partyopensuse
opensuse 时间:2021-04-01 阅读:(
)
SUSESecurityProcessAnoverviewontechnicallevelMarcusMeinerTeamleadSUSESecuritymeissner@suse.
de2006NovellInc.
2SUSESecurityTeamTasks:IncidenthandlingProactivework(auditing,designreviews)ResearchandIntegrationofnewtechnologiesFocusonOpenSourcepartsoftheLinuxproductlinesTightlycooperatingwith:R&D,QA,NTS,Maintenance,Customers2006NovellInc.
3SecurityWork–whatisitnotcoolnofundoesnotmakeyoupopulartiringwork2006NovellInc.
4SecurityProblemsovertimeBufferoverflowsFormatstringproblemsIntegeroverflows(Bufferoverflowsstrikeback)Last2years:imageprocessinglibrariesproblemsinwebapplicationsThisyear:problemsinwebapplicationsProblem:moreandmorecodeoperatesondatafromtheInternetapplicationsgrowandgrowandgrow2006NovellInc.
5NonIncidentWorkAuditsecurityrelevantpackagesnetworkandsystemdaemons,setuidbinariesdesignofnewtechnologieslikeD-BUSothersecuritycriticalpackagesDeployautomatedmeasuresDevelopnewtechnologiesEducatewritepapersholdlecturesonsecuritytopicsResearchresearchintonewtechnologiesandattackvectors2006NovellInc.
6MakingcodehardertoexploitOverflowchecking/mitigation:-D_FORTIFY_SOURCE=2(defaulton10.
0,10.
1.
.
.
)-fstack-protectorheapstructurevalidationmanglingofpointersthatliveindangerousareasrandomizingaddressspaceAutomatedcodecheckingAnnoyinggccwarnings3rdpartytoolsForce^WTeachpeopletowritebettercode2006NovellInc.
7ConfinementNoSELinuxhereniceideaandformalapproachtoocomplicatedtosetupforbothuserandadminAppArmoraccessrestrictionsonapplicationlevelconfinesfileaccess,capabilities,programstartsglobbingandwildcardspossiblenoall-or-nothingapproachlikeSELinuxlightversionon10.
0,fullOpenSourcenowLSMsooninmainlinekernel2006NovellInc.
8ProductlinesSUSELinux(Retail,Box)2yearssupported,getssecurityandcriticalbugfixesreleasedevery6months4-5activeateverytimeSUSELinuxEnterpriseServer5yearsregularmaintenance(+2yearsextended)longerreleasecyclescurrently:SLES8,SLES9,SLD1,NLD9,OESSoon:SLES10,SLED10Active:2majorproducts,3derivatedproducts5differentmaincodestreams(+derivates)2006NovellInc.
9IncidentHandling–EnteringSUSEGettingknowledgeofsecurityproblempublicmailinglistsclosedforums(crossvendorcoordination)newpackagereleasesourownsecurityauditsreportstocontactaddress(security@suse.
de)Trackingdiscard,ifaffectedpackageisnotinactiveproductsdiscard,ifaffectedpackageversionisnotinactiveproductsopenaBugzillaentry2006NovellInc.
10IncidentHandling–TrackingBugzillaIsourincidenttrackingtoolSecurityTeamaddsinitialinformationtonewbugreports:–detaileddescription–VulnerabilityIDs(CVE,VU#,.
.
.
)–affectedpackageversionsandproducts–patch(es)tofixissue(ifany)–sampleexploit(s)(ifany)–decisiononwhethertofixforolderproductsornotAssignedtopackagerAssistingwithfindingpatches,fixingandpriority2006NovellInc.
11IncidentHandling–FixedPackagesPackagemaintainerworkReviewsfixesandaffectedproductsSubmitsfixedpackages(source)forbuildsystemSourcelevelpatchreviewisdonebyBuildsystemTeamBuildsystemTeamcheckspackageintopackagerepositoryofoldproductsBuildsystemConsistencychecksduringbuildAutomatedrebuildingalldependendpackagesNofixed(bitwisesame)binariesduetorebuilds2006NovellInc.
12IncidentHandling–PatchsetCreationCreatingthepatchset:accompaniesfixedpackageuptoreleasetrackedbySWAMP(SUSEWorkflowmanagementtool)createdbySecurityTeam–whatpackages,whatdistributions–description–optionalpreorpostinstallationmessages–linksbacktoBugzillaandSWAMPmetapatchfilegetscheckedintobuildsystem–collectsRPMsoutofcurrentstateofbuildsystemandfixatesthem–preparesthepatchsetthecustomerwillseeforQA2006NovellInc.
13IncidentHandling–QAQAUsescreatedpatchsetCheckreproducabilityofavailableexploitsAppliespatchesjustlikecustomerwould,from–YaSTOnlineUpdateforSUSELinuxandSLES–RedCarpet/ZLMforOESandNLDSystemintegrationQA(checkingRPMdependencies)ComponentIntegrationQA–Packagetestcasesarerun(automatedandmanual)–rerunexploitprocessgoesbacktopackagerifQAfails2006NovellInc.
14IncidentHandling–ReleaseNotbefore:coordinateddisclosuredateQAapprovalOnapproval:patchiscopiedtostaginginfrastructureinthesamewayasforQAnofurthermanualstepsNTSreviewsdocumentationandpublishesTIDarticleSecurityadvisoryreleased2006NovellInc.
15HowcanyouhelpUser/AdministratorsInstallSecurityUpdatesReportcrashesinApplicationsMonitoryourserversDeveloperProgramsafelyusebetterlanguagessecurityconsciousdesign2006NovellInc.
16Itsallaboutcertification.
Security-notafeature,butaprocessCertificationdescribesconfigurations:profilesdefiningscenariosofusersandattackersversionsofinstalledsoftwarecontentofconfigurationsfileshardwareandprocesses:securityhandlingduringtheproductlifecycledocumentationphysicalsecurity2006NovellInc.
17LanguagesCC++ManagedLanguagesandEnvironments–Java–C#Script–perl–php
中午的时候有网友联系提到自己前几天看到Namecheap商家开学季促销活动期间有域名促销活动的,于是就信注册NC账户注册域名的。但是今天登录居然无法登录,这个问题比较困恼是不是商家跑路等问题。Namecheap商家跑路的可能性不大,前几天我还在他们家转移域名的。这里简单的记录我帮助他解决如何重新登录Namecheap商家的问题。1、检查邮件让他检查邮件是不是有官方的邮件提示。比如我们新注册账户是需...
欧路云新上了美国洛杉矶cera机房的云服务器,具备弹性云特征(可自定义需要的资源配置:E5-2660 V3、内存、硬盘、流量、带宽),直连网络(联通CUVIP线路),KVM虚拟,自带一个IP,支持购买多个IP,10G的DDoS防御。付款方式:PayPal、支付宝、微信、数字货币(BTC USDT LTC ETH)测试IP:23.224.49.126云服务器 全场8折 优惠码:zhujiceping...
俄罗斯vps云服务器商家推荐!俄罗斯VPS,也叫毛子主机(毛子vps),因为俄罗斯离中国大陆比较近,所以俄罗斯VPS的延迟会比较低,国内用户也不少,例如新西伯利亚机房和莫斯科机房都是比较热门的俄罗斯机房。这里为大家整理推荐一些好用的俄罗斯VPS云服务器,这里主要推荐这三家:justhost、ruvds、justg等俄罗斯vps主机,方便大家对比购买适合自己的俄罗斯VPS。一、俄罗斯VPS介绍俄罗斯...
opensuse为你推荐
网络访问为什么Wifi无internet访问美国互联网瘫痪美国是否有能力关闭全球互联网以及中国互联网,还有美国有没能力关闭某个网站,比如淘宝,天涯,网易等摩拜超15分钟加钱首次 微信扫 摩拜单车 需要 付压金吗怎么查询商标如何查询商标注册m.2828dy.combabady为啥打不开了,大家帮我提供几个看电影的网址125xx.com高手指教下,www.fshxbxg.com这个域名值多少钱?www.dm8.cc有没有最新的日本动漫网站?www.147qqqcom求女人能满足我的…网站检测工具.请介绍至少五种软件测试工具红玉头冠裂心护肩是哪出的 红玉头冠哪出的
域名拍卖 域名主机管理系统 hostmaster GGC 新加坡服务器 Hello图床 万网优惠券 青果网 网盘申请 777te 中国电信测速112 idc查询 云营销系统 新加坡空间 登陆qq空间 1美元 reboot ftp是什么东西 超低价 网络安装 更多