August in the archive – a view from the Ubuntu Server Team

The month of August saw a lot of activity in the archive, with Feature Freeze reached on Thursday, August the 28th.

PIE hardening

Kees Cook tackled one of the last points on his Ubuntu hardening list: enabling PIE (position-independent executables) for a subset of the archive. While other hardening measures have been implemented directly in gcc, PIE is enabled at the packaging level. Some of the packages natively support PIE in their build process, but for the vast majority PIE is enabled by adding a build dependency on hardening-wrapper and exporting DEB_BUILD_HARDENING=1 in the debian/rules file.

The lucky packages that now provide increased protection against vulnerabilities include:

  • apache2
  • bind9
  • dhcp3
  • dovecot
  • openldap
  • postfix
  • postgresql
  • samba
  • openssh

UFW package integration

Jamie Strandboge updated ufw to support application profiles. Packages can simply add profiles to /etc/ufw/applications.d and dpkg triggers will discover the changes and update ufw accordingly. Nicolas Valcárcel and Didier Roche jumped in and added ufw application profiles to the following packages:

  • apache2
  • bind9
  • dovecot
  • openssh
  • postfix
  • samba

Dovecot 1.1

Dovecot has been merged from the Debian experimental repository. This brings in support for the manage sieve protocol. Although Dovecot LDA has had support for sieve scripts for some time, end-user management of sieve scripts is greatly enhanced now. End users don’t need shell or FTP access to upload their sieve scripts any more.

Pam-auth-update support

Steve Langasek improved the support for PAM modules by implementing the Pam Config Framework specification. Packages can now declare which PAM modules they provide, and system administrators can use a central tool to choose which modules should be enabled for the system.

Several packages have been updated to support the new pam-auth-update command:

  • libpam-ldap
  • libpam-smbpass
  • libpam-cracklib
  • ecryptfs-utils (provides pam_ecryptfs)
  • libpam-ck-connector

Latest MySQL Community Edition

Following the upstream release, mysql 5.0.67 has been uploaded to the intrepid archive.

Openldap stable release

Openldap has been updated to version 2.4.11 which has been declared stable by the Openldap project:

The OpenLDAP Software stable release is the last release which has proven through general use to be the most reliable release available. OpenLDAP-2.4.11, as of 20080813, is considered stable.

The upload also marks the move from slapd.conf to the cn=config backend. Although slapd.conf support is still available, new installs and package upgrades will only support the cn=config backend.

