partyopensuse
opensuse 时间:2021-04-01 阅读:()
SUSESecurityProcessAnoverviewontechnicallevelMarcusMeinerTeamleadSUSESecuritymeissner@suse.
de2006NovellInc.
2SUSESecurityTeamTasks:IncidenthandlingProactivework(auditing,designreviews)ResearchandIntegrationofnewtechnologiesFocusonOpenSourcepartsoftheLinuxproductlinesTightlycooperatingwith:R&D,QA,NTS,Maintenance,Customers2006NovellInc.
3SecurityWork–whatisitnotcoolnofundoesnotmakeyoupopulartiringwork2006NovellInc.
4SecurityProblemsovertimeBufferoverflowsFormatstringproblemsIntegeroverflows(Bufferoverflowsstrikeback)Last2years:imageprocessinglibrariesproblemsinwebapplicationsThisyear:problemsinwebapplicationsProblem:moreandmorecodeoperatesondatafromtheInternetapplicationsgrowandgrowandgrow2006NovellInc.
5NonIncidentWorkAuditsecurityrelevantpackagesnetworkandsystemdaemons,setuidbinariesdesignofnewtechnologieslikeD-BUSothersecuritycriticalpackagesDeployautomatedmeasuresDevelopnewtechnologiesEducatewritepapersholdlecturesonsecuritytopicsResearchresearchintonewtechnologiesandattackvectors2006NovellInc.
6MakingcodehardertoexploitOverflowchecking/mitigation:-D_FORTIFY_SOURCE=2(defaulton10.
0,10.
1.
.
.
)-fstack-protectorheapstructurevalidationmanglingofpointersthatliveindangerousareasrandomizingaddressspaceAutomatedcodecheckingAnnoyinggccwarnings3rdpartytoolsForce^WTeachpeopletowritebettercode2006NovellInc.
7ConfinementNoSELinuxhereniceideaandformalapproachtoocomplicatedtosetupforbothuserandadminAppArmoraccessrestrictionsonapplicationlevelconfinesfileaccess,capabilities,programstartsglobbingandwildcardspossiblenoall-or-nothingapproachlikeSELinuxlightversionon10.
0,fullOpenSourcenowLSMsooninmainlinekernel2006NovellInc.
8ProductlinesSUSELinux(Retail,Box)2yearssupported,getssecurityandcriticalbugfixesreleasedevery6months4-5activeateverytimeSUSELinuxEnterpriseServer5yearsregularmaintenance(+2yearsextended)longerreleasecyclescurrently:SLES8,SLES9,SLD1,NLD9,OESSoon:SLES10,SLED10Active:2majorproducts,3derivatedproducts5differentmaincodestreams(+derivates)2006NovellInc.
9IncidentHandling–EnteringSUSEGettingknowledgeofsecurityproblempublicmailinglistsclosedforums(crossvendorcoordination)newpackagereleasesourownsecurityauditsreportstocontactaddress(security@suse.
de)Trackingdiscard,ifaffectedpackageisnotinactiveproductsdiscard,ifaffectedpackageversionisnotinactiveproductsopenaBugzillaentry2006NovellInc.
10IncidentHandling–TrackingBugzillaIsourincidenttrackingtoolSecurityTeamaddsinitialinformationtonewbugreports:–detaileddescription–VulnerabilityIDs(CVE,VU#,.
.
.
)–affectedpackageversionsandproducts–patch(es)tofixissue(ifany)–sampleexploit(s)(ifany)–decisiononwhethertofixforolderproductsornotAssignedtopackagerAssistingwithfindingpatches,fixingandpriority2006NovellInc.
11IncidentHandling–FixedPackagesPackagemaintainerworkReviewsfixesandaffectedproductsSubmitsfixedpackages(source)forbuildsystemSourcelevelpatchreviewisdonebyBuildsystemTeamBuildsystemTeamcheckspackageintopackagerepositoryofoldproductsBuildsystemConsistencychecksduringbuildAutomatedrebuildingalldependendpackagesNofixed(bitwisesame)binariesduetorebuilds2006NovellInc.
12IncidentHandling–PatchsetCreationCreatingthepatchset:accompaniesfixedpackageuptoreleasetrackedbySWAMP(SUSEWorkflowmanagementtool)createdbySecurityTeam–whatpackages,whatdistributions–description–optionalpreorpostinstallationmessages–linksbacktoBugzillaandSWAMPmetapatchfilegetscheckedintobuildsystem–collectsRPMsoutofcurrentstateofbuildsystemandfixatesthem–preparesthepatchsetthecustomerwillseeforQA2006NovellInc.
13IncidentHandling–QAQAUsescreatedpatchsetCheckreproducabilityofavailableexploitsAppliespatchesjustlikecustomerwould,from–YaSTOnlineUpdateforSUSELinuxandSLES–RedCarpet/ZLMforOESandNLDSystemintegrationQA(checkingRPMdependencies)ComponentIntegrationQA–Packagetestcasesarerun(automatedandmanual)–rerunexploitprocessgoesbacktopackagerifQAfails2006NovellInc.
14IncidentHandling–ReleaseNotbefore:coordinateddisclosuredateQAapprovalOnapproval:patchiscopiedtostaginginfrastructureinthesamewayasforQAnofurthermanualstepsNTSreviewsdocumentationandpublishesTIDarticleSecurityadvisoryreleased2006NovellInc.
15HowcanyouhelpUser/AdministratorsInstallSecurityUpdatesReportcrashesinApplicationsMonitoryourserversDeveloperProgramsafelyusebetterlanguagessecurityconsciousdesign2006NovellInc.
16Itsallaboutcertification.
Security-notafeature,butaprocessCertificationdescribesconfigurations:profilesdefiningscenariosofusersandattackersversionsofinstalledsoftwarecontentofconfigurationsfileshardwareandprocesses:securityhandlingduringtheproductlifecycledocumentationphysicalsecurity2006NovellInc.
17LanguagesCC++ManagedLanguagesandEnvironments–Java–C#Script–perl–php
de2006NovellInc.
2SUSESecurityTeamTasks:IncidenthandlingProactivework(auditing,designreviews)ResearchandIntegrationofnewtechnologiesFocusonOpenSourcepartsoftheLinuxproductlinesTightlycooperatingwith:R&D,QA,NTS,Maintenance,Customers2006NovellInc.
3SecurityWork–whatisitnotcoolnofundoesnotmakeyoupopulartiringwork2006NovellInc.
4SecurityProblemsovertimeBufferoverflowsFormatstringproblemsIntegeroverflows(Bufferoverflowsstrikeback)Last2years:imageprocessinglibrariesproblemsinwebapplicationsThisyear:problemsinwebapplicationsProblem:moreandmorecodeoperatesondatafromtheInternetapplicationsgrowandgrowandgrow2006NovellInc.
5NonIncidentWorkAuditsecurityrelevantpackagesnetworkandsystemdaemons,setuidbinariesdesignofnewtechnologieslikeD-BUSothersecuritycriticalpackagesDeployautomatedmeasuresDevelopnewtechnologiesEducatewritepapersholdlecturesonsecuritytopicsResearchresearchintonewtechnologiesandattackvectors2006NovellInc.
6MakingcodehardertoexploitOverflowchecking/mitigation:-D_FORTIFY_SOURCE=2(defaulton10.
0,10.
1.
.
.
)-fstack-protectorheapstructurevalidationmanglingofpointersthatliveindangerousareasrandomizingaddressspaceAutomatedcodecheckingAnnoyinggccwarnings3rdpartytoolsForce^WTeachpeopletowritebettercode2006NovellInc.
7ConfinementNoSELinuxhereniceideaandformalapproachtoocomplicatedtosetupforbothuserandadminAppArmoraccessrestrictionsonapplicationlevelconfinesfileaccess,capabilities,programstartsglobbingandwildcardspossiblenoall-or-nothingapproachlikeSELinuxlightversionon10.
0,fullOpenSourcenowLSMsooninmainlinekernel2006NovellInc.
8ProductlinesSUSELinux(Retail,Box)2yearssupported,getssecurityandcriticalbugfixesreleasedevery6months4-5activeateverytimeSUSELinuxEnterpriseServer5yearsregularmaintenance(+2yearsextended)longerreleasecyclescurrently:SLES8,SLES9,SLD1,NLD9,OESSoon:SLES10,SLED10Active:2majorproducts,3derivatedproducts5differentmaincodestreams(+derivates)2006NovellInc.
9IncidentHandling–EnteringSUSEGettingknowledgeofsecurityproblempublicmailinglistsclosedforums(crossvendorcoordination)newpackagereleasesourownsecurityauditsreportstocontactaddress(security@suse.
de)Trackingdiscard,ifaffectedpackageisnotinactiveproductsdiscard,ifaffectedpackageversionisnotinactiveproductsopenaBugzillaentry2006NovellInc.
10IncidentHandling–TrackingBugzillaIsourincidenttrackingtoolSecurityTeamaddsinitialinformationtonewbugreports:–detaileddescription–VulnerabilityIDs(CVE,VU#,.
.
.
)–affectedpackageversionsandproducts–patch(es)tofixissue(ifany)–sampleexploit(s)(ifany)–decisiononwhethertofixforolderproductsornotAssignedtopackagerAssistingwithfindingpatches,fixingandpriority2006NovellInc.
11IncidentHandling–FixedPackagesPackagemaintainerworkReviewsfixesandaffectedproductsSubmitsfixedpackages(source)forbuildsystemSourcelevelpatchreviewisdonebyBuildsystemTeamBuildsystemTeamcheckspackageintopackagerepositoryofoldproductsBuildsystemConsistencychecksduringbuildAutomatedrebuildingalldependendpackagesNofixed(bitwisesame)binariesduetorebuilds2006NovellInc.
12IncidentHandling–PatchsetCreationCreatingthepatchset:accompaniesfixedpackageuptoreleasetrackedbySWAMP(SUSEWorkflowmanagementtool)createdbySecurityTeam–whatpackages,whatdistributions–description–optionalpreorpostinstallationmessages–linksbacktoBugzillaandSWAMPmetapatchfilegetscheckedintobuildsystem–collectsRPMsoutofcurrentstateofbuildsystemandfixatesthem–preparesthepatchsetthecustomerwillseeforQA2006NovellInc.
13IncidentHandling–QAQAUsescreatedpatchsetCheckreproducabilityofavailableexploitsAppliespatchesjustlikecustomerwould,from–YaSTOnlineUpdateforSUSELinuxandSLES–RedCarpet/ZLMforOESandNLDSystemintegrationQA(checkingRPMdependencies)ComponentIntegrationQA–Packagetestcasesarerun(automatedandmanual)–rerunexploitprocessgoesbacktopackagerifQAfails2006NovellInc.
14IncidentHandling–ReleaseNotbefore:coordinateddisclosuredateQAapprovalOnapproval:patchiscopiedtostaginginfrastructureinthesamewayasforQAnofurthermanualstepsNTSreviewsdocumentationandpublishesTIDarticleSecurityadvisoryreleased2006NovellInc.
15HowcanyouhelpUser/AdministratorsInstallSecurityUpdatesReportcrashesinApplicationsMonitoryourserversDeveloperProgramsafelyusebetterlanguagessecurityconsciousdesign2006NovellInc.
16Itsallaboutcertification.
Security-notafeature,butaprocessCertificationdescribesconfigurations:profilesdefiningscenariosofusersandattackersversionsofinstalledsoftwarecontentofconfigurationsfileshardwareandprocesses:securityhandlingduringtheproductlifecycledocumentationphysicalsecurity2006NovellInc.
17LanguagesCC++ManagedLanguagesandEnvironments–Java–C#Script–perl–php
- partyopensuse相关文档
- desktopopensuse
- refersopensuse
- 数据opensuse
- 位址opensuse
- taropensuse
- sortopensuse
新注册NameCheap账户几天后无法登录原因及解决办法
中午的时候有网友联系提到自己前几天看到Namecheap商家开学季促销活动期间有域名促销活动的,于是就信注册NC账户注册域名的。但是今天登录居然无法登录,这个问题比较困恼是不是商家跑路等问题。Namecheap商家跑路的可能性不大,前几天我还在他们家转移域名的。这里简单的记录我帮助他解决如何重新登录Namecheap商家的问题。1、检查邮件让他检查邮件是不是有官方的邮件提示。比如我们新注册账户是需...
欧路云:美国CUVIP线路10G防御,8折优惠,19元/月起
欧路云新上了美国洛杉矶cera机房的云服务器,具备弹性云特征(可自定义需要的资源配置:E5-2660 V3、内存、硬盘、流量、带宽),直连网络(联通CUVIP线路),KVM虚拟,自带一个IP,支持购买多个IP,10G的DDoS防御。付款方式:PayPal、支付宝、微信、数字货币(BTC USDT LTC ETH)测试IP:23.224.49.126云服务器 全场8折 优惠码:zhujiceping...
云俄罗斯VPSJusthost俄罗斯VPS云服务器justg:JustHost、RuVDS、JustG等俄罗斯vps主机
俄罗斯vps云服务器商家推荐!俄罗斯VPS,也叫毛子主机(毛子vps),因为俄罗斯离中国大陆比较近,所以俄罗斯VPS的延迟会比较低,国内用户也不少,例如新西伯利亚机房和莫斯科机房都是比较热门的俄罗斯机房。这里为大家整理推荐一些好用的俄罗斯VPS云服务器,这里主要推荐这三家:justhost、ruvds、justg等俄罗斯vps主机,方便大家对比购买适合自己的俄罗斯VPS。一、俄罗斯VPS介绍俄罗斯...
opensuse为你推荐
-
网络访问为什么Wifi无internet访问美国互联网瘫痪美国是否有能力关闭全球互联网以及中国互联网,还有美国有没能力关闭某个网站,比如淘宝,天涯,网易等摩拜超15分钟加钱首次 微信扫 摩拜单车 需要 付压金吗怎么查询商标如何查询商标注册m.2828dy.combabady为啥打不开了,大家帮我提供几个看电影的网址125xx.com高手指教下,www.fshxbxg.com这个域名值多少钱?www.dm8.cc有没有最新的日本动漫网站?www.147qqqcom求女人能满足我的…网站检测工具.请介绍至少五种软件测试工具红玉头冠裂心护肩是哪出的 红玉头冠哪出的