mark :: blog
Red Hat Enterprise Linux 6.2 was released this week (Dec 2011), just
over six months since the release of 6.1 in May 2011. So let's
use this opportunity to take a quick look back over the
vulnerabilities and security updates made in that time, specifically
for Red Hat Enterprise Linux 6 Server.
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 6 Server if you had installed 6.1, up to and including the
6.2 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly what you
have installed or removed.
So, for a default install, from release of 6.1 up to and including 6.2, we
shipped 36 advisories to address 121 vulnerabilities. 2 advisories were rated
critical, 10 were important, and the remaining 24 were moderate and low.
Or, for all packages, from release of 6.1 up to and including 6.2, we shipped
88 advisories to address 218 vulnerabilities. 10 advisories were rated critical,
16 were important, and the remaining 62 were moderate and low.
The 10 critical advisories addressed 31 critical vulnerabilities across 3 components:
- Two updates to the OpenJDK 6 Java Runtime
where a malicious web site presenting a Java applet could potentially run arbitrary code as the user
running a web browser.
- Four updates to Firefox (June
2011, August 2011,
where a malicious web site could potentially run arbitrary code as the user
- Four updates to Thunderbird (June
where a malicious email message could potentially run arbitrary code as the user
Updates to correct all of the 31 critical vulnerabilities were
available via Red Hat Network either the same day or the next calendar
day after the issues were public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were a few flaws that were high risk or easily exploitable:
A flaw in Bind, CVE-2011-4313
fixed by RHSA-2011:1458
where a malicious client could cause Bind to stop responding, a denial
of service attack. This flaw was discovered by it being accidentally
triggered in the wild.
A flaw in the Apache HTTP Server, CVE-2011-3192,
fixed by RHSA-2011:1245, where a remote attacker could
cause a denial of service attack. This was discovered due to a public exploit.
A flaw in RPM, CVE-2011-3378
fixed by RHSA-2011:1349
where a specially-crafted RPM package that, when queried or installed,
would cause rpm to crash or, potentially, execute arbitrary code prior to any
signature checking. We're not aware of any working exploits for this issue.
Updates to blacklist the DigiNotar Certificate Authority.
Previous update releases
To compare these statistics with previous update releases we need to take into
account that the time between each update release is different. So looking at
a default installation and calculating the number of advisories per month
gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise
Linux 6 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of either Red Hat Enterprise Linux 4AS and 6 Server does not include Firefox, but a
default install of 5 Server does. You can use
our public security
measurement data and tools, and run your own custom metrics for any given
Red Hat product, package set, timescales, and severity range of interest.
Created: 08 Dec 2011
Tagged as: metrics, red hat, rhel6, security
(new comments disabled)
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.