Your message dated Mon, 12 Aug 2013 09:34:27 +0000
with message-id <[email protected]>
and subject line Bug#710809: fixed in libapache-mod-jk 1:1.2.37-3
has caused the Debian Bug report #710809,
regarding libapache-mod-jk: Hardening CPPFLAGS missing
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
710809: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710809
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache-mod-jk
Severity: normal
Tags: patch

Dear Maintainer,

The following CPPFLAGS hardening flags are missing because they are ignored by the build system:

CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /bin/sh ../libtool --mode=compile i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c -o jk_ajp12_worker.lo
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c -fPIC -DPIC -o .libs/jk_ajp12_worker.o
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR -I/usr/include/apr-1.0
-I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c -o jk_ajp12_worker.o >/dev/null 2>&1 [...] For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue: diff -Nru libapache-mod-jk-1.2.37/debian/rules libapache-mod-jk-1.2.37/debian/rules --- libapache-mod-jk-1.2.37/debian/rules 2013-06-01 15:16:39.000000000 +0200 +++ libapache-mod-jk-1.2.37/debian/rules 2013-06-02 17:24:43.000000000 +0200 @@ -1,7 +1,7 @@ #!/usr/bin/make -f -# Enable LFS -CFLAGS = -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 $(shell dpkg-buildflags --get CFLAGS) +# Enable LFS, build system doesn't respect CPPFLAGS. +export DEB_CFLAGS_MAINT_APPEND = -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 $(shell dpkg-buildflags --get CPPFLAGS) %: dh $@ --with autotools_dev,apache2 --sourcedirectory=native DEB_*_MAINT_APPEND is the preferred way to set additional flags (see man dpkg-buildflags for more information); the default CFLAGS from dpkg-buildpackage are automatically included. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package (Position Independent Executable and Immediate binding is not enabled by default) and check the build log with `blhc` (hardening-check doesn't catch everything). Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
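Review bot: On the added `export DEB_CFLAGS_MAINT_APPEND = ...` line, `$(shell dpkg-buildflags --get CPPFLAGS)` sits in a recursively expanded (`=`) variable, so make re-runs the shell command each time the exported value is expanded; assigning with `:=` would evaluate it once. The new comment "Enable LFS, build system doesn't respect CPPFLAGS." also folds two separate reasons into one phrase: the `-D_LARGEFILE*` and `-D_FILE_OFFSET_BITS=64` defines are there for LFS, while the CPPFLAGS query is a workaround for the build system ignoring CPPFLAGS. Splitting the comment would show which part can be dropped once the build system honours CPPFLAGS itself. Since preprocessor defines are being routed through the CFLAGS append, the resulting build log should be re-checked with `blhc`, as the report suggests, to confirm `-D_FORTIFY_SOURCE=2` reaches every compile line.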
--- End Message ---
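An added example, not part of the original report and not blhc's own code: a minimal Python scan of a build log for compile lines that lack an effective -D_FORTIFY_SOURCE=2, the condition reported above. The sample log is constructed from shortened forms of the quoted compile lines, and all function names are hypothetical.

```python
import shlex

# Constructed sample: shortened forms of the compile lines quoted in the
# report, plus constructed fixed, link-only and -O0 lines for contrast.
SAMPLE_LOG = """\
/bin/sh ../libtool --mode=compile i486-linux-gnu-gcc -std=gnu99 -g -O2 -fstack-protector -Wformat -Werror=format-security -DHAVE_CONFIG_H -c jk_ajp12_worker.c -o jk_ajp12_worker.lo
i486-linux-gnu-gcc -std=gnu99 -g -O2 -fstack-protector -D_FORTIFY_SOURCE=2 -c jk_util.c -o jk_util.o
i486-linux-gnu-gcc -shared -o mod_jk.so jk_util.o
i486-linux-gnu-gcc -g -O0 -D_FORTIFY_SOURCE=2 -c jk_map.c -o jk_map.o
"""

COMPILERS = ("gcc", "cc", "g++", "c++")

def is_compile(tokens):
    """True if a token names a compiler driver and -c (compile only) is set."""
    drivers = (t.rsplit("/", 1)[-1].rsplit("-", 1)[-1]
               for t in tokens if not t.startswith("-"))
    return "-c" in tokens and any(d in COMPILERS for d in drivers)

def fortify_problem(tokens):
    """Return the reason a compile line is not fortified, or None if it is."""
    level = opt = None
    for t in tokens:                      # later flags override earlier ones
        if t.startswith("-D_FORTIFY_SOURCE"):
            level = t.partition("=")[2] or "1"
        elif t == "-U_FORTIFY_SOURCE":
            level = None
        elif t.startswith("-O"):
            opt = t[2:] or "1"
    if level not in ("2", "3"):
        return "CPPFLAGS missing (-D_FORTIFY_SOURCE=2)"
    if opt in (None, "0"):
        return "-D_FORTIFY_SOURCE=2 has no effect without optimisation"
    return None

def audit(log):
    """Return [(line_number, reason)] for unfortified compile lines."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        try:
            tokens = shlex.split(line)
        except ValueError:                # unbalanced quotes: skip the line
            continue
        reason = fortify_problem(tokens) if is_compile(tokens) else None
        if reason:
            findings.append((n, reason))
    return findings

if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The scan only recognises the single-token `-D_FORTIFY_SOURCE=N` form and does not replace `blhc`, which checks the other hardening flags as well.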
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.37-3

We believe that the bug you reported is fixed in the latest version of libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damien Raude-Morvan <[email protected]> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Mon, 12 Aug 2013 10:28:44 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source amd64 all
Version: 1:1.2.37-3
Distribution: sid
Urgency: low
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Damien Raude-Morvan <[email protected]>
Description:
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 710809 711934
Changes:
 libapache-mod-jk (1:1.2.37-3) unstable; urgency=low
 .
   * d/rules: Fix "Hardening CPPFLAGS missing" (Closes: #710809).
     Thanks to Simon Ruderich for providing patch.
   * d/patches/0004-corrupted-worker-activation-status.patch:
     Fix "Worker activation state corrupted when using jkmanager",
     Thanks to David Gubler for patch (Closes: #711934).
--- End Message ---
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.

