>> 2. Is there a page like Ubuntu's CVE Tracker site where it shows the
>> CVE, the package name, and the status
>
> Red Hat (CentOS's upstream) posts advisories for these sorts of things:
>
> https://access.redhat.com/errata/RHSA-2020:2969
>
> This is the security advisory for this package.

Yeah, I found this page cause Harbor even links these, I apparently left out the important piece in this question "and the status per OS" - e.g. CentOS 7 "pending", CentOS 8 "released"

I'm guessing there's not a central place?

>> 3. If 2 is no, how can I look up the status of a package that has
>> been released by upstream on CentOS? (e.g. it's been released in
>> Upstream, it's available in CentOS, it's pending backport for CentOS 7)
> As I mentioned earlier, the Red Hat errata site is a good place to
> look. You can search for CVEs there too.

This doesn't show the more critical piece though: "What is the status of the package being released per CentOS?"

Leon mentioned:
> https://git.centos.org/rpms/java-11-openjdk/releases

Which (assuming I'm reading this right) seems like 11.0.8 was released for CentOS 7 15 days ago...? c7 = CentOS 7

But 11.0.8 isn't in the YUM repo, so that doesn't seem accurate.

I'm trying to find out "Ok, it's been released for CentOS 8, what's the status of CentOS 7 - is it not vulnerable? Is it deferred? Is it pending?"

Essentially I want to find out how you know that "No, but it's in the process of being built and distributed." - cause I can't tell that based on any info I've found so far.