On Fri, Apr 24, 2015 at 06:20:45PM +0200, Salvatore Bonaccorso wrote:
> Hi all,
>
> On Fri, Apr 24, 2015 at 06:02:59PM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Apr 24, 2015 at 04:58:18PM +0200, Niels Thykier wrote:
> > > Control: tags -1 moreinfo
> > >
> > > On 2015-04-24 11:57, Romain Francoise wrote:
> > > > Package: release-notes
> > > > Severity: normal
> > > >
> > > > As mentioned on IRC, I reviewed the security section of the "What's new
> > > > in Debian 8" chapter and:
> > > > - it mentions the protected_symlinks feature of the kernel as new, but
> > > > afaik it was already enabled in wheezy
> > > > - it advertises hardening-wrapper, but it's planned for deprecation or
> > > > removal in stretch
> > > >
> > > > (X-Debbugs-CC: t...@security.debian.org)
> > > >
> > > > Thanks,
> > > >
> > >
> > > Hi,
> > >
> > > Thanks for the review.
> > >
> > > The kernel change is to #774117. For the hardening-wrapper, I have
> > > traced the latest change to #772694. However, it seems to just be
> > > changes to an existing section that might (or might not) have carried
> > > over from Wheezy.
> > >
> > > * I will await the security team before doing any changes.
> >
> > These were in fact carried over from wheezy and Romain's comments
> > are confirmed to be correct.
>
> But haven't we filed #774117 after the previous Security team meeting
> to mention that /tmp-related bugs which are rendered non-exploitable
> by this mechanism are not (anymore) treated as security vulnerabilities?
>
> #774117 was explicitly about to cover this and the
> debian-security-support package in the jessie release notes. So at
> least this one I guess we want to keep.
The only thing that needs to be altered wrt /tmp here is that
protected_symlinks is labeled as "new"; the rest can and should remain.

Cheers,
        Moritz