5.1. About Patching Mechanisms
Deciding whether a patch is released as part of a planned update or an out-of-cycle one-off depends on the severity of the flaw being fixed. Flaws of low impact are typically deferred, to be resolved in the next minor release of the affected products. Flaws of moderate or higher impact are typically addressed in order of importance as an update to the product with an asynchronous release and contain only a resolution to the flaw at hand.
The severity of a security flaw is based on the assessment of the bug by the Security Response Team at Red Hat, combined with several consistent factors: