[CentOS-devel] Fwd: php, cve-2019-11043 and AppStream repo updates

Tue Nov 19 22:20:33 UTC 2019
Angelo Lisco <angystardust at gmail.com>

Hi to all,
Am I wrong, or is the CentOS AppStream repo heavily lagging behind the
RedHat repos?
Some examples here:

- the php:7.2 critical security errata published on 2019-11-06 (that's
almost 2 weeks ago) [1] [2] is still unavailable in the CentOS AppStream
repo leaving systems vulnerable to an already exploited bug [3];

- (this is less critical IMHO) new yum modules published in EL8.1 on
2019-11-05 (php:7.3, nginx:1.16, ruby:2.6, nodejs:12) are still unavailable
in the CentOS AppStream repo;

I'm wondering if it's unintended and justified by lack of time and
resources or it's a sneaky strategy to let users choose RHEL for running
production systems instead of CentOS.
I'm really sorry to say that, but the issue described here and the lack of a
security errata bulletin [4] make CentOS8 almost unusable in a production
environment.

Thanks for your attention.
Regards

Angelo Barney

[1] https://access.redhat.com/errata/RHSA-2019:3735
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-11043
[3] https://nextcloud.com/blog/nextcry-or-how-a-hacker-tried-to-exploit-a-nginx-issue-with-2-nextcloud-servers-out-of-300-000-hit-and-no-payout/
[4] https://lists.centos.org/pipermail/centos-devel/2019-November/018053.html