hardening-wrapper (1.36ubuntu1.1) precise-security; urgency=medium

  * hardened-cc: don't set -Wformat options if they are already set
    (LP: #1347257)

 -- Chris Coulson  Thu, 30 Apr 2015 18:49:28 +0100

hardening-wrapper (1.36ubuntu1) precise; urgency=low

  * Make bash-completion Multi-Arch: foreign, so that it can satisfy
    cross-build-dependencies.

 -- Colin Watson  Sat, 31 Mar 2012 02:11:12 +0100

hardening-wrapper (1.36) unstable; urgency=low

  * hardening-check: fix function-finder to accept IFUNC too, improve
    reporting slightly, improve manpage to explain false alarms.

 -- Kees Cook  Fri, 27 Jan 2012 12:07:45 -0800

hardening-wrapper (1.35) unstable; urgency=low

  * debian/control: switch to "optional" priority so lintian can depend on
    hardening-includes.
  * hardening-check: rewrite in Perl, add "--lintian" mode, to support fixing
    bug 650536.

 -- Kees Cook  Thu, 01 Dec 2011 10:15:35 -0800

hardening-wrapper (1.34) unstable; urgency=low

  * debian/control: update VCS tags for bzr.
  * hardening{-check,.make}: correct documentation from -O2 to -O1.
  * hardened-{cc,ld}, hardening.make, debian/rules: use DEB_HOST_ARCH instead
    of DEB_HOST_ARCH_CPU for behavioral defaults (Closes: 635642).

 -- Kees Cook  Thu, 28 Jul 2011 12:55:17 -0700

hardening-wrapper (1.33) unstable; urgency=low

  * debian/control:
    - bump to standards 3.9.2; no changes needed
    - hardening-wrapper: mark as Multi-Arch: foreign for build sanity.
  * debian/source/format: mark as 3.0 native.

 -- Kees Cook  Sun, 03 Jul 2011 11:28:00 -0700

hardening-wrapper (1.32) unstable; urgency=low

  * debian/rules, debian/hardening-wrapper.{prerm,preinst,postinst}: remove
    gcc-4.1 diversions since it has been removed from unstable.
  * hardened-cc, hardening.make: add "-Werror=format-security" by default
    (Closes: #587358).
  * tests/Makefile.common, tests/format.c: add test for newly added
    "-Werror=format-security" default option.
  * hardened-cc, hardening.make: add "--param ssp-buffer-size=4" by default
    to catch smaller character arrays.
  * tests/Makefile.common, tests/ssp-buffer-size-{protect,skip}.c: add tests
    for newly added "--param ssp-buffer-size=4" default.
  * debian/README.Debian: updated to include newly added options.
  * hardened-cc: disable -fstack-protector when -ffreestanding used.
  * hardening.make: provide examples for working around build-time collisions
    between "-fPIE" and "-fPIC" (Closes: #596150).

 -- Kees Cook  Fri, 18 Feb 2011 10:57:52 -0800

hardening-wrapper (1.31) unstable; urgency=low

  * tests/Makefile.common: do not require @@GLIBC suffix for nm tests.
  * tests/Makefile.wrapper: include symlink for ld.gold testing.
  * hardening-check: improve hardening-check to parse BIND_NOW also from the
    FLAGS dynamic section.

 -- Kees Cook  Fri, 14 Jan 2011 10:19:01 -0800

hardening-wrapper (1.30) unstable; urgency=low

  * debian/README.Debian: update for gcc versions, include minimal notes on
    hardening-includes (Closes: 592847, 592846).
  * debian/rules, debian/hardening-wrapper.{prerm,postinst}: add gcc-4.6 to
    the diversion list.
  * debian/control: remove binutils-multiarch conflict now that ld.bfd is no
    longer diverted.

 -- Kees Cook  Tue, 11 Jan 2011 07:54:28 -0800

hardening-wrapper (1.29) unstable; urgency=low

  * debian/control: add Conflicts for binutils-multiarch (Closes: 579409,
    LP: #596136).
  * debian/hardening-wrapper.postrm: remove attempted diversions on
    installation failure.

 -- Kees Cook  Fri, 09 Jul 2010 09:33:15 -0700

hardening-wrapper (1.28) unstable; urgency=low

  * hardening.make: enable PIE on hurd (Closes: 586215), thanks to Samuel
    Thibault.

 -- Kees Cook  Sun, 20 Jun 2010 12:36:32 -0700

hardening-wrapper (1.27) unstable; urgency=low

  * hardening.make:
    - disable RELRO on avr32.
    - clarify use of CXXFLAGS.
  * hardening-check: fix regex to correctly call sed (Closes: 578488).

 -- Kees Cook  Fri, 23 Apr 2010 16:16:25 -0700

hardening-wrapper (1.26) unstable; urgency=low

  * hardening.make: disable PIE on avr32 (Closes: 574716).

 -- Kees Cook  Sun, 21 Mar 2010 09:45:52 -0700

hardening-wrapper (1.25) unstable; urgency=low

  * debian/control:
    - bump standards version: no changes needed.
    - should not be considered "experimental".
  * hardening-check: use readelf's "-s" instead of "-r" to avoid issues with
    archs that lack sane relocations.
  * tests/Makefile.common:
    - adjust tests to include -s output.
    - weaken nm symbol matching.

 -- Kees Cook  Mon, 01 Mar 2010 14:54:34 -0800

hardening-wrapper (1.24) unstable; urgency=low

  * hardening-check: handle alternate names for relocation jump slots
    (Closes: 568622)
  * tests/Makefile.common: show relocations as well for future debugging.

 -- Kees Cook  Tue, 09 Feb 2010 15:44:19 -0800

hardening-wrapper (1.23) unstable; urgency=low

  * hardening.make: correctly document how to disable PIE on a per-target
    basis (Closes: 567707).
  * tests/Makefile.{common,includes}: add HARDENING_DISABLE_* flags tests.

 -- Kees Cook  Sat, 30 Jan 2010 13:32:14 -0800

hardening-wrapper (1.22) unstable; urgency=low

  * debian/hardening-wrapper.postrm: fix typo in diversion name
    (Closes: 564840).

 -- Kees Cook  Tue, 12 Jan 2010 06:18:04 -0800

hardening-wrapper (1.21) unstable; urgency=low

  * debian/control: add ${misc:Depends} to control file entries to keep
    lintian happy.
  * hardening-check: add -q option to only report failures.
  * really handle gcc 4.5 diversion (Closes: 564596).
  * handle ld diversion when binutils-gold installed (Closes: 535037).

 -- Kees Cook  Sun, 10 Jan 2010 12:35:38 -0800

hardening-wrapper (1.20) unstable; urgency=low

  * hardening.make:
    - switch to "filter" for easier to read logic.
    - allow PIE for arm/armel, since it's only the kernel that lacks ASLR.
  * tests/Makefile: perform test builds with -fstack-protector and -fPIE -pie
    on all architectures just to have a record of the success/failure in the
    build logs, even if we are manually selecting the defaults.

 -- Kees Cook  Fri, 25 Dec 2009 16:34:24 -0800

hardening-wrapper (1.19) unstable; urgency=low

  * debian/rules: fix up arch/arch-indep rules to avoid rebuilding arch-indep
    bits repeatedly.
  * hardening-check, debian/{rules,hardening-includes.manpages},
    tests/Makefile.common: add helper utility to allow users of
    hardening-includes to evaluate the state of a given binary's resulting
    hardening features.
  * debian/rules: add gcc-4.5 to the diversion list.

 -- Kees Cook  Thu, 24 Dec 2009 00:02:02 -0800

hardening-wrapper (1.18) unstable; urgency=low

  * debian/{control,rules}: add "hardening-includes" for use in other Debian
    rules files.
  * debian/rules, hardening.make: relocate/enhance architecture logic to
    common makefile include file.
  * tests/*: update to test both wrapper and include style.

 -- Kees Cook  Sat, 19 Dec 2009 18:00:22 -0800

hardening-wrapper (1.17) unstable; urgency=low

  * Add Conflicts on binutils-gold, which also uses diversions against gcc
    and friends (Closes: 535037, LP: #442636).

 -- Kees Cook  Wed, 25 Nov 2009 11:40:43 -0800

hardening-wrapper (1.16) unstable; urgency=low

  * tests/Makefile: exclude relro test on hppa.

 -- Kees Cook  Thu, 29 Oct 2009 21:21:55 -0700

hardening-wrapper (1.15) unstable; urgency=low

  * tests/Makefile: exclude tests based on architecture (ia64 w/o relro).
  * debian/rules: disable PIE on mips/mipsel until bug 532821 is solved
    (Closes: #548250).

 -- Kees Cook  Thu, 24 Sep 2009 15:34:51 -0700

hardening-wrapper (1.14) unstable; urgency=low

  * hardened-ld: add ...BINDNOW for -Wl,-z,now ELF markings.
  * debian/control: moved to standards version 3.8.2, no changes needed.
  * tests/Makefile: add tests for RELRO and BIND_NOW.
  * hardening-{cc,ld}.1: document BINDNOW and RELRO, add on to See Also.

 -- Kees Cook  Wed, 22 Jul 2009 19:52:00 -0700

hardening-wrapper (1.13) unstable; urgency=low

  * hardened-cc: add ...DEBUG_SYMLINKS to visualize symlink resolution.
  * hardened-cc: detect uninstalled targets and abort (Closes: #506066).
  * debian/{rules,postinst,postrm}: add links for gcc-4.4.
  * debian/control: moved to standards version 3.8.0, no changes needed.

 -- Kees Cook  Thu, 20 Nov 2008 23:25:52 -0800

hardening-wrapper (1.12) unstable; urgency=low

  * hardened-cc: add -nostdlib test missing from older gcc (gcc-4.0,
    gcc-4.1).
  * hardened-{cc,ld}: load system defaults from /etc/hardening-wrapper.conf
  * hardened-{cc,ld}.1: updated man pages to mention system-wide config.
  * hardened-{cc,ld}: handle relative symlinks correctly to address issues
    pointed out by Sedat Dilek.

 -- Kees Cook  Mon, 28 Apr 2008 15:51:57 -0700

hardening-wrapper (1.11) unstable; urgency=low

  * hardened-ld: disable PIE logic -- gcc should be the only part of the
    toolchain requesting PIE.
  * tests/Makefile: use -B instead of GCC_EXEC_PREFIX, which does not do the
    right thing on all architectures.

 -- Kees Cook  Mon, 14 Apr 2008 16:06:00 -0700

hardening-wrapper (1.10) unstable; urgency=low

  * hardened-cc, hardened-ld: re-arranged logic for "-pie". Old logic was
    resulting in failed compiles under cmake.
  * tests/Makefile: moved debian/rules tests into separate directory, added
    -fPIC test cases, based on issues uncovered by cmake.
  * debian/rules: disabled stack protector on mips, hppa -- not supported.

 -- Kees Cook  Mon, 14 Apr 2008 11:15:35 -0700

hardening-wrapper (1.9) unstable; urgency=low

  * debian/rules:
    - disable stack protector on arm, armel.
    - disable PIE on arm, armel (thanks to Riku Voipio, Closes: 475764).
    - show readelf output on test builds.
    - fully link by tricking gcc into running the ld test wrapper.
  * hello.c: re-arranged to exercise stack protector, report PIE.
  * hardened-ld: add env var way to force use of /usr/bin/ld during tests.

 -- Kees Cook  Sun, 13 Apr 2008 18:01:38 -0700

hardening-wrapper (1.8) unstable; urgency=low

  * debian/rules: disable stack protector on ia64 and alpha.

 -- Kees Cook  Sun, 23 Mar 2008 22:03:58 -0700

hardening-wrapper (1.7) unstable; urgency=low

  * debian/rules: corrected binary-arch target (Closes: 472324).

 -- Kees Cook  Sun, 23 Mar 2008 08:13:47 -0700

hardening-wrapper (1.6) unstable; urgency=low

  * debian/rules: build hardened-c++ from hardened-cc.
  * debian/{rules,control}, hardened-cc: disable PIE by default on m68k, hppa
    (Closes: #465827).
  * hello.c: added test program to catch architecture-specific failures.

 -- Kees Cook  Fri, 21 Mar 2008 11:20:53 -0700

hardening-wrapper (1.5) unstable; urgency=low

  * Fix typo in hardened-c++ self-check regex (Closes: #462682).

 -- Kees Cook  Sun, 27 Jan 2008 12:14:59 -0800

hardening-wrapper (1.4) unstable; urgency=low

  * hardened-ld: fix relro argument passing (ld silently takes any -z arg).

 -- Kees Cook  Wed, 23 Jan 2008 09:59:06 -0800

hardening-wrapper (1.3) unstable; urgency=low

  * hardened-{cc,c++}: fix -Wformat-security typo.
  * debian/postinst: only clean up old diversions on a versioned upgrade.
  * debian/postrm: do not require known arguments.

 -- Kees Cook  Wed, 23 Jan 2008 02:56:57 -0800

hardening-wrapper (1.2) unstable; urgency=low

  * Move away from generic "builder" prefix to "hardened".
  * Provide links for gcc 4.1, 4.2, and 4.3 instead of top-level links.
  * Provide manpage link for package name.
  * Clean up previous diversions.
  * Move to "all" arch since arch-dep symlinks are no longer used.

 -- Kees Cook  Tue, 22 Jan 2008 16:48:49 -0800

hardening-wrapper (1.1) unstable; urgency=low

  * Initial release.

 -- Kees Cook  Tue, 08 Jan 2008 16:00:58 -0800