What does the severity rating in the security advisory mean?

Updated -

The severity rating is used to classify the impact of security issues found in Red Hat products, providing a simple way to judge the severity of security updates and to see which issues matter the most. Red Hat rates the impact of vulnerabilities on a four-point scale. The scale takes into account the potential risk of a flaw based on a technical analysis of the exact flaw and its type, but not the current threat level.

A Red Hat security advisory can contain fixes for more than one vulnerability, and can contain packages for more than one affected distribution. For each individual vulnerability, the Red Hat Security Response Team will determine the impact rating for each distribution. The overall severity of an advisory is then taken as the highest severity of all the individual issues across all the distributions. For simplicity, the security advisories will show only the overall severity and not list the impact ratings for each issue individually. Instead, each advisory already contains links to relevant tickets in Red Hat's bug tracking system where the individual impacts as well as any additional commentary is given.

See "Understanding Red Hat security ratings" for a description of the severity ratings.