Source: nss-pam-ldapd Version: 0.9.7-2 Severity: normal Tags: patch
With gcc in stretch defaulting to PIE, hardening=+all,-pie changed semantics from "enable hardening but not PIE" to "enable all hardening and explicitely disable the default PIE". The latter is usually not intended. The -pie in hardening flags was in some cases required in pre-stretch releases to avoid build failures caused by (incorrectly) passing -fPIE to the compiler when building shared libraries or plugins. This problem does no longer exist. Please consider applying the following patch: --- debian/rules.old 2017-04-03 12:56:50.000000000 +0000 +++ debian/rules 2017-04-03 12:57:00.000000000 +0000 @@ -5,8 +5,8 @@ # multiarch support DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) -# enable hardening options (we disable pie because it conflicts with -fPIC) -export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie +# enable hardening options +export DEB_BUILD_MAINT_OPTIONS=hardening=+all %: dh $@ --with python2