Enterprise Linux 5.1 to 5.2 risk report

Red Hat's Mark Cox has produced a report on the vulnerabilities fixed between Red Hat Enterprise Linux 5.1 and 5.2. These periodic reports do a bit of analysis of the numbers of flaws as well as their impact. In addition, Cox looks at the threat mitigation provided by security technologies like SELinux and ExecShield that ship with RHEL. "Red Hat Enterprise Linux 5 shipped with a number of security technologies designed to make it harder to exploit vulnerabilities and in some cases block exploits for certain flaw types completely. For the period of this study there were two flaws blocked that would otherwise have required updates."

Enterprise Linux 5.1 to 5.2 risk report

Posted Jun 3, 2008 15:45 UTC (Tue) by jhardin (guest, #3297)

"... two flaws blocked that would otherwise have required updates."

I sincerely hope that SELinux and ExecShield aren't being treated as excuses to not provide
timely security updates...

What these technologies provide is coverage until the updates can be applied. The updates are
still required!

Enterprise Linux 5.1 to 5.2 risk report

Posted Jun 3, 2008 16:32 UTC (Tue) by proski (subscriber, #104)

I think we should distinguish the situations when the vulnerability can be exploited in a non-default configuration (e.g. SELinux disabled) and when it cannot be exploited at all (e.g. memory corruption prevented by libc). In the latter case, the update is not required. If the distribution is for enterprise use, it should try to reduce risks and administrative workload, and therefore it should not be issuing an update. Any change has its inherent risks. Installing the update across the net has its risks. System administrators have other things to do than installing fixes that don't fix anything.

Enterprise Linux 5.1 to 5.2 risk report

Posted Jun 5, 2008 7:37 UTC (Thu) by mjcox@redhat.com (subscriber, #31775)

"I sincerely hope that SELinux and ExecShield aren't being treated as excuses to not provide
timely security updates"

Absolutely not. Whilst ExecShield parts or a default SELinux policy may reduce the severity
of an issue we would normally still provide updates (trying to exploit a security issue caught
by one of these technologies still causes the target application to crash, they're not meant
to stop a DoS attack, and some of the technologies are designed just to make attackers harder
or more time consuming or less automated).

However, from time to time the way we've compiled a certain package, or the security
technologies in use, can completely eliminate a particular vulnerability being exploitable as
a security issue. On these occasions (and where we have time to do a complete technical
analysis) we may not need to issue an update; one example is given in the linked article.

Enterprise Linux 5.1 to 5.2 risk report

Posted Jun 5, 2008 15:13 UTC (Thu) by jhardin (guest, #3297)

"In these occasions (and where we have time to do a complete technical
analysis) we may not need to issue an update;"

The implied "ever" in there (and in the article) is what I am objecting to.

While I can see the presence of SELinux and ExecShield as a (perfectly acceptable) reason to
not rush to issue a _critical_ update, saying "As exploitation of this flaw results in just a
crash of a user application, no updates were needed" suggests that SELinux and ExecShield are
being used as an excuse to avoid fixing bugs - whether or not this is actually the case.

Perhaps I'm getting my panties in a wad over wording. mj, can you clarify whether these sorts
of bugs are indeed _being fixed_, just not at a critical security severity level because the
security tools prevent their successful exploitation? That the bugfix _is_ being worked on,
either by RH or by upstream, and typically will be incorporated into the next regular update
package?

Thanks.

Enterprise Linux 5.1 to 5.2 risk report

Posted Jun 9, 2008 7:07 UTC (Mon) by tarjei (subscriber, #29357)

Another reason why Red Hat should issue updates to security vulnerabilities that are blocked by
SELinux is that very many admins turn it off - usually because it makes it impossible to run
an application (OpenLDAP for example).

I think Red Hat is doing a lot of nice work getting SELinux up and running, but too often I end
up thinking that it is not worth it due to the work needed to set it up. That is a shame.

Kind regards,
Tarjei
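The thread above turns on whether the mitigations the report credits (SELinux in enforcing mode, ExecShield) are actually active on a given host; if an admin has switched SELinux off, a flaw the vendor counted as "blocked" is simply unpatched there. The script below is an added example, not code from the LWN article, the Red Hat report or any commenter. It reads the two state files a RHEL 5-era system exposes for these mitigations (selinuxfs mounted at /selinux, and the kernel.exec-shield sysctl under /proc), and reports whether the "blocked, no update needed" reasoning applies to the host it runs on. The ROOT prefix argument is an assumption added so the checks can also be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the article or the comments): report whether the
# two mitigations the risk report relies on are active on this host.
# Paths are the RHEL 5 defaults; ROOT is an assumed optional prefix so the
# functions can be run against constructed files instead of the live system.

# selinux_mode ROOT -> enforcing | permissive | disabled | unknown
# /selinux/enforce holds 1 (enforcing) or 0 (permissive); if selinuxfs is
# not mounted at all, SELinux is disabled or absent.
selinux_mode() {
    f="$1/selinux/enforce"
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo disabled
    fi
}

# execshield_mode ROOT -> on | off
# kernel.exec-shield = 0 disables ExecShield; any other value enables it.
execshield_mode() {
    f="$1/proc/sys/kernel/exec-shield"
    if [ -r "$f" ] && [ "$(cat "$f")" != "0" ]; then
        echo on
    else
        echo off
    fi
}

# mitigations_cover ROOT -> exit 0 only if both mitigations are active.
# The vendor's "exploit blocked, no update needed" assessment assumes both.
mitigations_cover() {
    [ "$(selinux_mode "$1")" = enforcing ] && [ "$(execshield_mode "$1")" = on ]
}

# report ROOT -> human-readable summary for the host
report() {
    root="${1:-}"
    echo "SELinux:    $(selinux_mode "$root")"
    echo "ExecShield: $(execshield_mode "$root")"
    if mitigations_cover "$root"; then
        echo "vendor mitigation assessment applies to this host"
    else
        echo "mitigations not fully active: treat 'blocked' flaws as unpatched here"
    fi
}

# Check the live system (empty prefix = real /selinux and /proc).
report ""
```

On a host where SELinux is permissive or disabled, the report flags the gap so that the flaws the vendor classed as blocked can be tracked as outstanding in that host's own patch queue rather than silently inheriting the vendor's assessment.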

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds