macros: use -fstack-protector-strong instead of '-fstack-protector --param=ssp-buffer-size=4' in %_ssp_cflags

Recommended in https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html

2 files changed, 2 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 45bffe3..78a5c25 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@
 - rpmrc: add -mbranch-protection=standard to aarch64 default flags
 - rpmrc: drop arches we don't really support
 - rpmrc: drop arch_compat also available in /usr/lib/rpm/rpmrc
+- macros: use -fstack-protector-strong instead of '-fstack-protector --param=ssp-buffer-size=4' in %_ssp_cflags
 - macros: use -Wl,-z,now with -Wl,-z,relro unless _disable_ld_now is defined
 - mangle script shebangs
 
diff --git a/macros.in b/macros.in
index 18178c0..0ee6fb3 100644
--- a/macros.in
+++ b/macros.in
@@ -251,7 +251,7 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} -
 # cf http://wiki.mandriva.com/en/Development/Packaging/Problems#format_not_a_string_literal_and_no_format_arguments
 %Werror_cflags -Wformat -Werror=format-security
 
-%_ssp_cflags -fstack-protector --param=ssp-buffer-size=4%{?_serverbuild_flags: %_serverbuild_flags}
+%_ssp_cflags -fstack-protector-strong %{?_serverbuild_flags: %_serverbuild_flags}
 %__common_cflags -O2 %{debugcflags} -pipe %{Werror_cflags} %{?_fortify_cflags}%{?_legacy_common_support: -fcommon}
 %__common_cflags_with_ssp %{__common_cflags} %{?_ssp_cflags}