tag 842295 pending
thanks

Hello,

Bug #842295 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

http://git.debian.org/?p=collab-maint/nginx.git;a=commitdiff;h=333595d

---
commit 333595dc8382e728bc9d57c1e533fa656b2fd6b3
Author: Christos Trochalakis <yati...@ideopolis.gr>
Date:   Wed Sep 14 12:23:49 2016 +0300

    CVE-2016-1247: Secure log file handling

    Backporting patches from 1.6.2-5+deb8u{3,4} and adjusting the compare-versions check to 1.10.2-1~.

diff --git a/debian/changelog b/debian/changelog index 3671be9..d36950e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,14 @@ nginx (1.10.2-1) UNRELEASED; urgency=medium [ Christos Trochalakis ] * New upstream release. + * debian/nginx-common.postinst: + + CVE-2016-1247: Secure log file handling (owner & permissions) + against privilege escalation attacks. /var/log/nginx is now owned + by root:adm. Thanks ro Dawid Golunski for the report. + Changing /var/log/nginx permissions effectively reopens #701112, + since log files can be world-readable. This is a trade-off until + a better log opening solution is implemented upstream (trac:376). + (Closes: #842295) * debian/control: + Version depend on lsb-base (>= 3.0-6). Fixes lintian init.d-script-needs-depends-on-lsb-base.
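
Review bot: the added debian/nginx-common.postinst changelog entry names the new owner of /var/log/nginx (root:adm) but never states the resulting mode of the directory or of the log files, even though the next sentence concedes that log files can be world-readable and that this reopens #701112. Spelling out the modes in the entry would let an administrator judge that exposure from the changelog alone, since the postinst change and the compare-versions adjustment mentioned in the commit message are not among the lines shown here. Also, "Thanks ro Dawid Golunski" should read "Thanks to Dawid Golunski".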