Bug#774117: Two items concerning security support
Package: release-notes
Severity: wishlist
Tags: patch
Hi,
the attached patch documents two topics the security team
would like to see covered in the jessie release notes:
The handling of kernel-level hardening against /tmp races
and the debian-security-support package.
Fine-tuning of the English formulations would be appreciated!
Cheers,
Moritz
Index: whats-new.dbk
===================================================================
--- whats-new.dbk (Revision 10559)
+++ whats-new.dbk (Arbeitskopie)
@@ -451,6 +451,28 @@
as servers and client applications have been compiled or configured
without support for this protocol.</para>
+ <para>
+ The Linux kernel features a security mechanism which nullifies many
+ symlink attacks. It is enabled in the Debian Linux kernel by default.
+ /tmp-related bugs which are rendered non-exploitable by this
+ mechanism are not treated as security vulnerabilities. If you use a custom
+ Linux kernel you should enable it using a sysctl setting:
+ <consoleinput>
+echo 1 > /proc/sys/fs/protected_symlinks
+ </consoleinput>
+ </para>
+
+ <para>
+ In some rare cases the security support for a package shipped in
+ a Debian release needs to be terminated prior to the end of support
+ for the full distribution. jessie provides a new package (<systemitem
+ role="package">debian-security-support</systemitem>) which emits a warning
+ if support for a package needs to be terminated in advance. It also
+ documents packages where the scope of security support is limited.
+ As such, it is recommended to install debian-security-support on
+ all security-relevant systems.
+ </para>
+
<para>Continuing on the path set by &Oldreleasename;, more packages
have been built with hardened compiler flags. Also, the stack
protector flag has been switched to stack-protector-strong for extra
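Review bot: the command in the first added paragraph, `echo 1 > /proc/sys/fs/protected_symlinks`, does not match the prose, which tells custom-kernel users to "enable it using a sysctl setting": writing to /proc takes effect only until the next reboot, so a reader following the instruction literally ends up unprotected after rebooting. Suggest either `sysctl -w fs.protected_symlinks=1` or, better for a release note, a persistent drop-in such as `fs.protected_symlinks = 1` in /etc/sysctl.d/, and naming the setting (fs.protected_symlinks) in the prose instead of "a security mechanism", so readers can verify it on their own kernel. Two smaller points: the surrounding context uses the &Oldreleasename; entity, so the literal "jessie" in the second paragraph should be &Releasename; for consistency; and the second mention of debian-security-support ("it is recommended to install debian-security-support") lacks the `<systemitem role="package">` markup used for the first one. Also confirm that `<consoleinput>` is an element the release-notes build actually defines; it is not part of standard DocBook, where `<screen>`/`<userinput>` would be the usual choice.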