Summer and work travel have really had an impact, and I've missed a couple of months of scorecards, so last weekend I decided to dig in and catch up to July. I hit a few road bumps:

  • Sun changed their Security Alerts web site, making it a bit more challenging. I gave up for now, but will try to add them back with subsequent scorecards.
  • Novell, in a similar but different move, created a new psdb page for their Enterprise Linux v10 SP1 products. At first, I thought they had not released any patches since mid-June. Nope. Let me give you details. If you want to see:

In addition, I wanted to add in the Red Hat EL 5 versions of client and server, since they've been available for over 3 months now, and that took some time as well.  Anyway, back in action now.

Here are the sections for this month:

  1. Year-to-date 2007 Client and Server charts for all vulnerabilities for
    • all shipping components of the products
  2. May - July 2007 Client and Server charts for all vulnerabilities for
    • all shipping components of the products
  3. Year-to-date 2007 Client and Server charts for vulnerabilities for
    • all shipping components of the non-Linux products
    • reduced set of components for the Linux products
  4. May - July 2007 Client and Server charts for vulnerabilities for
    • all shipping components of the non-Linux products
    • reduced set of components for the Linux products

Comments on the July Charts

When I started doing these scorecards, I did two variations - year-to-date and last-3-months - thinking that the latter would reflect short-term bursts of issues and that the former would give an overall view for the year that would incorporate the ups and downs.

Instead, the two versions of the charts look very similar except for the numbers and scale. This hints that whatever vulnerability disclosure and fix rate a product has, it stays pretty consistent over time, at least in 2007.

The other thing I find a bit interesting is the Server charts that incorporate the reduced set of Linux packages. For those Linux server builds, I eliminated everything GUI, X11, Gnome and KDE-related, Firefox and all optional client-type application components, and just kept a minimalist server with the ability to serve web pages or act in a few other common server roles. In contrast, the Windows Server build includes every shipping component, including Internet Explorer, Media Player and similar stuff. I imagine that a lot of people would have expected a stripped-down Linux server to have, if not fewer total vulnerabilities, then fewer High severity vulnerabilities.

Finally, if I had one surprise in the charts, it was that I expected RHEL5 to be further distinguished from (i.e., much lower than) RHEL4 in the YTD charts, given that it did not ship until March.

Year-to-date 2007 Client and Server Charts - Full Set of Supported Components

image

* RHEL Desktop 5 shipped in March, so only represents vulns since then

image

* RHEL 5 Advanced Server shipped in March, so only represents vulns since then

May - July 2007 Client and Server charts - Full Set of Supported Components

image

image

Year-to-date 2007 Client and Server Charts - Reduced Set of Linux Packages

In this section and the next one, note that each of the Linux distributions analyzed does not include the full set of product components, as I went through a process to filter out optional and non-comparable components. For more details on assumptions and methods, please review my methodology, sources and assumptions on this page.

image

image

May - July 2007 Client and Server Charts - Reduced Set of Linux Packages

image

image