Red Hat Enterprise Linux 5.9 was released this month (January 2013), just under a year since the release of 5.8 in February 2012. So let’s use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server.
Red Hat Enterprise Linux 5 is coming up to its sixth year since release, and will receive security updates until March 31st 2017.
The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 5 Server if you had installed 5.8, up to and including the 5.9 release, broken down by severity. It’s split into two columns, one for the packages you’d get if you did a default install, and the other if you installed every single package. For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what packages you have installed or removed.
So, for a default install, from release of 5.8 up to and including 5.9, we shipped 60 advisories to address 214 vulnerabilities. 13 advisories were rated critical, 18 were important, and the remaining 29 were moderate and low.
Or, for all packages, from release of 5.8 up to and including 5.9, we shipped 101 advisories to address 332 vulnerabilities. 16 advisories were rated critical, 30 were important, and the remaining 55 were moderate and low.
The 16 critical advisories addressed 88 critical vulnerabilities across just 3 different projects:
Updates to Samba, RHSA-2012:0332 (Feb 2012), Samba RHSA-2012:0465 and Samba3x RHSA-2012:0466 (April 2012) where a remote, unauthenticated attacker could send a specially-crafted RPC request that would cause the Samba daemon to crash or, possibly, execute arbitrary code as root.
An update to PHP RHSA-2012:0546and PHP 5.3 RHSA-2012:0547 (May 2012) affecting PHP if run in CGI mode. A remote attacker could send a specially-crafted request and cause the PHP interpreter to execute arbitrary code. A public exploit is available for this issue, but it did not affect the default configuration in Red Hat Enterprise Linux 5 which uses the PHP module for Apache httpd to handle PHP scripts.
Updates to Firefox/XULRunner, RHSA-2012:0079 (Jan 2012), RHSA-2012:0143 (Feb 2012), RHSA-2012:0387 (Mar 2012), RHSA-2012:0515 (Apr 2012), RHSA-2012:0710 (Jun 2012), RHSA-2012:1088 (Jul 2012), RHSA-2012:1210 (Aug 2012), RHSA-2012:1350, RHSA-2012:1361, RHSA-2012:1407 (Oct 2012), RHSA-2012:1482 (Nov 2012) where a malicious web site could potentially run arbitrary code as the user running Firefox.
Updates to correct 86 out of the 88 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public. The Samba issue CVE-2012-0870 took an extra day due to timezones, and the PHP issue CVE-2012-1823 took 4 calendar days (over a weekend) as the initial fix released upstream was incomplete.
Overall, for Red Hat Enterprise Linux 5 since release until 5.9, 97% of critical vulnerabilities have had an update available to address them available from the Red Hat Network either the same day or the next calendar day after the issue was public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during this period were:
Several flaws in RPM, fixed by RHSA-2012:0451 (Apr 2012) where a specially-crafted RPM package that, when queried or installed, would cause rpm to crash or, potentially, execute arbitrary code prior to any signature checking. We are not aware of any working exploits for these issues.
Two flaws in the Xen hypervisor implementation: CVE-2012-0217 fixed by RHSA-2012:0721 (Jun 2012), and CVE-2012-5513 fixed by RHSA-2012:1540 (Dec 2012). A guest user, given certain circumstances, could use this flaw to crash the host or escalate their privileges to execute arbitrary code at the hypervisor level. We are aware of working public exploits for CVE-2012-0217.
A flaw in BIND, CVE-2012-5166 fixed by RHSA-2012:1363 (bind) and RHSA-2012:1364 (bind97) (Oct 2012). A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup. We are not aware of a specific exploit for this issue, but one could be easily created.
Previous update releases
To compare these statistics with previous update releases we need to take into account that the time between each update release is different. So looking at a default installation and calculating the number of advisories per month gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise Linux 5 Server, but isn’t really useful for comparisons with other major versions, distributions, or operating systems — for example, a default install of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.