
Bug#772694: mention removal of SSLv3 in whatsnew section



Control: tags -1 pending

On 2014-12-10 08:30, Thijs Kinkhorst wrote:
> Package: release-notes
> Severity: wishlist
> Tags: patch
> 
> Hi,
> 
> Attached patch renames the "Hardening" section to "Security", adds mention
> of the removed SSLv3 protocol and progress on hardened build flags.
> 
> 
> Cheers,
> Thijs
> 

Hi Thijs,

I have applied and committed your patch with 3 changes.  These changes are:

 * In the first paragraph, avoid implying that all packages have been
   compiled without SSLv3 support (as I recall, at least openssl still
   has it, and given that removing it removes symbols/breaks ABI, it
   will keep it for Jessie)
 * Replaced &oldrelease; with &Oldreleasename; (the former resolves to
   "7" and the latter to "Wheezy").
 * Added a "they" in the sentence:
   """[...], so [they] are not used automatically when locally building
   software"""


Please take a minute to review the resulting patch,
~Niels


From 7f6c76e721e6cd0991808c13537c930eaadc743f Mon Sep 17 00:00:00 2001
From: nthykier <nthykier@313b444b-1b9f-4f58-a734-7bb04f332e8d>
Date: Thu, 11 Dec 2014 18:33:20 +0000
Subject: [PATCH] en/whats-new: Update security section

Heavily based on patch from Thijs Kinkhorst.

Signed-off-by: Niels Thykier <niels@thykier.net>

git-svn-id: svn+ssh://svn.debian.org/svn/ddp/manuals/trunk/release-notes@10520 313b444b-1b9f-4f58-a734-7bb04f332e8d
---
 en/whats-new.dbk | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/en/whats-new.dbk b/en/whats-new.dbk
index 86f3982..7244d3d 100644
--- a/en/whats-new.dbk
+++ b/en/whats-new.dbk
@@ -441,17 +441,21 @@ TODO: Need to include stuff from &lt;5447EC14.2070502@debian.org&gt;
 </para>
 </section>
 
-<section id="hardening" condition="fixme">
-  <title>Hardened security</title>
-  <para>
-TODO: Even more packages / coverage?
-  </para>
+<section id="security" condition="fixme">
+  <title>Security</title>
+  <para>The legacy secure sockets layer protocol SSLv3 has been
+  disabled in this release in many packages. Many System cryptography
+  libraries as well as servers and client applications have been
+  compiled or configured without support for this protocol.</para>
 
-  <para>Note that the hardened build flags are not enabled by default in
-  <systemitem role="package">gcc</systemitem>, so are not used automatically
-  when locally building software. The package
-  <systemitem role="package">hardening-wrapper</systemitem> can provide a
-  <systemitem>gcc</systemitem> with these flags enabled.
+  <para>Continuing on the path set by &Oldreleasename;, more packages
+  have been built with hardened compiler flags. Also, the stack
+  protector flag has been switched to stack-protector-strong for extra
+  hardening.  Note that the hardened build flags are not enabled by
+  default in <systemitem role="package">gcc</systemitem>, so they are
+  not used automatically when locally building software. The package
+  <systemitem role="package">hardening-wrapper</systemitem> can
+  provide a <systemitem>gcc</systemitem> with these flags enabled.
   </para>
 </section>
 
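Review bot: in the first added paragraph, "Many System cryptography libraries" capitalises "System" mid-sentence; it should read "Many system cryptography libraries". In the second paragraph, "stack-protector-strong" is the compiler flag, so marking it up as the actual option, e.g. `<option>-fstack-protector-strong</option>`, would make it unambiguous for readers who want to enable it when building locally. Also, the TODO paragraph is removed but the section still carries `condition="fixme"`; if the remaining text is considered final, that attribute can be dropped so the section is rendered.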
-- 
2.1.3

