mark :: blog
Red Hat Enterprise Linux 5.8 was released today (February 2012), seven
months since the release of 5.7 in July 2011. So let's use this opportunity to
take a quick look back over the vulnerabilities and security updates made in
that time, specifically for Red Hat Enterprise Linux 5 Server.
Red Hat Enterprise Linux 5 is coming up to its fifth year since release, and is
another five years, until 2017.
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 5 Server if you had installed 5.7, up to and including the
5.8 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve quite a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly
what packages you have installed or removed.
So, for a default install, from release of 5.7 up to and including
5.8, we shipped 42 advisories to address 118 vulnerabilities. 4
rated critical, 13 were important, and the remaining
25 were moderate and low.
Or, for all packages, from release of 5.7 up to and including 5.8, we
shipped 71 advisories to address 177 vulnerabilities. 7 advisories
were rated critical, 16 were important, and the remaining 48 were
moderate and low.
The 7 critical advisories addressed 20 critical vulnerabilities across 4 different packages:
- An update to
OpenJDK 6 Java Runtime Environment,
where a web site hosting a malicious Java applet could potentially run
arbitrary code as the user.
- An update to the
MIT krb5 telnet daemon
(December 2011) where
a remote attacker who can access the telnet port of a target machine could use
this flaw to execute arbitrary code as root. Note that the krb5 telnet daemon
is not installed or enabled by default, and the default firewall rules block remote access to
the telnet port. This flaw did not affect the more commonly used telnet daemon distributed in the
- Updates to
where a remote attacker could send a specially-crafted HTTP request to cause the
PHP interpreter to crash or, possibly, execute arbitrary code. This flaw was
caused by the fix for CVE-2011-4885.
- Three updates to Firefox (August 2011, September 2011, November 2011)
where a malicious web site could potentially run arbitrary code as the user
Updates to correct 19 out of the 20 critical vulnerabilities were
available via Red Hat Network either the same day or the next
calendar day after the issues were public. The update to krb5
took 2 calendar days because it was public on Christmas day.
Overall, for Red Hat Enterprise Linux 5 since release until 5.8, 98%
of critical vulnerabilities have had an update available to address
them available from the Red Hat Network either the same day or the
next calendar day after the issue was public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were a couple of remote denial of service flaws that were easily exploitable:
In addition, updates to
were made to blacklist a compromised Certificate Authority.
Previous update releases
To compare these statistics with previous update releases we need
to take into account that the time between each update release is different.
So looking at a default installation and calculating the number of
advisories per month gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise
Linux 5 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You
can use our public
security measurement data and tools, and run your own custom metrics for any
given Red Hat product, package set, timescales, and severity range of interest.
Created: 21 Feb 2012
Tagged as: cve, fedora, metrics, red hat, security
(new comments disabled)
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.