Mark J Cox, the Director of the Red Hat Security Response Team, published an update to the RHEL 4 risk report:
Red Hat® Enterprise Linux® 4 was released on February 15th, 2005. This report takes a look at the state of security for the first three years from
Two of the lines in the conclusion are:
A default installation of Enterprise Linux 4 AS was vulnerable to seven critical security issues over the first three years.
A customised installation of Enterprise Linux 4, selecting every package, would have been vulnerable to 76 critical browser security issues, and 11 in non-browser packages in the three years.
But I doubt how many people use the default installation “as is” or are foolish enough to install everything. I would like to know the security effect of a RHEL4 minimal installation, as this is my way to install RHEL.
It will also be interesting to see similar reports from other distributions, especially on the response times, as I guess most security issues are common anyway due to shared applications.