Do old package versions in CentOS mean that they do not have security fixes?

user1421332 asked:

We asked our admin to update SVN on our CentOS 6.5 server. He did so and the result was SVN 1.6.11. However the current version of SVN is 1.8.9.

I know the CentOS yum repository is not always up-to-date. But in that case I am confused: SVN 1.6.x is not officially supported anymore. This means it does not get any security fixes!

How can the official CentOS repository provide such an old (and dangerous) version? Is there something we (or our admin) understood the wrong way?

My answer:


As an enterprise distribution, Red Hat locks packages in the distribution to a specific version, so that the features offered are known and consistent and do not change behavior unexpectedly during the lifetime of the installation.

As you noted, this means the version of software can be “old.”

However, they also backport security fixes when available, applying them to the old version. For instance, a number of security fixes have been made for subversion over the life of the distribution. This allows for keeping a secure system without the risk of breakage caused by the introduction of new functionality (which does happen from time to time).

You can obtain information about specific security fixes at Red Hat’s site by searching for the CVE number.

Or, to see the change history of the package online, try:

rpm -q --changelog subversion

You’ll see the most recent entries first, starting with:

* Wed Feb 12 2014 Joe Orton <jorton@redhat.com> - 1.6.11-10
- add security fixes for CVE-2013-1968, CVE-2013-2112, CVE-2014-0032

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.