Package: shadow Version: 1:4.2-2+b2 Severity: serious Tags: patch It has been reported (but privately to me only) that the recent binNMU dropped the hardening flags for the shadow source package.
A later analysis by Simon Ruderich mentioed this is related to cdbs and #712729. Simon provided a patch which I intend to apply in jessie, after seeking approval by the release team. ----- Forwarded message from "Dr. Markus Waldeck" <wald...@gmx.de> ----- Date: Sun, 9 Nov 2014 14:27:36 +0100 From: "Dr. Markus Waldeck" <wald...@gmx.de> To: Christian Perrier <bubu...@debian.org> Cc: Simon RudĀerich <si...@ruderich.org> Subject: shadow (1:4.2-2+b2) X-CRM114-Status: UNSURE (-0.4308) This message is 'unsure'; please train it! Hi Christian, WHO triggered this "Binary-only non-maintainer upload for amd64"? It fucked up the correct applied hardening settings for shadow (1:4.2-2+b1) Thanks! Markus ----- End forwarded message ----- --
diff -Nru shadow-4.2/debian/control shadow-4.2/debian/control --- shadow-4.2/debian/control 2014-04-30 22:28:06.000000000 +0200 +++ shadow-4.2/debian/control 2014-11-10 13:30:34.000000000 +0100 @@ -5,6 +5,7 @@ Standards-Version: 3.9.5 Uploaders: Christian Perrier <bubu...@debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.franc...@centraliens.net> Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any] + ,hardening-wrapper Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-shadow/shadow.git;a=summary Homepage: http://pkg-shadow.alioth.debian.org/ diff -Nru shadow-4.2/debian/rules shadow-4.2/debian/rules --- shadow-4.2/debian/rules 2014-04-30 22:28:06.000000000 +0200 +++ shadow-4.2/debian/rules 2014-11-10 13:30:34.000000000 +0100 @@ -3,6 +3,8 @@ DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS) +export DEB_BUILD_HARDENING=1 + # Enable PIE, BINDNOW, and possible future flags. export DEB_BUILD_MAINT_OPTIONS = hardening=+all
signature.asc
Description: Digital signature
