[ubuntu-hardened] Probably not in time for Hardy, but just maybe...
jeffschroed at gmail.com
Thu Mar 27 23:27:58 GMT 2008
On Thu, Mar 27, 2008 at 3:58 PM, Kees Cook <kees at ubuntu.com> wrote:
> On Thu, Mar 27, 2008 at 03:44:25PM -0700, Jeff Schroeder wrote:
> > A little security never hurt anyone. If memory serves, these make ASLR
> > pretty much complete in Linux. Now you don't need to use PaX for ASLR
> > anymore.
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cc503c1b43e002e3f1fed70f46d947e2bf349bb6
> This is already in Hardy -- I made sure of it. Note that to use it,
> you need to have a PIE-compiled application to start with (same was true
> for PaX). We don't have a lot of those, but we do have some in Hardy
> (ssh and dbus, AFAIR).
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c1d171a002942ea2d93b4fbd0c9583c56fce0772
> This would have been nice to have, except that Jiri already went several
> rounds with the PIE patches (for which I was doing testing) that had
> various regressions, that I didn't want to introduce the brk offset
> randomization too. This will be in intrepid though, and hopefully with
> PIE builds by default we'll be totally done. :)
>  http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/
Is there a sane way to get the compile flags without having every
single source archive in the repository to see what is PIE and what's
Is avahi on that list? Even with a chroot, it worries me that it is
installed and listening by default.
Don't drink and derive, alcohol and analysis don't mix.