Package: cvsd
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].
The following patch bumps debian/compat to 9 to automatically
enable the hardening flags and enables all flags (including PIE
because cvsd is a server); you could also enable them without
changing compat (see [2]), but compat=9 is the preferred and
simplest solution.
diff -Nru cvsd-1.0.23/debian/compat cvsd-1.0.23.1~hardening1/debian/compat
--- cvsd-1.0.23/debian/compat 2011-08-07 21:40:23.000000000 +0200
+++ cvsd-1.0.23.1~hardening1/debian/compat 2012-03-04 20:36:19.000000000
+0100
@@ -1 +1 @@
-8
+9
diff -Nru cvsd-1.0.23/debian/rules cvsd-1.0.23.1~hardening1/debian/rules
--- cvsd-1.0.23/debian/rules 2011-08-07 22:05:56.000000000 +0200
+++ cvsd-1.0.23.1~hardening1/debian/rules 2012-03-04 20:45:44.000000000
+0100
@@ -1,5 +1,7 @@
#!/usr/bin/make -f
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
export DH_VERBOSE=1
%:
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/sbin/cvsd
/usr/sbin/cvsd:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPU8eoAAoJEJL+/bfkTDL5hdUP/20rCYhKH6j2i2zH47vB7nJX
fBCvVzgrqAMtHwlh8r/H6tOnjj7A8XiKk9fuO0ige5O3uRMXXNySvFNj2U3cWGe8
BcwA7cEivVhlGHsZmaliFLpqUgUST0EXl1a3IPEMFX+ix7Re9UUe+0MdQdx/erv6
MUOKTP2O3Wb9eORRQHXiNivAGr+yD0oE1j0LEZxarBXKdFzdwWIC9naaHMlP003C
1YCEG++uLsyU1cKn+Ytbt2DUYZq39OpQ1GcgnK5Pvjxtb0Oao2+Wh/Ct+deADVLU
XiQFKGvDoxvIY8ziCEDSs9Aoxye2/q15O7mmQzE+3YVDyomFshrV0XvT63kDdi00
pxtb6361HhLLgoXibRY4tzEMUTqo93SfDn+7nRFVBNeV5vpkW2Y6nART8/aqiz7r
RUH+plUNQPcILk4MLPwMZbHaQn8yl4cfIIyTi8J+zeDIUFSoKRIv7QiXJ2sRF+EG
jFofB4EdNLoRNtOhAuq1IEbvx8zGF2FSlxsSd/ZhOJgJ7RsG2NGxlROSU36TzLRZ
4Ecj5/c8TvoB61T2wmja41Oq41i+UgNYQ7F0JNGNw6Gu+dXOG2LAqVdn4swkQymB
m7EMbRymJJSABQQhnxGnpSJIGEdHqALWEtv8pkqkPvJ0vkwz5rYHhk5rVKzaCfG9
p9cJGyKkEa8GTZ6DsToS
=QRUX
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]