tag 842295 pending
thanks
Hello,
Bug #842295 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=collab-maint/nginx.git;a=commitdiff;h=962a960
---
commit 962a960e3f0fe9847a71580b43a6e207f10c420a
Author: Christos Trochalakis <[email protected]>
Date: Wed Sep 14 12:23:49 2016 +0300
Release 1.9.10-1~bpo8+4 (CVE-2016-1247)
CVE-2016-1247: Secure log file handling
Backporting patches from 1.6.2-5+deb8u{3,4} and adjusting
the compare-versions check for backports.
diff --git a/debian/changelog b/debian/changelog
index 8dc93f7..f71a4eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+nginx (1.9.10-1~bpo8+4) jessie-backports; urgency=high
+
+ [ Christos Trochalakis ]
+ * debian/nginx-common.postinst:
+ + CVE-2016-1247: Secure log file handling (owner & permissions)
+ against privilege escalation attacks. /var/log/nginx is now owned
+ by root:adm. Thanks ro Dawid Golunski for the report.
+ Changing /var/log/nginx permissions effectively reopens #701112,
+ since log files can be world-readable. This is a trade-off until
+ a better log opening solution is implemented upstream (trac:376).
+ (Closes: #842295)
+
+ -- Christos Trochalakis <[email protected]> Thu, 20 Oct 2016 09:49:25
+0300
+
nginx (1.9.10-1~bpo8+3) jessie-backports; urgency=medium
[ Christos Trochalakis ]
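Review bot: the new 1.9.10-1~bpo8+4 entry says /var/log/nginx is now owned by root:adm but does not say which directory mode debian/nginx-common.postinst sets, and the mode is what decides the trade-off the entry itself raises (reopening #701112 because log files can be world-readable). Suggest naming the resulting mode in the "(owner & permissions)" item, so an administrator reading the changelog can tell what the upgrade changes and whether the log files' own permissions need tightening. Minor: "Thanks ro Dawid Golunski" should read "Thanks to Dawid Golunski".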