CentOS Kernel – Why Using EOL Kernel Versions


Just noticed that CentOS 7 is using Kernel 3.10 which was maintained from August 2013 to November 2017 so it's basically EOL.

I know that CentOS doesn't update Kernel versions between minor CentOS releases which is the reason for it having this old and now unsupported Kernel.

How does this work in general? What if a vulnerability or a serious bug is found?

When the Kernel was still supported, it would have been fixed by the Kernel maintainers and then I guess CentOS could have backported it.

Now that the Kernel is EOL doesn't this leave all the Enterprises using CentOS 7 kind of screwed?

Could someone explain this?

Best Answer

CentOS backports security patches to its products throughout its maintenance lifecycle. CentOS 7 will be supported for maintenance updates through June 2024, which means they will continue security patches until then. Do not confuse upstream kernel support with the support from the distribution maintainers.

For more info, see this: https://wiki.centos.org/About/Product

EDIT: here is a (truncated) list of security patches in the most recent CentOS 7 kernel package:

$ rpm -qip --changelog kernel-3.10.0-862.11.6.el7.x86_64.rpm | grep -E '(^\*|CVE)' | grep -B1 CVE
* Fri Aug 10 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.11.6.el7]
- [kernel] cpu/hotplug: Fix 'online' sysfs entry with 'nosmt' (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
* Thu Aug 09 2018 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-862.11.5.el7]
- [kernel] cpu/hotplug: Enable 'nosmt' as late as possible (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
* Tue Aug 07 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.11.4.el7]
- [net] ipv6: fix nospec-related regression in ipv6_addr_prefix() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3693}
* Mon Aug 06 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.11.3.el7]
- [net] tcp: add tcp_ooo_try_coalesce() helper (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: call tcp_drop() from tcp_data_queue_ofo() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: detect malicious patterns in tcp_collapse_ofo_queue() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: avoid collapses in tcp_prune_queue() if possible (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: free batches of packets in tcp_prune_ofo_queue() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] net: add rb_to_skb() and other rb tree helpers (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: fix a stale ooo_last_skb after a replace (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: use an RB tree for ooo receive queue (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: refine tcp_prune_ofo_queue() to not drop all packets (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [net] tcp: increment sk_drops for dropped rx packets (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [x86] x86/syscall: Fix regression when using the last syscall (pkey_free) (Lauro Ramos Venancio) [1589033 1589035] {CVE-2018-3693}
<SNIP>

There are many, many more patches that have been introduced since CentOS 7 was originally introduced. This is just a small sample of the most recent ones.
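The practical consequence of the answer above is that the kernel version string (3.10.0) tells you nothing about whether a given CVE is fixed; the package changelog does. The following added example (not part of the original answer) parses `rpm --changelog` output in the format shown above and reports the oldest package build that references a CVE. The `sample_changelog` entries are constructed from the lines above (the third, CVE-less entry is invented for illustration); `kernel_fix_for_cve` wraps the real `rpm -q --changelog kernel-$(uname -r)` query for the running kernel.

```shell
#!/bin/sh
# Constructed sample of `rpm --changelog` output, newest entry first,
# modelled on the kernel-3.10.0-862.11.6.el7 changelog quoted above.
sample_changelog() {
  cat <<'EOF'
* Fri Aug 10 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.11.6.el7]
- [kernel] cpu/hotplug: Fix 'online' sysfs entry with 'nosmt' (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
* Mon Aug 06 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.11.3.el7]
- [net] tcp: add tcp_ooo_try_coalesce() helper (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
- [x86] x86/syscall: Fix regression when using the last syscall (pkey_free) (Lauro Ramos Venancio) [1589033 1589035] {CVE-2018-3693}
* Tue Jun 26 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.9.1.el7]
- [fs] constructed entry with no CVE reference (hypothetical)
EOF
}

# Read a changelog on stdin and print the package version (the "[...]" field
# of the "* ..." header) of the OLDEST entry that tags the given CVE. Entries
# are newest-first, so the last match wins. Returns 1 if the CVE never appears,
# i.e. this build carries no backport for it.
cve_fix_version() {
  awk -v cve="$1" '
    /^\* / { ver = $0; sub(/.*\[/, "", ver); sub(/\].*/, "", ver) }
    index($0, "{" cve "}") { found = ver }
    END { if (found == "") exit 1; print found }'
}

# List every distinct CVE the changelog on stdin claims to address.
cves_in_changelog() {
  grep -o 'CVE-[0-9][0-9]*-[0-9][0-9]*' | sort -u
}

# Query the running kernel's installed package (real rpm invocation; needs
# an RPM-based host, so it is not exercised by the sample below).
kernel_fix_for_cve() {
  rpm -q --changelog "kernel-$(uname -r)" | cve_fix_version "$1"
}

# Usage against the constructed sample:
#   sample_changelog | cve_fix_version CVE-2018-5390   -> 3.10.0-862.11.3.el7
#   sample_changelog | cves_in_changelog                -> three CVE IDs
```

On a real host, `kernel_fix_for_cve CVE-2018-5390` answers "is the backport present in the kernel I am running" without comparing upstream version numbers, which is the check the answer above describes.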
