Source: afterstep
Version: 2.2.12-9
Severity: normal
Tags: patch

With gcc in stretch defaulting to PIE, hardening=+all,-pie changed
semantics from "enable hardening but not PIE" to "enable all hardening
and explicitly disable the default PIE".
The latter is usually not intended.

The -pie in hardening flags was in some cases required in pre-stretch
releases to avoid build failures caused by (incorrectly) passing -fPIE
to the compiler when building shared libraries or plugins.
This problem no longer exists.

Please consider applying the following patch:

--- debian/rules.old    2017-06-23 02:43:15.000000000 +0000
+++ debian/rules        2017-06-23 02:43:25.000000000 +0000
@@ -4,7 +4,7 @@
 LAST_CHANGE=$(shell dpkg-parsechangelog -S Date)
 BUILD_DATE=$(shell date +%s -d "$(LAST_CHANGE)")
 
-export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie # pie does not work with 
shared libs
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 SHELL                   := /bin/sh
 DH_AUTO_OPTIONS         := -v -Sautoconf
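
Review bot: the removed line in this hunk has been wrapped by the mailer, so its tail "shared libs" sits on a line of its own with no "-", "+" or space prefix and the hunk will not apply as quoted; rejoin it with the preceding "-export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie # pie does not work with" line before running patch. The replacement line also drops the old "pie does not work with shared libs" comment along with the flag, which fits the rationale given, but the patch carries no debian/changelog entry, so it is worth adding one that records that PIE is now left at the compiler default.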
