we need to distinguish between different types of security vulnerabilities here.
In case Core Update 150 fixed a security vulnerability which could be exploited remotely, IPFire systems were exposed to a risk of being compromised becoming greater as they stayed online without being patched. At the time of writing, I am unaware of such a vulnerability. However, I cannot guarantee there wasn’t any - not every security vulnerability gets a CVE assigned and is tracked like one.
Needless to say, we release Core Updates fixing RCEs as fast as possible. Since we are unable to test all exotic hardware or environments, we have to rely on testing feedback, thus delaying releases for usually about two weeks.
Running a testing release for security reasons would contradict the problem.
To sum it up: Please install released Core Updates as fast as possible. We will let you know if they fix vulnerabilities actively exploited in the wild.
Thanks, and best regards,