"for all packages, from release of 6.3 up to and including 6.4, we shipped
108 advisories to address 311 vulnerabilities. 18 advisories were rated
critical, 28 were important, and the remaining 62 were moderate and low."
"Updates to correct 77 of the 78 critical vulnerabilities were available via
Red Hat Network either the same day or the next calendar day after the
issues were public. The other one was in OpenJDK 1.60
where the update took 4 calendar days (over a weekend)."
And if you are interested in how the figures were calculated, here is the
working out:
Note that we can't just use a date range because we've pushed some
RHSA the weeks before 6.4 that were not included in the 6.4 spin.
These issues will get included when we do the 6.4 to 6.5 report (as
anyone installing 6.4 will have got them when they first updated).
So just after 6.4 before anything else was pushed that day:
** Product: Red Hat Enterprise Linux 6 server (all packages)
** Dates: 20101110 - 20130221 (835 days)
** 397 advisories (C=55 I=109 L=47 M=186 )
** 1151 vulnerabilities (C=198 I=185 L=279 M=489 )
** Product: Red Hat Enterprise Linux 6 Server (default installation packages)
** Dates: 20101110 - 20130221 (835 days)
** 177 advisories (C=11 I=71 L=19 M=76 )
** 579 vulnerabilities (C=35 I=133 L=159 M=252 )
And we need to exclude errata released before 2013-02-21 but not in 6.4:
RHSA-2013:0273 [critical, default]
RHSA-2013:0275 [important, not default]
RHSA-2013:0272 [critical, not default]
RHSA-2013:0271 [critical, not default]
RHSA-2013:0270 [moderate, not default]
RHSA-2013:0269 [moderate, not default]
RHSA-2013:0250 [moderate, default]
RHSA-2013:0247 [important, not default]
RHSA-2013:0245 [critical, default]
RHSA-2013:0219 [moderate, default]
RHSA-2013:0216 [important, default]
Default vulns from above: critical:12 important:2 moderate:16 low:3
Non-Default vulns from above: critical:4 important:2 moderate:5 low:0
This gives us "Fixed between GA and 6.4 iso":
** Product: Red Hat Enterprise Linux 6 server (all packages)
** Dates: 20101110 - 20130221 (835 days)
** 386 advisories (C=51 I=106 L=47 M=182 )
** 1107 vulnerabilities (C=182 I=181 L=276 M=468 )
** Product: Red Hat Enterprise Linux 6 Server (default installation packages)
** Dates: 20101110 - 20130221 (835 days)
** 172 advisories (C=9 I=70 L=19 M=74 )
** 546 vulnerabilities (C=23 I=131 L=156 M=236 )
And taken from the last report "Fixed between GA and 6.3 iso":
** Product: Red Hat Enterprise Linux 6 server (all packages)
** Dates: 20101110 - 20120620 (589 days)
** 278 advisories (C=33 I=78 L=31 M=136 )
** 796 vulnerabilities (C=104 I=140 L=196 M=356 )
** Product: Red Hat Enterprise Linux 6 Server (default installation packages)
** Dates: 20101110 - 20120620 (589 days)
** 134 advisories (C=6 I=56 L=15 M=57 )
** 438 vulnerabilities (C=16 I=110 L=126 M=186 )
Therefore between 6.3 iso and 6.4 iso:
** Product: Red Hat Enterprise Linux 6 server (all packages)
** Dates: 20120621 - 20130221 (246 days)
** 108 advisories (C=18 I=28 L=16 M=46 )
** 311 vulnerabilities (C=78 I=41 L=80 M=112 )
** Product: Red Hat Enterprise Linux 6 Server (default installation packages)
** Dates: 20120621 - 20130221 (246 days)
** 38 advisories (C=3 I=14 L=4 M=17 )
** 108 vulnerabilities (C=7 I=21 L=30 M=50 )
Note: although we have 3 default criticals, they are in openjdk-1.6.0, but we
only call Java issues critical if they can be exploited via a browser, and in
RHEL6 the Java browser plugin is in the icedtea-web package, which isn't a
default package. So that means on a default install you don't get Java plugins
running in your browser, so really these are not default criticals in RHEL6
default at all.
My wife is part of a competition to be the next face representing her college;
with the final number of positive 'likes' on YouTube videos determining the
winners. I thought it would be neat to create a scoreboard to track her
progress, but also to learn how to use OpenShift all in one. It took me
longer to write this blog than to write the code and deploy it live!
After creating an account on Red Hat OpenShift
I created a new app based on perl and added a cron container so we can run our
script every few minutes (to stop overloading the YouTube API if the site
gets popular):
rhc-create-app -a fomc -t perl-5.10
rhc-ctl-app -a fomc -e add-cron-1.4
cd fomc
That was all the configuration needed, the 'fomc' directory is populated with
everything you need. OpenShift when you deploy your app,
figures out your perl dependencies and grabs and builds them for you, so
no messing around needing root or even logging into the host.
By default the file perl/index.pl will get served, but since
we're going to cache the output from the script let's make it a html file
index. To do this simply add to the existing perl/.htaccess
file:
DirectoryIndex index.html
I wrote this quick perl
program to query the YouTube API and do a simplistic HTML page of the number of
likes for each of the videos in the playlist, and placed it in the main
directory as youtube.pl. Now to get it created every ten minutes
we use the cron container by creating a
file .openshift/cron/minutely/perljob with the contents:
#!/bin/bash
MIN=`date +%M`
if [ $((${MIN#0} % 10)) == 0 ]; then
perl ${OPENSHIFT_REPO_DIR}/youtube.pl > ${OPENSHIFT_REPO_DIR}/index.html
mv -f ${OPENSHIFT_REPO_DIR}/index.html ${OPENSHIFT_REPO_DIR}/perl/index.html
fi
The cron job is run every minute, but the "modulus 10" ensures we only run the
perl script once every 10 minutes. We use an intermediate file so that anyone
visiting the site during the time it takes to create the file doesn't get a
blank page. Finally we want to make sure that we don't have to wait ten minutes
for the file to be created when we push the app, and give people the ability
to see the source, so we
create .openshift/action_hooks/post_deploy with the contents:
And the app is up and running; here it is:
http://fomc-esoom.rhcloud.com/. If this
blog was useful (blatent plug!) please click on
"Tracy Cox", make sure
you're logged in, and click "like" ;)
"for all packages, from release of 6.2 up to and including 6.3, we shipped
88 advisories to address 233 vulnerabilities. 15 advisories were rated critical,
23 were important, and the remaining 50 were moderate and low."
"Updates to correct 34 of the 36 critical vulnerabilities were
available via Red Hat Network either the same day or the next calendar
day after the issues were public. The Kerberos telnet flaw was fixed
in 2 calendar days as the issue was published on Christmas day. The
second PHP flaw took 4 calendar days (over a weekend) as the initial
fix released upstream was incomplete."
And if you are interested in how
the figures were calculated, as always view the source of this
blog entry.
For a two day trip I decided to test using my Android tablet instead of
also taking a laptop, and it worked out okay for the most part.
I was booked to go to Red Hat HQ in Raleigh, NC at the start of August for a
two-day business trip, well more accurately two-days in the office and another
two-days of travelling. I'd usually take my trusty ThinkPad x201 on the trip
with me, it's small and light, but it's battery life isn't so great anymore.
Earlier this year I'd bought an Android tablet, an ASUS Transformer Prime which
with a long battery life would be perfect for movies, but could it replace my
ThinkPad completely and save me travelling with two devices? I worked through
my requirements and it seemed plausible in theory, so here is how it stacked up
in practice:
Connectivity. In the UK you can only buy the Prime with the keyboard
dock, the keyboard dock is great. The in-built wifi was okay for the airport,
hotel, and office. I carry a USB network adapter anyway just in case the hotel
has a physical connection. The wifi signal on the Prime is terrible compared to
other things (like a phone) though, so be prepared to walk around a bit to the
best signal. Partial Win.
In flight entertainment.
I wanted something to watch movies (as US Airways transatlantic don't yet have
seat-back video, really!).
The large internal memory meant I could store a
few films in decent quality to watch and battery life wasn't a problem. I'd used
the tablet continously (without wifi) with the keyboard connected for 6
hours and wasn't even down to 50% battery. Although hardware decoding of videos
was a bit hit-and-miss, and after trying a dozen apps only "BS Player" seemed to
do a reasonable job. A couple of the movies I'd brought had low audio and I
couldn't figure out a way to boost it enough to hear over the noise of the plane,
even with decent in-ear noise blocking headphones. Having the keyboard dock
helped considerably as with the tablet on the tray-table I could set a decent
angle to watch a movie. Win.
Reading material. I had a few papers and magazines to read which I'd
preloaded onto the tablet in PDF format. The Adobe PDF viewer is
acceptable, but it seems a little sluggish for something running on a
quad-core processor, and the screen resolution isn't really good enough
for magazines. The new Transformer Infinity would help here. Partial Win.
Keeping in touch with home. The standard Android GMail app and Facebook
app are okay, and I was able to use GMail talk to have video chats with
my family from both the hotel and office. Win.
Working. With just a couple days away I figured all that was needed was
the ability to read and send email and browse intranet internal web pages. The
standard VPN client on the Prime worked perfectly, and along with the Firefox
beta app gave me perfect access to internal sites. For email I prefer
command-line text-window clients anyway, so I just needed to be able to connect
to a work machine. "Connectbot" on Android works well enough for ssh, and there
are a few forked versions you can get that work with the Prime keyboard. The
AndChat app works for irc. Win.
Presentations. I was giving a presentation at a meeting, but fortunately
they had a laptop set up with the projector and I didn't need to worry about
taking a HDMI lead and hoping it was a recent projector. Unexpectedly I needed
to edit an existing OpenOffice presentation to remove a couple of slides and
then convert to PDF to send to another company. I had to ask a colleague to do
it for me. There are apps that can view OpenOffice files, but no native
OpenOffice suite for android. I'd probably make sure I had access to a VNC
server in the future and use a VNC client for anything like this. Fail.
Privacy. My thinkpad has full-disk encryption but I didn't bother for
Android as I wasn't going to be storing anything sensitive on the machine. My
thinkpad has a 3M privacy filter, which is great for airplanes and airports to
stop people either side and behind you looking at your screen. The same filters
do exist for Android, but are not as straightforward (it of couse only works in
one orientation and attaches like a screen protector, so isn't the easiest thing
to continuously take on and off, and forces you to use your screen in portrait
mode for everything). Fail.
Printing a boarding card. When it was time to return home I was able to
use Firefox to check in online, and printing my boarding passes gave me a PDF
file. I didn't have any printer apps set up, but it was easy enough to email a
PDF to a colleague to print for me. Partial Win.
So in summary I think I got away with it; having just the tablet didn't stop me
doing anything that had to be done on the trip and I'll definately do the same
thing again in the future for very short trips. For anything more than a couple
of days or where connectivity might be an issue I'd miss having a full-featured
OS.
We now have an official Red Hat Security Blog, and you'll find all my future
reports and discussions about security metrics there. In the meantime
here are a few already published articles:
The Common Vulnerability Reporting Framework (CVRF) is a way to share
information about security updates in an XML machine-readable format. CVRF
1.1 got released this week and over at Red Hat we've started publishing
our security advisories in CVRF format.
When I moved to a new house in 2001 I designed and installed my own home-brew
home automation system in it to control things like the heating, lighting,
alarm system, and more. The messaging system I picked was to use standard
XMPP (Jabber) because most platforms have existing open source XMPP libraries
so writing clients is easy. The back-end is just a load of XMPP bots written
in Perl. Around the house I had a number of Fujitsu Point 1600 tablets
running an interface I designed and wrote using Perl/Tk. The tablets are
great, but they're starting to show their age with limited resolution
of 800x600 and CPU speed making full-screen video not really possible.
So last year I obtained an Archos 101 10.1" android tablet with the plan being
to replace the existing tablets with android powered ones. It was a good excuse
to dust off the old skills and learn programming apps for Android. Converting
the app was straightforward and tooks a couple of weekends, troubles with the
tablet took quite a bit more work.
Finding a way to mount the Archos tablet on a wall proved tricky, the back
of the device isn't perfectly flat and it has an annoying desk stand in
the middle. I ended up using a PadTab
for mounting, but having to custom modify it to handle not being in the
centre of the device, and add thick sticky strips (normally used to dampen
fans). The build quality of these tablets is pretty poor.
The display panel on the tablet isn't very good either and has limited viewing angles
from three sides, so in order to be able to see the screen when mounted to
the wall I had to turn it upside down. Android can happily handle a rotated
display, the only downside is that the Archos logo is the wrong way up (a bit of
black tape covers it up now).
I left the Archos mounted on the wall and running for a week, permanently
attached to its charger. At the end of the week I noticed it wasn't sitting
straight on the wall, and in fact the internal batteries had both swelled up
and burst out of the case. I read online a few other stories from folks who
had bought Archos tablets which had failed in the same way, I guess they're
really not designed to be left on charge permanently (that's really bad
design Archos, this could have easily caught fire!)
I figured I didn't really need to have batteries installed, the tablet is
going to be permanently powered on anyway, and it would be safer to leave
the house knowing there was no risk of exploding batteries. So I took the
tablet apart and removed them. Without batteries the Archos starts its
power up cycle, displays a logo, then gets to a certain part of the boot process
and powers down. I guess it does a check on the state of the batteries
and it fails. This presented a real problem and I gave up trying to
use the tablet. Over the Christmas holidays I heard that you could flash an
alternative OS, CyanogenMod, and that actually booted and ran just fine without batteries,
but it wasn't stable and featured enough for running the Home Automation app I'd written.
So I decided to try to debug the Archos OS, so connected it to USB to get
debug messages, and interestingly it powered up perfectly first time. Removing
the USB connection caused it to lock up a few seconds later. Strange
behaviour! I tried just connecting power to the USB port, and that worked
too. So if you want to run your Archos 101 android tablet without internal
batteries you can, but you need to splice your power cable and feed 5v to
both the power socket and the USB socket.
So now I had a working tablet again I changed the power adaptor so it
mounted neatly against the wall:
Red Hat Enterprise Linux 5.8 was released today (February 2012), seven
months since the release of 5.7 in July 2011. So let's use this opportunity to
take a quick look back over the vulnerabilities and security updates made in
that time, specifically for Red Hat Enterprise Linux 5 Server.
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 5 Server if you had installed 5.7, up to and including the
5.8 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve quite a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly
what packages you have installed or removed.
So, for a default install, from release of 5.7 up to and including
5.8, we shipped 42 advisories to address 118 vulnerabilities. 4
advisories were
rated critical, 13 were important, and the remaining
25 were moderate and low.
Or, for all packages, from release of 5.7 up to and including 5.8, we
shipped 71 advisories to address 177 vulnerabilities. 7 advisories
were rated critical, 16 were important, and the remaining 48 were
moderate and low.
Critical vulnerabilities
The 7 critical advisories addressed 20 critical vulnerabilities across 4 different packages:
An update to
OpenJDK 6 Java Runtime Environment,
(October 2011)
where a web site hosting a malicious Java applet could potentially run
arbitrary code as the user.
An update to the
MIT krb5 telnet daemon
(December 2011) where
a remote attacker who can access the telnet port of a target machine could use
this flaw to execute arbitrary code as root. Note that the krb5 telnet daemon
is not installed or enabled by default, and the default firewall rules block remote access to
the telnet port. This flaw did not affect the more commonly used telnet daemon distributed in the
telnet-server package.
Updates to
PHP
and
PHP 5.3
(February 2012)
where a remote attacker could send a specially-crafted HTTP request to cause the
PHP interpreter to crash or, possibly, execute arbitrary code. This flaw was
caused by the fix for CVE-2011-4885.
Three updates to Firefox (August 2011, September 2011, November 2011)
where a malicious web site could potentially run arbitrary code as the user
running Firefox.
Updates to correct 19 out of the 20 critical vulnerabilities were
available via Red Hat Network either the same day or the next
calendar day after the issues were public. The update to krb5
took 2 calendar days because it was public on Christmas day.
Overall, for Red Hat Enterprise Linux 5 since release until 5.8, 98%
of critical vulnerabilities have had an update available to address
them available from the Red Hat Network either the same day or the
next calendar day after the issue was public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were a couple of remote denial of service flaws that were easily exploitable:
A flaw in Apache HTTP Server,
CVE-2011-3192, fixed by
RHSA-2011:1245.
A remote attacker could use this flaw to cause httpd to use an
excessive amount of memory and CPU time.
To compare these statistics with previous update releases we need
to take into account that the time between each update release is different.
So looking at a default installation and calculating the number of
advisories per month gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise
Linux 5 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You
can use our public
security measurement data and tools, and run your own custom metrics for any
given Red Hat product, package set, timescales, and severity range of interest.
The inspiration for the Sonik video for Gravitation came from a local friend of
ours, a talented and world-renowned photographer, Adrian Brannan. Ade is famous for
his analogue photo
collages (please give him a 'like' on his Facebook page):
We
often wondered how the same effect would look if rendered with video. With video
you've got the extra element of time, each segment of the mosaic can be running
from a different starting point, with a different speed, and even a different
direction. In addition the segments themselves can move over time. Would this
end up with an effect that was just too much of a mess? Or would it give an
effect that helps visualise the consequence of spacetime?
We started by taking several videos at three different locations over the period
of a year with a Kodak Zi8 camera. A motorway bridge over the M74, just outside
the Buchanan shopping center in Glasgow, and a bench in Strathclyde park.
Lining up the images was done roughly by using lines drawn on acetate stuck over the
camera screen.
The software to do the mosaic effect was hand-written. We used a simple
scripting language, Perl, and the image library GD. On a relatively modern
Linux PC running Fedora 16 we can render near real-time 720p HD even when handling 300
segments of mosaic. A simple language controls which parts of the screen come
from which video, and the first half of the music video uses this with simple
effects having just a few boxes overlayed:
Later in the video things get more
complicated, using randomisation to pick the location and movement of each
segment:
We used our scripts to create a number of ~13 second segments, then put them all
together using kdenlive. The intro and outro were taken from a different video
from a hotel room in London Victoria; the intro using a 'miniature' effect, and
outro using the randomised segments applied to a single video.
Red Hat Enterprise Linux 6.2 was released this week (Dec 2011), just
over six months since the release of 6.1 in May 2011. So let's
use this opportunity to take a quick look back over the
vulnerabilities and security updates made in that time, specifically
for Red Hat Enterprise Linux 6 Server.
Errata count
The chart below illustrates the total number of security updates issued for Red
Hat Enterprise Linux 6 Server if you had installed 6.1, up to and including the
6.2 release, broken down by severity. It's split into two columns, one for
the packages you'd get if you did a default install, and the other if you
installed every single package (which is unlikely as it would involve a bit of
manual effort to select every one). For a given installation, the number of
package updates and vulnerabilities that affected you will depend on exactly what you
have installed or removed.
So, for a default install, from release of 6.1 up to and including 6.2, we
shipped 36 advisories to address 121 vulnerabilities. 2 advisories were rated
critical, 10 were important, and the remaining 24 were moderate and low.
Or, for all packages, from release of 6.1 up to and including 6.2, we shipped
88 advisories to address 218 vulnerabilities. 10 advisories were rated critical,
16 were important, and the remaining 62 were moderate and low.
Critical vulnerabilities
The 10 critical advisories addressed 31 critical vulnerabilities across 3 components:
Two updates to the OpenJDK 6 Java Runtime
(June 2011,
October 2011)
where a malicious web site presenting a Java applet could potentially run arbitrary code as the user
running a web browser.
Updates to correct all of the 31 critical vulnerabilities were
available via Red Hat Network either the same day or the next calendar
day after the issues were public.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during
this period were a few flaws that were high risk or easily exploitable:
A flaw in Bind, CVE-2011-4313
fixed by RHSA-2011:1458
where a malicious client could cause Bind to stop responding, a denial
of service attack. This flaw was discovered by it being accidentally
triggered in the wild.
A flaw in the Apache HTTP Server, CVE-2011-3192,
fixed by RHSA-2011:1245, where a remote attacker could
cause a denial of service attack. This was discovered due to a public exploit.
A flaw in RPM, CVE-2011-3378
fixed by RHSA-2011:1349
where a specially-crafted RPM package that, when queried or installed,
would cause rpm to crash or, potentially, execute arbitrary code prior to any
signature checking. We're not aware of any working exploits for this issue.
To compare these statistics with previous update releases we need to take into
account that the time between each update release is different. So looking at
a default installation and calculating the number of advisories per month
gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise
Linux 6 Server, but isn't really useful for comparisons with other major
versions, distributions, or operating systems -- for example, a default install
of either Red Hat Enterprise Linux 4AS and 6 Server does not include Firefox, but a
default install of 5 Server does. You can use
our public security
measurement data and tools, and run your own custom metrics for any given
Red Hat product, package set, timescales, and severity range of interest.
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.
The Common Vulnerability Reporting Framework (CVRF) is a way to share
information about security updates in an XML machine-readable format. CVRF
1.1 got released this week and over at Red Hat we've started publishing
our security advisories in CVRF format.
