Risk report: Four years of Red Hat Enterprise Linux 4

“1. Introduction
We measure the overall risk of running Enterprise Linux 4 as a
function of two factors: the vulnerabilities and the threats. Our
first section covers the security vulnerabilities found in packages
that are part of Enterprise Linux 4 and the advisories that address
them. Our second section covers the threats by examining actual
exploitation of those vulnerabilities through exploits and
worms.

“All the data used to generate this report, tables, and graphs,
apply to Red Hat Enterprise Linux 4 AS from release day, 15
February 2005 to 14 February 2009 unless otherwise stated.

“2. Vulnerabilities
At first sight it may appear that Red Hat have released a lot of
updates for Enterprise Linux 4; in the last twelve months we
published a total of 107 security advisories to address 251
individual vulnerabilities. But in reality this is by far a
worst-case metric, as it treats all vulnerabilities as equal,
regardless of their severity and assumes a system that has
installed every available package – which is not a default or even
a likely installation.

“With the release of Enterprise Linux 4, we started publishing
severity levels with package errata to help users determine which
advisories were the ones that mattered the most. Providing a
prioritised risk assessment helps customers to understand and
better schedule upgrades to their systems, being able to make a
more informed decision on the risk that each issue places on their
unique environment. Red Hat rates the impact of individual
vulnerabilities on a four-point scale designed to be an at-a-glance
guide to how worried Red Hat is about each security issue.”
