mark :: blog
Red Hat Enterprise Linux 5.7 was released last week (July 2011), six months
since the release of 5.6 in January 2011. So let's use this opportunity to take
a quick look back over the vulnerabilities and security updates made in that
time, specifically for Red Hat Enterprise Linux 5 Server.
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 5 Server if you had installed 5.6, up to and including the
5.7 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve quite a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly
what packages you have installed or removed.
So, for a default install, from release of 5.6 up to and including
5.7, we shipped 27 advisories to address 109 vulnerabilities. 3
advisories were rated critical, 12 were important, and the remaining
12 were moderate and low.
Or, for all packages, from release of 5.6 to and including 5.7, we
shipped 58 advisories to address 172 vulnerabilities. 4 advisories
were rated critical, 20 were important, and the remaining 34 were
moderate and low.
The 4 critical advisories addressed 34 critical vulnerabilities across just 2 different packages:
- An update to OpenJDK 6 Java Runtime Environment,
where a web site hosting a malicious Java applet could potentially run
arbitrary code as the user.
- Three updates to Firefox (March 2011, April 2011, June 2011)
where a malicious web site could potentially run arbitrary code as the user
Updates to correct all of the 34 critical vulnerabilities were
available via Red Hat Network either the same day or the next
calendar day after the issues were public.
Overall, for Red Hat Enterprise Linux 5 since release until 5.7, 97%
of critical vulnerabilities have had an update available to address
them available from the Red Hat Network either the same day or the
next calendar day after the issue was public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were a couple of flaws that were easily exploitable:
- A flaw in dhcp,
RHSA-2011:0428, where a malicious DHCP
server could send a response that could lead to arbitrary code execution on connecting clients.
- A flaw in glibc,
where a local user could gain root privileges.
In addition, updates to Firefox
and NSS were
made to blacklist a number of
Previous update releases
To compare these statistics with previous update releases we need
to take into account that the time between each update release is different.
So looking at a default installation and calculating the number of
advisories per month gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise
Linux 5 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You
can use our public
security measurement data and tools, and run your own custom metrics for any
given Red Hat product, package set, timescales, and severity range of interest.
5.5 to 5.6,
5.4 to 5.5,
5.3 to 5.4,
5.2 to 5.3,
5.1 to 5.2, and
5.0 to 5.1
Created: 27 Jul 2011
Tagged as: cve, fedora, metrics, red hat, security
(new comments disabled)
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.
pics from my twitter:
red hat summit,