mark :: blog
Red Hat Enterprise Linux 5.6 was released last week (January 2011), nearly ten
months since the release of 5.5 in March 2010. So let's use this opportunity to
take a quick look back over the vulnerabilities and security updates made in
that time, specifically for Red Hat Enterprise Linux 5 Server.
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 5 Server if you had installed 5.5, up to and including the
5.6 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly what you
have installed or removed.
So, for a default install, from release of 5.5 up to and including
5.6, we shipped 57 advisories to address 206 vulnerabilities. 10
advisories were rated critical, 27 were important, and the remaining
20 were moderate and low.
Or, for all packages, from release of 5.5 to and including 5.6, we
shipped 80 advisories to address 300 vulnerabilities. 12 advisories
were rated critical, 34 were important, and the remaining 34 were
moderate and low.
The 12 critical advisories addressed 49 critical vulnerabilities across just 3 different packages:
- An update to the Exim Internet Mailer,
where an unauthenticated remote attacker could run arbitrary code as root on a
Exim is not a default package or enabled by default. There is a
public exploit for this issue which worked on Red Hat Enterprise Linux 5.
- Two updates over three advisories to Samba,
(June 2010 for
Samba 3.0 and Samba 3.3,
September 2010 for
Samba 3.0 and
where a malicious client could send a specially-crafted SMB packet to the Samba
server, potentially resulting in arbitrary code execution with the privileges of the Samba
server. I'm not aware of any working public exploits for these issues.
- Eight updates to Firefox (March 2010, June 2010, 20 July 2010, 23 July 2010, September 2010, 19 October 2010, 27 October 2010, December 2010)
where a malicious web site could potentially run arbitrary code as the user
Updates to correct 48 out of the 49 critical vulnerabilities were
available via Red Hat Network either the same day or the next
calendar day after the issues were public. The update to fix Exim took
3 calendar days from
the date of the report
to the Exim developers.
Overall, for Red Hat Enterprise Linux 5 since release until 5.6, 97%
of critical vulnerabilities have had an update available to address
them available from the Red Hat Network either the same day or the
next calendar day after the issue was public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were several kernel flaws that where an local user could gain
root privileges. The following had publicly available exploits:
- A fix
(August 2010). The public exploit did not work against Red Hat Enterprise
Linux 5, but it may be possible to create one that does.
- A fix
(September 2010). The public exploit worked against Red Hat Enterprise
- A fix
(October 2010). The public exploit did not work against Red Hat Enterprise
Linux 5 but it is possible to create one that does.
To compare these statistics with previous update releases we need
to take into account that the time between each update is different.
So looking at a default installation and calculating the number of
advisories per month gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise
Linux 5 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You
can use our public
security measurement data and tools, and run your own custom metrics for any
given Red Hat product, package set, timescales, and severity range of interest.
5.4 to 5.5,
5.3 to 5.4,
5.2 to 5.3,
5.1 to 5.2, and
5.0 to 5.1
Created: 17 Jan 2011
Tagged as: cve, fedora, metrics, red hat, security
(new comments disabled)
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.