LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Distributions

Six years of RHEL 4 security

By Jake Edge
August 17, 2011

Red Hat does a good job of looking at the security problems found and fixed in its enterprise distributions. It issues periodic reports on those security problems to try to give its customers—and interested bystanders—a sense of how vulnerable their systems are over the lifetime of a particular release. The most recent report [PDF] looks at six years of security update data for RHEL 4.

The report was written by Red Hat security team lead Mark J. Cox, and looks at two broad categories of security concerns: vulnerabilities and threats. Even a cursory glance at the vulnerability information makes it clear that the most numerous flaws come in web browsers. That may not affect too many RHEL customers for a couple of reasons. Most RHEL installations are for servers where browsers are not installed by default and are probably rarely installed by administrators. In addition, browser vulnerabilities require visiting a malicious or compromised site and, even on systems where a browser is installed, one would think that administrators would be fairly careful about which sites are visited.

For desktop or workstation systems, of course, a web browser is standard fare. Over the six years, there have been nearly 200 critical flaws in Mozilla products (which includes Firefox, Seamonkey, and Thunderbird). By way of contrast, the default server install of RHEL 4 has only suffered from 20 critical flaws in that time.

Beyond the Mozilla products (which are the top three entries in the table of "worst security history" in the report), the packages that had multiple critical issues include Samba and Kerberos. Another desktop-oriented package appears in the list, HelixPlayer, which was eventually dropped from RHEL 4 because it was proprietary code that could no longer have its security problems fixed. While the kernel is number four on the list, it has had zero critical vulnerabilities during RHEL 4's lifetime (though there have been nearly 300 vulnerabilities at lower severity levels). It is clear that avoiding browsers and other desktop software will make for a system with fewer updates needed—something that's not really possible for many users, but should be for server systems.

But there clearly were flaws beyond the browser, and the report breaks out the two dozen or so critical flaws in the other packages. The list shows the CVE number (and Red Hat advisory number), whether it is a default package or not (most were), a short description of the vulnerability, and the so-called "days of risk". That measure is meant to give a rough guide of how long it was between the public release of the vulnerability information until Red Hat had a fix available. Those numbers were typically zero (a fix on the same day as the disclosure), though there were some outliers including a seven day risk window for a 2007 GnomeMeeting (now Ekiga) bug.

On the threats side of the ledger, Cox reports on the public exploits that were found that tried to take advantage of the vulnerabilities in RHEL. The exploits described were limited to those that "have the potential to cause remote damage to the confidentiality or integrity of a system". So, denial of service exploits were not considered. For the purposes of looking at the threats, "proof of concept" exploits were counted, and that led to 80 public exploits of RHEL 4 vulnerabilities being found.

There were 15 privilege escalation exploits, 22 web browser exploits (all but three for Mozilla products, though Links, Lynx, and HelixPlayer each had one), 17 "user-complicit" exploits (where the user needs to do something to make it happen, like opening a file with a vulnerable application), and 9 exploits for PHP vulnerabilities (many of which were reported during the "PHP month of bugs"). While some of those could certainly prove to be problematic, the privilege escalations in particular, they often require a hard-to-engineer set of circumstances—at least for widespread exploitation. The most dangerous group are the 17 public exploits that were found for services, many of which would be running on a default RHEL install.

The report also noted the lack of any known Linux worms since 2005. There were two in that year, but both were exploiting PHP flaws in applications that are not shipped with RHEL 4 (though could have been installed by the administrator separately).

The full report is well worth a read for those who are interested. It does a good job reporting on the security vulnerability landscape for RHEL 4, but, more importantly, gives even those who don't run RHEL a useful look at the type and severity of Linux security problems. It would be nice to see more distributions, especially those targeting enterprises, produce similar reports.

Comments (none posted)

Brief items

Distribution quote of the week

Why use Ubuntu's Natty Narwhal? Sure, it's fun to say "Natty Netadmin Netbook," but won't any Linux work? Of course it will, and if you have a favorite, by all means use it.
-- Carla Schroder by way of ITworld

Comments (none posted)

SmartOS (based on IllumOS) released - with KVM

SmartOS is a new Solaris/IllumOS-based distribution released by Joyent. "SmartOS incorporates the four most revolutionary OS technologies of the past decade - Zones, ZFS, DTrace and KVM - into a single operating system, providing an arbitrarily observable, highly multi-tenant environment built on a reliable, enterprise-grade storage stack." Yes, they have ported the KVM virtualization facility from Linux to Solaris.

Comments (48 posted)

Debian Community celebrates its 18th birthday

The Debian Project celebrates the 18th anniversary of Ian Murdoch's founding announcement. "A lot has happened to the project and its community in the past eighteen years. There have been eleven releases - most recently Debian 6.0 "Squeeze" in February 2011 - and a huge amount of free software packaged. The current "unstable" branch consists of more than 35,000 binary packages for the amd64 architecture alone - over 44GB of Free/Libre Software! Throughout this history Debian has maintained its goals of technical excellence, accountability, and above all freedom."

Full Story (comments: none)

CentOS-5.6 Continuous Release i386 and x86_64

The CentOS-5.6 Continuous Release (CR) repository is now available. "This repository contains rpms to be included in the next CentOS-5.x release. Because these include security and bugfix updates, we strongly recommend everyone using CentOS-5 install and update their system using this repository."

Full Story (comments: none)

Distribution News

Ubuntu family

Ubuntu Global Jam coming up: Sep 2-4

Ubuntu Global Jam is an event where local Ubuntu teams around the globe get together to work on Ubuntu directly. "It's a great opportunity for new contributors to learn from their peers about translating, documenting, bug triaging, testing, packaging and loads of other things related to Ubuntu."

Full Story (comments: none)

Newsletters and articles of interest

Distribution newsletters

Comments (none posted)

The 2011 Top 7 Best Linux Distributions for You (Linux.com)

Brian Proffitt presents his choices for Best Desktop Distribution (Fedora), Best Laptop Distribution (Ubuntu), Best Enterprise Desktop (SUSE Linux Enterprise Desktop), Best Enterprise Server (Red Hat Enterprise Linux), Best LiveCD (KNOPPIX), Best Security-Enhanced Distribution (BackTrack), and Best Multimedia Distribution (Ubuntu Studio).

Comments (none posted)

Interview: Kate Stewart, Ubuntu Release Manager at Canonical

Amber Graner has interviewed Kate Stewart about her work as the Ubuntu Release Manger at Canonical. "My biggest personal challenge over the last year has been learning about the interactions in the user space applications and the different flavors' user interfaces. It's very challenging to figure out what the implications of a specific change are after we freeze, and to decide if it makes the product overall better or not. I expect I'll be learning for as long as I'm in this role (since the contents of a release continue to evolve), which is one of the reasons I'm enjoying myself so much. Luckily for me, the other members of release team span a wide range of different backgrounds and have been doing releases for quite a while, and are very willing to share their knowledge."

Comments (none posted)

Page editor: Rebecca Sobol
Next page: Development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds