
Bug#714872: apache2: Please enable bindnow hardening build flag



Source: apache2
Version: 2.4.4-6
Tags: patch
User: hardening-discuss@lists.alioth.debian.org
Usertags: goal-hardening

Please enable the -Wl,-z,now hardening build flag in Apache:
https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_BINDNOW_.28ld_-z_now.29

I have tested that Apache still works when enabling/disabling modules and
then reloading it.

Attached is a patch that implements this.
It uses /usr/share/dpkg/buildflags.mk because make doesn't pass variables
to $(shell ...) subshells (so $(shell dpkg-buildflags ...) would ignore DEB_BUILD_MAINT_OPTIONS).

Thanks,
Felix
diff -Nru apache2-2.4.4/debian/rules apache2-2.4.4/debian/rules
--- apache2-2.4.4/debian/rules
+++ apache2-2.4.4/debian/rules
@@ -6,14 +6,17 @@
 # Uncomment this to turn on verbose mode.
 # export DH_VERBOSE=1
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow
+include /usr/share/dpkg/buildflags.mk
+
 LSB_RELEASE := $(shell lsb_release -i -s)
 SERVER_VERSION := $(shell dpkg-parsechangelog | perl -ne 'print $$1 if m/Version:\s*([\d\.]+)/')
 DEBIAN_VERSION := $(shell dpkg-parsechangelog | perl -ne 'print $$1 if m/Version:\s*(.+)/')
 MODULE_DIR := /usr/lib/apache2/modules/
 API = $(shell perl -ne 'print $$1 if m/define\s+MODULE_MAGIC_NUMBER_MAJOR\s+?(.*)$$/' < include/ap_mmn.h)
-AP2_CFLAGS = -pipe $(shell dpkg-buildflags --get CFLAGS)
-AP2_LDFLAGS = -Wl,--as-needed $(shell dpkg-buildflags --get LDFLAGS)
-AP2_CPPFLAGS = -DPLATFORM='\"$(LSB_RELEASE)\"' $(shell dpkg-buildflags --get CPPFLAGS)
+AP2_CFLAGS = -pipe $(CFLAGS)
+AP2_LDFLAGS = -Wl,--as-needed $(LDFLAGS)
+AP2_CPPFLAGS = -DPLATFORM='\"$(LSB_RELEASE)\"' $(CPPFLAGS)
 
 
 support/suexec-custom.c: support/suexec.c debian/patches/suexec-custom.patch
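Review bot: The two lines added at the top of the hunk depend on their order, and nothing in the file says so. `export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` has to come before `include /usr/share/dpkg/buildflags.mk` for the option to reach the `$(CFLAGS)`, `$(LDFLAGS)` and `$(CPPFLAGS)` values that the AP2_* variables now take. A comment above them would protect this from a later reshuffle, for example `# Keep before the buildflags.mk include: adds -Wl,-z,now so the dynamic linker resolves all symbols at load time.` The hunk does not show how AP2_LDFLAGS is handed to the build, so it is worth confirming on the built package that httpd and the module .so files carry the flag, for instance by checking that `readelf -d` reports BIND_NOW.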
