Mark J Cox, mark@awe.com  
   
mark :: blog


Every year since Red Hat Enterprise Linux 4 was released we've published a risk report looking at the security state of the distribution: the key vulnerabilities, metrics on vulnerability counts, and how users could have been exploited by them. The Six Years of Red Hat Enterprise Linux 4 report (PDF), covering Feb 2005 to Feb 2011, was published today.

"Red Hat knew about 51.5% of the security vulnerabilities that we fixed in advance. The average time between Red Hat knowing about an issue and it being made public was 23 days (median 10 days).... A default installation of Red Hat Enterprise Linux 4 AS was vulnerable to 20 critical security issues over the first six years. "

The data we publish is useful for getting a feel for the risk of running Enterprise Linux, but it isn't really suitable for comparisons with other distributions or operating systems. One important difference is that it is Red Hat policy to count vulnerabilities and allocate CVE names to all issues that we fix, including ones that are found internally. This is not true for many other vendors, including folks like Microsoft and Adobe, who neither count nor disclose issues they fix which were found internally, so raw vulnerability counts across vendors are not measuring the same thing.
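As an added illustration (this is not code from the post or from the report), the script below recomputes the kind of headline numbers quoted above from a constructed list of fixed issues, and has a switch showing how a vendor that does not count internally found issues ends up with a different total. The record layout, the sample rows, the choice to count an issue as "known in advance" only when the vendor knew strictly before the public date, and averaging lead time over those issues alone are all assumptions made here for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median


@dataclass(frozen=True)
class FixedIssue:
    """One security issue fixed in the distribution (field names are assumptions)."""
    ident: str              # CVE name in real data; placeholders below
    known: date             # day the vendor first learned of the issue
    public: date            # day the issue became public
    severity: str           # "critical", "important", "moderate" or "low"
    default_install: bool   # a default installation was exposed
    found_internally: bool  # found by the vendor's own people, not reported externally


# Constructed sample rows for the example, not taken from any real advisory data.
SAMPLE = [
    FixedIssue("issue-1", date(2005, 3, 1), date(2005, 3, 11), "critical", True, False),
    FixedIssue("issue-2", date(2005, 6, 20), date(2005, 6, 20), "important", False, True),
    FixedIssue("issue-3", date(2006, 1, 5), date(2006, 2, 4), "critical", True, False),
    FixedIssue("issue-4", date(2007, 9, 30), date(2007, 9, 1), "moderate", False, False),
    FixedIssue("issue-5", date(2008, 4, 2), date(2008, 4, 5), "critical", False, True),
    FixedIssue("issue-6", date(2009, 11, 11), date(2009, 11, 11), "low", True, False),
]


def risk_metrics(issues, count_internal=True):
    """Summarise the issues the way the report's headline numbers are phrased.

    Assumptions: 'known in advance' means the vendor knew strictly before the
    public date, so same-day notification (issue-2, issue-6) and issues that
    were public before the vendor heard of them (issue-4) do not count, and
    lead time is averaged over the known-in-advance issues only.  With
    count_internal=False, internally found issues are dropped first, which is
    what a vendor that neither counts nor discloses them would report.
    """
    pool = [i for i in issues if count_internal or not i.found_internally]
    advance = [i for i in pool if i.known < i.public]
    lead_days = [(i.public - i.known).days for i in advance]
    critical_default = [i for i in pool
                        if i.severity == "critical" and i.default_install]
    return {
        "total": len(pool),
        "known_in_advance_fraction": len(advance) / len(pool) if pool else 0.0,
        "mean_lead_days": mean(lead_days) if lead_days else 0.0,
        "median_lead_days": median(lead_days) if lead_days else 0.0,
        "critical_default_install": len(critical_default),
        "critical_default_install_ids": [i.ident for i in critical_default],
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"count_internal={flag}: {risk_metrics(SAMPLE, count_internal=flag)}")
```

Run on the sample, the two passes give the same "known in advance" fraction but different totals and lead-time averages, which is the point of the caveat above: the policy on internally found issues changes the numbers before any comparison is made.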

Created: 17 Aug 2011

3 comments (new comments disabled)

Title: Re: Six years of Red Hat Enterprise Linux 4
Posted by: PaX Team
Time: Wed, 17 Aug 2011 18:49

> One important difference is that it is Red Hat policy to count vulnerabilities and allocate CVE names to all issues that we fix, including ones that are found internally.

What's that mean? Do you guys evaluate every change you make or receive to any code for security impact? Last I heard on lkml, that's not what happens for the kernel at least ;). The same source also confirmed that it is kernel policy explicitly not to do what you claim above. How do you reconcile this apparent contradiction? Or did you since fire Ingo? ;)

Title: Re: Six years of Red Hat Enterprise Linux 4
Posted by: Mark Cox
Time: Wed, 17 Aug 2011 19:09

If some upstream project decides to silently fix a security issue we may not know that we're fixing a security issue when we update. So I should clarify that as "that we knowingly fix": it's our policy to assign a CVE if we fix a security issue we found internally.

Title: Re: Six years of Red Hat Enterprise Linux 4
Posted by: PaX Team
Time: Wed, 17 Aug 2011 21:09

And what happens when said upstream is employed (at least partially) by Red Hat and also sits on the kernel security list, etc.? Unresolved conflict of interest? How does Red Hat reconcile the policy you stated with what Ingo said in the not so distant past?

       


Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.


popular tags: [all], apache, apacheweek, cve, cvss, fedora, ha, metrics, microsoft, redhat, security, trips

