Source: apache2 Version: 2.4.4-6 Tags: patch User: [email protected] Usertags: goal-hardening
Please enable the -Wl,-z,now hardening build flag in Apache: https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_BINDNOW_.28ld_-z_now.29 I have tested that Apache still works when enabling/disabling modules and then reloading it. Attached is a patch that implements this. It uses /usr/share/dpkg/buildflags.mk because make doesn't pass variables to $(shell ...) subshells (so $(shell dpkg-buildflags ...) would ignore DEB_BUILD_MAINT_OPTIONS). Thanks, Felix
diff -Nru apache2-2.4.4/debian/rules apache2-2.4.4/debian/rules
--- apache2-2.4.4/debian/rules
+++ apache2-2.4.4/debian/rules
@@ -6,14 +6,17 @@
 # Uncomment this to turn on verbose mode.
 # export DH_VERBOSE=1
+export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow
+include /usr/share/dpkg/buildflags.mk
+
 LSB_RELEASE := $(shell lsb_release -i -s)
 SERVER_VERSION := $(shell dpkg-parsechangelog | perl -ne 'print $$1 if m/Version:\s*([\d\.]+)/')
 DEBIAN_VERSION := $(shell dpkg-parsechangelog | perl -ne 'print $$1 if m/Version:\s*(.+)/')
 MODULE_DIR := /usr/lib/apache2/modules/
 API = $(shell perl -ne 'print $$1 if m/define\s+MODULE_MAGIC_NUMBER_MAJOR\s+?(.*)$$/' < include/ap_mmn.h)
-AP2_CFLAGS = -pipe $(shell dpkg-buildflags --get CFLAGS)
-AP2_LDFLAGS = -Wl,--as-needed $(shell dpkg-buildflags --get LDFLAGS)
-AP2_CPPFLAGS = -DPLATFORM='\"$(LSB_RELEASE)\"' $(shell dpkg-buildflags --get CPPFLAGS)
+AP2_CFLAGS = -pipe $(CFLAGS)
+AP2_LDFLAGS = -Wl,--as-needed $(LDFLAGS)
+AP2_CPPFLAGS = -DPLATFORM='\"$(LSB_RELEASE)\"' $(CPPFLAGS)
 support/suexec-custom.c: support/suexec.c debian/patches/suexec-custom.patch
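Review bot: The added `export DEB_BUILD_MAINT_OPTIONS` / `include /usr/share/dpkg/buildflags.mk` lines carry no comment saying why the include replaces the earlier `$(shell dpkg-buildflags --get ...)` calls, so a later cleanup could go back to the shell form and silently lose `-z now`. I would put above them `# Use buildflags.mk, not $(shell dpkg-buildflags ...): the $(shell) call would not see DEB_BUILD_MAINT_OPTIONS and bindnow would be dropped.` Because `AP2_LDFLAGS` is consumed outside this hunk, the result should also be confirmed on the built httpd binary and modules, for example with `hardening-check` or by looking for `BIND_NOW` in `readelf -d` output. The option string adds only `bindnow`; if PIE is not already a default for the dpkg version in use, `hardening=+bindnow,+pie` may be worth testing as a separate change.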

