A Red Hat (Linux) mega patch

Summary: Here's a major security update that may have slipped under the (mainstream media) radar. The new version of RHEL (Red Hat Enterprise Linux) desktop includes fixes for a wide range of vulnerabilities, some rated "critical."

Here's a major security update that may have slipped under the (mainstream media) radar.

The new version of RHEL (Red Hat Enterprise Linux) desktop includes fixes for a wide range of vulnerabilities, some rated "critical."

An advisory from Red Hat provides links to 11 security issues covering more than 40 flaws affecting installations of its open-source operating system.

Three of the 11 carry a "critical" severity rating (Firefox, Thunderbird and ekiga) while four are rated "important." One of the "important" fixes applies to the kernel.

The RHEL v.5 update also fixes security holes in bind, samba, wireshark, postgresql, spamassassin, gnupg and xen.

[UPDATE: March 16, 2007 at 1:11 PM EST]  Just a quick note to point out the Red Hat errata covers issues found between the time that RHEL5 went into complete freeze, and the time that it was released.  All of the vulnerabilities mentioned were repaired in due time in previous versions of RHEL.

Topics: Security, Linux, Open Source

Talkback

8 comments
  • Very misleading title - Mega Patch

    As you stated, there are 3 critical vulnerabilities, but they're in user packages, not core OS internals.

    Ekiga (formerly Gnome Meeting - an H.323 client)
    Firefox: This is the 1.5.0.10 patch that everyone knows about - nothing new
    Thunderbird: Again, this was known.

    The flaws rated important were a mix. A kernel flaw that could lead to a DOS or code execution. The GnuPG patch wasn't due to a flaw in its code but a patch that would prevent ill-written apps from allowing some data outside the bounds of signed data to be interpreted as signed. Xen had a flaw that could allow read ability as root outside of a VM; again, no DOS or code execution.

    Others were OS services like bind and Samba. Still others were spamassassin, wireshark, and a Wordperfect format converter.

    What's a common theme here? Well, there's a couple:

    (1) These aren't Red Hat vulnerabilities per se - they affect a lot of distros. It's just that they were discovered and fixed after Red Hat froze the code base. RH was just in the unfortunate position that the flaws were found very late in the release cycle. None of the other distros are releasing a new version right now, so RH "catches all the flak".

    (2) Most are in applications that aren't even part of the OS itself. They're add-ons - in particular the three critical ones.

    At least Ryan didn't say they were flaws in the operating system, but by not expanding on what they actually were, a certain ilk here will run with the headline and broadcast to the world "See, here's proof our development methods produce a more secure Operating System". And we all know that would be very far from the truth...
    NetArch.
    • You're not reading that right

      There were 40 flaws. You keep reading 11 advisories with 3 of them critical. But you need to start counting flaws, not advisories.
      georgeou
      • You should read the actual advisories!

        There were only 20 actual issues, they were broken down into security, bug fixes and enhancements (all covers the 3 other sections were counted in his total). There were 12 security advisories, 5 bugs and 3 enhancements. The 3 critical ones dealt with ekiga, firefox and thunderbird (all applications).
        B.O.F.H.
    • Doesn't matter...

      Here is my box. Is my box secure? No, not without a megapatch.

      Discussion over. (Same crap you hear about Windows and applications.)
      No_Ax_to_Grind
      • Still doesn't matter...

        Here is my PC. I've installed Windows. Will my PC ever be secure? Nope. Discussion over.

        Unfortunately what you call "crap" most of us call "reality".
        jasonp@...
        • Thanks for proving my point

          All OS's and apps have security bugs.
          No_Ax_to_Grind
          • Yes but here is the difference !!

            You are very right indeed all OS's and applications have security bugs.

            However, some OS's and applications have their bugs quashed in a timely fashion like Linux, BSD, Firefox and Thunderbird. Now Windows on the other hand has many bugs that will get fixed some day! Maybe? Promise! Like an MSHTML.dll bug that is present in every version of Windows that I know of. And MS's response: you have loads of disk space and memory so we'll just ignore it!!!
            madhead@...
    • Doesn't matter...

      Here is my box. Is my box secure? No, not without a megapatch.

      Discussion over. (Same crap you hear about Windows and applications.)
      No_Ax_to_Grind