Hi!

On Thu, 2020-09-03 at 21:00:09 +0200, Moritz Mühlenhoff wrote:
> On Thu, Jan 10, 2019 at 09:42:10AM -0500, Harlan Lieberman-Berg wrote:
> > Package: dpkg-dev
> > Version: 1.19.2
> > Severity: wishlist
> > Tags: security

> > It would be Really Awesome (TM) if we could add the
> > -fstack-clash-protection flag to our default hardening posture.  This
> > would have provided protection against the recent System Down
> > vulnerability (CVE-2018-16864, CVE-2018-16865, CVE-2018-16866, aka
> > #918841 and #918848).
> > 
> > I'd realllllllly love it if it would make it into buster, but I know
> > that's an awfully aggressive timeline considering the upcoming freeze.
> > Still, there are an awfully high number of vulnerabilities that are
> > lurking that this might be able to help patch up.
> > 
> > Happy to discuss more, and if we need to do a test archive-rebuild
> > with that change made, I can probably do that in the upcoming weekend.
> 
> Has there been progress? Did anyone run archive rebuilds? Or given
> that Ubuntu enables it by default these days, do we actually still
> need them?

I don't think the issues presented by Florian were ever resolved, so
my concerns in https://bugs.debian.org/918914#15 would still apply,
even though Ubuntu has enabled this, but they have a different set of
architectures.

In addition, adding support for this but disabled by default can be
problematic now that many packages just set hardening=+all. :/ I guess
I'll need to add the dpkg-compat level support sooner than later.

In any case, someone would need to propose this on debian-devel at least.

Thanks,
Guillem
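As an added illustration (not code from the bug report, from dpkg, or from any package), here is how a single package can opt in to the flag through dpkg-buildflags' maintainer-append variable while the flag is still absent from the default hardening set, which is the situation the thread describes. It assumes a debhelper-based debian/rules and a toolchain and architecture on which the compiler accepts -fstack-clash-protection.

```make
#!/usr/bin/make -f
# debian/rules fragment (constructed illustration, not from any real package).

# Enable every hardening feature dpkg-buildflags currently knows about.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

# hardening=+all does not (yet) include -fstack-clash-protection, so a
# package that wants it must append it explicitly. The *_MAINT_APPEND
# variables are read by dpkg-buildflags from the environment, which is
# why they are exported here.
export DEB_CFLAGS_MAINT_APPEND   = -fstack-clash-protection
export DEB_CXXFLAGS_MAINT_APPEND = -fstack-clash-protection

%:
	dh $@

# Sanity check before configuring: fail the build early if the flag did
# not make it into CFLAGS (e.g. an environment override dropped it),
# rather than silently shipping a binary without the mitigation.
override_dh_auto_configure:
	dpkg-buildflags --get CFLAGS | grep -q -- '-fstack-clash-protection'
	dh_auto_configure
```

The check only confirms the flag was passed; whether the compiler honours it on a given architecture is the open question raised earlier in the thread.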
