Never mind, I just found an up-to-date build in CBS, from Jan 18th, with all the security fixes. So they are apparently being closely tracked by the PaaS SIG.

http://cbs.centos.org/koji/buildinfo?buildID=15268

On 01/02/17 17:32, Laurentiu Pancescu wrote:
> From a quick look at the changelog, that particular CBS build is missing
> the security fixes from 2.2.1.0 (CVE-2016-9587, CVE-2016-8647,
> CVE-2016-9587 and CVE-2016-8647). I understand that we'd probably like
> to have full control over when a version upgrade takes place (not to
> break things), but we'd need to backport the security fixes. Or isn't
> security an issue since cico is an isolated environment?
>
> The main reason behind my proposal to adopt whatever Fedora packages was
> to get security fixes from the security team that handles EPEL and
> Fedora. For me, it's still unclear how fast are security fixes landing
> in SIG-provided packages.
>
> But that's certainly your decision to make, I'm fine with it either way. :)