  • Enterprise Linux 6.3 to 6.4 risk report

    Red Hat Enterprise Linux 6.4 was released last week, eight months since the release of 6.3 in June 2012. In this report we take a look back over the vulnerabilities and security updates since that last update, specifically for Red Hat Enterprise Linux 6 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.3, up to and including the 6.4 release, broken down by severity. It's split into two...
    Posted 2013-02-27T13:00:29+00:00 - 0
  • Red Hat Secure Development Videos

    Red Hat products are used by many organizations in some of the most secure computing environments in the world. We have relationships and collaborations with many U.S. Government agencies, stock exchanges, banks, and health care companies. As a result, the topic of secure coding is discussed both internally and with our partners and customers on a regular basis in an effort to create the needed resources to make secure coding an everyday practice. To make secure coding work we understand that...
    Posted 2013-02-20T13:00:22+00:00 - 0
  • How Red Hat uses CVSSv2 Scoring to assist in rating flaws

    Red Hat rates all security flaws using a four-point scale: critical, important, moderate, and low. A number of factors contribute to this rating: How easily can a flaw be exploited? What kind of damage can be done if exploited? Are there typically other factors involved that lower the impact of the flaw (such as firewalls, Security-Enhanced Linux, compiler directives, and so forth)? CVSSv2 (Common Vulnerability Scoring System version 2.0) can also help to determine the rating. Out of all of...
    Posted 2013-02-13T13:00:46+00:00 - 0
  • A minimal security response process

    This blog post outlines a lightweight security response process for community upstream projects: What you (as a project maintainer or contributor) can do to be prepared for incoming reports of security vulnerabilities, and to eventually respond with a security update. This is purely reactive - it is not about not shipping vulnerable code in the first place. But it is an important step in the right direction, and one that requires relatively little effort. Release engineering Without a minimal...
    Posted 2013-01-30T13:00:12+00:00 - 0
  • Detecting vulnerable Java dependencies at build time

    Background Java is a very popular programming language. Two key reasons for its popularity are security and the availability of a huge ecosystem of libraries and components. Since most Java applications make use of a wide range of libraries, which in turn have dependencies on other libraries, it is difficult to ensure the integrity of these applications from a security perspective. A recent study by Aspect security has revealed the significance of this problem. This study found that 26% of...
    Posted 2013-01-02T13:00:20+00:00 - 0
  • How Red Hat ships JBoss security updates

    JBoss security updates When security flaws are discovered in JBoss products, the Red Hat Security Response Team works to resolve them on a prioritized basis. Flaws are rated according to a four-point scale: low, moderate, important, and critical. For details on the process of rating flaws, refer to How Red Hat rates JBoss security flaws. Flaws of low impact are typically deferred, to be resolved in the next minor release of the affected products. Flaws of moderate or higher impact are typically...
    Posted 2012-11-14T13:00:35+00:00 - 0
  • Red Hat is now CWE Compatible

    Red Hat is pleased to announce it has attained Common Weakness Enumeration (CWE) compatibility. The CWE Compatibility and Effectiveness Program is a formal review and evaluation process for declaring products and services as CWE-Compatible and CWE-Effective. For the last few months, Red Hat was engaged in the CWE Compatibility and Effectiveness Program and worked towards fulfilling its requirements. These requirements included providing a common language for discussing, identifying, and dealing...
    Posted 2012-11-01T14:57:34+00:00 - 0
  • Array allocation in C++

    This technical article covers a subtlety in C++ array allocation and how we changed the GNU C++ compiler to deal with it properly. When a programmer writes T *p = new T[3]; the C++ compiler allocates room for at least three copies of objects of type T on the heap. These objects require 3 * sizeof(T) bytes. For this example, assume sizeof(T) is 12, then it is straightforward to allocate 36 bytes (for example, using malloc). But what happens if the array length is 3937053355 (or...
    Posted 2012-10-31T13:00:31+00:00 - 0
  • What defines a security issue?

    When dealing with developers, this question comes up fairly often: Is this bug a security issue? It is not always obvious if a bug is a security flaw or not. The reality is that the line is quite gray when it comes to deciding if something is a security flaw or not. It depends on a lot of factors, many of which are complicated and confusing. Consider the following example: CVE-2012-1182 describes a problem in Samba where a remote attacker could run arbitrary code as root. This is a fancy way of...
    Posted 2012-10-17T13:00:52+00:00 - 0
  • Enterprise Linux 6.2 to 6.3 risk report

    Red Hat Enterprise Linux 6.3 was released in June 2012, six months since the release of 6.2 in December 2011. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 6 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.2, up to and including the 6.3 release, broken down by severity. It's...
    Posted 2012-10-03T13:00:38+00:00 - 0
  • How Red Hat rates JBoss security flaws

    Rating and CVSS v2 It's important to know how severe a security flaw is, so you can plan your response accordingly. Does the latest flaw have a high impact and need to be patched today, or can it wait until your planned upgrade next month? To communicate the risk of each JBoss security flaw, Red Hat uses a four-point severity scale of low, moderate, important and critical, in addition to Common Vulnerability Scoring System (CVSS) version 2 base scores. Most of the time the CVSS v2 base scores...
    Posted 2012-09-19T14:00:49+00:00 - 0
  • CWE Vulnerability Assessment Report

    Common Weakness Enumeration (CWE) is a dictionary or formal list of common software weaknesses. It is a common language or taxonomy for describing vulnerabilities and weaknesses; a standard measurement for software assurance tools and services' capabilities; and a base for software vulnerability and weakness identification, mitigation, and prevention. Weakness IDs are assigned to vulnerabilities in Red Hat products in chains. A chain is a sequence of two or more weaknesses that are closely...
    Posted 2012-09-05T13:00:20+00:00 - 0
  • Welcome to the Red Hat Security Blog

    We are happy to announce that Red Hat is starting a security blog. Red Hat has a long history of security leadership in the open source community but this is the first time we have shared our knowledge, security expertise, and experience with a wider audience via a blog. Red Hat has plenty of interesting security news and topics that we think would be useful to share. Previously, various team members have published security stories on an ad hoc basis. Now we have decided it is time to...
    Posted 2012-08-22T13:00:52+00:00 - 0
  • Enterprise Linux 5.7 to 5.8 risk report

    Red Hat Enterprise Linux 5.8 was released today (February 2012), seven months since the release of 5.7 in July 2011. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Red Hat Enterprise Linux 5 is coming up to its fifth year since release, and is supported for another five years, until 2017. Errata count The chart below illustrates the total number of security updates...
    Posted 2012-02-21T00:00:00+00:00 - 0
  • Enterprise Linux 6.1 to 6.2 risk report

    Red Hat Enterprise Linux 6.2 was released this week (Dec 2011), just over six months since the release of 6.1 in May 2011. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 6 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.1, up to and including the 6.2 release, broken down by...
    Posted 2011-12-08T00:00:00+00:00 - 0
  • Red Hat's Most Serious Flaw Types for 2010

    A few weeks ago the 2011 update to the CWE/SANS Top 25 Most Dangerous Software Errors was published. As part of our contribution to this update we analysed the most severe vulnerabilities that affected Red Hat since the last update and mapped each one to the appropriate Common Weakness Enumeration (CWE) type. The table below lists all vulnerabilities which have a CVSS score of 7 or more ('high'), that we fixed in any product during calendar year 2010. The most common CWEs were: Buffer Copy without...
    Posted 2011-08-09T00:00:00+00:00 - 0
  • Enterprise Linux 5.6 to 5.7 risk report

    Red Hat Enterprise Linux 5.7 was released last week (July 2011), six months since the release of 5.6 in January 2011. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 5 Server if you had installed 5.6, up to and including the 5.7 release, broken down by...
    Posted 2011-07-27T00:00:00+00:00 - 0
  • Enterprise Linux 6.0 to 6.1 risk report

    Red Hat Enterprise Linux 6.1 was released this week (May 2011), just over six months since the release of 6.0 in October 2010. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 6 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.0, up to and including the 6.1 release, broken down...
    Posted 2011-05-20T00:00:00+00:00 - 0
  • Red Hat Security Advisories in CVRF

    Earlier this year, Red Hat joined the Common Vulnerability Reporting Framework (CVRF) working group run by ICASI. The goal of CVRF is to provide a way to share information about security updates in a machine-readable format. Red Hat already produce a version of our security advisories in machine-readable format, as OVAL definitions, but these are really designed for automated test tools to determine the need to apply an update. CVRF looked like it would be more useful for providing customers...
    Posted 2011-05-18T00:00:00+00:00 - 0
  • Enterprise Linux 5.5 to 5.6 risk report

    Red Hat Enterprise Linux 5.6 was released last week (January 2011), nearly ten months since the release of 5.5 in March 2010. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 5 Server if you had installed 5.5, up to and including the 5.6 release, broken down...
    Posted 2011-01-17T00:00:00+00:00 - 0
  • Why Red Hat Enterprise Linux 6 has a new package signing key

    Starting with Red Hat Enterprise Linux 6 we have switched to using SHA-256 signatures on all RPM packages and to a 4096-bit RSA signing key. We've done this because it is current best practice to migrate away from MD5 and SHA-1 hashes due to various flaws found in them. Those flaws don't yet directly pose a threat to package signing however, and therefore our existing shipped products which used these older hashes will continue to use their existing keys until they reach their end of life. A...
    Posted 2010-11-11T00:00:00+00:00 - 0
  • Enterprise Linux 5.4 to 5.5 risk report

    Red Hat Enterprise Linux 5.5 was released at the end of March 2010, just under 7 months since the release of 5.4 in September 2009. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates we've made in that time, specifically for Red Hat Enterprise Linux 5 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 5 Server if you had installed 5.4, up to and including the 5.5 release,...
    Posted 2010-04-27T00:00:00+00:00 - 0
  • Red Hat's Top 11 Most Serious Flaw Types for 2009

    The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors was published today listing the most widespread issues that lead to software vulnerabilities. During the creation and review of the list we spent some time to see how closely last year's list matched the types of flaws we deal with at Red Hat. We first looked at all the issues that Red Hat fixed across our entire product portfolio in the 2009 calendar year and filtered out those that had the highest severity. All our 2009...
    Posted 2010-02-16T00:00:00+00:00 - 0
  • Enterprise Linux 5.3 to 5.4 risk report

    Red Hat Enterprise Linux 5.4 was released today, just over 7 months since the release of 5.3 in January 2009. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates we've made in that time, specifically for Red Hat Enterprise Linux 5 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 5 Server as if you installed 5.3, up to and including the 5.4 release, broken down by severity...
    Posted 2009-09-02T00:00:00+00:00 - 0
  • Enterprise Linux 5.2 to 5.3 risk report

    Red Hat Enterprise Linux 5.3 was released today, around 8 months since the release of 5.2 in May 2008. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates we've made in that time, specifically for Red Hat Enterprise Linux 5 Server. The chart below shows the total number of security updates issued for Red Hat Enterprise Linux 5 Server as if you installed 5.2, up to and including the 5.3 release, broken down by severity. I've split it into two...
    Posted 2009-01-20T00:00:00+00:00 - 0