On Thu, 21 Feb 2013 20:19:24 +0200 Henri Salo <he...@nerv.fi> wrote:
> Package: nginx
> Version: 0.7.67-3+squeeze3
> Severity: normal
> Tags: security
>
> After installing nginx in squeeze directory /var/log/nginx is world readable as
> reported in http://www.openwall.com/lists/oss-security/2013/02/21/15
>
> I suggest something like this for a fix:
>
> """puppet-common postinst in unstable sets dpkg-statoverride --update --add puppet
> puppet 0750 /var/log/puppet"""
>
> Logging is enabled after service is started.
>
> -- System Information:
> Debian Release: 6.0.6
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages nginx depends on:
> ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
> ii libgeoip1 1.4.7~beta6+dfsg-1 A non-DNS IP-to-country resolver l
> ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
> ii libssl0.9.8 0.9.8o-4squeeze14 SSL shared libraries
> ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
> ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
>
> nginx recommends no packages.
> nginx suggests no packages.
>
> -- no *debconf* information
>
>
>-STOP BUGGING MY MOBILE
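
An added example, not part of the bug report or of any package's maintainer scripts: a POSIX shell check for the condition reported above, which flags a log directory that grants any access to "other" and prints (without running) a `dpkg-statoverride` line in the form quoted in the report. The function names and the owner and group passed in are assumptions chosen by the caller.

```shell
#!/bin/sh
# Added example: audit a log directory for access by "other" users.
# Owner and group passed to audit_dir are the caller's choice (assumption);
# the dpkg-statoverride line is only printed, never executed.

# other_bits DIR -> the three "other" permission characters, e.g. "r-x"
other_bits() {
    [ -d "$1" ] || return 0
    ls -ldL -- "$1" | cut -c8-10
}

# world_readable_files DIR -> number of regular files with the o+r bit set
world_readable_files() {
    echo $(( $(find "$1" -type f -perm -004 2>/dev/null | wc -l) ))
}

# audit_dir DIR OWNER GROUP -> 0 closed to others, 1 exposed, 2 not a directory
audit_dir() {
    dir=$1 owner=$2 group=$3
    bits=$(other_bits "$dir")
    case $bits in
        '')
            echo "SKIP    $dir (not a directory)"
            return 2 ;;
        ---|--T)
            echo "OK      $dir (no access for other)"
            return 0 ;;
        *)
            echo "EXPOSED $dir other=$bits files_o+r=$(world_readable_files "$dir")"
            echo "  fix:  dpkg-statoverride --update --add $owner $group 0750 $dir"
            return 1 ;;
    esac
}

# Run only when called with arguments, e.g.:
#   sh audit.sh /var/log/nginx <owner> <group>
[ $# -eq 0 ] || audit_dir "$@"
```

Mode 0750 on the directory is enough to block other users from the files inside even when the files themselves remain o+r, which is why the check reports both values.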