My wife stumbled upon a weird blog posting about a blog entry of mine explaining that I changed my position in my department. In this weird posting the author claims that I left SUSE and became a Professor... uh?!? :-D
Update: Ah, the "Professor part" was about another colleague. Too bad ;)
Tom's Random Thoughts
Disclaimer
The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.
Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.
Monday, November 14, 2011
Thursday, September 22, 2011
4th German OWASP Security Day
My submission to the 4th German OWASP Security Day was accepted. Now let's see if we can accept their OWASP license that needs to be signed...
Wednesday, September 21, 2011
I am leaving the SUSE Security Team...
After 12 years I am leaving the SUSE Security-Team... just to support them! :-)
Like a satellite I was spun off from mother earth, flying around the SUSE Security Team as project manager to take care of our products before they get released, working hand-in-hand with Marcus and his team, which (mostly but not exclusively) takes care of the security of already released products.
Tuesday, July 26, 2011
Scanny will replace the ror-sec-scanner
David and Flavio created a new github project to replace my ror-sec-scanner. "Scanny" doesn't use regexes but works on the AST and emits fewer false positives. So let's start adding rules/checks to it to make it more powerful.
Friday, June 17, 2011
SUSE Manager Security Update
Last Friday we released a security update for SUSE Manager. It eliminates four vulnerabilities, which I will describe in detail here:
- CSRF (CVE-2009-4139): This is the most dangerous issue fixed by this update. It was found during a penetration test executed by me before we released SUSE Manager. You may wonder why we released the fix after the "gold master" (GM) and why it has a CVE-ID from 2009. Red Hat had already been informed about this issue in 2009 (by another person) and after some back and forth we decided to release it together with Red Hat and not earlier. But not only the release date was coordinated, we also coordinated fixing and testing.
- The default SSL ciphersuite configuration that comes with our apache2 package (this also affects the SM proxy) was made up to support as many and as old clients as possible. This results in a config that is insecure because it supports "export ciphers", SSLv2, short keys, etc. If you install this update before you have configured your SM you will have an up-to-date and secure config. Use sslscan to verify your setup. If it is still insecure go to /etc/apache2/ssl-global.conf and change it to something like:
# /etc/apache2/ssl-global.conf (Apache mod_ssl directives)
SSLProtocol TLSv1
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
- Open Redirect (CVE-2011-1594): A hidden field named "url_bounce" allows HTTP redirects to arbitrary sites and therefore phishing attacks. Found during the penetration test, released after GM because it was too minor to hold the release.
- XML remote denial of service (CVE-2011-1755): the jabber2 server can be DoS'ed ("billion laughs attack"), not found by us.
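As an added example (my own illustration, not SUSE Manager's code), this is the kind of redirect-target check that closes an open redirect like the url_bounce one above: the redirect parameter is only honoured when it stays on the application's own host. The host name and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Host the application is served from (constructed value for this example).
APP_HOST = "manager.example.com"
FALLBACK = "/"  # where to send the user when the requested target is unsafe


def safe_redirect_target(target: str, app_host: str = APP_HOST) -> str:
    """Return a same-site, path-only redirect for `target`, or FALLBACK.

    Rejects anything that would send the browser off-site: absolute URLs to
    other hosts, protocol-relative '//host' forms, backslash variants that
    browsers treat like '//', userinfo tricks ('host@evil'), and non-http(s)
    schemes such as javascript:.
    """
    if not target:
        return FALLBACK
    # Browsers tolerate backslashes where RFC 3986 expects slashes; normalise
    # them so '/\\evil.example' cannot slip past the host check below.
    normalised = target.replace("\\", "/")
    # Resolve against the site's own base: a relative path stays local, while
    # an absolute or protocol-relative URL reveals its real host.
    resolved = urljoin(f"https://{app_host}/", normalised)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # .hostname is lower-cased and excludes any user:pass@ prefix.
    if parts.hostname != app_host:
        return FALLBACK
    # Hand back a path-only URL so the redirect keeps the site's own scheme.
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.fragment:
        path += "#" + parts.fragment
    return path


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest must fall back.
    for candidate in ("/rhn/systems/Overview.do",
                      "https://manager.example.com/rhn/Login.do?x=1",
                      "http://evil.example/",
                      "//evil.example/login",
                      "/\\evil.example/",
                      "https://manager.example.com@evil.example/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)!r}")
```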
Tuesday, June 7, 2011
Tuesday, May 24, 2011
SAD 4: Security Day
Three weeks ago the SUSE Studio team had its first "Security Day" to fix the possible security vulnerabilities found by ror-sec-scanner (a Rails static code analyzer).
The team eliminated:
- 161 false positives
- 28 real bugs
Note: Earlier this year another team consolidated its forces to fix potential security problems in their code and reduced the number of bugs per KLOC to 0.
I hope we can have a "Security Day" prior to every new release.