On 12/03/13 13:57, Michael Lustfield wrote:
> precautionary - That would mean we assume that making the change won't
> break anything. We're setting this for new installs but forcing it on
> already deployed systems wouldn't be a good idea. We could add a NEWS
> entry to recommend making this change. It's definitely not a good idea
> to force it to happen.
I think there is a duty to fix it on upgrade, otherwise having <fixed version> installed will not be an indication that the system is patched for CVE-2013-0337.

Of course if owner/group/permissions were changed in any way since the older nginx package version was installed, I would leave them alone. Otherwise, if removing world read/execute permissions, changing the owner/group to www-data:adm eliminates most risk of anything breaking.

The only problem I foresee is the last (unlikely, and inherently secure) example I gave in [#44], where world readable logs are assumed. That could be so easily fixed by adding appropriate users into the adm group, or overriding owner/group/permissions of /var/log/nginx afterward.

[#44]: http://bugs.debian.org/701112#44

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
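An added example, not code from this bug thread or from the Debian nginx package: a postinst-style shell helper implementing the upgrade rule described above (change owner/group to www-data:adm and strip world read/execute only when the path still carries what the older package set; otherwise preserve the local change). The old defaults root:root 0755, the DRY_RUN knob and the function name are assumptions for illustration; it relies on GNU stat.

```shell
# Hypothetical postinst helper (added example, not the package's own code).
# Assumed old defaults: the older package created /var/log/nginx as root:root 0755.
# Set DRY_RUN=1 to report the intended change without touching the filesystem.
# Exit status: 0 = fixed (or would fix), 1 = preserved local change, 2 = error.
harden_nginx_logdir() {
    path=$1                      # e.g. /var/log/nginx (or one of its log files)
    old_owner=${2:-root:root}    # owner:group the older package set (assumed)
    old_mode=${3:-755}           # octal mode the older package set (assumed)
    new_owner=www-data:adm       # target proposed in the thread

    [ -e "$path" ] || { echo "skip: $path does not exist" >&2; return 2; }

    cur_owner=$(stat -c '%U:%G' "$path") || return 2
    cur_mode=$(stat -c '%a' "$path") || return 2

    # Anything changed by the admin since the old package was installed is left alone.
    if [ "$cur_owner" != "$old_owner" ] || [ "$cur_mode" != "$old_mode" ]; then
        echo "preserve: $path is $cur_owner $cur_mode (locally modified)"
        return 1
    fi

    # Drop the "other" permission bits entirely: 755 -> 750, 644 -> 640.
    new_mode=${cur_mode%?}0

    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: chown $new_owner $path; chmod $new_mode $path"
    else
        chown "$new_owner" "$path" && chmod "$new_mode" "$path" || return 2
    fi
    echo "fixed: $path is now $new_owner $new_mode"
    return 0
}
```

Members of the adm group keep read access after the change; anyone who relied on world-readable logs needs adding to adm or an explicit override afterward, as the message notes.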