partyopensuse
opensuse 时间:2021-04-01 阅读:()
SUSESecurityProcessAnoverviewontechnicallevelMarcusMeinerTeamleadSUSESecuritymeissner@suse.
de2006NovellInc.
2SUSESecurityTeamTasks:IncidenthandlingProactivework(auditing,designreviews)ResearchandIntegrationofnewtechnologiesFocusonOpenSourcepartsoftheLinuxproductlinesTightlycooperatingwith:R&D,QA,NTS,Maintenance,Customers2006NovellInc.
3SecurityWork–whatisitnotcoolnofundoesnotmakeyoupopulartiringwork2006NovellInc.
4SecurityProblemsovertimeBufferoverflowsFormatstringproblemsIntegeroverflows(Bufferoverflowsstrikeback)Last2years:imageprocessinglibrariesproblemsinwebapplicationsThisyear:problemsinwebapplicationsProblem:moreandmorecodeoperatesondatafromtheInternetapplicationsgrowandgrowandgrow2006NovellInc.
5NonIncidentWorkAuditsecurityrelevantpackagesnetworkandsystemdaemons,setuidbinariesdesignofnewtechnologieslikeD-BUSothersecuritycriticalpackagesDeployautomatedmeasuresDevelopnewtechnologiesEducatewritepapersholdlecturesonsecuritytopicsResearchresearchintonewtechnologiesandattackvectors2006NovellInc.
6MakingcodehardertoexploitOverflowchecking/mitigation:-D_FORTIFY_SOURCE=2(defaulton10.
0,10.
1.
.
.
)-fstack-protectorheapstructurevalidationmanglingofpointersthatliveindangerousareasrandomizingaddressspaceAutomatedcodecheckingAnnoyinggccwarnings3rdpartytoolsForce^WTeachpeopletowritebettercode2006NovellInc.
7ConfinementNoSELinuxhereniceideaandformalapproachtoocomplicatedtosetupforbothuserandadminAppArmoraccessrestrictionsonapplicationlevelconfinesfileaccess,capabilities,programstartsglobbingandwildcardspossiblenoall-or-nothingapproachlikeSELinuxlightversionon10.
0,fullOpenSourcenowLSMsooninmainlinekernel2006NovellInc.
8ProductlinesSUSELinux(Retail,Box)2yearssupported,getssecurityandcriticalbugfixesreleasedevery6months4-5activeateverytimeSUSELinuxEnterpriseServer5yearsregularmaintenance(+2yearsextended)longerreleasecyclescurrently:SLES8,SLES9,SLD1,NLD9,OESSoon:SLES10,SLED10Active:2majorproducts,3derivatedproducts5differentmaincodestreams(+derivates)2006NovellInc.
9IncidentHandling–EnteringSUSEGettingknowledgeofsecurityproblempublicmailinglistsclosedforums(crossvendorcoordination)newpackagereleasesourownsecurityauditsreportstocontactaddress(security@suse.
de)Trackingdiscard,ifaffectedpackageisnotinactiveproductsdiscard,ifaffectedpackageversionisnotinactiveproductsopenaBugzillaentry2006NovellInc.
10IncidentHandling–TrackingBugzillaIsourincidenttrackingtoolSecurityTeamaddsinitialinformationtonewbugreports:–detaileddescription–VulnerabilityIDs(CVE,VU#,.
.
.
)–affectedpackageversionsandproducts–patch(es)tofixissue(ifany)–sampleexploit(s)(ifany)–decisiononwhethertofixforolderproductsornotAssignedtopackagerAssistingwithfindingpatches,fixingandpriority2006NovellInc.
11IncidentHandling–FixedPackagesPackagemaintainerworkReviewsfixesandaffectedproductsSubmitsfixedpackages(source)forbuildsystemSourcelevelpatchreviewisdonebyBuildsystemTeamBuildsystemTeamcheckspackageintopackagerepositoryofoldproductsBuildsystemConsistencychecksduringbuildAutomatedrebuildingalldependendpackagesNofixed(bitwisesame)binariesduetorebuilds2006NovellInc.
12IncidentHandling–PatchsetCreationCreatingthepatchset:accompaniesfixedpackageuptoreleasetrackedbySWAMP(SUSEWorkflowmanagementtool)createdbySecurityTeam–whatpackages,whatdistributions–description–optionalpreorpostinstallationmessages–linksbacktoBugzillaandSWAMPmetapatchfilegetscheckedintobuildsystem–collectsRPMsoutofcurrentstateofbuildsystemandfixatesthem–preparesthepatchsetthecustomerwillseeforQA2006NovellInc.
13IncidentHandling–QAQAUsescreatedpatchsetCheckreproducabilityofavailableexploitsAppliespatchesjustlikecustomerwould,from–YaSTOnlineUpdateforSUSELinuxandSLES–RedCarpet/ZLMforOESandNLDSystemintegrationQA(checkingRPMdependencies)ComponentIntegrationQA–Packagetestcasesarerun(automatedandmanual)–rerunexploitprocessgoesbacktopackagerifQAfails2006NovellInc.
14IncidentHandling–ReleaseNotbefore:coordinateddisclosuredateQAapprovalOnapproval:patchiscopiedtostaginginfrastructureinthesamewayasforQAnofurthermanualstepsNTSreviewsdocumentationandpublishesTIDarticleSecurityadvisoryreleased2006NovellInc.
15HowcanyouhelpUser/AdministratorsInstallSecurityUpdatesReportcrashesinApplicationsMonitoryourserversDeveloperProgramsafelyusebetterlanguagessecurityconsciousdesign2006NovellInc.
16Itsallaboutcertification.
Security-notafeature,butaprocessCertificationdescribesconfigurations:profilesdefiningscenariosofusersandattackersversionsofinstalledsoftwarecontentofconfigurationsfileshardwareandprocesses:securityhandlingduringtheproductlifecycledocumentationphysicalsecurity2006NovellInc.
17LanguagesCC++ManagedLanguagesandEnvironments–Java–C#Script–perl–php
de2006NovellInc.
2SUSESecurityTeamTasks:IncidenthandlingProactivework(auditing,designreviews)ResearchandIntegrationofnewtechnologiesFocusonOpenSourcepartsoftheLinuxproductlinesTightlycooperatingwith:R&D,QA,NTS,Maintenance,Customers2006NovellInc.
3SecurityWork–whatisitnotcoolnofundoesnotmakeyoupopulartiringwork2006NovellInc.
4SecurityProblemsovertimeBufferoverflowsFormatstringproblemsIntegeroverflows(Bufferoverflowsstrikeback)Last2years:imageprocessinglibrariesproblemsinwebapplicationsThisyear:problemsinwebapplicationsProblem:moreandmorecodeoperatesondatafromtheInternetapplicationsgrowandgrowandgrow2006NovellInc.
5NonIncidentWorkAuditsecurityrelevantpackagesnetworkandsystemdaemons,setuidbinariesdesignofnewtechnologieslikeD-BUSothersecuritycriticalpackagesDeployautomatedmeasuresDevelopnewtechnologiesEducatewritepapersholdlecturesonsecuritytopicsResearchresearchintonewtechnologiesandattackvectors2006NovellInc.
6MakingcodehardertoexploitOverflowchecking/mitigation:-D_FORTIFY_SOURCE=2(defaulton10.
0,10.
1.
.
.
)-fstack-protectorheapstructurevalidationmanglingofpointersthatliveindangerousareasrandomizingaddressspaceAutomatedcodecheckingAnnoyinggccwarnings3rdpartytoolsForce^WTeachpeopletowritebettercode2006NovellInc.
7ConfinementNoSELinuxhereniceideaandformalapproachtoocomplicatedtosetupforbothuserandadminAppArmoraccessrestrictionsonapplicationlevelconfinesfileaccess,capabilities,programstartsglobbingandwildcardspossiblenoall-or-nothingapproachlikeSELinuxlightversionon10.
0,fullOpenSourcenowLSMsooninmainlinekernel2006NovellInc.
8ProductlinesSUSELinux(Retail,Box)2yearssupported,getssecurityandcriticalbugfixesreleasedevery6months4-5activeateverytimeSUSELinuxEnterpriseServer5yearsregularmaintenance(+2yearsextended)longerreleasecyclescurrently:SLES8,SLES9,SLD1,NLD9,OESSoon:SLES10,SLED10Active:2majorproducts,3derivatedproducts5differentmaincodestreams(+derivates)2006NovellInc.
9IncidentHandling–EnteringSUSEGettingknowledgeofsecurityproblempublicmailinglistsclosedforums(crossvendorcoordination)newpackagereleasesourownsecurityauditsreportstocontactaddress(security@suse.
de)Trackingdiscard,ifaffectedpackageisnotinactiveproductsdiscard,ifaffectedpackageversionisnotinactiveproductsopenaBugzillaentry2006NovellInc.
10IncidentHandling–TrackingBugzillaIsourincidenttrackingtoolSecurityTeamaddsinitialinformationtonewbugreports:–detaileddescription–VulnerabilityIDs(CVE,VU#,.
.
.
)–affectedpackageversionsandproducts–patch(es)tofixissue(ifany)–sampleexploit(s)(ifany)–decisiononwhethertofixforolderproductsornotAssignedtopackagerAssistingwithfindingpatches,fixingandpriority2006NovellInc.
11IncidentHandling–FixedPackagesPackagemaintainerworkReviewsfixesandaffectedproductsSubmitsfixedpackages(source)forbuildsystemSourcelevelpatchreviewisdonebyBuildsystemTeamBuildsystemTeamcheckspackageintopackagerepositoryofoldproductsBuildsystemConsistencychecksduringbuildAutomatedrebuildingalldependendpackagesNofixed(bitwisesame)binariesduetorebuilds2006NovellInc.
12IncidentHandling–PatchsetCreationCreatingthepatchset:accompaniesfixedpackageuptoreleasetrackedbySWAMP(SUSEWorkflowmanagementtool)createdbySecurityTeam–whatpackages,whatdistributions–description–optionalpreorpostinstallationmessages–linksbacktoBugzillaandSWAMPmetapatchfilegetscheckedintobuildsystem–collectsRPMsoutofcurrentstateofbuildsystemandfixatesthem–preparesthepatchsetthecustomerwillseeforQA2006NovellInc.
13IncidentHandling–QAQAUsescreatedpatchsetCheckreproducabilityofavailableexploitsAppliespatchesjustlikecustomerwould,from–YaSTOnlineUpdateforSUSELinuxandSLES–RedCarpet/ZLMforOESandNLDSystemintegrationQA(checkingRPMdependencies)ComponentIntegrationQA–Packagetestcasesarerun(automatedandmanual)–rerunexploitprocessgoesbacktopackagerifQAfails2006NovellInc.
14IncidentHandling–ReleaseNotbefore:coordinateddisclosuredateQAapprovalOnapproval:patchiscopiedtostaginginfrastructureinthesamewayasforQAnofurthermanualstepsNTSreviewsdocumentationandpublishesTIDarticleSecurityadvisoryreleased2006NovellInc.
15HowcanyouhelpUser/AdministratorsInstallSecurityUpdatesReportcrashesinApplicationsMonitoryourserversDeveloperProgramsafelyusebetterlanguagessecurityconsciousdesign2006NovellInc.
16Itsallaboutcertification.
Security-notafeature,butaprocessCertificationdescribesconfigurations:profilesdefiningscenariosofusersandattackersversionsofinstalledsoftwarecontentofconfigurationsfileshardwareandprocesses:securityhandlingduringtheproductlifecycledocumentationphysicalsecurity2006NovellInc.
17LanguagesCC++ManagedLanguagesandEnvironments–Java–C#Script–perl–php
- partyopensuse相关文档
- desktopopensuse
- refersopensuse
- 数据opensuse
- 位址opensuse
- taropensuse
- sortopensuse
提速啦(24元/月)河南BGP云服务器活动 买一年送一年4核 4G 5M
提速啦的来历提速啦是 网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑 由赣州王成璟网络科技有限公司旗下赣州提速啦网络科技有限公司运营 投资1000万人民币 在美国Cera 香港CTG 香港Cera 国内 杭州 宿迁 浙江 赣州 南昌 大连 辽宁 扬州 等地区建立数据中心 正规持有IDC ISP CDN 云牌照 公司。公司购买产品支持3天内退款 超过3天步退款政策。提速啦的市场定位提速啦主...
域名注册需要哪些条件(新手注册域名考虑的问题)
今天下午遇到一个网友聊到他昨天新注册的一个域名,今天在去使用的时候发现域名居然不见。开始怀疑他昨天是否付款扣费,以及是否有实名认证过,毕竟我们在国内域名注册平台注册域名是需要实名认证的,大概3-5天内如果不验证那是不可以使用的。但是如果注册完毕的域名找不到那也是奇怪。同时我也有怀疑他是不是忘记记错账户。毕竟我们有很多朋友在某个商家注册很多账户,有时候自己都忘记是用哪个账户的。但是我们去找账户也不办...
弘速云20.8元/月 ,香港云服务器 2核 1g 10M
弘速云元旦活动本公司所销售的弹性云服务器、虚拟专用服务器(VPS)、虚拟主机等涉及网站接入服务的云产品由具备相关资质的第三方合作服务商提供官方网站:https://www.hosuyun.com公司名:弘速科技有限公司香港沙田直营机房采用CTGNET高速回国线路弹性款8折起优惠码:hosu1-1 测试ip:69.165.77.50地区CPU内存硬盘带宽价格购买地址香港沙田2-8核1-16G20-...
opensuse为你推荐
-
AsgardiaGlacia怎么读?是什么意思?摩根币摩根币是怎么骗人的?今日油条油条每周最多能吃多少陈嘉垣陈浩民、马德钟强吻女星陈嘉桓,求大家一个说法。xyq.163.cbg.comhttp://xyq.cbg.163.com/cgi-bin/equipquery.py?act=buy_show_equip_info&equip_id=475364&server_id=625 有金鱼贵吗?同一ip网站同一个IP不同的30个网站,是不是在一个服务器上呢?www.522av.com现在怎样在手机上看AV8090lu.com8090看看电影网怎么打不开了www.kk4kk.com猪猪影院www.mlzz.com 最新电影收费吗?www.e12.com.cn有什么好的高中学习网?