Fixing vulnerabilities on long term support distributions can be a challenging task. Constraints such as protocol compatibility or ABI stability often get in the way of backporting security fixes. When a fix simply is incompatible with an older OS version, designing a new one taking advantage of the limited processes and data available might be required.

I will illustrate this with the case of the Bronze-Bit Kerberos vulnerability, which affected FreeIPA and couldn't be fixed the expected way on CentOS 8 Stream and RHEL 8.