Bonjour,

This was posted to SLU in 2012 but didn't get any actual answers. It's reposted in case anyone can firmly say (or not) that the situation has changed or is the same.

*Is* it true that CentOS still have a period when they do *not* release security updates for earlier OS dot releases, thus leaving those earlier dot releases vulnerable? (Security is one reason we stuck with SL, with Super-Gratitude to them!)

My security colleagues said:

--------
My reading of the thread surrounding that quote is that CentOS *do* release security patches between "dot" releases, but that they stop in the period between Red Hat releasing an update and the time that they have pushed that update out themselves. Thus, 5.3 has been released by both Red Hat and CentOS and is receiving updates, but when 5.4 comes out from Red Hat, all their security updates will not necessarily work on 5.3, so CentOS stops releasing them. As soon as CentOS gets 5.4 out of the door, the updates will start again (and they will have rolled the missing ones into their 5.4 release).

It is significant though (i.e. potentially a couple of months without security fixes when a new CentOS point release is being prepared), and something I wasn't aware of. At the very least, CentOS admins need to be aware of this until and unless the policy changes.
--------

Original post:

PS I haven't verified the links are still valid! (sorry)

--------
In 2009 I was surprised to learn from this useful+informative SL-User's list that CentOS does not always release security updates in a timely manner:

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=scientific-linux-users&D=0&T=0&P=4484
"It has come to light that the maintainers don't/can't release interim security updates while they are rebuilding a new dot release from upstream"

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=SCIENTIFIC-LINUX-USERS&P=R7106&I=-3
"For example, once Redhat releases a point release, an attacker knows that any subsequent errata can be used against a CentOS box at least until the CentOS project releases the corresponding point release. It is quite literally a sitting duck."

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=scientific-linux-users&D=0&T=0&P=4999
"(About CentOS & why user is switching from CentOS to SL:) So there is a potential delay of weeks and months before security updates are passed on whilst a distribution is being rebuilt, as they currently don't start rebuilding the dependencies of an errata updated package unless it is part of the release. I am quite happy to wait a few days for security updates, but I do take issue with an unknown exposure where security updates are delayed for an unspecified length of time."

Question: that was in 2009. Does anyone know, is the above still true of CentOS? (Apols - I don't wish to join the CentOS list just to find that out & am unable to find out via some searching)

(We are debating building some new servers as SL vs CentOS, & timely security updates are relevant to us)

Many thanks for pointers/enlightenment.