Do old package versions in CentOS mean that they do not have security fixes?

svn centos yum

We asked our admin to update SVN on our CentOS 6.5 server. He did so and the result was SVN 1.6.11. However the current version of SVN is 1.8.9.

I know the CentOS yum repository is not always up-to-date. But in that case I am confused: SVN 1.6.x is not officially supported anymore. This means it does not get any security fixes!

How can the official CentOS repository provide such an old (and dangerous) version? Is there something we (or our admin) understood the wrong way?


As an enterprise distribution, Red Hat locks packages in the distribution to a specific version, so that the features offered are known and consistent and do not change behavior unexpectedly during the lifetime of the installation.

As you noted, this means the version of software can be "old."

However, they also backport security fixes when available, applying them to the old version. For instance, a number of security fixes have been made for subversion over the life of the distribution. This allows for keeping a secure system without the risk of breakage caused by the introduction of new functionality (which does happen from time to time).

You can obtain information about specific security fixes at Red Hat's site by searching for the CVE number.

Or, to see the change history of the package online, try:

rpm -q --changelog subversion

You'll see the most recent entries first, starting with:

* Wed Feb 12 2014 Joe Orton <[email protected]> - 1.6.11-10
- add security fixes for CVE-2013-1968, CVE-2013-2112, CVE-2014-0032

CentOS (or really, RHEL with CentOS along for the ride) commits to supporting the version they're distributing until the OS is end of life; they are responsible for backporting security fixes to the old/unsupported version.

The reason for this is stability; they don't upgrade major versions of software within a major OS version in order to not break application compatibility on regular updates. EL 6 is definitely getting to the point where some of those packages are pretty old simply due to its age and when those package versions were locked in; EL 7 is just around the corner.

Related

Determine Linux Server's Architecture (32 or 64 bit) [duplicate]
How can I log users' bash commands?
"Unballooning" RAM that's been ballooned by VMware
Disable CPU cores in bios?
Is calculating IOPS for ZFS RAIDZ different then calculating IOPS for RAID5 & RAID6?
Upgrade CentOS 5.x to CentOS 6.x - tips and techniques
Why did rebooting cause one side of my ZFS mirror to become UNAVAIL?
Pros and Cons of a Decentralized Puppet Architecture
$AB-BA=I$ having no solutions
Do values attached to integers have implicit parentheses?
Is it true that the order of $ab$ is always equal to the order of $ba$?
Finite Sum of Power?