Errata count

The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.1, up to and including the 6.2 release, broken down by severity. It's split into two columns, one for the packages you'd get if you did a default install, and the other if you installed every single package (which is unlikely as it would involve a bit of manual effort to select every one). For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what you have installed or removed.

So, for a default install, from release of 6.1 up to and including 6.2, we shipped 36 advisories to address 121 vulnerabilities. 2 advisories were rated critical, 10 were important, and the remaining 24 were moderate and low.

Or, for all packages, from release of 6.1 up to and including 6.2, we shipped 88 advisories to address 218 vulnerabilities. 10 advisories were rated critical, 16 were important, and the remaining 62 were moderate and low.

Critical vulnerabilities

The 10 critical advisories addressed 31 critical vulnerabilities across 3 components:

1. Two updates to the OpenJDK 6 Java Runtime (June 2011, October 2011) where a malicious web site presenting a Java applet could potentially run arbitrary code as the user running a web browser.
2. Four updates to Firefox (June 2011, August 2011, September 2011, November 2011) where a malicious web site could potentially run arbitrary code as the user running Firefox.
3. Four updates to Thunderbird (June 2011, August 2011, September 2011 November 2011) where a malicious email message could potentially run arbitrary code as the user running Thunderbird.

Updates to correct all of the 31 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public.

Other significant vulnerabilities

Although not in the definition of critical severity, also of interest during this period were a few flaws that were high risk or easily exploitable:

• A flaw in Bind, CVE-2011-4313 fixed by RHSA-2011:1458 where a malicious client could cause Bind to stop responding, a denial of service attack. This flaw was discovered by it being accidentally triggered in the wild.

• A flaw in the Apache HTTP Server, CVE-2011-3192, fixed by RHSA-2011:1245, where a remote attacker could cause a denial of service attack. This was discovered due to a public exploit.

• A flaw in RPM, CVE-2011-3378 fixed by RHSA-2011:1349 where a specially-crafted RPM package that, when queried or installed, would cause rpm to crash or, potentially, execute arbitrary code prior to any signature checking. We're not aware of any working exploits for this issue.

• Updates to blacklist the DigiNotar Certificate Authority.

Previous update releases

To compare these statistics with previous update releases we need to take into account that the time between each update release is different. So looking at a default installation and calculating the number of advisories per month gives the following chart:

This data is interesting to get a feel for the risk of running Enterprise Linux 6 Server, but isn't really useful for comparisons with other major versions, distributions, or operating systems -- for example, a default install of either Red Hat Enterprise Linux 4AS and 6 Server does not include Firefox, but a default install of 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.

We've now created a page to give acknowledgements to the companies and individuals that report issues in our online services, such as finding a cross-site scripting flaw in a Red Hat web site, or a vulnerability in OpenShift.

So let's take a look at the most common times and days we push advisories for Red Hat Enterprise Linux 4, 5, and 6 (including Supplementary) using a heatmap:

The more advisories pushed for a given date and hour, the darker that section of the graph is. So the most popular times for pushing advisories are Tuesdays at 10am and 2pm Eastern US time, Fridays are pretty light for pushes, and there was nothing during the weekends. The spread of the graph shows that we push advisories when they are ready, rather than waiting to a fixed day and time, in order to reduce the risk to users.

All the data used to create this graph is available as part of our public metrics. Thanks to Sami Kerola for the R code from which I based my graph generation.

"Red Hat knew about 51.5% of the security vulnerabilities that we fixed in advance. The average time between Red Hat knowing about an issue and it being made public was 23 days (median 10 days).... A default installation of Red Hat Enterprise Linux 4 AS was vulnerable to 20 critical security issues over the first six years. "

The data we publish is interesting to get a feel for the risk of running Enterprise Linux, but isn't really useful for comparisons with other distributions, or operating systems. One important difference is that it is Red Hat policy to count vulnerabilities and allocate CVE names to all issues that we fix, including ones that are found internally. This is not true for many other vendors including folks like Microsoft and Adobe who do not count or disclose issues they fix which were found internally.

The table below lists all vulnerabilities which have a CVSS score of 7 or more ('high'), that we fixed in any product during calendar year 2010.

Most common CWE were:

• Buffer Copy without Checking Size of Input (CWE-120): 8 vulnerabilities.
• Race Condition (CWE-362): 5 vulnerabilities.

CVE	CWE	2011 top 25?	CVSS base score	Fixed in
CVE-2007-4567	CWE-476	no	7.8	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-0778	CWE-770	no	7.1	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-1385	CWE-191	no	7.1	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-3080	CWE-129	no	7.2	Red Hat Enterprise Linux 3, 4, 5, MRG (kernel)
CVE-2009-3245	CWE-252	no	7.6	Red Hat Enterprise Linux 3, 4, 5 (openssl)
CVE-2009-3726	CWE-476	no	7.2	Red Hat Enterprise Linux 4, 5, MRG (kernel)
CVE-2009-4005	CWE-127	no	7.1	Red Hat Enterprise Linux 4 (kernel)
CVE-2009-4027	CWE-362	no	7.8	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-4141	CWE-416	no	7.2	Red Hat Enterprise Linux 5, MRG (kernel)
CVE-2009-4212	CWE-191	no	10.0	Red Hat Enterprise Linux 3, 4, 5 (krb5)
CVE-2009-4272	CWE-764	no	7.8	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-4273	CWE-78	yes	7.9	Red Hat Enterprise Linux 5 (systemtap)
CVE-2009-4537	CWE-120	yes	7.1	Red Hat Enterprise Linux 4, 5, MRG (kernel)
CVE-2009-4895	CWE-362	no	7.2	Red Hat Enterprise MRG (kernel)
CVE-2010-0008	CWE-606	no	7.8	Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-0291	CWE-822	no	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2010-0738	CWE-424	no	7.5	JBoss Enterprise Application Platform 4.2, 4.3
CVE-2010-0741	CWE-20	no	7.1	Red Hat Enterprise Linux 5 (kvm)
CVE-2010-1084	CWE-120	yes	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2010-1086	CWE-20	no	7.8	Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-1087	CWE-362	no	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2010-1166	CWE-823	no	7.6	Red Hat Enterprise Linux 5 (xorg-x11-server)
CVE-2010-1173	CWE-120 *	yes	7.1	Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-1188	CWE-416	no	7.8	Red Hat Enterprise Linux 3, 4, 5 (kernel)
CVE-2010-1436	CWE-120	yes	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2010-1437	CWE-362	no	7.2	Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-2063	CWE-823	no	7.5	Red Hat Enterprise Linux 3, 4, 5 (samba)
CVE-2010-2235	CWE-77	no	7.1	Red Hat Network Satellite Server 5.3 (cobbler)
CVE-2010-2240	CWE-788	no	7.2	Red Hat Enterprise Linux 3, 4, 5, MRG (kernel)
CVE-2010-2248	CWE-682	no	7.1	Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-2492	CWE-805	no	7.2	Red Hat Enterprise Linux 5, 6 (kernel)
CVE-2010-2521	CWE-805	no	8.3	Red Hat Enterprise Linux 4, 5, MRG (kernel)
CVE-2010-2798	CWE-476	no	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2010-2962	CWE-823	no	7.2	Red Hat Enterprise Linux 6, MRG (kernel)
CVE-2010-3069	CWE-129	no	8.3	Red Hat Enterprise Linux 3, 4, 5, 6 (samba)
CVE-2010-3081	CWE-131	yes	7.2	Red Hat Enterprise Linux 3, 4, 5, 6, MRG (kernel)
CVE-2010-3084	CWE-120	yes	7.2	Red Hat Enterprise Linux 6 (kernel)
CVE-2010-3301	CWE-129	no	7.2	Red Hat Enterprise Linux 6 (kernel)
CVE-2010-3302	CWE-120	yes	7.1	Red Hat Enterprise Linux 6 (openswan)
CVE-2010-3308	CWE-120	yes	7.1	Red Hat Enterprise Linux 6 (openswan)
CVE-2010-3432	CWE-805 *	no	7.8	Red Hat Enterprise Linux 4, 5, 6, MRG (kernel)
CVE-2010-3705	CWE-788	no	8.3	Red Hat Enterprise Linux 6, MRG (kernel)
CVE-2010-3708	CWE-77	no	7.5	JBoss Enterprise Application Platform 4.3, SOA Platform 4.2
CVE-2010-3752	CWE-78	yes	7.1	Red Hat Enterprise Linux 6 (openswan)
CVE-2010-3753	CWE-78	yes	7.1	Red Hat Enterprise Linux 6 (openswan)
CVE-2010-3847	CWE-426	no	7.2	Red Hat Enterprise Linux 5, 6 (glibc)
CVE-2010-3856	CWE-426	no	7.2	Red Hat Enterprise Linux 5, 6 (glibc)
CVE-2010-3864	CWE-362	no	7.6	Red Hat Enterprise Linux 6 (openssl)
CVE-2010-3904	CWE-822	no	7.2	Red Hat Enterprise Linux 5, 6 (kernel)
CVE-2010-4170	CWE-88	no	7.2	Red Hat Enterprise Linux 4, 5, 6 (systemtap)
CVE-2010-4179	CWE-862	yes	7.5	Red Hat Enterprise MRG (cumin)
CVE-2010-4344	CWE-120	yes	7.5	Red Hat Enterprise Linux 4, 5 (exim)

* - in both these cases the outcome is not a buffer overflow as the possible overflow is detected and instead converted into an abort (DoS)

See also our 2010 analysis

Errata count

The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 5 Server if you had installed 5.6, up to and including the 5.7 release, broken down by severity. It's split into two columns, one for the packages you'd get if you did a default install, and the other if you installed every single package (which is unlikely as it would involve quite a bit of manual effort to select every one). For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what packages you have installed or removed.

So, for a default install, from release of 5.6 up to and including 5.7, we shipped 27 advisories to address 109 vulnerabilities. 3 advisories were rated critical, 12 were important, and the remaining 12 were moderate and low.

Or, for all packages, from release of 5.6 to and including 5.7, we shipped 58 advisories to address 172 vulnerabilities. 4 advisories were rated critical, 20 were important, and the remaining 34 were moderate and low.

Critical vulnerabilities

The 4 critical advisories addressed 34 critical vulnerabilities across just 2 different packages:

1. An update to OpenJDK 6 Java Runtime Environment, (June 2011) where a web site hosting a malicious Java applet could potentially run arbitrary code as the user.
2. Three updates to Firefox (March 2011, April 2011, June 2011) where a malicious web site could potentially run arbitrary code as the user running Firefox.

Updates to correct all of the 34 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public.

Overall, for Red Hat Enterprise Linux 5 since release until 5.7, 97% of critical vulnerabilities have had an update available to address them available from the Red Hat Network either the same day or the next calendar day after the issue was public.

Other significant vulnerabilities

Although not in the definition of critical severity, also of interest during this period were a couple of flaws that were easily exploitable:

• A flaw in dhcp, CVE-2011-0997, fixed by RHSA-2011:0428, where a malicious DHCP server could send a response that could lead to arbitrary code execution on connecting clients.
• A flaw in glibc, CVE-2011-0536, fixed by RHSA-2011:0412, where a local user could gain root privileges.

In addition, updates to Firefox and NSS were made to blacklist a number of compromised SSL certificates.

Previous update releases

To compare these statistics with previous update releases we need to take into account that the time between each update release is different. So looking at a default installation and calculating the number of advisories per month gives the following chart:

This data is interesting to get a feel for the risk of running Enterprise Linux 5 Server, but isn't really useful for comparisons with other major versions, distributions, or operating systems -- for example, a default install of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.

See also: 5.5 to 5.6, 5.4 to 5.5, 5.3 to 5.4, 5.2 to 5.3, 5.1 to 5.2, and 5.0 to 5.1 risk reports.

Errata count

The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.0, up to and including the 6.1 release, broken down by severity. It's split into two columns, one for the packages you'd get if you did a default install, and the other if you installed every single package (which is unlikely as it would involve a bit of manual effort to select every one). For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what you have installed or removed.

So, for a default install, from release of 6.0 up to and including 6.1, we shipped 54 advisories to address 195 vulnerabilities. 2 advisories were rated critical, 29 were important, and the remaining 23 were moderate and low.

Or, for all packages, from release of 6.0 up to and including 6.1, we shipped 102 advisories to address 345 vulnerabilities. 8 advisories were rated critical, 39 were important, and the remaining 55 were moderate and low.

These figures include 10 advisories we released on the day we shipped 6.0. This was because we froze package updates some months before releasing the product. Two of those updates were rated critical, an update to Firefox, and to Samba.

Critical vulnerabilities

The 8 critical advisories addressed 37 critical vulnerabilities across 4 components:

1. An update to Samba (October 2010) where a malicious client could potentially run arbitrary code as the Samba server. Samba is a default install package but the server is not enabled by default.
2. Four updates to Firefox (October 2010, December 2010, March 2011, April 2011) where a malicious web site could potentially run arbitrary code as the user running Firefox.
3. Two updates to Thunderbird (March 2011, April 2011) where a malicious email message could potentially run arbitrary code as the user running Thunderbird.
4. An update to Pango (March 2011) where an application using Pango to parse untrusted font data (such as Firefox) could potentially run arbitrary code as the privileges of the user. Pango is a default install package.

Updates to correct all of the 37 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public.

This data is interesting to get a feel for the risk of running Enterprise Linux 6 Server, but isn't really useful for comparisons with other major versions, distributions, or operating systems -- for example, a default install of Red Hat Enterprise Linux 4AS and 6 Server did not include Firefox, but 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.

Errata count

The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 5 Server if you had installed 5.5, up to and including the 5.6 release, broken down by severity. It's split into two columns, one for the packages you'd get if you did a default install, and the other if you installed every single package (which is unlikely as it would involve a bit of manual effort to select every one). For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what you have installed or removed.

So, for a default install, from release of 5.5 up to and including 5.6, we shipped 57 advisories to address 206 vulnerabilities. 10 advisories were rated critical, 27 were important, and the remaining 20 were moderate and low.

Or, for all packages, from release of 5.5 to and including 5.6, we shipped 80 advisories to address 300 vulnerabilities. 12 advisories were rated critical, 34 were important, and the remaining 34 were moderate and low.

Critical vulnerabilities

The 12 critical advisories addressed 49 critical vulnerabilities across just 3 different packages:

1. An update to the Exim Internet Mailer, (December 2010), where an unauthenticated remote attacker could run arbitrary code as root on a server. Exim is not a default package or enabled by default. There is a public exploit for this issue which worked on Red Hat Enterprise Linux 5.
2. Two updates over three advisories to Samba, (June 2010 for Samba 3.0 and Samba 3.3, September 2010 for Samba 3.0 and Samba 3.3), where a malicious client could send a specially-crafted SMB packet to the Samba server, potentially resulting in arbitrary code execution with the privileges of the Samba server. I'm not aware of any working public exploits for these issues.
3. Eight updates to Firefox (March 2010, June 2010, 20 July 2010, 23 July 2010, September 2010, 19 October 2010, 27 October 2010, December 2010) where a malicious web site could potentially run arbitrary code as the user running Firefox.

Updates to correct 48 out of the 49 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public. The update to fix Exim took 3 calendar days from the date of the report to the Exim developers.

Overall, for Red Hat Enterprise Linux 5 since release until 5.6, 97% of critical vulnerabilities have had an update available to address them available from the Red Hat Network either the same day or the next calendar day after the issue was public.

Other significant vulnerabilities

• A fix for CVE-2010-2240 was provided by RHSA-2010-0661 (August 2010). The public exploit did not work against Red Hat Enterprise Linux 5, but it may be possible to create one that does.
• A fix for CVE-2010-3081 was provided by RHSA-2010-0704 (September 2010). The public exploit worked against Red Hat Enterprise Linux 5
• A fix for CVE-2010-3904 was provided by RHSA-2010-0792 (October 2010). The public exploit did not work against Red Hat Enterprise Linux 5 but it is possible to create one that does.

Previous updates

To compare these statistics with previous update releases we need to take into account that the time between each update is different. So looking at a default installation and calculating the number of advisories per month gives the following chart:

This data is interesting to get a feel for the risk of running Enterprise Linux 5 Server, but isn't really useful for comparisons with other major versions, distributions, or operating systems -- for example, a default install of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.

See also: 5.4 to 5.5, 5.3 to 5.4, 5.2 to 5.3, 5.1 to 5.2, and 5.0 to 5.1 risk reports.

Hold on a second. It might be important. I'd better go and read it. Oh it's just a note confirming some meeting for next week. Deleted. Now, what was I working on?

A few years ago, when I was analysing where my time was going, (and why I was working 60+ hour weeks), I figured out that the context switching caused by being unable to concentrate on a task for more than a few minutes was a major productivity drain.

It's hard to resist a new email. My new cellphone takes great delight in having 'push' email and would really like to beep on each new message I receive. The web is full of gmail notifier applications designed specifically to interrupt you to some important new mail. Even my favourite command-line email client, Alpine, likes to ping you about new mail arriving in your inbox even if you're busy in some other mailbox or composing a mail.

Alpine ought to have some sort of "don't notify me" option, but in the meantime I apply the brute-force patch below to disable it.

This 5-minute patch has saved me several hours of task switching every week, and although this means it can sometimes be an hour or two between me checking my inbox, no one has really noticed.

--- alpine-2.00/pith/newmail.c.orig	2010-07-19 16:47:01.127480500 +0100
+++ alpine-2.00/pith/newmail.c	2010-07-19 16:47:35.657602347 +0100
@@ -680,7 +680,7 @@
     }
 
     format_new_mail_msg(folder, number, e, intro, from, subject, subjtext, sizeof(subject));
-
+#if 0
     if(!for_new_mail_win)
       q_status_message5(SM_ASYNC | SM_DING, 0, 60,
 		      "%s%s%s%.80s%.80s", intro,
@@ -706,6 +706,7 @@
 #endif
     }
 #endif
+#endif
 
     if(pith_opt_icon_text){
 	if(F_ON(F_ENABLE_XTERM_NEWMAIL, ps_global)

Between releases there are lots of changes made to improve security and we've not listed everything; just a high-level overview of the things we think are most interesting that help mitigate security risk. We could go into much more detail, breaking out the number of daemons covered by the SELinux default policy, the number of binaries compiled PIE, and so on.

Note that this table is for the most common architectures, x86 and x86_64 only; other supported architectures may vary.

Features	Red Hat Enterprise Linux
	3	4	5	6
	2003 Oct	2005 Feb	2007 Mar	2010 Nov
Firewall by default	Y	Y	Y	Y
Signed updates required by default	Y	Y	Y	Y
NX emulation using segment limits by default	Y(since 9/2004)	Y	Y	Y
Support for Position Independent Executables (PIE)	Y(since 9/2004)	Y	Y	Y
Address Randomization (ASLR) for Stack/mmap by default	Y (since 9/2004)	Y	Y	Y
ASLR for vDSO (if vDSO enabled)	no vDSO	Y	Y	Y
Support for NULL pointer dereference protection	Y(since 11/2009)	Y(since 9/2009)	Y(since 5/2008)	Y
NX for supported processors/kernels by default	Y(since 9/2004)	Y	Y	Y
Support for block module loading via cap-bound sysctl tunable or /proc/sys/kernel/cap-bound	Y	Y	Y	no cap-bound
Restricted access to kernel memory by default		Y	Y	Y
Support for SELinux		Y	Y	Y
SELinux enabled with targeted policy by default		Y	Y	Y
glibc heap/memory checks by default		Y	Y	Y
Support for FORTIFY_SOURCE, used on selected packages		Y	Y	Y
Support for ELF Data Hardening		Y	Y	Y
All packages compiled using FORTIFY_SOURCE			Y	Y
All packages compiled with stack smashing protection			Y	Y
SELinux Executable Memory Protection			Y	Y
glibc pointer encryption by default			Y	Y
Enabled NULL pointer dereference protection by default			Y(since 5/2008)	Y
Enabled write-protection for kernel read-only data structures by default			Y	Y
FORTIFY_SOURCE extensions including C++ coverage				Y
Support for block module loading via modules_disabled sysctl tunable or /proc/sys/kernel/modules_disabled				Y
Support for SELinux to restrict the loading of kernel modules by unprivileged processes in confined domains				Y
Enabled kernel -fstack-protector buffer overflow detection by default				Y
Support for sVirt labelling to provide security over guest instances				Y
Support for SELinux to confine users' access on a system				Y
Support for SELinux to test untrusted content via a sandbox				Y
Support for SELinux X Access Control Extension (XACE)				Y

Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.

pics from my twitter:

popular tags: [all], apache, apachecon, apacheweek, cve, cvss, fedora, financial, geocaching, ha, metrics, microsoft, nashville, north carolina, red hat summit, redhat, security, trips