SCIENTIFIC-LINUX-USERS Archives

February 2020

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject: (none)
From: Winnie Lacesso <[log in to unmask]>
Reply To: Winnie Lacesso <[log in to unmask]>
Date: Tue, 25 Feb 2020 09:49:55 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (63 lines)

Bonjour,

This was posted to SLU in 2012 but didn't get any actual answers. It's
reposted in case anyone can firmly say (or not) that the situation has
changed or is the same. *Is* it true that CentOS still have a period when
they do *not* release security updates for earlier OS dot releases, thus
leaving those earlier dot releases vulnerable?

(Security is one reason we stuck with SL with Super-Gratitude to them!)


My security colleagues said:
--------
My reading of the thread surrounding that quote is that CentOS *do*
release security patches between "dot" releases, but that they stop in the
period between Red Hat releasing an update and the time that they have
pushed that update out themselves. Thus, 5.3 has been released by both Red
Hat and CentOS and is receiving updates, but when 5.4 comes out from Red
Hat, all their security updates will not necessarily work on 5.3 so CentOS
stops releasing them. As soon as CentOS gets 5.4 out of the door, the
updates will start again (and they will have rolled the missing ones into
their 5.4 release).

It is significant though (i.e. potentially a couple of months without
security fixes when a new CentOS point release is being prepared), and
something I wasn't aware of. At the very least, CentOS admins need to be
aware of this until and unless the policy changes.
--------

Original post: PS I haven't verified the links are still valid! (sorry)
--------
In 2009 I was surprised to learn from this useful+informative SL-User's
list, that CentOS does not always release security updates in a timely
manner:

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=scientific-linux-users&D=0&T=0&P=4484
"It has come to light that the maintainers don't/can't release interim
security updates while they are rebuilding a new dot release from
upstream"

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=SCIENTIFIC-LINUX-USERS&P=R7106&I=-3
"For example, once Redhat releases a point release, an attacker knows that
any subsequent errata can be used against a CentOS box at least until the 
CentOS project releases the corresponding point release. It is quite 
literally a sitting duck."

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=scientific-linux-users&D=0&T=0&P=4999
"(About CentOS & why user is switching from CentOS to SL:) So there is a
potential delay of weeks and months before security updates are passed on 
whilst a distribution is being rebuilt, as they currently don't start 
rebuilding the dependencies of an errata updated package, unless it is
part of the release. I am quite happy to wait a few days for a security 
updates, but I do take issue to an unknown exposure where security updates
are delayed for an unspecified length of time."

Question: that was in 2009. Does anyone know, is the above still true of 
CentOS? (Apols - I don't wish to join CentOS list just to find that out & 
am unable to find out via some searching)
(We are debating building some new servers as SL vs CentOS, & timely
security updates are relevant to us)

Many thanks for pointers/enlightenment.
