Your message dated Sat, 29 Oct 2016 06:21:30 +0000
with message-id <e1c0n1g-0006wl...@franck.debian.org>
and subject line Bug#842295: fixed in nginx 1.10.2-1
has caused the Debian Bug report #842295,
regarding nginx: CVE-2016-1247
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
842295: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842295
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nginx
Version: 1.6.2-5
Severity: grave
Tags: security
Justification: user security hole
Control: fixed -1 1.6.2-5+deb8u3
Hi,
the following vulnerability was published for nginx. This bug is to
track the CVE-2016-1247 as well in the Debian BTS.
CVE-2016-1247[0]:
www-data to root privilege escalation via log file handling
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-1247
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.10.2-1
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 842...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christos Trochalakis <yati...@ideopolis.gr> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 29 Oct 2016 08:45:09 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras
libnginx-mod-http-geoip libnginx-mod-http-image-filter
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua
libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo
libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter
libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex
libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter
Architecture: source
Version: 1.10.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nginx Maintainers
<pkg-nginx-maintain...@lists.alioth.debian.org>
Changed-By: Christos Trochalakis <yati...@ideopolis.gr>
Description:
libnginx-mod-http-auth-pam - PAM authentication module for Nginx
libnginx-mod-http-cache-purge - Purge content from Nginx caches
libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
libnginx-mod-http-image-filter - HTTP image filter module for Nginx
libnginx-mod-http-lua - LUA module for Nginx
libnginx-mod-http-ndk - Nginx Development Kit module
libnginx-mod-http-perl - Perl module for Nginx
libnginx-mod-http-subs-filter - Substitution filter module for Nginx
libnginx-mod-http-uploadprogress - Upload progress system for Nginx
libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
libnginx-mod-mail - Mail module for Nginx
libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
libnginx-mod-stream - Stream module for Nginx
nginx - small, powerful, scalable web/proxy server
nginx-common - small, powerful, scalable web/proxy server - common files
nginx-doc - small, powerful, scalable web/proxy server - documentation
nginx-extras - nginx web/proxy server (extended version)
nginx-full - nginx web/proxy server (standard version)
nginx-light - nginx web/proxy server (basic version)
Closes: 841230 842295
Changes:
 nginx (1.10.2-1) unstable; urgency=high
 .
   [ Christos Trochalakis ]
   * New upstream release.
   * debian/nginx-common.postinst:
     + CVE-2016-1247: Secure log file handling (owner & permissions)
       against privilege escalation attacks. /var/log/nginx is now owned
       by root:adm. Thanks to Dawid Golunski for the report.
       Changing /var/log/nginx permissions effectively reopens #701112,
       since log files can be world-readable. This is a trade-off until
       a better log opening solution is implemented upstream (trac:376).
       (Closes: #842295)
   * debian/control:
     + Version depend on lsb-base (>= 3.0-6).
       Fixes lintian init.d-script-needs-depends-on-lsb-base.
   * debian/nginx-*.lintian-overrides:
     + Drop unused spelling-error-in-binary override.
 .
   [ Michael Lustfield ]
   * debian/conf/sites-available/default:
     + Updated PHP sample configuration block. (Closes: #841230)
--- End Message ---
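The changelog entry above says the fix leaves /var/log/nginx owned by root:adm and notes the world-readable trade-off. The following is an added example, not code from the Debian package or from anyone in this thread, showing one way to verify that state on a host. The function names are hypothetical, the defaults come from the changelog, and treating group/other write bits as a failure is an assumption of this example; it needs GNU stat and find.

```shell
#!/bin/sh
# Added example, not part of the Debian nginx package.
# Defaults (/var/log/nginx, root, adm) are taken from the changelog entry;
# treating group/other write bits as a failure is this example's assumption.

audit_logdir() {
    dir=${1:-/var/log/nginx}
    want_owner=${2:-root}
    want_group=${3:-adm}
    rc=0

    # A symlinked or missing log directory cannot be audited meaningfully.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a real directory"
        return 2
    fi

    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $dir: owner is $owner, expected $want_owner"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL $dir: group is $group, expected $want_group"
        rc=1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group/other write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode allows group or other write"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK   $dir: $owner:$group mode $mode"
    fi
    return "$rc"
}

# Count log files readable by "other": the trade-off the changelog notes.
world_readable_logs() {
    find "${1:-/var/log/nginx}" -maxdepth 1 -type f -perm -004 | wc -l | tr -d ' '
}
```

Calling `audit_logdir` with no arguments checks /var/log/nginx against root:adm and returns non-zero on any mismatch, so it can gate a configuration-compliance job.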