Re: [announce] April 2021 bugfix update (plus an mdevd feature)

2021-04-15 Thread Laurent Bercot

 Erratum: mdevd's version is

Re: [announce] April 2021 bugfix update (plus an mdevd feature)

2021-04-15 Thread Laurent Bercot

 Wow, my client really did a number on the formatting this time.
Sorry about that. Here's a version with, hopefully, better


 New bugfix versions of all the packages are available.
I normally don't announce bugfix releases, but this one spans all
the packages, because it makes an important fix to the build system:

 - Libraries and binaries don't have the .note.GNU-stack section
stripped anymore. Previously, "make strip" would strip that section,
which would sometimes (depending on the toolchain) cause binaries to be
incorrectly tagged as needing an executable stack. This is not a 

issue in itself, but an executable stack makes it easier for an attacker
to turn bugs into exploits, so it should be avoided whenever possible.
Thanks to Xavier Stonestreet for reporting and finding the cause
of the problem.

 Additionally, link tests are now performed with a regular file as
their output, instead of /dev/null, which makes them more portable to
old/buggy linkers.

 The new versions are the following:

skalibs- (*)
utmps- (*)
s6- (*)
s6-linux-init- (*)
s6-dns- (*)

 The packages marked (*) have also had other bugs fixed, in addition
to the build system changes.

 Dependencies have all been updated to the latest versions. They are
not strict: libraries and binaries will build with older releases of
their dependencies. However, if you use "make strip" in your build,
it is recommended to upgrade everything all the way down to skalibs,
because otherwise your old installation may keep tainting your future
builds with an executable stack.

 You do not need to recompile your service databases, or recreate
your run-images. However, if you have a supervision tree running,
and "readelf -lW `which s6-supervise` | grep GNU_STACK | grep RWE"
prints a line, then you should restart your supervision tree after
upgrading at least skalibs and s6, as soon as is convenient for you.

 mdevd got a minor version bump instead of a bugfix bump, because this
version also comes with a new feature:
 The +, - and & directives in mdev.conf cause the rest of the line to be
interpreted as a command run under "execlineb -P". They are similar to
the @, $ and * directives respectively, but use "execlineb -P" instead
of "/bin/sh" as the command interpreter.

 More bug-reports always welcome.