It turns out that, after years of engineering work and collaboration efforts with strategic partners such as IBM, Red Hat’s March 14 release of Red Hat Enterprise Linux 5 had the misfortune of coinciding with the company’s release of a whopping 11 security advisories.
The rest of Red Hat’s advisories were rated important or low. One of the important advisories included a fix to Red Hat’s RHEL 5 kernel. The vulnerabilities fixed in the Linux kernel include a flaw in the keyctl subsystem that allowed a local user to cause a DoS (denial of service), a flaw in the Omnikey CardMan 4040 driver that allowed a local user to take over a system with kernel privileges, and a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP.
As has been noted in posts, the flaws aren’t unique to Red Hat.
“These aren’t Red [Hat] vulnerabilities per se—they affect a lot of distros,” wrote “NetArch” in response to a blog. “It’s just that they were discovered and fixed after Red Hat froze the code base. RH was just in the unfortunate position that the flaws were found very late in the release cycle. None of the other distros are releasing a new version right now, so RH ‘catches all the flak.’”