Security Watch

Keeping track of patches and hacks in the IT security world.

Red Hat Release Coincides with Host of Related Application, Kernel Fixes

It turns out that, after years of engineering work and collaboration efforts with strategic partners such as IBM, Red Hat's March 14 release of Red Hat Enterprise Linux 5 had the misfortune of coinciding with the company's release of a whopping 11 security advisories.

Three of the advisories are rated critical, but none of them concerns RHEL 5 itself; each covers an application shipped with the distribution, for which updated packages are now available on RHEL 5. The first addresses multiple flaws in the open-source Firefox browser, including cross-site scripting and JavaScript handling errors. The second covers flaws in Thunderbird, the open-source mail client. The third concerns flaws in Ekiga, a tool for audio and video communication over the Internet.

The rest of Red Hat's advisories were rated important or low. One of the important advisories included a fix for the RHEL 5 kernel. The vulnerabilities fixed in the Linux kernel include a flaw in the keyctl subsystem that allowed a local user to cause a denial of service (DoS), a flaw in the Omnikey CardMan 4040 driver that allowed a local user to gain kernel privileges and take over the system, and a flaw in core-dump handling that allowed a local user to produce core dumps of binaries that user could not otherwise read, via PT_INTERP. All three are local flaws; none is remotely exploitable on its own, but on multi-user systems the CardMan 4040 issue is a full privilege escalation and should be patched first.

As commenters have noted, the flaws aren't unique to Red Hat.

"These aren't Red [Hat] vulnerabilities per se—they affect a lot of distros," wrote "NetArch" in response to a blog. "It's just that they were discovered and fixed after Red Hat froze the code base. RH was just in the unfortunate position that the flaws were found very late in the release cycle. None of the other distros are releasing a new version right now, so RH 'catches all the flak.'"