Bug#772694: mention removal of SSLv3 in whatsnew section
Control: tags -1 pending
On 2014-12-10 08:30, Thijs Kinkhorst wrote:
> Package: release-notes
> Severity: wishlist
> Tags: patch
>
> Hi,
>
> Attached patch renames the "Hardening" section to "Security", adds mention
> of the removed SSLv3 protocol and progress on hardened build flags.
>
>
> Cheers,
> Thijs
>
Hi Thijs,
I have applied and committed your patch with 3 changes. These changes are:
* In the first paragraph, avoid implying that all packages have been
compiled without SSLv3 support (as I recall, at least openssl still
has it, and given it removes symbols/breaks ABI to remove them,
will keep it for Jessie)
* Replaced &oldrelease; with &Oldreleasename; (the former resolves to
"7" and the latter to "Wheezy").
* Added a "they" in the sentence:
"""[...], so [they] are not used automatically when locally building
software"""
Please take a minute to review the resulting patch,
~Niels
From 7f6c76e721e6cd0991808c13537c930eaadc743f Mon Sep 17 00:00:00 2001
From: nthykier <nthykier@313b444b-1b9f-4f58-a734-7bb04f332e8d>
Date: Thu, 11 Dec 2014 18:33:20 +0000
Subject: [PATCH] en/whats-new: Update security section
Heavily based on patch from Thijs Kinkhorst.
Signed-off-by: Niels Thykier <niels@thykier.net>
git-svn-id: svn+ssh://svn.debian.org/svn/ddp/manuals/trunk/release-notes@10520 313b444b-1b9f-4f58-a734-7bb04f332e8d
---
en/whats-new.dbk | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/en/whats-new.dbk b/en/whats-new.dbk
index 86f3982..7244d3d 100644
--- a/en/whats-new.dbk
+++ b/en/whats-new.dbk
@@ -441,17 +441,21 @@ TODO: Need to include stuff from <5447EC14.2070502@debian.org>
</para>
</section>
-<section id="hardening" condition="fixme">
- <title>Hardened security</title>
- <para>
-TODO: Even more packages / coverage?
- </para>
+<section id="security" condition="fixme">
+ <title>Security</title>
+ <para>The legacy secure sockets layer protocol SSLv3 has been
+ disabled in this release in many packages. Many System cryptography
+ libraries as well as servers and client applications have been
+ compiled or configured without support for this protocol.</para>
- <para>Note that the hardened build flags are not enabled by default in
- <systemitem role="package">gcc</systemitem>, so are not used automatically
- when locally building software. The package
- <systemitem role="package">hardening-wrapper</systemitem> can provide a
- <systemitem>gcc</systemitem> with these flags enabled.
+ <para>Continuing on the path set by &Oldreleasename;, more packages
+ have been built with hardened compiler flags. Also, the stack
+ protector flag has been switched to stack-protector-strong for extra
+ hardening. Note that the hardened build flags are not enabled by
+ default in <systemitem role="package">gcc</systemitem>, so they are
+ not used automatically when locally building software. The package
+ <systemitem role="package">hardening-wrapper</systemitem> can
+ provide a <systemitem>gcc</systemitem> with these flags enabled.
</para>
</section>
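Review bot: In the first added paragraph, "Many System cryptography libraries" has a stray capital on "System" mid-sentence, and "the legacy secure sockets layer protocol SSLv3" would read better as "the legacy Secure Sockets Layer protocol SSLv3" (or simply "the legacy SSLv3 protocol"). In the second paragraph, "stack-protector-strong" names a compiler option, so it should be marked up as such, e.g. `<option>-fstack-protector-strong</option>`, rather than left as bare text; the bare `<systemitem>gcc</systemitem>` carried over from the old wording also lacks the `role="package"` that the other gcc reference in the same paragraph uses. Finally, the TODO paragraph that justified `condition="fixme"` on this section has been removed, so consider whether the attribute should stay on `<section id="security">`.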
--
2.1.3