Package: libapache-mod-jk
Severity: normal
Tags: patch

Dear Maintainer,

The following CPPFLAGS hardening flags are missing because they are
ignored by the build system:

CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /bin/sh ../libtool --mode=compile i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c -o jk_ajp12_worker.lo
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c -fPIC -DPIC -o .libs/jk_ajp12_worker.o
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c -o jk_ajp12_worker.o >/dev/null 2>&1
[...]

For more hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue:

diff -Nru libapache-mod-jk-1.2.37/debian/rules libapache-mod-jk-1.2.37/debian/rules
--- libapache-mod-jk-1.2.37/debian/rules	2013-06-01 15:16:39.000000000 +0200
+++ libapache-mod-jk-1.2.37/debian/rules	2013-06-02 17:24:43.000000000 +0200
@@ -1,7 +1,7 @@
 #!/usr/bin/make -f
 
-# Enable LFS
-CFLAGS = -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 $(shell dpkg-buildflags --get CFLAGS)
+# Enable LFS, build system doesn't respect CPPFLAGS.
+export DEB_CFLAGS_MAINT_APPEND = -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 $(shell dpkg-buildflags --get CPPFLAGS)
 
 %:
 	dh $@ --with autotools_dev,apache2 --sourcedirectory=native

DEB_*_MAINT_APPEND is the preferred way to set additional flags (see
man dpkg-buildflags for more information); the default CFLAGS from
dpkg-buildpackage are automatically included.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package (Position
Independent Executable and Immediate binding is not enabled by default)
and check the build log with `blhc` (hardening-check doesn't catch
everything).

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
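Review bot: the new `export DEB_CFLAGS_MAINT_APPEND = ... $(shell dpkg-buildflags --get CPPFLAGS)` line is a recursively expanded (`=`) exported variable, so make re-runs that `$(shell ...)` every time it builds the environment for a child process, and dpkg-buildflags itself reads DEB_CFLAGS_MAINT_APPEND from the environment of the build it is configuring; `export DEB_CFLAGS_MAINT_APPEND := ...` would compute the flags once while debian/rules is parsed and is easier to reason about. Worth confirming with blhc afterwards that -D_FORTIFY_SOURCE=2 and the three LFS defines appear exactly once per compile line, since the quoted log already shows -D_LARGEFILE_SUPPORT and -fstack-protector duplicated for this package. The comment rightly says the native build ignores CPPFLAGS; stating that this is why preprocessor defines are placed in CFLAGS would stop a later reader from "correcting" them into DEB_CPPFLAGS_MAINT_APPEND.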
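The build-log check the report recommends running with `blhc`, as an added shell example that is not part of the bug report, of blhc or of the package: it scans a constructed build-log excerpt for the hardening flags dpkg-buildflags injects and reports each compile line that lacks one, in the spirit of the `CPPFLAGS missing (-D_FORTIFY_SOURCE=2)` lines quoted above. The required-flag list, the function names and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from blhc: a minimal
# blhc-style scan of build-log compile lines for the hardening flags that
# dpkg-buildflags injects. Flag list, names and sample log are assumptions.

# Flags every real compile line is expected to carry.
REQUIRED_FLAGS='-D_FORTIFY_SOURCE=2 -fstack-protector -Wformat -Werror=format-security'

# Constructed build-log excerpt: the second compile line lacks the CPPFLAGS
# define -D_FORTIFY_SOURCE=2, as in the report; the libtool link line is
# not a compile step and is skipped.
SAMPLE_LOG='gcc -std=gnu99 -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c jk_util.c -o jk_util.o
gcc -std=gnu99 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c jk_ajp12_worker.c -o jk_ajp12_worker.o
/bin/sh ../libtool --mode=link gcc -o mod_jk.la jk_util.lo jk_ajp12_worker.lo'

# check_compile_line LINE
# Reports each required flag absent from a gcc compile line (one that
# contains " -c ") on stderr and returns 1; non-compile lines and complete
# lines return 0.
check_compile_line() {
    line=$1
    case $line in
        *gcc*" -c "*) ;;
        *) return 0 ;;
    esac
    rc=0
    for flag in $REQUIRED_FLAGS; do
        # Pad with spaces so each flag must appear as a whole argument.
        case " $line " in
            *" $flag "*) ;;
            *) echo "missing ($flag): $line" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# scan_log < LOG
# Runs check_compile_line over every line on stdin and prints the number
# of compile lines with at least one required flag missing.
scan_log() {
    bad=0
    while IFS= read -r line; do
        check_compile_line "$line" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Usage: prints 1 for the constructed log above.
printf '%s\n' "$SAMPLE_LOG" | scan_log
```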