So, having upgraded an install to 6.7 I’m still left with the question of… when are we going to push the upstream updates for apache, openssl, openssh, samba…
The answer is: updates are released at same moment upstream does.
In fact, centos-updates repository always point to upstream.
The problem arises when there is a new CentOS release and we are not ready to quickly build a new version.
BUT, you can always enable the updates repo which IS the upstream repo and get all upstream updates.
We usually delay this switch only because we want to test various modules.