Until recently I also used RH9. I upgraded to Debian Sarge mainly because of the same problem
If you are determined to stick with RH9, there are several sources to update your system:
https://rhn.redhat.com/errata/rh9-errata.html
Red Hat still maintains a list of security advisories for end-of-life products.
ftp://fr.rpmfind.net/linux/redhat/9/...86/RedHat/RPMS
At rpmfind, there is quite a bunch of updated RPMs for RH9.
To automate the update process, you might want to use a tool like apt. It looks for updated packages, downloads and installs them while trying to resolve all dependencies correctly. It is available for RedHat and also works for the RPM package format (originally it was developed for Debian and dpkg). Here is the contents of my old "sources.list" file, which points apt to the locations where it should look for updates:
Paste those lines into /etc/apt/sources.list and issue the following commands:
apt-get update
apt-get upgrade
You should get quite a large list of packages that are marked for upgrade. Take care not to upgrade all packages at first, because your RPM database might get inconsistent. In my experience apt is not able to resolve all dependencies correctly, and you might end up with an inconsistent system. Especially large packages like kde are a problem. Try to update smaller packages first that are important for security, like samba or httpd.