Package: libapache-mod-jk
Severity: normal
Tags: patch

Dear Maintainer,

The following CPPFLAGS hardening flags are missing because they
are ignored by the build system:

    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /bin/sh ../libtool --mode=compile 
i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT 
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H 
-pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security  -pthread  -DHAVE_APR  -I/usr/include/apr-1.0 
-I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE 
-D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 
-Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE 
-D_LARGEFILE64_SOURCE  -c jk_ajp12_worker.c -o jk_ajp12_worker.lo
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2):  i486-linux-gnu-gcc -std=gnu99 
-I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE 
-D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 
-Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR 
-I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT 
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H 
-D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c  -fPIC 
-DPIC -o .libs/jk_ajp12_worker.o
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2):  i486-linux-gnu-gcc -std=gnu99 
-I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE 
-D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 
-Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR 
-I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT 
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H 
-D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c -o 
jk_ajp12_worker.o >/dev/null 2>&1
    [...]

For more hardening information please have a look at [1], [2] and
[3].

The following patch fixes the issue:

diff -Nru libapache-mod-jk-1.2.37/debian/rules 
libapache-mod-jk-1.2.37/debian/rules
--- libapache-mod-jk-1.2.37/debian/rules        2013-06-01 15:16:39.000000000 
+0200
+++ libapache-mod-jk-1.2.37/debian/rules        2013-06-02 17:24:43.000000000 
+0200
@@ -1,7 +1,7 @@
 #!/usr/bin/make -f
 
-# Enable LFS
-CFLAGS = -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 
$(shell dpkg-buildflags --get CFLAGS)
+# Enable LFS, build system doesn't respect CPPFLAGS.
+export DEB_CFLAGS_MAINT_APPEND = -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE 
-D_FILE_OFFSET_BITS=64 $(shell dpkg-buildflags --get CPPFLAGS)
 
 %:
        dh $@ --with autotools_dev,apache2 --sourcedirectory=native
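Review bot: the replacement `+export DEB_CFLAGS_MAINT_APPEND = ... $(shell dpkg-buildflags --get CPPFLAGS)` is a recursively expanded variable, so `dpkg-buildflags --get CPPFLAGS` is re-run every time make expands it when building a recipe's environment; `:=` would evaluate it once. The line also works around the build system ignoring CPPFLAGS by folding the preprocessor flags into CFLAGS, which is fine for this package but should be stated in the comment (`+# Enable LFS, build system doesn't respect CPPFLAGS.` could say "so CPPFLAGS is appended to CFLAGS on purpose"), and the resulting log should be re-checked with blhc so that every compile line, including the `-fPIC -DPIC` ones in the quoted log, now carries `-D_FORTIFY_SOURCE=2`.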

DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information); the default
CFLAGS from dpkg-buildpackage are automatically included.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package (Position
Independent Executable and Immediate binding are not enabled by
default) and check the build log with `blhc` (hardening-check
doesn't catch everything).

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
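The kind of build-log check the report recommends running with `blhc`, as an added example that is neither the report's nor blhc's own code: a POSIX sh function that reports compile lines lacking the flags dpkg-buildflags supplies. The function name, REQUIRED_FLAGS and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: scan a build log for compile
# lines that lack the hardening flags dpkg-buildflags would have supplied,
# the same class of check that blhc performs on the log.  Only lines that
# look like a compile step (they contain " -c ") are inspected.

# Flags expected on every compile line when dpkg-buildflags is honoured
# (those visible in the mod_jk log above, plus the absent FORTIFY define).
REQUIRED_FLAGS='-D_FORTIFY_SOURCE=2 -fstack-protector -Wformat -Werror=format-security'

# check_build_log LOGFILE
# Prints "<source>: missing <flag>" for every compile line that lacks a
# required flag; returns 0 if the log is clean, 1 otherwise.
check_build_log() {
    findings=$(
        # Drop the libtool wrapper so libtool and bare gcc lines are
        # compared alike, then keep only compile steps.
        sed 's/^.*libtool --mode=compile //' "$1" | grep -- ' -c ' |
        while read -r line; do
            src=$(printf '%s\n' "$line" | sed 's/.* -c \([^ ]*\).*/\1/')
            for flag in $REQUIRED_FLAGS; do
                # Whole-token match: " -fstack-protector " is not satisfied
                # by a different variant such as -fstack-protector-strong.
                case " $line " in
                    *" $flag "*) ;;
                    *) printf '%s: missing %s\n' "$src" "$flag" ;;
                esac
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample log: line 1 mirrors the report (FORTIFY absent), line 2
# is how a compile line should look after the rules patch, line 3 is a link
# step and must be ignored.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
/bin/sh ../libtool --mode=compile i486-linux-gnu-gcc -std=gnu99 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security  -DHAVE_CONFIG_H -c jk_ajp12_worker.c -o jk_ajp12_worker.lo
i486-linux-gnu-gcc -std=gnu99 -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c jk_ajp13_worker.c -fPIC -DPIC -o .libs/jk_ajp13_worker.o
/bin/sh ../libtool --mode=link i486-linux-gnu-gcc -o mod_jk.la jk_ajp12_worker.lo jk_ajp13_worker.lo
EOF

# Prints "jk_ajp12_worker.c: missing -D_FORTIFY_SOURCE=2" for the sample.
if check_build_log "$SAMPLE_LOG"; then echo "all compile lines hardened"; fi
rm -f "$SAMPLE_LOG"
```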
