Is there a big difference between CentOS 6.4 to 6.2 and should I up/down-grade?

Solution 1:

This has got to be one of the most misunderstood things about RHEL/CentOS (the two are effectively interchangeable for the purposes of this post).

CentOS is an OS. CentOS 6 is a version of that OS; it's very different from CentOS 5. CentOS 6.1 isn't an OS version, it's just a patch level of CentOS 6. To understand that, you have to understand Red Hat's packaging and patching policy.

Red Hat pick the version of any given tool they'll use when they launch a version of RHEL. For RHEL 6, this included Apache 2.2.15, the 2.6.32 kernel, php 5.3.3, and so on. For the rest of the life of RHEL6, these will not be upgraded; Red Hat will instead backport any necessary patches (and occasionally, as dsumsky points out, improvements which are felt to be desirable) to the version they have picked. That means that you'll be running software whose version number suggests it's vulnerable to certain well-known exploits, but which has been patched to avoid those vulnerabilities (in case you want an authoritative reference, Red Hat explain this in their own words here). It's amazing how many security auditors don't understand this, some of them even after it's been explained slowly and in short words.

This patching policy causes lots of people to post to SF asking how they can get the latest PHP on their C6 box, but it also causes great stability.

Now, versioning: on a given day, Red Hat effectively draw a line through the current patch state of RHEL6, and declare that to be (say) RHEL6.4. They make ISOs of it, but it's not really a version of RHEL 6, it's just RHEL 6 at the state of patch on that day. If you want a fully-up-to-date RHEL box, it's quicker to install from the RHEL 6.4 ISOs and patch than it is to install from the RHEL 6.0 ISOs and patch, but you end up with the same thing either way - RHEL 6.4.

CentOS, following upstream as they do, do likewise.

This means that, provided you haven't installed anything off piste (as it were), and you have all your config files safely backed up, you can go from C6.2 to C6.4 without any major fear.

Moreover, not only is it not a bad idea to upgrade, it's a very good one. At this point, C6.2 is effectively past end of life. It's getting no patches, it's unsupportable and unsupported, because if you bring a C6.2 box up to patch, it's C6.4. There's no way to run a fully-patched C6.2 box without it being C6.4¹.

¹ This isn't entirely true; you can bend over backwards not to upgrade the redhat-release package, which controls the file that determines version, but the only reason you'd do this is if you're running some batshit insane piece of commercial software that insists on a particular point release of RHEL/CentOS. If you're running such a thing, get rid of it. It's unfit for purpose, and written (or, more likely, marketed) by morons.
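The answer's point about backports is that the upstream version string (httpd 2.2.15, kernel 2.6.32) says nothing about which fixes are present; the package changelog does. The following is an added example, not code from the answer: it parses the text `rpm -q --changelog <pkg>` prints and the `/etc/redhat-release` string, so an audit can ask "is this CVE referenced in a changelog entry?" instead of matching version numbers. The changelog text and the CVE ids in it are constructed placeholders, and the function names are this example's own.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample of `rpm -q --changelog httpd` output. The CVE ids are
# placeholders, not real identifiers; the layout matches RPM's changelog format.
SAMPLE_CHANGELOG = """\
* Thu Jan 10 2013 Packager <packager@example.com> - 2.2.15-26
- Resolves: CVE-0000-0002 (placeholder) fix handling of crafted request
- Resolves: CVE-0000-0003 (placeholder)

* Mon Jun 04 2012 Packager <packager@example.com> - 2.2.15-15
- Resolves: CVE-0000-0001 (placeholder)
- add mod_foo option
"""

# Entry header: "* <date> <packager> - <version>-<release>"
HEADER_RE = re.compile(r"^\* .*? - (?P<evr>\S+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def fixes_by_release(changelog: str) -> Dict[str, Set[str]]:
    """Map each version-release in the changelog to the CVE ids its entry mentions."""
    result: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("evr")
            result.setdefault(current, set())
        elif current is not None:
            result[current].update(CVE_RE.findall(line))
    return result


def is_fixed(changelog: str, cve: str) -> bool:
    """True if any changelog entry references the CVE, whatever the upstream version says."""
    return any(cve in cves for cves in fixes_by_release(changelog).values())


def patch_level(release_text: str) -> Optional[Tuple[int, int]]:
    """Split '/etc/redhat-release' text such as 'CentOS release 6.4 (Final)' into
    (major, minor). The minor number is the patch snapshot the answer describes,
    not a separate OS version."""
    m = re.search(r"release (\d+)\.(\d+)", release_text)
    return (int(m.group(1)), int(m.group(2))) if m else None
```

On a real host, feed `fixes_by_release` the output of `rpm -q --changelog httpd` rather than the sample text; a version-only scanner would flag 2.2.15 regardless of what the changelog shows.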