Warning message

Log in to add comments.

Enterprise Linux 6.0 to 6.1 risk report

Mark J. Cox published on 2011-05-20T00:00:00+00:00, last updated 2016-06-20T19:05:21+00:00

Red Hat Enterprise Linux 6.1 was released this week (May 2011), just over six months since the release of 6.0 in October 2010. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 6 Server.

Errata count

The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.0, up to and including the 6.1 release, broken down by severity. It's split into two columns, one for the packages you'd get if you did a default install, and the other if you installed every single package (which is unlikely as it would involve a bit of manual effort to select every one). For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what you have installed or removed.

So, for a default install, from release of 6.0 up to and including 6.1, we shipped 54 advisories to address 195 vulnerabilities. 2 advisories were rated critical, 29 were important, and the remaining 23 were moderate and low.

Or, for all packages, from release of 6.0 up to and including 6.1, we shipped 102 advisories to address 345 vulnerabilities. 8 advisories were rated critical, 39 were important, and the remaining 55 were moderate and low.

These figures include 10 advisories we released on the day we shipped 6.0. This was because we froze package updates some months before releasing the product. Two of those updates were rated critical, an update to Firefox, and to Samba.

Critical vulnerabilities

The 8 critical advisories addressed 37 critical vulnerabilities across 4 components:

  1. An update to Samba (October 2010) where a malicious client could potentially run arbitrary code as the Samba server. Samba is a default install package but the server is not enabled by default.
  2. Four updates to Firefox (October 2010, December 2010, March 2011, April 2011)
    where a malicious web site could potentially run arbitrary code as the user running Firefox.
  3. Two updates to Thunderbird (March 2011, April 2011) where a malicious email message could potentially run arbitrary code as the user running Thunderbird.
  4. An update to Pango (March 2011) where an application using Pango to parse untrusted font data (such as Firefox) could potentially run arbitrary code as the privileges of the user. Pango is a default install package.

Updates to correct all of the 37 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public.

This data is interesting to get a feel for the risk of running Enterprise Linux 6 Server, but isn't really useful for comparisons with other major versions, distributions, or operating systems -- for example, a default install of Red Hat Enterprise Linux 4AS and 6 Server did not include Firefox, but 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.


About The Author

Mark J. Cox's picture Red Hat Community Member 25 points

Mark J. Cox

Mark J Cox lives in Scotland and for 2000 to 2018 was the Senior Director of Product Security at Red Hat. Mark has developed software and worked on the security teams of popular open source projects including Apache and OpenSSL. Mark is a founding member of the Apache Software Foundation and the Ope...