partyopensuse
opensuse 时间:2021-04-01 阅读:()
SUSESecurityProcessAnoverviewontechnicallevelMarcusMeinerTeamleadSUSESecuritymeissner@suse.
de2006NovellInc.
2SUSESecurityTeamTasks:IncidenthandlingProactivework(auditing,designreviews)ResearchandIntegrationofnewtechnologiesFocusonOpenSourcepartsoftheLinuxproductlinesTightlycooperatingwith:R&D,QA,NTS,Maintenance,Customers2006NovellInc.
3SecurityWork–whatisitnotcoolnofundoesnotmakeyoupopulartiringwork2006NovellInc.
4SecurityProblemsovertimeBufferoverflowsFormatstringproblemsIntegeroverflows(Bufferoverflowsstrikeback)Last2years:imageprocessinglibrariesproblemsinwebapplicationsThisyear:problemsinwebapplicationsProblem:moreandmorecodeoperatesondatafromtheInternetapplicationsgrowandgrowandgrow2006NovellInc.
5NonIncidentWorkAuditsecurityrelevantpackagesnetworkandsystemdaemons,setuidbinariesdesignofnewtechnologieslikeD-BUSothersecuritycriticalpackagesDeployautomatedmeasuresDevelopnewtechnologiesEducatewritepapersholdlecturesonsecuritytopicsResearchresearchintonewtechnologiesandattackvectors2006NovellInc.
6MakingcodehardertoexploitOverflowchecking/mitigation:-D_FORTIFY_SOURCE=2(defaulton10.
0,10.
1.
.
.
)-fstack-protectorheapstructurevalidationmanglingofpointersthatliveindangerousareasrandomizingaddressspaceAutomatedcodecheckingAnnoyinggccwarnings3rdpartytoolsForce^WTeachpeopletowritebettercode2006NovellInc.
7ConfinementNoSELinuxhereniceideaandformalapproachtoocomplicatedtosetupforbothuserandadminAppArmoraccessrestrictionsonapplicationlevelconfinesfileaccess,capabilities,programstartsglobbingandwildcardspossiblenoall-or-nothingapproachlikeSELinuxlightversionon10.
0,fullOpenSourcenowLSMsooninmainlinekernel2006NovellInc.
8ProductlinesSUSELinux(Retail,Box)2yearssupported,getssecurityandcriticalbugfixesreleasedevery6months4-5activeateverytimeSUSELinuxEnterpriseServer5yearsregularmaintenance(+2yearsextended)longerreleasecyclescurrently:SLES8,SLES9,SLD1,NLD9,OESSoon:SLES10,SLED10Active:2majorproducts,3derivatedproducts5differentmaincodestreams(+derivates)2006NovellInc.
9IncidentHandling–EnteringSUSEGettingknowledgeofsecurityproblempublicmailinglistsclosedforums(crossvendorcoordination)newpackagereleasesourownsecurityauditsreportstocontactaddress(security@suse.
de)Trackingdiscard,ifaffectedpackageisnotinactiveproductsdiscard,ifaffectedpackageversionisnotinactiveproductsopenaBugzillaentry2006NovellInc.
10IncidentHandling–TrackingBugzillaIsourincidenttrackingtoolSecurityTeamaddsinitialinformationtonewbugreports:–detaileddescription–VulnerabilityIDs(CVE,VU#,.
.
.
)–affectedpackageversionsandproducts–patch(es)tofixissue(ifany)–sampleexploit(s)(ifany)–decisiononwhethertofixforolderproductsornotAssignedtopackagerAssistingwithfindingpatches,fixingandpriority2006NovellInc.
11IncidentHandling–FixedPackagesPackagemaintainerworkReviewsfixesandaffectedproductsSubmitsfixedpackages(source)forbuildsystemSourcelevelpatchreviewisdonebyBuildsystemTeamBuildsystemTeamcheckspackageintopackagerepositoryofoldproductsBuildsystemConsistencychecksduringbuildAutomatedrebuildingalldependendpackagesNofixed(bitwisesame)binariesduetorebuilds2006NovellInc.
12IncidentHandling–PatchsetCreationCreatingthepatchset:accompaniesfixedpackageuptoreleasetrackedbySWAMP(SUSEWorkflowmanagementtool)createdbySecurityTeam–whatpackages,whatdistributions–description–optionalpreorpostinstallationmessages–linksbacktoBugzillaandSWAMPmetapatchfilegetscheckedintobuildsystem–collectsRPMsoutofcurrentstateofbuildsystemandfixatesthem–preparesthepatchsetthecustomerwillseeforQA2006NovellInc.
13IncidentHandling–QAQAUsescreatedpatchsetCheckreproducabilityofavailableexploitsAppliespatchesjustlikecustomerwould,from–YaSTOnlineUpdateforSUSELinuxandSLES–RedCarpet/ZLMforOESandNLDSystemintegrationQA(checkingRPMdependencies)ComponentIntegrationQA–Packagetestcasesarerun(automatedandmanual)–rerunexploitprocessgoesbacktopackagerifQAfails2006NovellInc.
14IncidentHandling–ReleaseNotbefore:coordinateddisclosuredateQAapprovalOnapproval:patchiscopiedtostaginginfrastructureinthesamewayasforQAnofurthermanualstepsNTSreviewsdocumentationandpublishesTIDarticleSecurityadvisoryreleased2006NovellInc.
15HowcanyouhelpUser/AdministratorsInstallSecurityUpdatesReportcrashesinApplicationsMonitoryourserversDeveloperProgramsafelyusebetterlanguagessecurityconsciousdesign2006NovellInc.
16Itsallaboutcertification.
Security-notafeature,butaprocessCertificationdescribesconfigurations:profilesdefiningscenariosofusersandattackersversionsofinstalledsoftwarecontentofconfigurationsfileshardwareandprocesses:securityhandlingduringtheproductlifecycledocumentationphysicalsecurity2006NovellInc.
17LanguagesCC++ManagedLanguagesandEnvironments–Java–C#Script–perl–php
de2006NovellInc.
2SUSESecurityTeamTasks:IncidenthandlingProactivework(auditing,designreviews)ResearchandIntegrationofnewtechnologiesFocusonOpenSourcepartsoftheLinuxproductlinesTightlycooperatingwith:R&D,QA,NTS,Maintenance,Customers2006NovellInc.
3SecurityWork–whatisitnotcoolnofundoesnotmakeyoupopulartiringwork2006NovellInc.
4SecurityProblemsovertimeBufferoverflowsFormatstringproblemsIntegeroverflows(Bufferoverflowsstrikeback)Last2years:imageprocessinglibrariesproblemsinwebapplicationsThisyear:problemsinwebapplicationsProblem:moreandmorecodeoperatesondatafromtheInternetapplicationsgrowandgrowandgrow2006NovellInc.
5NonIncidentWorkAuditsecurityrelevantpackagesnetworkandsystemdaemons,setuidbinariesdesignofnewtechnologieslikeD-BUSothersecuritycriticalpackagesDeployautomatedmeasuresDevelopnewtechnologiesEducatewritepapersholdlecturesonsecuritytopicsResearchresearchintonewtechnologiesandattackvectors2006NovellInc.
6MakingcodehardertoexploitOverflowchecking/mitigation:-D_FORTIFY_SOURCE=2(defaulton10.
0,10.
1.
.
.
)-fstack-protectorheapstructurevalidationmanglingofpointersthatliveindangerousareasrandomizingaddressspaceAutomatedcodecheckingAnnoyinggccwarnings3rdpartytoolsForce^WTeachpeopletowritebettercode2006NovellInc.
7ConfinementNoSELinuxhereniceideaandformalapproachtoocomplicatedtosetupforbothuserandadminAppArmoraccessrestrictionsonapplicationlevelconfinesfileaccess,capabilities,programstartsglobbingandwildcardspossiblenoall-or-nothingapproachlikeSELinuxlightversionon10.
0,fullOpenSourcenowLSMsooninmainlinekernel2006NovellInc.
8ProductlinesSUSELinux(Retail,Box)2yearssupported,getssecurityandcriticalbugfixesreleasedevery6months4-5activeateverytimeSUSELinuxEnterpriseServer5yearsregularmaintenance(+2yearsextended)longerreleasecyclescurrently:SLES8,SLES9,SLD1,NLD9,OESSoon:SLES10,SLED10Active:2majorproducts,3derivatedproducts5differentmaincodestreams(+derivates)2006NovellInc.
9IncidentHandling–EnteringSUSEGettingknowledgeofsecurityproblempublicmailinglistsclosedforums(crossvendorcoordination)newpackagereleasesourownsecurityauditsreportstocontactaddress(security@suse.
de)Trackingdiscard,ifaffectedpackageisnotinactiveproductsdiscard,ifaffectedpackageversionisnotinactiveproductsopenaBugzillaentry2006NovellInc.
10IncidentHandling–TrackingBugzillaIsourincidenttrackingtoolSecurityTeamaddsinitialinformationtonewbugreports:–detaileddescription–VulnerabilityIDs(CVE,VU#,.
.
.
)–affectedpackageversionsandproducts–patch(es)tofixissue(ifany)–sampleexploit(s)(ifany)–decisiononwhethertofixforolderproductsornotAssignedtopackagerAssistingwithfindingpatches,fixingandpriority2006NovellInc.
11IncidentHandling–FixedPackagesPackagemaintainerworkReviewsfixesandaffectedproductsSubmitsfixedpackages(source)forbuildsystemSourcelevelpatchreviewisdonebyBuildsystemTeamBuildsystemTeamcheckspackageintopackagerepositoryofoldproductsBuildsystemConsistencychecksduringbuildAutomatedrebuildingalldependendpackagesNofixed(bitwisesame)binariesduetorebuilds2006NovellInc.
12IncidentHandling–PatchsetCreationCreatingthepatchset:accompaniesfixedpackageuptoreleasetrackedbySWAMP(SUSEWorkflowmanagementtool)createdbySecurityTeam–whatpackages,whatdistributions–description–optionalpreorpostinstallationmessages–linksbacktoBugzillaandSWAMPmetapatchfilegetscheckedintobuildsystem–collectsRPMsoutofcurrentstateofbuildsystemandfixatesthem–preparesthepatchsetthecustomerwillseeforQA2006NovellInc.
13IncidentHandling–QAQAUsescreatedpatchsetCheckreproducabilityofavailableexploitsAppliespatchesjustlikecustomerwould,from–YaSTOnlineUpdateforSUSELinuxandSLES–RedCarpet/ZLMforOESandNLDSystemintegrationQA(checkingRPMdependencies)ComponentIntegrationQA–Packagetestcasesarerun(automatedandmanual)–rerunexploitprocessgoesbacktopackagerifQAfails2006NovellInc.
14IncidentHandling–ReleaseNotbefore:coordinateddisclosuredateQAapprovalOnapproval:patchiscopiedtostaginginfrastructureinthesamewayasforQAnofurthermanualstepsNTSreviewsdocumentationandpublishesTIDarticleSecurityadvisoryreleased2006NovellInc.
15HowcanyouhelpUser/AdministratorsInstallSecurityUpdatesReportcrashesinApplicationsMonitoryourserversDeveloperProgramsafelyusebetterlanguagessecurityconsciousdesign2006NovellInc.
16Itsallaboutcertification.
Security-notafeature,butaprocessCertificationdescribesconfigurations:profilesdefiningscenariosofusersandattackersversionsofinstalledsoftwarecontentofconfigurationsfileshardwareandprocesses:securityhandlingduringtheproductlifecycledocumentationphysicalsecurity2006NovellInc.
17LanguagesCC++ManagedLanguagesandEnvironments–Java–C#Script–perl–php
- partyopensuse相关文档
- desktopopensuse
- refersopensuse
- 数据opensuse
- 位址opensuse
- taropensuse
- sortopensuse
Megalayer(月599元)限时8月香港和美国大带宽服务器
第一、香港服务器机房这里我们可以看到有提供四个大带宽方案,是全向带宽和国际带宽,前者适合除了中国大陆地区的全网地区用户可以用,后者国际带宽适合欧美地区业务。如果我们是需要大陆地区速度CN2优化的,那就需要选择常规的优化带宽方案,参考这里。CPU内存硬盘带宽流量价格选择E3-12308GB240GB SSD50M全向带宽不限999元/月方案选择E3-12308GB240GB SSD100M国际带宽不...
HostRound:美国达拉斯/洛杉矶/纽约/荷兰大硬盘服务器,1TB NVMe+4TB HDD,$179/月
hostround怎么样?大硬盘服务器,高防服务器。hostround,美国商家,2017年成立,正规注册公司(Company File #6180543),提供虚拟主机、VPS云主机、美国服务器、荷兰服务器租用等。现在有1款特价大硬盘独服,位于达拉斯,配置还不错,本月订购时包括免费 500Gbps DDoS 保护,有兴趣的可以关注一下。点击直达:hostround官方网站地址美国\荷兰独立服务器...
搬瓦工VPS:新增荷兰机房“联通”线路的VPS,10Gbps带宽,可在美国cn2gia、日本软银、荷兰“联通”之间随意切换
搬瓦工今天正式对外开卖荷兰阿姆斯特丹机房走联通AS9929高端线路的VPS,官方标注为“NL - China Unicom Amsterdam(ENUL_9)”,三网都走联通高端网络,即使是在欧洲,国内访问也就是飞快。搬瓦工的依旧是10Gbps带宽,可以在美国cn2 gia、日本软银与荷兰AS9929之间免费切换。官方网站:https://bwh81.net优惠码:BWH3HYATVBJW,节约6...
opensuse为你推荐
-
安徽汽车网安徽汽车票查询www.hao360.cn主页设置为http://hao.360.cn/,但打开360浏览器先显示www.yes125.com后转换为www.2345.com,搜索注册表和7788k.comwww.8855k.com是个什么网站罗伦佐娜手上鸡皮肤怎么办,维洛娜毛周角化修复液百度关键词分析关键词怎么分析?www.vtigu.com破译密码L dp d vwxghqw.你能看出这些字母代表什么意思吗?如果给你一把破以它的钥匙X-3,联想www.mywife.ccmywife哪部最经典www.6vhao.com有哪些电影网站bbs2.99nets.com让(bbs www)*****.cn进入同一个站www.hyyan.com请问我是HY了吗?在线等