Does Debian 6.0 (Squeeze) have buffer overflow protection mechanisms?

security debian debian-squeeze

My question is: Which buffer overflow / stack smashing defenses (if any) are enabled by default in Debian 6.0 (Squeeze)?

Ubuntu has a handy summary table showing the main security features of each Server edition release, but I haven't found something similar for Debian. Ubuntu mentions:

  • Stack Protector (gcc's -fstack-protector)
  • Heap Protector (GNU C Library heap protector)
  • Pointer Obfuscation (Some pointers stored in glibc are obfuscated)
  • Address Space Layout Randomisation (ASLR) (Stack ASLR; Libs/mmap ASLR; Exec ASLR; brk ASLR; VDSO ASLR)
  • Several daemons built as Position Independent Executables (PIE)
  • Some daemons (?) built with Fortify Source "-D_FORTIFY_SOURCE=2"

To which extent does Debian 6.0 use similar techniques (by default)?


Unfortunately most (all?) of these defenses are not enabled on Debian. They have talked about it for years and there was some "hardened debian" project, but it has not lead to anything concrete so far from user's perspective. It is one of the rare distros which have not implemented these measures yet.

There is some more information at http://wiki.debian.org/Hardening:

After their meeting on the 14-16 January 2011, the debian security team announced in an email they intend to push the inclusion of hardening features for the wheezy release. A Birds of a Feather-session will be organized during the 2011 debconf to setup a process.

The referenced email is here: http://lists.debian.org/debian-devel-announce/2011/01/msg00006.html.

So maybe it is finally coming in "wheezy"...

This is the biggest single reason why I personally prefer running Ubuntu over Debian on my servers.

Related

Cloud hosting for windows domain controller, possible?
Gmail rejects emails. Openspf.net fails the tests
How do you monitor SSD wear in Windows when the drives are presented as 'generic' devices?
What effect does setting the manager field for a computer object in Active Directory have?
Everything says Applocker is supposed to work: Why doesn't it?
How to get puppet to stop on the first error in a Manifest?
how to do I/O sniffing
jenkins fails to connect to git repository
20Mbps WAN limited to 10Mbps over IPSec Tunnel
nginx proxy_pass rewrite of response header location
Risks of using django manage.py runserver for production in a small scale server, for internal use?
How to configure IIS 7.5 SSL \ TLS to work with iOS 9 ATS