hardening-wrapper (2.3ubuntu1) saucy; urgency=low
* SSP is not (yet) supported on Aarch64.
-- Matthias Klose <doko@ubuntu.com> Sun, 21 Jul 2013 22:25:17 +0200
hardening-wrapper (2.3) unstable; urgency=low
* debian/hardening-wrapper.{prerm,postinst,links}, debian/README.Debian:
add gcc-4.8 to the diversion list, and sync list of compiler versions
(Closes: 681799).
* hardening-check: fix hash size check syntax (Closes: 682451).
-- Kees Cook <kees@debian.org> Sun, 16 Dec 2012 14:56:48 -0800
hardening-wrapper (2.2) unstable; urgency=low
* debian/control: add missing Dep on binutils, thanks to Stéphane Graber.
* hardened-cc: use "=" as argument separator for better interoperability
with dpkg-buildflags.
* hardening-check: reset tag list for each argument (Closes: 677530).
-- Kees Cook <kees@debian.org> Thu, 14 Jun 2012 09:40:03 -0700
hardening-wrapper (2.1) unstable; urgency=low
* hardening-check:
- handle _local suffix for non-ELF i386 objects (Closes: 666895).
- add "-h" for "--help".
- sort and indent libc function list for easier review.
* Makefile: retain newlines when generating libc function list.
-- Kees Cook <kees@debian.org> Mon, 02 Apr 2012 08:18:52 -0700
hardening-wrapper (2.0) unstable; urgency=low
* hardening-check: add color, based on a patch from Simon Ruderich.
* hardening-check: fix lintian tag for non-PIE ELF to "no-pie".
* debian/rules, debian/hardening-wrapper.{prerm,postinst}: add gcc-4.7
to the diversion list (Closes: 666520).
* debian/control:
- fix Vcs-Browser link for loggerhead (Closes: 664495).
- add Multiarch tag to hardening-includes (Closes: 666471).
* Makefile, debian/*: convert to dh(1).
* hardening-check: generate list of libc functions at build time.
* hardening-check, tests/Makefile.common: add support for scanning
object archives for stack-protector and fortify (Closes: 664862).
-- Kees Cook <kees@debian.org> Sat, 31 Mar 2012 16:32:03 -0700
hardening-wrapper (1.36) unstable; urgency=low
* hardening-check: fix function-finder to accept IFUNC too, improve
reporting slightly, improve manpage to explain false alarms.
-- Kees Cook <kees@debian.org> Fri, 27 Jan 2012 12:07:45 -0800
hardening-wrapper (1.35) unstable; urgency=low
* debian/control: switch to "optional" priority so lintian can depend
on hardening-includes.
* hardening-check: rewrite in Perl, add "--lintian" mode, to support
fixing bug 650536.
-- Kees Cook <kees@debian.org> Thu, 01 Dec 2011 10:15:35 -0800
hardening-wrapper (1.34) unstable; urgency=low
* debian/control: update VCS tags for bzr.
* hardening{-check,.make}: correct documentation from -O2 to -O1.
* hardened-{cc,ld}, hardening.make, debian/rules: use DEB_HOST_ARCH instead
of DEB_HOST_ARCH_CPU for behavioral defaults (Closes: 635642).
-- Kees Cook <kees@debian.org> Thu, 28 Jul 2011 12:55:17 -0700
hardening-wrapper (1.33) unstable; urgency=low
* debian/control:
- bump to standards 3.9.2; no changes needed
- hardening-wrapper: mark as Multi-Arch: foreign for build sanity.
* debian/source/format: mark as 3.0 native.
-- Kees Cook <kees@debian.org> Sun, 03 Jul 2011 11:28:00 -0700
hardening-wrapper (1.32) unstable; urgency=low
* debian/rules, debian/hardening-wrapper.{prerm,preinst,postinst}:
remove gcc-4.1 diversions since it has been removed from unstable.
* hardened-cc, hardening.make: add "-Werror=format-security" by default
(Closes: #587358).
* tests/Makefile.common, tests/format.c: add test for newly added
"-Werror=format-security" default option.
* hardened-cc, hardening.make: add "--param ssp-buffer-size=4" by
default to catch smaller character arrays.
* tests/Makefile.common, tests/ssp-buffer-size-{protect,skip}.c:
add tests for newly added "--param ssp-buffer-size=4" default.
* debian/README.Debian: updated to include newly added options.
* hardened-cc: disable -fstack-protector when -ffreestanding used.
* hardening.make: provide examples for working around build-time
collisions between "-fPIE" and "-fPIC" (Closes: #596150).
-- Kees Cook <kees@debian.org> Fri, 18 Feb 2011 10:57:52 -0800
hardening-wrapper (1.31) unstable; urgency=low
* tests/Makefile.common: do not require @@GLIBC suffix for nm tests.
* tests/Makefile.wrapper: include symlink for ld.gold testing.
* hardening-check: improve hardening-check to parse BIND_NOW also from
the FLAGS dynamic section.
-- Kees Cook <kees@debian.org> Fri, 14 Jan 2011 10:19:01 -0800
hardening-wrapper (1.30) unstable; urgency=low
* debian/README.Debian: update for gcc versions, include minimal
notes on hardening-includes (Closes: 592847, 592846).
* debian/rules, debian/hardening-wrapper.{prerm,postinst}: add gcc-4.6
to the diversion list.
* debian/control: remove binutils-multiarch conflict now that ld.bfd
is no longer diverted.
-- Kees Cook <kees@debian.org> Tue, 11 Jan 2011 07:54:28 -0800
hardening-wrapper (1.29) unstable; urgency=low
* debian/control: add Conflicts for binutils-multiarch (Closes: 579409,
LP: #596136).
* debian/hardening-wrapper.postrm: remove attempted diversions on
installation failure.
-- Kees Cook <kees@debian.org> Fri, 09 Jul 2010 09:33:15 -0700
hardening-wrapper (1.28) unstable; urgency=low
* hardening.make: enable PIE on hurd (Closes: 586215), thanks to
Samuel Thibault.
-- Kees Cook <kees@debian.org> Sun, 20 Jun 2010 12:36:32 -0700
hardening-wrapper (1.27) unstable; urgency=low
* hardening.make:
- disable RELRO on avr32.
- clarify use of CXXFLAGS.
* hardening-check: fix regex to correctly call sed (Closes: 578488).
-- Kees Cook <kees@debian.org> Fri, 23 Apr 2010 16:16:25 -0700
hardening-wrapper (1.26) unstable; urgency=low
* hardening.make: disable PIE on avr32 (Closes: 574716).
-- Kees Cook <kees@debian.org> Sun, 21 Mar 2010 09:45:52 -0700
hardening-wrapper (1.25) unstable; urgency=low
* debian/control:
- bump standards version: no changes needed.
- should not be considered "experimental".
* hardening-check: use readelf's "-s" instead of "-r" to avoid issues
with archs that lack sane relocations.
* tests/Makefile.common:
- adjust tests to include -s output.
- weaken nm symbol matching.
-- Kees Cook <kees@debian.org> Mon, 01 Mar 2010 14:54:34 -0800
hardening-wrapper (1.24) unstable; urgency=low
* hardening-check: handle alternate names for relocation jump slots
(Closes: 568622)
* tests/Makefile.common: show relocations as well for future debugging.
-- Kees Cook <kees@debian.org> Tue, 09 Feb 2010 15:44:19 -0800
hardening-wrapper (1.23) unstable; urgency=low
* hardening.make: correctly document how to disable PIE on a per-target
basis (Closes: 567707).
* tests/Makefile.{common,includes}: add HARDENING_DISABLE_* flags tests.
-- Kees Cook <kees@debian.org> Sat, 30 Jan 2010 13:32:14 -0800
hardening-wrapper (1.22) unstable; urgency=low
* debian/hardening-wrapper.postrm: fix typo in diversion name
(Closes: 564840).
-- Kees Cook <kees@debian.org> Tue, 12 Jan 2010 06:18:04 -0800
hardening-wrapper (1.21) unstable; urgency=low
* debian/control: add ${misc:Depends} to control file entries to
keep lintian happy.
* hardening-check: add -q option to only report failures.
* really handle gcc 4.5 diversion (Closes: 564596).
* handle ld diversion when binutils-gold installed (Closes: 535037).
-- Kees Cook <kees@debian.org> Sun, 10 Jan 2010 12:35:38 -0800
hardening-wrapper (1.20) unstable; urgency=low
* hardening.make:
- switch to "filter" for easier to read logic.
- allow PIE for arm/armel, since it's only the kernel that lacks ASLR.
* tests/Makefile: perform test builds with -fstack-protector and -fPIE -pie
on all architectures just to have a record of the success/failure
in the build logs, even if we are manually selecting the defaults.
-- Kees Cook <kees@debian.org> Fri, 25 Dec 2009 16:34:24 -0800
hardening-wrapper (1.19) unstable; urgency=low
* debian/rules: fix up arch/arch-indep rules to avoid rebuilding
arch-indep bits repeatedly.
* hardening-check, debian/{rules,hardening-includes.manpages},
tests/Makefile.common: add helper utility to allow users of
hardening-includes to evaluate the state of a given binary's
resulting hardening features.
* debian/rules: add gcc-4.5 to the diversion list.
-- Kees Cook <kees@debian.org> Thu, 24 Dec 2009 00:02:02 -0800
hardening-wrapper (1.18) unstable; urgency=low
* debian/{control,rules}: add "hardening-includes" for use in other
Debian rules files.
* debian/rules, hardening.make: relocate/enhance architecture logic
to common makefile include file.
* tests/*: update to test both wrapper and include style.
-- Kees Cook <kees@debian.org> Sat, 19 Dec 2009 18:00:22 -0800
hardening-wrapper (1.17) unstable; urgency=low
* Add Conflicts on binutils-gold, which also uses diversions against
gcc and friends (Closes: 535037, LP: #442636).
-- Kees Cook <kees@debian.org> Wed, 25 Nov 2009 11:40:43 -0800
hardening-wrapper (1.16) unstable; urgency=low
* tests/Makefile: exclude relro test on hppa.
-- Kees Cook <kees@debian.org> Thu, 29 Oct 2009 21:21:55 -0700
hardening-wrapper (1.15) unstable; urgency=low
* tests/Makefile: exclude tests based on architecture (ia64 w/o relro).
* debian/rules: disable PIE on mips/mipsel until bug 532821 is solved
(Closes: #548250).
-- Kees Cook <kees@debian.org> Thu, 24 Sep 2009 15:34:51 -0700
hardening-wrapper (1.14) unstable; urgency=low
* hardened-ld: add ...BINDNOW for -Wl,-z,now ELF markings.
* debian/control: moved to standards version 3.8.2, no changes needed.
* tests/Makefile: add tests for RELRO and BIND_NOW.
* hardening-{cc,ld}.1: document BINDNOW and RELRO, add on to See Also.
-- Kees Cook <kees@debian.org> Wed, 22 Jul 2009 19:52:00 -0700
hardening-wrapper (1.13) unstable; urgency=low
* hardened-cc: add ...DEBUG_SYMLINKS to visualize symlink resolution.
* hardened-cc: detect uninstalled targets and abort (Closes: #506066).
* debian/{rules,postinst,postrm}: add links for gcc-4.4.
* debian/control: moved to standards version 3.8.0, no changes needed.
-- Kees Cook <kees@outflux.net> Thu, 20 Nov 2008 23:25:52 -0800
hardening-wrapper (1.12) unstable; urgency=low
* hardened-cc: add -nostdlib test missing from older gcc (gcc-4.0, gcc-4.1).
* hardened-{cc,ld}: load system defaults from /etc/hardening-wrapper.conf
* hardened-{cc,ld}.1: updated man pages to mention system-wide config.
* hardened-{cc,ld}: handle relative symlinks correctly to address issues
pointed out by Sedat Dilek.
-- Kees Cook <kees@outflux.net> Mon, 28 Apr 2008 15:51:57 -0700
hardening-wrapper (1.11) unstable; urgency=low
* hardened-ld: disable PIE logic -- gcc should be the only part of the
toolchain requesting PIE.
* tests/Makefile: use -B instead of GCC_EXEC_PREFIX, which does not
do the right thing on all architectures.
-- Kees Cook <kees@outflux.net> Mon, 14 Apr 2008 16:06:00 -0700
hardening-wrapper (1.10) unstable; urgency=low
* hardened-cc, hardened-ld: re-arranged logic for "-pie". Old logic
was resulting in failed compiles under cmake.
* tests/Makefile: moved debian/rules tests into separate directory,
added -fPIC test cases, based on issues uncovered by cmake.
* debian/rules: disabled stack protector on mips, hppa -- not supported.
-- Kees Cook <kees@outflux.net> Mon, 14 Apr 2008 11:15:35 -0700
hardening-wrapper (1.9) unstable; urgency=low
* debian/rules:
- disable stack protector on arm, armel.
- disable PIE on arm, armel (thanks to Riku Voipio, Closes: 475764).
- show readelf output on test builds.
- fully link by tricking gcc into running the ld test wrapper.
* hello.c: re-arranged to exercise stack protector, report PIE.
* hardened-ld: add env var way to force use of /usr/bin/ld during tests.
-- Kees Cook <kees@outflux.net> Sun, 13 Apr 2008 18:01:38 -0700
hardening-wrapper (1.8) unstable; urgency=low
* debian/rules: disable stack protector on ia64 and alpha.
-- Kees Cook <kees@outflux.net> Sun, 23 Mar 2008 22:03:58 -0700
hardening-wrapper (1.7) unstable; urgency=low
* debian/rules: corrected binary-arch target (Closes: 472324).
-- Kees Cook <kees@outflux.net> Sun, 23 Mar 2008 08:13:47 -0700
hardening-wrapper (1.6) unstable; urgency=low
* debian/rules: build hardened-c++ from hardened-cc.
* debian/{rules,control}, hardened-cc: disable PIE by default on m68k,
hppa (Closes: #465827).
* hello.c: added test program to catch architecture-specific failures.
-- Kees Cook <kees@outflux.net> Fri, 21 Mar 2008 11:20:53 -0700
hardening-wrapper (1.5) unstable; urgency=low
* Fix typo in hardened-c++ self-check regex (Closes: #462682).
-- Kees Cook <kees@outflux.net> Sun, 27 Jan 2008 12:14:59 -0800
hardening-wrapper (1.4) unstable; urgency=low
* hardened-ld: fix relro argument passing (ld silently takes any -z arg).
-- Kees Cook <kees@outflux.net> Wed, 23 Jan 2008 09:59:06 -0800
hardening-wrapper (1.3) unstable; urgency=low
* hardened-{cc,c++}: fix -Wformat-security typo.
* debian/postinst: only clean up old diversions on a versioned upgrade.
* debian/postrm: do not require known arguments.
-- Kees Cook <kees@outflux.net> Wed, 23 Jan 2008 02:56:57 -0800
hardening-wrapper (1.2) unstable; urgency=low
* Move away from generic "builder" prefix to "hardened".
* Provide links for gcc 4.1, 4.2, and 4.3 instead of top-level links.
* Provide manpage link for package name.
* Clean up previous diversions.
* Move to "all" arch since arch-dep symlinks are no longer used.
-- Kees Cook <kees@outflux.net> Tue, 22 Jan 2008 16:48:49 -0800
hardening-wrapper (1.1) unstable; urgency=low
* Initial release.
-- Kees Cook <kees@outflux.net> Tue, 08 Jan 2008 16:00:58 -0800