A security update for the wget package was announced recently. However according to CVE-2014-4877,

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates.

According to the RHEL Life Cycle,

During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate.

I see. The wget security update was rated “Moderate” and Red Hat decided to not publish this for RHEL-5. Certainly, it is simple to mitigate the reported security issue. Just edit either /etc/wgetrc or ~/.wgetrc and add the following line (bugzilla 1139181):

retr-symlinks=on

However, this is not about how easy a fix can be done, but rather the fact that not all patches are released once RHEL is in production 3 phase. They are provided at Red Hat’s discretion. Users need to be aware of this policy. We tend to think that, during the 10-year supported period, the system remains free of known vulnerabilities as far as it routinely gets updated.