~ubuntu-branches/ubuntu/saucy/hardening-wrapper/saucy-proposed

hardening-wrapper (2.3ubuntu1) saucy; urgency=low

  * SSP is not (yet) supported on Aarch64.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 21 Jul 2013 22:25:17 +0200

hardening-wrapper (2.3) unstable; urgency=low

  * debian/hardening-wrapper.{prerm,postinst,links}, debian/README.Debian:
    add gcc-4.8 to the diversion list, and sync list of compiler versions
    (Closes: 681799).
  * hardening-check: fix hash size check syntax (Closes: 682451).

 -- Kees Cook <kees@debian.org>  Sun, 16 Dec 2012 14:56:48 -0800

hardening-wrapper (2.2) unstable; urgency=low

  * debian/control: add missing Dep on binutils, thanks to Stéphane Graber.
  * hardened-cc: use "=" as argument separator for better interoperability
    with dpkg-buildflags.
  * hardening-check: reset tag list for each argument (Closes: 677530).

 -- Kees Cook <kees@debian.org>  Thu, 14 Jun 2012 09:40:03 -0700

hardening-wrapper (2.1) unstable; urgency=low

  * hardening-check:
    - handle _local suffix for non-ELF i386 objects (Closes: 666895).
    - add "-h" for "--help".
    - sort and indent libc function list for easier review.
  * Makefile: retain newlines when generating libc function list.

 -- Kees Cook <kees@debian.org>  Mon, 02 Apr 2012 08:18:52 -0700

hardening-wrapper (2.0) unstable; urgency=low

  * hardening-check: add color, based on a patch from Simon Ruderich.
  * hardening-check: fix lintian tag for non-PIE ELF to "no-pie".
  * debian/rules, debian/hardening-wrapper.{prerm,postinst}: add gcc-4.7
    to the diversion list (Closes: 666520).
  * debian/control:
    - fix Vcs-Browser link for loggerhead (Closes: 664495).
    - add Multiarch tag to hardening-includes (Closes: 666471).
  * Makefile, debian/*: convert to dh(1).
  * hardening-check: generate list of libc functions at build time.
  * hardening-check, tests/Makefile.common: add support for scanning
    object archives for stack-protector and fortify (Closes: 664862).

 -- Kees Cook <kees@debian.org>  Sat, 31 Mar 2012 16:32:03 -0700

hardening-wrapper (1.36) unstable; urgency=low

  * hardening-check: fix function-finder to accept IFUNC too, improve
    reporting slightly, improve manpage to explain false alarms.

 -- Kees Cook <kees@debian.org>  Fri, 27 Jan 2012 12:07:45 -0800

hardening-wrapper (1.35) unstable; urgency=low

  * debian/control: switch to "optional" priority so lintian can depend
    on hardening-includes.
  * hardening-check: rewrite in Perl, add "--lintian" mode, to support
    fixing bug 650536.

 -- Kees Cook <kees@debian.org>  Thu, 01 Dec 2011 10:15:35 -0800

hardening-wrapper (1.34) unstable; urgency=low

  * debian/control: update VCS tags for bzr.
  * hardening{-check,.make}: correct documentation from -O2 to -O1.
  * hardened-{cc,ld}, hardening.make, debian/rules: use DEB_HOST_ARCH instead
    of of DEB_HOST_ARCH_CPU for behavioral defaults (Closes: 635642).

 -- Kees Cook <kees@debian.org>  Thu, 28 Jul 2011 12:55:17 -0700

hardening-wrapper (1.33) unstable; urgency=low

  * debian/control:
    - bump to standards 3.9.2; no changes needed
    - hardening-wrapper: mark as Multi-Arch: foreign for build sanity.
  * debian/source/format: mark as 3.0 native.

 -- Kees Cook <kees@debian.org>  Sun, 03 Jul 2011 11:28:00 -0700

hardening-wrapper (1.32) unstable; urgency=low

  * debian/rules, debian/hardening-wrapper.{prerm,preinst,postinst}:
    remove gcc-4.1 diversions since it has been removed from unstable.
  * hardened-cc, hardening.make: add "-Werror=format-security" by default
    (Closes: #587358).
  * tests/Makefile.common, tests/format.c: add test for newly added
    "-Werror=format-security" default option.
  * hardened-cc, hardening.make: add "--param ssp-buffer-size=4" by
    default to catch smaller character arrays.
  * tests/Makefile.common, tests/ssp-buffer-size-{protect,skip}.c:
    add tests for newly added "--param ssp-buffer-size=4" default.
  * debian/README.Debian: updated to include newly added options.
  * hardened-cc: disable -fstack-protector when -ffreestanding used.
  * hardening.make: provide examples for working around build-time
    collisions between "-fPIE" and "-fPIC" (Closes: #596150).

 -- Kees Cook <kees@debian.org>  Fri, 18 Feb 2011 10:57:52 -0800

hardening-wrapper (1.31) unstable; urgency=low

  * tests/Makefile.common: do not require @@GLIBC suffix for nm tests.
  * tests/Makefile.wrapper: include symlink for ld.gold testing.
  * hardening-check: improve hardening-check to parse BIND_NOW also from
    the FLAGS dynamic section.

 -- Kees Cook <kees@debian.org>  Fri, 14 Jan 2011 10:19:01 -0800

hardening-wrapper (1.30) unstable; urgency=low

  * debian/README.Debian: update for gcc versions, include minimal
    notes on hardening-includes (Closes: 592847, 592846).
  * debian/rules, debian/hardening-wrapper.{prerm,postinst}: add gcc-4.6
    to the diversion list.
  * debian/control: remove binutils-multiarch conflict now that ld.bfd
    is no longer diverted.

 -- Kees Cook <kees@debian.org>  Tue, 11 Jan 2011 07:54:28 -0800

hardening-wrapper (1.29) unstable; urgency=low

  * debian/control: add Conflicts for binutils-multiarch (Closes: 579409,
    LP: #596136).
  * debian/hardening-wrapper.postrm: remove attempted diversions on
    installation failure.

 -- Kees Cook <kees@debian.org>  Fri, 09 Jul 2010 09:33:15 -0700

hardening-wrapper (1.28) unstable; urgency=low

  * hardening.make: enable PIE on hurd (Closes: 586215), thanks to
    Samuel Thibault.

 -- Kees Cook <kees@debian.org>  Sun, 20 Jun 2010 12:36:32 -0700

hardening-wrapper (1.27) unstable; urgency=low

  * hardening.make:
    - disable RELRO on avr32.
    - clarify use of CXXFLAGS.
  * hardening-check: fix regex to correctly call sed (Closes: 578488).

 -- Kees Cook <kees@debian.org>  Fri, 23 Apr 2010 16:16:25 -0700

hardening-wrapper (1.26) unstable; urgency=low

  * hardening.make: disable PIE on avr32 (Closes: 574716).

 -- Kees Cook <kees@debian.org>  Sun, 21 Mar 2010 09:45:52 -0700

hardening-wrapper (1.25) unstable; urgency=low

  * debian/control:
    - bump standards version: no changes needed.
    - should not be considered "experimental".
  * hardening-check: use readelf's "-s" instead of "-r" to avoid issues
    with archs that lack sane relocations.
  * tests/Makefile.common:
    - adjust tests to include -s output.
    - weaken nm symbol matching.

 -- Kees Cook <kees@debian.org>  Mon, 01 Mar 2010 14:54:34 -0800

hardening-wrapper (1.24) unstable; urgency=low

  * hardening-check: handle alternate names for relocation jump slots
    (Closes: 568622)
  * tests/Makefile.common: show relocations as well for future debugging.

 -- Kees Cook <kees@debian.org>  Tue, 09 Feb 2010 15:44:19 -0800

hardening-wrapper (1.23) unstable; urgency=low

  * hardening.make: correctly document how to disable PIE on a per-target
    basis (Closes: 567707).
  * tests/Makefile.{common,includes}: add HARDENING_DISABLE_* flags tests.

 -- Kees Cook <kees@debian.org>  Sat, 30 Jan 2010 13:32:14 -0800

hardening-wrapper (1.22) unstable; urgency=low

  * debian/hardening-wrapper.postrm: fix typo in diversion name
    (Closes: 564840).

 -- Kees Cook <kees@debian.org>  Tue, 12 Jan 2010 06:18:04 -0800

hardening-wrapper (1.21) unstable; urgency=low

  * debian/control: add ${misc:Depends} to control file entries to
    keep lintian happy.
  * hardening-check: add -q option to only report failures.
  * really handle gcc 4.5 diversion (Closes: 564596).
  * handle ld diversion when binutils-gold installed (Closes: 535037).

 -- Kees Cook <kees@debian.org>  Sun, 10 Jan 2010 12:35:38 -0800

hardening-wrapper (1.20) unstable; urgency=low

  * hardening.make:
    - switch to "filter" for easier to read logic.
    - allow PIE for arm/armel, since it's only the kernel that lacks ASLR.
  * tests/Makefile: perform test builds with -fstack-protector and -fPIE -pie
    on all architectures just to have a record of the success/failure
    in the build logs, even if we are manually selecting the defaults.

 -- Kees Cook <kees@debian.org>  Fri, 25 Dec 2009 16:34:24 -0800

hardening-wrapper (1.19) unstable; urgency=low

  * debian/rules: fix up arch/arch-indep rules to avoid rebuilding
    arch-indep bits repeatedly.
  * hardening-check, debian/{rules,hardening-includes.manpages},
    tests/Makefile.common: add helper utility to allow users of
    hardening-includes to evaluate the state of a given binary's
    resulting hardening features.
  * debian/rules: add gcc-4.5 to the diversion list.

 -- Kees Cook <kees@debian.org>  Thu, 24 Dec 2009 00:02:02 -0800

hardening-wrapper (1.18) unstable; urgency=low

  * debian/{control,rules}: add "hardening-includes" for use in other
    Debian rules files.
  * debian/rules, hardening.make: relocate/enhance architecture logic
    to common makefile include file.
  * tests/*: update to test both wrapper and include style.

 -- Kees Cook <kees@debian.org>  Sat, 19 Dec 2009 18:00:22 -0800

hardening-wrapper (1.17) unstable; urgency=low

  * Add Conflicts on binutils-gold, which also uses diversions against
    gcc and friends (Closes: 535037, LP: #442636).

 -- Kees Cook <kees@debian.org>  Wed, 25 Nov 2009 11:40:43 -0800

hardening-wrapper (1.16) unstable; urgency=low

  * tests/Makefile: exclude relro test on hppa.

 -- Kees Cook <kees@debian.org>  Thu, 29 Oct 2009 21:21:55 -0700

hardening-wrapper (1.15) unstable; urgency=low

  * tests/Makefile: exclude tests based on architecture (ia64 w/o relro).
  * debian/rules: disable PIE on mips/mipsel until bug 532821 is solved
    (Closes: #548250).

 -- Kees Cook <kees@debian.org>  Thu, 24 Sep 2009 15:34:51 -0700

hardening-wrapper (1.14) unstable; urgency=low

  * hardened-ld: add ...BINDNOW for -Wl,-z,now ELF markings.
  * debian/control: moved to standards version 3.8.2, no changes needed.
  * tests/Makefile: add tests for RELRO and BIND_NOW.
  * hardening-{cc,ld}.1: document BINDNOW and RELRO, add on to See Also.

 -- Kees Cook <kees@debian.org>  Wed, 22 Jul 2009 19:52:00 -0700

hardening-wrapper (1.13) unstable; urgency=low

  * hardened-cc: add ...DEBUG_SYMLINKS to visualize symlink resolution.
  * hardened-cc: detect uninstalled targets and abort (Closes: #506066).
  * debian/{rules,postinst,postrm}: add links for gcc-4.4.
  * debian/control: moved to standards version 3.8.0, no changes needed.

 -- Kees Cook <kees@outflux.net>  Thu, 20 Nov 2008 23:25:52 -0800

hardening-wrapper (1.12) unstable; urgency=low

  * hardened-cc: add -nostdlib test missing from older gcc (gcc-4.0, gcc-4.1).
  * hardened-{cc,ld}: load system defaults from /etc/hardening-wrapper.conf
  * hardened-{cc,ld}.1: updated man pages to mention system-wide config.
  * hardened-{cc,ld}: handle relative symlinks correctly to address issues
    pointed out by Sedat Dilek.

 -- Kees Cook <kees@outflux.net>  Mon, 28 Apr 2008 15:51:57 -0700

hardening-wrapper (1.11) unstable; urgency=low

  * hardened-ld: disable PIE logic -- gcc should be the only part of the
    toolchain requesting PIE.
  * tests/Makefile: use -B instead of GCC_EXEC_PREFIX, which does not
    do the right thing on all architectures.

 -- Kees Cook <kees@outflux.net>  Mon, 14 Apr 2008 16:06:00 -0700

hardening-wrapper (1.10) unstable; urgency=low

  * hardened-cc, hardened-ld: re-arranged logic for "-pie".  Old logic
    was resulting in failed compiles under cmake.
  * tests/Makefile: moved debian/rules tests into separate directory,
    added -fPIC test cases, based on issues uncovered by cmake.
  * debian/rules: disabled stack protector on mips, hppa -- not supported.

 -- Kees Cook <kees@outflux.net>  Mon, 14 Apr 2008 11:15:35 -0700

hardening-wrapper (1.9) unstable; urgency=low

  * debian/rules:
    - disable stack protector on arm, armel.
    - disable PIE on arm, armel (thanks to Riku Voipio, Closes: 475764).
    - show readelf output on test builds.
    - fully link by tricking gcc into running the ld test wrapper.
  * hello.c: re-arranged to exercise stack protector, report PIE.
  * hardened-ld: add env var way to force use of /usr/bin/ld during tests.

 -- Kees Cook <kees@outflux.net>  Sun, 13 Apr 2008 18:01:38 -0700

hardening-wrapper (1.8) unstable; urgency=low

  * debian/rules: disable stack protector on ia64 and alpha.

 -- Kees Cook <kees@outflux.net>  Sun, 23 Mar 2008 22:03:58 -0700

hardening-wrapper (1.7) unstable; urgency=low

  * debian/rules: corrected binary-arch target (Closes: 472324).

 -- Kees Cook <kees@outflux.net>  Sun, 23 Mar 2008 08:13:47 -0700

hardening-wrapper (1.6) unstable; urgency=low

  * debian/rules: build hardened-c++ from hardened-cc.
  * debian/{rules,control}, hardened-cc: disable PIE by default on m68k,
    hppa (Closes: #465827).
  * hello.c: added test program to catch architecture-specific failures.

 -- Kees Cook <kees@outflux.net>  Fri, 21 Mar 2008 11:20:53 -0700

hardening-wrapper (1.5) unstable; urgency=low

  * Fix typo in hardened-c++ self-check regex (Closes: #462682).

 -- Kees Cook <kees@outflux.net>  Sun, 27 Jan 2008 12:14:59 -0800

hardening-wrapper (1.4) unstable; urgency=low

  * hardened-ld: fix relro argument passing (ld silently takes any -z arg).

 -- Kees Cook <kees@outflux.net>  Wed, 23 Jan 2008 09:59:06 -0800

hardening-wrapper (1.3) unstable; urgency=low

  * hardened-{cc,c++}: fix -Wformat-security typo.
  * debian/postinst: only clean up old diversions on a versioned upgrade.
  * debian/postrm: do not require known arguments.

 -- Kees Cook <kees@outflux.net>  Wed, 23 Jan 2008 02:56:57 -0800

hardening-wrapper (1.2) unstable; urgency=low

  * Move away from generic "builder" prefix to "hardened".
  * Provide links for gcc 4.1, 4.2, and 4.3 instead of top-level links.
  * Provide manpage link for package name.
  * Clean up previous diversions.
  * Move to "all" arch since arch-dep symlinks are no longer used.

 -- Kees Cook <kees@outflux.net>  Tue, 22 Jan 2008 16:48:49 -0800

hardening-wrapper (1.1) unstable; urgency=low

  * Initial release.

 -- Kees Cook <kees@outflux.net>  Tue, 08 Jan 2008 16:00:58 -0800