advisory[3] for Firefox 50.1 lists a few more CVEs than
> Red Hat's bulletin (the critical security fixes are backported by
> Mozilla in the ESR version "where feasible", which is why the
> Canonical Security Team decided to offer the normal Firefox releases
> in Ubuntu LTS, not the ESR ones). [4]

Firefox 45.6 (firefox-45.6.0-1.el7.centos.x86_64.rpm) coming down through yum as I write this.

CentOS has no control over the RHEL package; CentOS rebuilds the exactly as released (even if not exactly when released). If you want CentOS to depart from the ESR train you need to bug Red Hat to change RHEL's package so that the source propagates to CentOS.