[CentOS] URGENT! Shellshock fix DOES NOT fix the bug on CentOS 5.4

Sat Sep 27 21:53:52 UTC 2014
Greg Lindahl <lindahl at pbm.com>

On Sat, Sep 27, 2014 at 08:28:48AM -0500, Johnny Hughes wrote:
> On 09/26/2014 06:23 PM, Greg Lindahl wrote:
>
> > Do we have a FAQ we can point people to that explains this? It's not
> > obvious, and we need to educate anyone who shows up here not knowing
> > the insecure nature of point releases older than tip.
> 
> How is this:
> 
> http://bit.ly/1rAbtoT

That's good, but I suspect that the question might not make it obvious that
people need to read it. How about this additional Q/A?

Q. I want to run an old minor release of CentOS, for example staying
with CentOS 5.4 when the latest version is 5.10. Is that smart?

A. No. CentOS only updates the most recent of each of the major
versions. For example, for CentOS 5, if the most recent minor version
is 5.10, then that is the only version that is receiving security
updates.  CentOS 5.4 is frozen and never gets any updates. That means
that CentOS 5.4 is vulnerable to the "shellshock" problem.

If you really need to run an old minor version, you should consider
paying for the upstream Enterprise Linux. They keep all the old minor
versions up-to-date with regard to security fixes. CentOS does not.

-- greg