Is Rocky Linux 8.x insecure now that 8.(x+1) has been released?

Hi, I have read through Release 8.5 - Documentation and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/overview#overview-major-changes and security enhancements are discussed, but I don’t think I see anything about security fixes or anything that explicitly states that 8.4 should be immediately upgraded to 8.5 in order to maintain security.

Maybe because I don’t understand all the security enhancements I also don’t understand if 8.4 should immediately be upgraded to 8.5. Maybe the upgrade is strongly implied and I am just not understanding that.

But my question in general is:
Is running an older minor version secure, if a newer minor version has been released?
Are older minor versions maintained by RHEL and then Rocky Linux for security?

I am wondering if some minor versions are released more for feature enhancements and not security updates, in which case from a security point of view, an upgrade may not be needed.

Sorry if the answer is obvious - I am a grateful personal, not commercial, user of Rocky Linux workstation and so I don’t have the technical training to understand if the answer is obvious.

Thanks ahead of time.

There is not really a “minor” version of Rocky 8.

Tags like “8.4” and “8.5” are just “point releases”. In practice they’re all part of an upgrade path. They’re all “Rocky 8”, just bundled with all updates.

If you have an 8.4 system and apply all patches (with yum or dnf) then you’ll end up with an equivalent 8.5 system. Indeed cat /etc/redhat-release on an upgraded 8.4 system and it’ll say 8.5 :slight_smile:

If you don’t apply patches to 8.4 then, yes, you will be insecure over time. Not today, but maybe tomorrow…

You could try and be clever and only apply security patches, but over time those patches will end up depending on core stuff (like glibc) so that you might as well apply all outstanding patches. It’s normally simpler!

(FWIW I’ve worked in cyber security for a Fortune 20 and a Fortune 200; I always recommend keeping RHEL based systems up to date with a planned internal update process; lab->dev->prod rollout process).

3 Likes

Hi RL 1000,

A very good functionality which is available in RHEL (and in Oracle Linux also) but which we were missing in CentOS Linux is updating the system with only those packages which have released their security errata, etc.

Now, thanks to the Rocky Linux team, this feature is available in Rocky Linux.

As per our general practice, we do security updates on a monthly/quarterly basis on all production servers.

yum update-minimal --security

A complete update (yum update) we perform only on a need basis, where specifically required.

2 Likes
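
An added example, not part of any post in this thread: before choosing between a security-only and a full update, it helps to see what security errata are outstanding. The sketch below summarises them by severity, assuming the usual `dnf updateinfo list` line layout (advisory ID, `Severity/Sec.`, package); the function names are hypothetical and the sample advisory IDs and package names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Summarises security errata by severity
# from `dnf updateinfo list` output: "<advisory> <Severity>/Sec. <package>".

# Constructed sample; advisory IDs and package names are placeholders.
sample_updateinfo() {
cat <<'EOF'
Last metadata expiration check: 0:10:00 ago (constructed line).
RLSA-0000:0001 Important/Sec. pkg-a-1.0-2.el8.x86_64
RLSA-0000:0001 Important/Sec. pkg-a-libs-1.0-2.el8.x86_64
RLSA-0000:0002 Moderate/Sec.  pkg-b-2.3-1.el8.noarch
RLBA-0000:0003 bugfix         pkg-c-0.9-4.el8.x86_64
RLSA-0000:0004 Low/Sec.       pkg-d-5.1-7.el8.x86_64
EOF
}

# Count distinct advisories and affected packages per severity.
# Non-security lines (bugfix, enhancement, headers) are ignored.
summarize_security_errata() {
    awk '
        $2 ~ /\/Sec\.$/ {
            sev = $2; sub(/\/Sec\.$/, "", sev)
            if (!(($1, sev) in seen)) { seen[$1, sev] = 1; adv[sev]++ }
            pkgs[sev]++
        }
        END {
            n = split("Critical Important Moderate Low", order, " ")
            for (i = 1; i <= n; i++)
                printf "%s advisories=%d packages=%d\n", order[i], adv[order[i]], pkgs[order[i]]
        }'
}

# Exit 0 when any Critical or Important advisory is pending, 1 otherwise.
has_urgent_errata() {
    summarize_security_errata |
        awk '($1 == "Critical" || $1 == "Important") && $2 != "advisories=0" { found = 1 }
             END { exit !found }'
}

# "--live" queries the real system; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    dnf -q updateinfo list --security | summarize_security_errata
else
    sample_updateinfo | summarize_security_errata
fi
```

Run with `--live` on a Rocky 8 host to summarise the real pending errata; `has_urgent_errata` can gate a patch job so Critical or Important advisories are not left waiting for the next scheduled window.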

Hi @sweh and @linuxlover,
Thank you both for taking the time to respond and provide the really helpful answers :slight_smile:
Now I know it is important to always update, and I know how to update for security purposes only, if desired.
Your answers helped me to understand this aspect of RL much better.

I would like to choose both as a solution because both are helpful, but the system only allows me to choose one. I don’t want to choose one to imply the other is not helpful, so I will leave both unselected.

1 Like