[CentOS] EL5 Security Policy for the final 3 years

Johnny Hughes johnny at centos.org
Fri Nov 14 20:22:46 UTC 2014

Red Hat's Security policy for Production 3 Phase of the Life Cycle for
EL5 is that they will only release "Critical impact Security Advisories
(RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be
released as they become available. Other errata advisories may be
delivered as appropriate."


In practice, what that means so far is this:

All Important and Critical security updates have been released for EL5,
but some moderate and below security updates have not been, and are not
going to be released by Red Hat for EL5.

I do not agree with this policy, but it is not one that the CentOS
Project (or I) have any say about.  These updates will not be released
for RHEL-5 ... therefore they will also not be released for CentOS-5.

Due to this security policy, I highly recommend moving CentOS-5 based
workloads to CentOS-6 and that every user stop using CentOS-5 as soon as
possible.  Here is a list of updates that are not done on RHEL-5 and are
not planned to be done at this time by Red Hat for RHEL-5 (and therefore

> ruby 		Moderate	https://access.redhat.com/security/cve/CVE-2014-8080
> python 		Low 		https://access.redhat.com/security/cve/CVE-2014-7185
> libgcrypt 	Moderate 	https://access.redhat.com/security/cve/CVE-2014-5270
> wget 		Moderate 	https://access.redhat.com/security/cve/CVE-2014-4877
> perl-Data-Dumper Low 		https://access.redhat.com/security/cve/CVE-2014-4330
> cups 		Moderate 	https://access.redhat.com/security/cve/CVE-2014-3537
> dbus 		Moderate 	https://access.redhat.com/security/cve/CVE-2014-3477
> dovecot 	Moderate 	https://access.redhat.com/security/cve/CVE-2014-3430
> exim 		Low 		https://access.redhat.com/security/cve/CVE-2014-2972
> cups 		Moderate 	https://access.redhat.com/security/cve/CVE-2014-2856
> openssh 	Moderate 	https://access.redhat.com/security/cve/CVE-2014-2653
> libxml2 	Moderate 	https://access.redhat.com/security/cve/CVE-2014-0191
> qemu 		Moderate 	https://access.redhat.com/security/cve/CVE-2013-6458
> squid 		Moderate 	https://access.redhat.com/security/cve/CVE-2012-5643
> openssh 	Low 		https://access.redhat.com/security/cve/CVE-2014-2532
> libX11 		Moderate 	https://access.redhat.com/security/cve/CVE-2013-1997
> libFS 		Moderate 	https://access.redhat.com/security/cve/CVE-2013-1996
> libXext 	Moderate 	https://access.redhat.com/security/cve/CVE-2013-1982

I wish there was another option, but I just don't see any others .. I
know I would not use packages with moderate security issues unfixed in
production on purpose.  I think this is a ridiculous policy, but it is
what it is.

Johnny Hughes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20141114/9ea0419b/attachment.sig>

More information about the CentOS mailing list