
Bug#714872: marked as done (apache2: Please enable bindnow hardening build flag)



Your message dated Mon, 12 Aug 2013 18:48:39 +0000
with message-id <E1V8xAV-0006il-0F@franck.debian.org>
and subject line Bug#714872: fixed in apache2 2.4.6-3
has caused the Debian Bug report #714872,
regarding apache2: Please enable bindnow hardening build flag
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
714872: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714872
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.4-6
Tags: patch
User: hardening-discuss@lists.alioth.debian.org
Usertags: goal-hardening

Please enable the -Wl,-z,now hardening build flag in Apache:
https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_BINDNOW_.28ld_-z_now.29

I have tested that Apache still works when enabling/disabling modules and
then reloading it.

Attached is a patch that implements this.
It uses /usr/share/dpkg/buildflags.mk as make doesn't pass variables
to subshells (so $(shell dpkg-buildflags) would ignore DEB_BUILD_MAINT_OPTIONS).

Thanks,
Felix
diff -Nru apache2-2.4.4/debian/rules apache2-2.4.4/debian/rules
--- apache2-2.4.4/debian/rules
+++ apache2-2.4.4/debian/rules
@@ -6,14 +6,17 @@
 # Uncomment this to turn on verbose mode.
 # export DH_VERBOSE=1
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow
+include /usr/share/dpkg/buildflags.mk
+
 LSB_RELEASE := $(shell lsb_release -i -s)
 SERVER_VERSION := $(shell dpkg-parsechangelog | perl -ne 'print $$1 if m/Version:\s*([\d\.]+)/')
 DEBIAN_VERSION := $(shell dpkg-parsechangelog | perl -ne 'print $$1 if m/Version:\s*(.+)/')
 MODULE_DIR := /usr/lib/apache2/modules/
 API = $(shell perl -ne 'print $$1 if m/define\s+MODULE_MAGIC_NUMBER_MAJOR\s+?(.*)$$/' < include/ap_mmn.h)
-AP2_CFLAGS = -pipe $(shell dpkg-buildflags --get CFLAGS)
-AP2_LDFLAGS = -Wl,--as-needed $(shell dpkg-buildflags --get LDFLAGS)
-AP2_CPPFLAGS = -DPLATFORM='\"$(LSB_RELEASE)\"' $(shell dpkg-buildflags --get CPPFLAGS)
+AP2_CFLAGS = -pipe $(CFLAGS)
+AP2_LDFLAGS = -Wl,--as-needed $(LDFLAGS)
+AP2_CPPFLAGS = -DPLATFORM='\"$(LSB_RELEASE)\"' $(CPPFLAGS)
 
 
 support/suexec-custom.c: support/suexec.c debian/patches/suexec-custom.patch
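Review bot: The patch changes the link flags of every shipped binary and module but carries no debian/changelog entry, so the hardening change would land undocumented; add an entry such as "Enable bindnow hardening build flag" closing #714872 alongside the debian/rules hunk. The ordering in the hunk is right, since `export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` precedes `include /usr/share/dpkg/buildflags.mk`, which is what lets the included CFLAGS/LDFLAGS/CPPFLAGS pick up the option in place of the old `$(shell dpkg-buildflags --get ...)` calls; because the reported test only covered enabling/disabling modules and reloading, please also confirm on the built tree that `readelf -d` on the apache2 binary and on the modules under /usr/lib/apache2/modules/ (MODULE_DIR) lists the BIND_NOW flag before merging.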

--- End Message ---
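As an added example (not code from the bug report or from the Debian apache2 package), a small Python checker that reads the dynamic section of an ELF64 binary and reports whether the loader was asked for immediate binding, i.e. whether -Wl,-z,now actually took effect; build_elf fabricates a minimal image only so the check can be exercised offline without a real binary.

```python
import struct
import sys

# Dynamic-section tags and flag bits from the ELF gABI (as in glibc's elf.h).
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PT_DYNAMIC = 2


def has_bind_now(elf: bytes) -> bool:
    """True if a little-endian ELF64 image requests immediate symbol binding.
    -Wl,-z,now sets DF_BIND_NOW in DT_FLAGS (modern ld also sets DF_1_NOW in
    DT_FLAGS_1); very old linkers emitted a bare DT_BIND_NOW entry instead."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", elf, ph)
        if p_type != PT_DYNAMIC:
            continue
        (p_offset,) = struct.unpack_from("<Q", elf, ph + 8)
        (p_filesz,) = struct.unpack_from("<Q", elf, ph + 32)
        for pos in range(p_offset, p_offset + p_filesz, 16):  # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from("<qQ", elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW:
                return True
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                return True
    return False


def build_elf(dyn_entries):
    """Constructed minimal ELF64 image (not a real executable): header, one
    PT_DYNAMIC program header at offset 64, dynamic array at offset 120."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    # Usage: python3 check_bindnow.py /path/to/binary [...]  (e.g. apache2 and its modules)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "BIND_NOW" if has_bind_now(f.read()) else "lazy binding")
```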
--- Begin Message ---
Source: apache2
Source-Version: 2.4.6-3

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714872@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 12 Aug 2013 20:15:38 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin libapache2-mod-proxy-html libapache2-mod-macro apache2-utils apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: source i386 all
Version: 2.4.6-3
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (binary files and modules)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-mpm-event - transitional event MPM package for apache2
 apache2-mpm-itk - transitional itk MPM package for apache2
 apache2-mpm-prefork - transitional prefork MPM package for apache2
 apache2-mpm-worker - transitional worker MPM package for apache2
 apache2-suexec - transitional package for apache2-suexec-pristine
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 apache2.2-bin - Transitional package for apache2-bin
 libapache2-mod-macro - Transitional package for apache2-bin
 libapache2-mod-proxy-html - Transitional package for apache2-bin
Closes: 714872 717910 718387 718650 718677 718909
Changes: 
 apache2 (2.4.6-3) unstable; urgency=low
 .
   * Fix 'implicit declaration' compiler warnings.
   * Fix module dependencies in lbmethod_*.load files. Closes: #717910
     LP: #1205314
   * Mark apache2-data as Multi-Arch: foreign. Closes: #718387
   * Backport open_htaccess hook from upstream 2.4.x branch to allow
     building mpm-itk as separate package.
   * Improve comment for LogLevel in apache2.conf. Closes: #718677
   * Fix comment in ports.conf. Closes: #718650
   * Fix htcacheclean path and function name in init script. Closes: #718909
   * Enable bindnow hardening compiler option, patch by Felix Geyer.
     Closes: #714872
Checksums-Sha1: 
Checksums-Sha256: 
Files: 


--- End Message ---
