The SUSE Security Team - Taking care of openSUSE Security

Tasks

• Indcident handling
• Proactive work (auditing, design reviews)
• Research an Integration of new technologies

Focus on OpenSource parts of the Linux product lines tightly cooperating with: R&D, QA, NTS , Maintenance

Buffer overflews Format string problems Integer overflows (Buffer overflows strike back)

Last years

• image processing libraries
• problems in web applications

vKernel Problems

This year

• Mord funny kernel problems, image and fongt libraries

Problem:

• Rapidly changing and growing code
• New and interesting usages

Audit security relevant packages network an system daemons, setuid binaries desig of new things like D-BUS Services, PolicyKit other security critical packages Deploy automated measures Develop new technologies Educate write papers hold lectures on security topics

Overflow checking / mitigation::

D_FORTIFY_SOUCE=2 fstack-protector heap stricture validation manling of pointers that live in dangerous areas randomizing address space

Automated code checking

Annoying gcc warnings##No SELinux here (yet)

nice idea and formal approach too complicated to setup for bith user an admin

AppArmor

access restrictions on application level confines file access, capabilities, program starts glebbing and wildcards

openSUSE

e releases + 2 months supported, gest security and critical bugfixes released every 8 months 2. 3 active at every time

SUSE Linux Enterprise

7 years regular maintenance (longer life planned) longer release cycles (2 years + approx) currently:

SUSE Studio SMT Appliance Toolkit

• SLMS
• WebYAST
• Studio Onsite

openSUSE Buildservice

'Getting knowledge of security problem

• public mailinglists
• closed forums (cross vendor coordination)
• CVE database dumps
• new package releases
• our own security audits
• reports to contact assress (security@suse.de)

Trecking

• discard, if affected paackage is not in active products
• discard, if affected package version is not in active products
• open a Bugzilla entry

Bugzilla

• ls our incident tracking tool
• Security Team adds initial information to new bugreports:
• detailed description
• Vulnerability ISs
• affected package versions and products
• patch(es) to fix

Package maintainer work

• Review fixes and affectred products
• Submits fixes packages (source) for buildsystem

Creating the patch set

• accompanies fixes package up to release
• tracked by SWAMP (SUSE Workflow management tool)
• created by Security Team
• meta patchfile gets checked into buildsystem

QA for SUSE Linux Enterprise

• ses created patchset
• Check reproducability

QA for openSUSE

• Uses created patchset
• Uses synergy with SUSE Linux Enterprise QA
• Specific targeted testing of
• Kernel
• Zypp update stack
• 11.x-test update test channes in use for the community

Release waits for

• coordinated disclosure date
• QA approval

On approval

• patch iscopied to staging infrastructure in the same way as for QA
• no further manual stepe
• NTS revies

Security Updates: 485

• Mozilla Firefox: 18 times
• Opera: 12 times
• Clamav, Acrobat Reader: 10 times
• Kernel: 9 times

Totlo security incidents (CVEs): 1141

• Firefox: 143
• Sus Java 6: 102
• Adobe reader: 93
• Kernel: 75
• FlashPlayer