This page lists major security issues and the versions of CentOS (or the specific CentOS updates) that fix them.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Shellshock, also known as Bashdoor, is a family of security bugs (with six CVEs filed at the time of writing) in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The POODLE attack (Padding Oracle On Downgraded Legacy Encryption) is a man-in-the-middle exploit that takes advantage of web browsers' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, they need on average only 256 SSL 3.0 requests to reveal one byte of an encrypted message. The attack was discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz of the Google Security Team. It is not considered as serious as the Heartbleed and Shellshock vulnerabilities.
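On CentOS the practical way to confirm that an installed package carries the fix for one of these issues is to look for the CVE id in the package changelog (`rpm -q --changelog <package>`), since backported fixes do not change the upstream version number. The following is an added example, not part of this page or of CentOS itself: it parses changelog output into releases and reports which release first mentions a given CVE. The changelog text and the CVE ids in it are constructed placeholders, not real identifiers.

```python
import re
import subprocess

# CVE identifiers as they appear in RPM changelog entries.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_changelog(changelog_text):
    """Map each changelog release (newest first, as rpm prints them) to the CVE ids it mentions."""
    fixed = {}
    release = None
    for line in changelog_text.splitlines():
        if line.startswith("* "):
            # Header line, e.g. "* Mon Jan 01 2014 Name <mail> - 1.0.0-1.el6";
            # the version-release string is always the last token.
            release = line.split()[-1]
            fixed.setdefault(release, set())
        elif release is not None:
            fixed[release].update(CVE_RE.findall(line))
    return fixed


def fixed_in_release(changelog_text, cve):
    """Return the newest release whose changelog entry mentions cve, or None if no entry does."""
    for release, cves in cves_in_changelog(changelog_text).items():
        if cve in cves:
            return release
    return None


def installed_changelog(package):
    """Fetch the changelog of an installed RPM (only works on an RPM-based host such as CentOS)."""
    return subprocess.check_output(["rpm", "-q", "--changelog", package], text=True)


# Constructed sample changelog; the CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Tue Jan 02 2014 Packager <pkg@example.invalid> - 1.0.0-2.el6
- fix CVE-0000-0002 (constructed placeholder id)
- fix CVE-0000-0003

* Mon Jan 01 2014 Packager <pkg@example.invalid> - 1.0.0-1.el6
- fix CVE-0000-0001
"""

if __name__ == "__main__":
    # On a real host replace SAMPLE_CHANGELOG with installed_changelog("openssl").
    for cve in ("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0009"):
        print(cve, "->", fixed_in_release(SAMPLE_CHANGELOG, cve))
```

If the function returns None for the CVE you are checking, the installed package predates the fix and an update is needed.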