| |
mark :: blog :: red hat
Red Hat Enterprise Linux 6.2 was released this week (Dec 2011), just
over six months since the release of 6.1 in May 2011. So let's
use this opportunity to take a quick look back over the
vulnerabilities and security updates made in that time, specifically
for Red Hat Enterprise Linux 6 Server.
Errata count
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 6 Server if you had installed 6.1, up to and including the
6.2 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly what you
have installed or removed.
So, for a default install, from release of 6.1 up to and including 6.2, we
shipped 36 advisories to address 121 vulnerabilities. 2 advisories were rated
critical, 10 were important, and the remaining 24 were moderate and low.
Or, for all packages, from release of 6.1 up to and including 6.2, we shipped
88 advisories to address 218 vulnerabilities. 10 advisories were rated critical,
16 were important, and the remaining 62 were moderate and low.
Critical vulnerabilities
The 10 critical advisories addressed 31 critical vulnerabilities across 3 components:
- Two updates to the OpenJDK 6 Java Runtime
(June 2011,
October 2011)
where a malicious web site presenting a Java applet could potentially run arbitrary code as the user
running a web browser.
- Four updates to Firefox (June
2011, August 2011,
September 2011,
November 2011)
where a malicious web site could potentially run arbitrary code as the user
running Firefox.
- Four updates to Thunderbird (June
2011,
August 2011,
September 2011
November 2011)
where a malicious email message could potentially run arbitrary code as the user
running Thunderbird.
Updates to correct all of the 31 critical vulnerabilities were
available via Red Hat Network either the same day or the next calendar
day after the issues were public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were a few flaws that were high risk or easily exploitable:
A flaw in Bind, CVE-2011-4313
fixed by RHSA-2011:1458
where a malicious client could cause Bind to stop responding, a denial
of service attack. This flaw was discovered by it being accidentally
triggered in the wild.
A flaw in the Apache HTTP Server, CVE-2011-3192,
fixed by RHSA-2011:1245, where a remote attacker could
cause a denial of service attack. This was discovered due to a public exploit.
A flaw in RPM, CVE-2011-3378
fixed by RHSA-2011:1349
where a specially-crafted RPM package that, when queried or installed,
would cause rpm to crash or, potentially, execute arbitrary code prior to any
signature checking. We're not aware of any working exploits for this issue.
Updates to blacklist the DigiNotar Certificate Authority.
Previous update releases
To compare these statistics with previous update releases we need to take into
account that the time between each update release is different. So looking at
a default installation and calculating the number of advisories per month
gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise
Linux 6 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of either Red Hat Enterprise Linux 4AS and 6 Server does not include Firefox, but a
default install of 5 Server does. You can use
our public security
measurement data and tools, and run your own custom metrics for any given
Red Hat product, package set, timescales, and severity range of interest.
When we get notified of a security issue affecting a Red Hat product
in advance we give an acknowledgement in the security advisory and in our
CVE database.
We've now created a
page to give acknowledgements to the companies and individuals that
report issues in our online services, such as finding a cross-site scripting
flaw in a Red Hat web site, or a vulnerability in OpenShift.
We pushed an
update to Flash Player for Red Hat Enterprise Linux Supplementary today, on
a Friday, because it fixed Critical vulnerabilities. But we try not to push
updates on a Friday unless they are critical and already public.
So let's take a look at the most common times and days we push
advisories for Red Hat Enterprise Linux 4, 5, and 6 (including
Supplementary) using a heatmap:
The more advisories pushed for a given date and hour, the darker
that section of the graph is. So the most popular times
for pushing advisories are Tuesdays at 10am and 2pm Eastern US time,
Fridays are pretty light for pushes, and there was nothing
during the weekends. The spread of the graph shows that we push advisories when
they are ready, rather than waiting to a fixed day and time, in order to reduce
the risk to users.
All the data used to create this graph is available as part of
our public metrics.
Thanks to Sami Kerola for
the R code from which I based my
graph generation.
Every year since Red Hat Enterprise Linux 4 was released we've
published a risk report where we look at the state of security
of the distribution. We investigate the key vulnerabilities,
metrics on vulnerability counts, and how users could have been
exploited by them. The
Six
Years
of Red Hat Enterprise Linux 4 report (PDF) covering Feb 2005-2011
was published today.
"Red Hat knew about 51.5% of the security vulnerabilities
that we fixed in advance. The
average time between Red Hat knowing about an issue and it being made
public was 23 days (median 10 days).... A default installation of Red
Hat Enterprise Linux 4 AS was vulnerable to 20 critical security
issues over the first six years. "
The data we publish is interesting to get a feel for the risk of running
Enterprise Linux, but isn't really useful for comparisons with other
distributions, or operating systems. One important difference is that it is Red
Hat policy to count vulnerabilities and allocate CVE names to all issues that
we fix, including ones that are found internally. This is not true for many
other vendors including folks like
Microsoft
and
Adobe
who do not count or disclose issues they fix which were found internally.
A few weeks ago the 2011 update to
the CWE/SANS Top 25 Most Dangerous
Software Errors was published. As part of our contribution to this
update we analysed the most severe vulnerabilities that affected Red Hat
since the last update and mapped each one to the appropriate Common
Weakness Enumeration (CWE) type.
The table below lists all vulnerabilities which have a CVSS score of 7
or more ('high'), that we fixed in any product during calendar year 2010.
Most common CWE were: - Buffer Copy without Checking
Size of Input
(CWE-120): 8 vulnerabilities.
-
Race Condition
(CWE-362): 5 vulnerabilities.
| CVE | CWE | 2011 top 25? | CVSS base score | Fixed in |
|
CVE-2007-4567
| CWE-476 | no
| 7.8
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2009-0778
| CWE-770 | no
| 7.1
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2009-1385
| CWE-191 | no
| 7.1
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2009-3080
| CWE-129 | no
| 7.2
| Red Hat Enterprise Linux 3, 4, 5, MRG (kernel)
|
|
CVE-2009-3245
| CWE-252 | no
| 7.6
| Red Hat Enterprise Linux 3, 4, 5 (openssl)
|
|
CVE-2009-3726
| CWE-476 | no
| 7.2
| Red Hat Enterprise Linux 4, 5, MRG (kernel)
|
|
CVE-2009-4005
| CWE-127 | no
| 7.1
| Red Hat Enterprise Linux 4 (kernel)
|
|
CVE-2009-4027
| CWE-362 | no
| 7.8
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2009-4141
| CWE-416 | no
| 7.2
| Red Hat Enterprise Linux 5, MRG (kernel)
|
|
CVE-2009-4212
| CWE-191 | no
| 10.0
| Red Hat Enterprise Linux 3, 4, 5 (krb5)
|
|
CVE-2009-4272
| CWE-764 | no
| 7.8
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2009-4273
| CWE-78 | yes
| 7.9
| Red Hat Enterprise Linux 5 (systemtap)
|
|
CVE-2009-4537
| CWE-120 | yes
| 7.1
| Red Hat Enterprise Linux 4, 5, MRG (kernel)
|
|
CVE-2009-4895
| CWE-362 | no
| 7.2
| Red Hat Enterprise MRG (kernel)
|
|
CVE-2010-0008
| CWE-606 | no
| 7.8
| Red Hat Enterprise Linux 4, 5 (kernel)
|
|
CVE-2010-0291
| CWE-822 | no
| 7.2
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2010-0738
| CWE-424 | no
| 7.5
| JBoss Enterprise Application Platform 4.2, 4.3
|
|
CVE-2010-0741
| CWE-20 | no
| 7.1
| Red Hat Enterprise Linux 5 (kvm)
|
|
CVE-2010-1084
| CWE-120 | yes
| 7.2
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2010-1086
| CWE-20 | no
| 7.8
| Red Hat Enterprise Linux 4, 5 (kernel)
|
|
CVE-2010-1087
| CWE-362 | no
| 7.2
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2010-1166
| CWE-823 | no
| 7.6
| Red Hat Enterprise Linux 5 (xorg-x11-server)
|
|
CVE-2010-1173
| CWE-120 * | yes
| 7.1
| Red Hat Enterprise Linux 4, 5 (kernel)
|
|
CVE-2010-1188
| CWE-416 | no
| 7.8
| Red Hat Enterprise Linux 3, 4, 5 (kernel)
|
|
CVE-2010-1436
| CWE-120 | yes
| 7.2
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2010-1437
| CWE-362 | no
| 7.2
| Red Hat Enterprise Linux 4, 5 (kernel)
|
|
CVE-2010-2063
| CWE-823 | no
| 7.5
| Red Hat Enterprise Linux 3, 4, 5 (samba)
|
|
CVE-2010-2235
| CWE-77 | no
| 7.1
| Red Hat Network Satellite Server 5.3 (cobbler)
|
|
CVE-2010-2240
| CWE-788 | no
| 7.2
| Red Hat Enterprise Linux 3, 4, 5, MRG (kernel)
|
|
CVE-2010-2248
| CWE-682 | no
| 7.1
| Red Hat Enterprise Linux 4, 5 (kernel)
|
|
CVE-2010-2492
| CWE-805 | no
| 7.2
| Red Hat Enterprise Linux 5, 6 (kernel)
|
|
CVE-2010-2521
| CWE-805 | no
| 8.3
| Red Hat Enterprise Linux 4, 5, MRG (kernel)
|
|
CVE-2010-2798
| CWE-476 | no
| 7.2
| Red Hat Enterprise Linux 5 (kernel)
|
|
CVE-2010-2962
| CWE-823 | no
| 7.2
| Red Hat Enterprise Linux 6, MRG (kernel)
|
|
CVE-2010-3069
| CWE-129 | no
| 8.3
| Red Hat Enterprise Linux 3, 4, 5, 6 (samba)
|
|
CVE-2010-3081
| CWE-131 | yes
| 7.2
| Red Hat Enterprise Linux 3, 4, 5, 6, MRG (kernel)
|
|
CVE-2010-3084
| CWE-120 | yes
| 7.2
| Red Hat Enterprise Linux 6 (kernel)
|
|
CVE-2010-3301
| CWE-129 | no
| 7.2
| Red Hat Enterprise Linux 6 (kernel)
|
|
CVE-2010-3302
| CWE-120 | yes
| 7.1
| Red Hat Enterprise Linux 6 (openswan)
|
|
CVE-2010-3308
| CWE-120 | yes
| 7.1
| Red Hat Enterprise Linux 6 (openswan)
|
|
CVE-2010-3432
| CWE-805 * | no
| 7.8
| Red Hat Enterprise Linux 4, 5, 6, MRG (kernel)
|
|
CVE-2010-3705
| CWE-788 | no
| 8.3
| Red Hat Enterprise Linux 6, MRG (kernel)
|
|
CVE-2010-3708
| CWE-77 | no
| 7.5
| JBoss Enterprise Application Platform 4.3, SOA Platform 4.2
|
|
CVE-2010-3752
| CWE-78 | yes
| 7.1
| Red Hat Enterprise Linux 6 (openswan)
|
|
CVE-2010-3753
| CWE-78 | yes
| 7.1
| Red Hat Enterprise Linux 6 (openswan)
|
|
CVE-2010-3847
| CWE-426 | no
| 7.2
| Red Hat Enterprise Linux 5, 6 (glibc)
|
|
CVE-2010-3856
| CWE-426 | no
| 7.2
| Red Hat Enterprise Linux 5, 6 (glibc)
|
|
CVE-2010-3864
| CWE-362 | no
| 7.6
| Red Hat Enterprise Linux 6 (openssl)
|
|
CVE-2010-3904
| CWE-822 | no
| 7.2
| Red Hat Enterprise Linux 5, 6 (kernel)
|
|
CVE-2010-4170
| CWE-88 | no
| 7.2
| Red Hat Enterprise Linux 4, 5, 6 (systemtap)
|
|
CVE-2010-4179
| CWE-862 | yes
| 7.5
| Red Hat Enterprise MRG (cumin)
|
|
CVE-2010-4344
| CWE-120 | yes
| 7.5
| Red Hat Enterprise Linux 4, 5 (exim)
|
* - in both these cases the outcome is not a buffer overflow as the possible
overflow is detected and instead converted into an abort (DoS)
See also our 2010 analysis
Red Hat Enterprise Linux 5.7 was released last week (July 2011), six months
since the release of 5.6 in January 2011. So let's use this opportunity to take
a quick look back over the vulnerabilities and security updates made in that
time, specifically for Red Hat Enterprise Linux 5 Server.
Errata count
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 5 Server if you had installed 5.6, up to and including the
5.7 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve quite a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly
what packages you have installed or removed.

So, for a default install, from release of 5.6 up to and including
5.7, we shipped 27 advisories to address 109 vulnerabilities. 3
advisories were rated critical, 12 were important, and the remaining
12 were moderate and low.
Or, for all packages, from release of 5.6 to and including 5.7, we
shipped 58 advisories to address 172 vulnerabilities. 4 advisories
were rated critical, 20 were important, and the remaining 34 were
moderate and low.
Critical vulnerabilities
The 4 critical advisories addressed 34 critical vulnerabilities across just 2 different packages:
- An update to OpenJDK 6 Java Runtime Environment,
(June 2011)
where a web site hosting a malicious Java applet could potentially run
arbitrary code as the user.
- Three updates to Firefox (March 2011, April 2011, June 2011)
where a malicious web site could potentially run arbitrary code as the user
running Firefox.
Updates to correct all of the 34 critical vulnerabilities were
available via Red Hat Network either the same day or the next
calendar day after the issues were public.
Overall, for Red Hat Enterprise Linux 5 since release until 5.7, 97%
of critical vulnerabilities have had an update available to address
them available from the Red Hat Network either the same day or the
next calendar day after the issue was public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were a couple of flaws that were easily exploitable:
- A flaw in dhcp,
CVE-2011-0997,
fixed by
RHSA-2011:0428, where a malicious DHCP
server could send a response that could lead to arbitrary code execution on connecting clients.
- A flaw in glibc,
CVE-2011-0536,
fixed by
RHSA-2011:0412,
where a local user could gain root privileges.
In addition, updates to Firefox
and NSS were
made to blacklist a number of
compromised
SSL certificates.
Previous update releases
To compare these statistics with previous update releases we need
to take into account that the time between each update release is different.
So looking at a default installation and calculating the number of
advisories per month gives the following chart:

This data is interesting to get a feel for the risk of running Enterprise
Linux 5 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You
can use our public
security measurement data and tools, and run your own custom metrics for any
given Red Hat product, package set, timescales, and severity range of interest.
See also:
5.5 to 5.6,
5.4 to 5.5,
5.3 to 5.4,
5.2 to 5.3,
5.1 to 5.2, and
5.0 to 5.1
risk reports.
Red Hat Enterprise Linux 6.1 was released this week (May 2011), just
over six months since the release of 6.0 in October 2010. So let's
use this opportunity to take a quick look back over the
vulnerabilities and security updates made in that time, specifically
for Red Hat Enterprise Linux 6 Server.
Errata count
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 6 Server if you had installed 6.0, up to and including the
6.1 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly what you
have installed or removed.
So, for a default install, from release of 6.0 up to and including 6.1, we
shipped 54 advisories to address 195 vulnerabilities. 2 advisories were rated
critical, 29 were important, and the remaining 23 were moderate and low.
Or, for all packages, from release of 6.0 up to and including 6.1, we shipped
102 advisories to address 345 vulnerabilities. 8 advisories were rated critical,
39 were important, and the remaining 55 were moderate and low.
These figures include 10 advisories we released on the day we shipped
6.0. This was because we froze package updates some months before
releasing the product. Two of those updates were rated critical,
an update to Firefox, and to Samba.
Critical vulnerabilities
The 8 critical advisories addressed 37 critical vulnerabilities across 4 components:
- An update to Samba (October 2010)
where a malicious client could potentially run arbitrary code as the Samba
server. Samba is a default install package but the server is not enabled by default.
- Four updates to Firefox (October 2010, December 2010, March 2011, April 2011)
where a malicious web site could potentially run arbitrary code as the user
running Firefox.
- Two updates to Thunderbird (March 2011, April 2011)
where a malicious email message could potentially run arbitrary code as the user
running Thunderbird.
- An update to Pango (March 2011)
where an application using Pango to parse untrusted font data (such as
Firefox) could potentially run
arbitrary code as the privileges of the user. Pango is a default install package.
Updates to correct all of the 37 critical vulnerabilities were
available via Red Hat Network either the same day or the next calendar
day after the issues were public.
This data is interesting to get a feel for the risk of running Enterprise
Linux 6 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of Red Hat Enterprise Linux 4AS and 6 Server did not include Firefox, but 5
Server does. You can use
our public security
measurement data and tools, and run your own custom metrics for any given
Red Hat product, package set, timescales, and severity range of interest.
Red Hat Enterprise Linux 5.6 was released last week (January 2011), nearly ten
months since the release of 5.5 in March 2010. So let's use this opportunity to
take a quick look back over the vulnerabilities and security updates made in
that time, specifically for Red Hat Enterprise Linux 5 Server.
Errata count
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 5 Server if you had installed 5.5, up to and including the
5.6 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly what you
have installed or removed.

So, for a default install, from release of 5.5 up to and including
5.6, we shipped 57 advisories to address 206 vulnerabilities. 10
advisories were rated critical, 27 were important, and the remaining
20 were moderate and low.
Or, for all packages, from release of 5.5 to and including 5.6, we
shipped 80 advisories to address 300 vulnerabilities. 12 advisories
were rated critical, 34 were important, and the remaining 34 were
moderate and low.
Critical vulnerabilities
The 12 critical advisories addressed 49 critical vulnerabilities across just 3 different packages:
- An update to the Exim Internet Mailer,
(December 2010),
where an unauthenticated remote attacker could run arbitrary code as root on a
server.
Exim is not a default package or enabled by default. There is a
public exploit for this issue which worked on Red Hat Enterprise Linux 5.
- Two updates over three advisories to Samba,
(June 2010 for
Samba 3.0 and Samba 3.3,
September 2010 for
Samba 3.0 and
Samba 3.3),
where a malicious client could send a specially-crafted SMB packet to the Samba
server, potentially resulting in arbitrary code execution with the privileges of the Samba
server. I'm not aware of any working public exploits for these issues.
- Eight updates to Firefox (March 2010, June 2010, 20 July 2010, 23 July 2010, September 2010, 19 October 2010, 27 October 2010, December 2010)
where a malicious web site could potentially run arbitrary code as the user
running Firefox.
Updates to correct 48 out of the 49 critical vulnerabilities were
available via Red Hat Network either the same day or the next
calendar day after the issues were public. The update to fix Exim took
3 calendar days from
the date of the report
to the Exim developers.
Overall, for Red Hat Enterprise Linux 5 since release until 5.6, 97%
of critical vulnerabilities have had an update available to address
them available from the Red Hat Network either the same day or the
next calendar day after the issue was public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were several kernel flaws that where an local user could gain
root privileges. The following had publicly available exploits:
- A fix
for CVE-2010-2240
was provided
by RHSA-2010-0661
(August 2010). The public exploit did not work against Red Hat Enterprise
Linux 5, but it may be possible to create one that does.
- A fix
for CVE-2010-3081
was provided
by RHSA-2010-0704
(September 2010). The public exploit worked against Red Hat Enterprise
Linux 5
- A fix
for CVE-2010-3904
was provided
by RHSA-2010-0792
(October 2010). The public exploit did not work against Red Hat Enterprise
Linux 5 but it is possible to create one that does.
Previous updates
To compare these statistics with previous update releases we need
to take into account that the time between each update is different.
So looking at a default installation and calculating the number of
advisories per month gives the following chart:

This data is interesting to get a feel for the risk of running Enterprise
Linux 5 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You
can use our public
security measurement data and tools, and run your own custom metrics for any
given Red Hat product, package set, timescales, and severity range of interest.
See also:
5.4 to 5.5,
5.3 to 5.4,
5.2 to 5.3,
5.1 to 5.2, and
5.0 to 5.1
risk reports.
You have a new email! (ping!)
Hold on a second. It might be important. I'd better go and read it. Oh it's just a note
confirming some meeting for next week. Deleted. Now, what was I working on?
A few years ago, when I was analysing where my time was going, (and why I was
working 60+ hour weeks), I figured out that the context switching caused by
being unable to concentrate on a task for more than a few minutes was a major
productivity drain.
It's hard to resist a new email. My new cellphone takes great delight in having
'push' email and would really like to beep on each new message I receive. The web
is full of gmail notifier applications designed specifically to interrupt you
to some important new mail. Even my favourite command-line email client, Alpine,
likes to ping you about new mail arriving in your inbox even if you're busy
in some other mailbox or composing a mail.
Alpine ought to have some sort of "don't notify me" option, but in the meantime
I apply the brute-force patch below to disable it.
This 5-minute patch has saved me several hours of task switching
every week, and although this means it can sometimes be an hour or two between
me checking my inbox, no one has really noticed.
--- alpine-2.00/pith/newmail.c.orig 2010-07-19 16:47:01.127480500 +0100
+++ alpine-2.00/pith/newmail.c 2010-07-19 16:47:35.657602347 +0100
@@ -680,7 +680,7 @@
}
format_new_mail_msg(folder, number, e, intro, from, subject, subjtext, sizeof(subject));
-
+#if 0
if(!for_new_mail_win)
q_status_message5(SM_ASYNC | SM_DING, 0, 60,
"%s%s%s%.80s%.80s", intro,
@@ -706,6 +706,7 @@
#endif
}
#endif
+#endif
if(pith_opt_icon_text){
if(F_ON(F_ENABLE_XTERM_NEWMAIL, ps_global)
Two years ago I published a table
of Vulnerability and
threat mitigation features in Red Hat Enterprise Linux and Fedora. Now that
we've released Red Hat Enterprise Linux 6, it's time to update the table. Thanks
to Eugene Teo for collating this information.
Between releases there are lots of changes made to improve security and we've not
listed everything; just a high-level overview of the things we think are most
interesting that help mitigate security risk. We could go into much more
detail, breaking out the number of daemons covered by the SELinux default
policy, the number of binaries compiled PIE, and so on.
Note that this table is for the most common architectures, x86 and x86_64 only; other supported architectures may vary.
|
|
|
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.
pics from my twitter:
popular tags:
[all],
apache,
apachecon,
apacheweek,
cve,
cvss,
fedora,
financial,
geocaching,
ha,
metrics,
microsoft,
nashville,
north carolina,
red hat summit,
redhat,
security,
trips

|
|