August in the archive – a view from the Ubuntu Server Team
The month of August saw a lot of activity in the archive reaching Feature Freeze on Thursday, August the 28th.
Kees Cook tackled one of the last point on his hardening ubuntu list: enabling PIE for a subset of the archive. While other hardening measures have been implemented directly in gcc PIE is enabled at the packaging level. Some of the packages natively support PIE in their build process. But for the vast majority PIE is enabled by adding a build dependency on hardening-wrapper and exporting DEB_BUILD_HARDENING=1″ in the debian/rules file.
The lucky packages to provide increased protection against vulnerabilities include:
UFW package integration
Jamie Strandboge updated ufw to support application profiles. Packages can simply add profiles to /etc/ufw/applications.d and dpkg triggers will discover the changes and update ufw accordingly. Nicolas Valcárcel and Didier Roche jumped in and added ufw application profiles to the following packages:
Dovecot has been merged from Debian experimental repository. This brings in support for the manage sieve protocol. Although Dovecot LDA has had support for sieve scripts for some time end-users management of sieve scripts is greatly enhanced now. End users don’t need shell or FTP access to upload their sieve scripts any more.
Steve Langasek improved the support for pam modules by implementing the Pam Config Framework specification. Packages can now declare which pam modules they’re providing. A central tool can be used by system administrators to choose which modules should be enabled for the system.
Several packages have been updated to support the new pam-auth-update command:
- ecryptfs-utils (provides pam_ecryptfs)
Latest MySQL Community Edition
Following the upstream relase mysql 5.0.67 has been uploaded to the intrepid archive.
Openldap stable release
Openldap has been updated to version 2.4.11 which has been declared stable by the Openldap project:
The OpenLDAP Software stable release is the last release which has proven through general use to be the most reliable release available. OpenLDAP-2.4.11, as of 20080813, is considered stable.
The upload also marks the move from slapd.conf to the cn=config backend. Although slapd.conf support is still available new installs and package upgrades will only support the cn=config backend.