[dnssec-trigger] * Tue May 13 2014 Paul Wouters <pwouters at redhat.com> - 0.11-21 - Enable full hardening (including PIE
Paul Wouters
pwouters at fedoraproject.org
Tue May 13 18:03:57 UTC 2014
commit bf7ee128834d4ca40ea454142c1fb8e47ac505f5
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue May 13 13:49:33 2014 -0400
* Tue May 13 2014 Paul Wouters <pwouters at redhat.com> - 0.11-21
- Enable full hardening (including PIE)
- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
dnssec-trigger.spec | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
---
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index c1a3557..f0fb46a 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -1,7 +1,9 @@
+%global _hardened_build 1
+
Summary: NetworkManager plugin to update/reconfigure DNSSEC resolving
Name: dnssec-trigger
Version: 0.11
-Release: 20%{?dist}
+Release: 21%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
Source: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
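Review bot: The `%global _hardened_build 1` line added at the top of the spec has no comment saying what it enables or why this package needs it. A one-line comment above it (for example, that it turns on PIE and full RELRO for the daemon, as the changelog entry says) would let a later packager see the intent without reading the changelog.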
@@ -53,9 +55,11 @@ sed -i "s/^dnssec-trigger-control/\/usr\/sbin\/dnssec-trigger-control/" 01-dnsse
%patch2 -p1
%patch3 -p1
%patch4 -p1
+# change default RSA key between deamon/control from 1536 to 3072
+sed -i "s/BITS=1536/BITS=3072/" dnssec-trigger-control-setup.sh.in
%build
-export LDFLAGS="$LDFLAGS -Wl,-z,now"
+export LDFLAGS="$LDFLAGS -pie -Wl,-z,relro,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
%configure --with-keydir=/etc/dnssec-trigger
%{__make} %{?_smp_mflags}
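Review bot: The `sed -i "s/BITS=1536/BITS=3072/"` line in %prep exits successfully even when nothing matches, so if upstream ever changes the default in dnssec-trigger-control-setup.sh.in the build keeps passing and the package ships whatever key size the file then contains. Follow the sed with a check such as `grep -q "BITS=3072" dnssec-trigger-control-setup.sh.in` so the build fails when the substitution did not apply. The comment above it misspells "daemon" as "deamon". In %build, the new LDFLAGS export spells out `-pie`, `-z,relro`, `-z,now` and a hard-coded path to `redhat-hardened-ld` even though `_hardened_build` is now set at the top of the spec; either add a comment explaining why both are needed or drop the manual flags and rely on the macro.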
@@ -138,6 +142,10 @@ fi
%systemd_postun_with_restart %{name}d.service
%changelog
+* Tue May 13 2014 Paul Wouters <pwouters at redhat.com> - 0.11-21
+- Enable full hardening (includig PIE)
+- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
+
* Wed Feb 19 2014 Tomas Hozza <thozza at redhat.com> - 0.11-20
- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content)
- HN-hook: Handle situation when connection does not have a device
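Review bot: The new %changelog entry misspells "including" as "includig", and its "Resolves" line only names the bug without saying what was changed. Stating the actual change (default RSA key size raised from 1536 to 3072 bits) and whether keys already generated on installed systems are affected would make the entry useful to someone reading the package changelog on its own.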