
Bug#774117: marked as done (Two items concerning security support)



Your message dated Mon, 29 Dec 2014 07:39:30 +0100
with message-id <20141229063930.GI32681@beskar.mdcc.cx>
and subject line Re: Bug#774117: Two items concerning security support
has caused the Debian Bug report #774117,
regarding Two items concerning security support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774117: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774117
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Severity: wishlist
Tags: patch

Hi,
the attached patch documents two topics the security team
would like to see covered in the jessie release notes:
The handling of kernel-level hardening against /tmp races
and the debian-security-support package.

Fine-tuning of the English formulations would be appreciated!

Cheers,
        Moritz
Index: whats-new.dbk
===================================================================
--- whats-new.dbk	(Revision 10559)
+++ whats-new.dbk	(Arbeitskopie)
@@ -451,6 +451,28 @@
   as servers and client applications have been compiled or configured
   without support for this protocol.</para>
 
+  <para>
+    The Linux kernel features a security mechanism which nullifies many
+    symlink attacks. It is enabled in the Debian Linux kernel by default.
+    /tmp-related bugs which are rendered non-exploitable by this
+    mechanism are not treated as security vulnerabilities. If you use a custom
+    Linux kernel you should enable it using a sysctl setting:
+    <consoleinput>
+echo 1 > /proc/sys/fs/protected_symlinks
+    </consoleinput>
+  </para>
+
+  <para>
+    In some rare cases the security support for a package shipped in
+    a Debian release needs to be terminated prior to the end of support
+    for the full distribution. jessie provides a new package (<systemitem
+    role="package">debian-security-support</systemitem>) which emits a warning
+    if support for a package needs to be terminated in advance. It also
+    documents packages where the scope of security support is limited.
+    As such, it is recommended to install debian-security-support on
+    all security-relevant systems.
+  </para>
+
   <para>Continuing on the path set by &Oldreleasename;, more packages
   have been built with hardened compiler flags. Also, the stack
   protector flag has been switched to stack-protector-strong for extra
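Review bot: The `echo 1 > /proc/sys/fs/protected_symlinks` command in the first added paragraph only lasts until the next reboot, so a reader of a custom kernel who follows "you should enable it using a sysctl setting" loses the protection on restart; suggest also giving the persistent form, e.g. `fs.protected_symlinks = 1` in a file under /etc/sysctl.d/, or at least stating that the setting must be made persistent. Two wording points in the same hunk, since the submitter asked for fine-tuning: a sentence starting with "/tmp-related bugs" reads awkwardly and could be joined to the previous one ("... by default; /tmp-related bugs which ..."), and "As such, it is recommended to install" would read better as "It is therefore recommended to install".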

--- End Message ---
--- Begin Message ---
On Mon, Dec 29, 2014 at 01:01:25AM +0100, Moritz Muehlenhoff wrote:
> 
> the attached patch documents two topics the security team
> would like to see covered in the jessie release notes:
> The handling of kernel-level hardening against /tmp races
> and the debian-security-support package.
> 
> Fine-tuning of the English formulations would be appreciated!
> 
> Cheers,
>         Moritz
<snip>

Hi Moritz,

Applied, thanks!

Bye,

Joost

--- End Message ---