nginx: CVE-2013-0337: Directory /var/log/nginx is world readable

Debian Bug report logs - #701112
nginx: CVE-2013-0337: Directory /var/log/nginx is world readable

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: Directory /var/log/nginx is world readable

Date: Thu, 21 Feb 2013 20:19:24 +0200

Package: nginx
Version: 0.7.67-3+squeeze3
Severity: normal
Tags: security

After installing nginx in squeeze directory /var/log/nginx is world readable as
reported in http://www.openwall.com/lists/oss-security/2013/02/21/15

I suggest something like this for a fix:

"""puppet-common postinst in unstable sets dpkg-statoverride --update --add puppet
puppet 0750 /var/log/puppet"""

Logging is enabled after service is started.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nginx depends on:
ii  libc6                 2.11.3-4           Embedded GNU C Library: Shared lib
ii  libgeoip1             1.4.7~beta6+dfsg-1 A non-DNS IP-to-country resolver l
ii  libpcre3              8.02-1.1           Perl 5 Compatible Regular Expressi
ii  libssl0.9.8           0.9.8o-4squeeze14  SSL shared libraries
ii  lsb-base              3.2-23.2squeeze1   Linux Standard Base 3.2 init scrip
ii  zlib1g                1:1.2.3.4.dfsg-3   compression library - runtime
nginx recommends no packages.
nginx suggests no packages.
-- no debconf information

Message #10 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>

To: Henri Salo <henri@nerv.fi>, 701112@bugs.debian.org

Subject: Re: Bug#701112: Directory /var/log/nginx is world readable

Date: Thu, 21 Feb 2013 18:25:07 +0000

Hi,

On 21/02/13 18:19, Henri Salo wrote:
> After installing nginx in squeeze directory /var/log/nginx is world readable as
> reported in http://www.openwall.com/lists/oss-security/2013/02/21/15

What about the permissions of the files themselves?

Logs that have been rotated are recreated by logrotate with mode -rw-r-----

But I notice if nginx creates new a log file itself, it sets mode -rw-r--r--

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Message #17 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: Steven Chamberlain <steven@pyro.eu.org>, 701112@bugs.debian.org

Subject: Re: Bug#701112: Directory /var/log/nginx is world readable

Date: Thu, 21 Feb 2013 20:29:12 +0200

On Thu, Feb 21, 2013 at 06:25:07PM +0000, Steven Chamberlain wrote:
> Hi,
> 
> On 21/02/13 18:19, Henri Salo wrote:
> > After installing nginx in squeeze directory /var/log/nginx is world readable as
> > reported in http://www.openwall.com/lists/oss-security/2013/02/21/15
> 
> What about the permissions of the files themselves?
> 
> Logs that have been rotated are recreated by logrotate with mode -rw-r-----
> 
> But I notice if nginx creates new a log file itself, it sets mode -rw-r--r--
> 
> Regards,
> -- 
> Steven Chamberlain
> steven@pyro.eu.org

As you said. For new files: -rw-r--r--, which in my opinion should be fixed. Do
you agree?

--
Henri Salo

Message #22 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>

To: Henri Salo <henri@nerv.fi>

Cc: 701112@bugs.debian.org

Subject: Re: Bug#701112: Directory /var/log/nginx is world readable

Date: Thu, 21 Feb 2013 18:40:58 +0000

On 21/02/13 18:29, Henri Salo wrote:
> As you said. For new files: -rw-r--r--, which in my opinion should be fixed. Do
> you agree?

I agree this is not a good default.

Some admins may want to allow (read-only) access to logs by log-analyser
scripts like awstats/logwatch, running as an unprivileged user, but
there is an "adm" group for this.

It seems like changing /var/log/nginx to root.adm mode 0750 would work
best (and it won't matter if nginx creates any files as root.root 0644).

But the decision rests with nginx maintainers now.

Thanks for pointing it out!

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Message #27 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: Steven Chamberlain <steven@pyro.eu.org>, 701112@bugs.debian.org

Subject: Re: Bug#701112: Directory /var/log/nginx is world readable

Date: Thu, 21 Feb 2013 20:42:23 +0200

On Thu, Feb 21, 2013 at 06:40:58PM +0000, Steven Chamberlain wrote:
> But the decision rests with nginx maintainers now.

Ok. Please notify me in case any help is needed.

--
Henri Salo

Message #32 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Henri Salo <henri@nerv.fi>, 701112@bugs.debian.org

Subject: Re: Bug#701112: Directory /var/log/nginx is world readable

Date: Fri, 22 Feb 2013 07:36:39 +0100

Control: retitle -1 nginx: CVE-2013-0337: Directory /var/log/nginx is world readable

Hi

CVE was assigned now to this issue: CVE-2013-0337 .

Regards,
Salvatore

Message #39 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 701112@bugs.debian.org

Date: Mon, 11 Mar 2013 22:33:39 -0500

In debian/nginx-common.postinst we have:

  configure)
    logdir="/var/log/nginx"
    # Ensure existance and right state of log files and directory
    if [ ! -d "$logdir" -a ! -L "$logdir" ]; then
      mkdir "$logdir"
      chown www-data:adm $logdir
      chmod 0750 $logdir
    fi

This should create the log directory if it doesn't already exist. We're not
enforcing this because the permissions could be changed. Is there any better
way to handle this than what we're doing now? I haven't tested, but it seems
that this should work. I'm sure I'm missing something...

-- 
Michael Lustfield

Message #44 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>

To: Michael Lustfield <michael@lustfield.net>, 701112@bugs.debian.org

Subject: Re: Bug#701112: (no subject)

Date: Tue, 12 Mar 2013 12:53:25 +0000

Hi,

On 12/03/13 03:33, Michael Lustfield wrote:
> In debian/nginx-common.postinst we have:
> 
>   configure)
>     logdir="/var/log/nginx"
>     # Ensure existance and right state of log files and directory
>     if [ ! -d "$logdir" -a ! -L "$logdir" ]; then
>       mkdir "$logdir"
>       chown www-data:adm $logdir
>       chmod 0750 $logdir
>     fi

> This should create the log directory if it doesn't already exist. We're not
> enforcing this because the permissions could be changed. Is there any better
> way to handle this than what we're doing now? I haven't tested, but it seems
> that this should work. I'm sure I'm missing something...

Else if it already exists as a directory, and are upgrading from package
version 1.2.1-2.2 or earlier, do a precautionary `chmod o-rx`?

If ownership is still 'root:root', should chown to 'www-data:adm' so
that log parsers retain access.  Maybe a NEWS entry could advise about
adding things into that group if they don't run as root or www-data but
still need to be able to read the nginx logs?


Some test cases I can think of are:

* no log parsers in use - chmod o-rx is the important thing to do

* logwatch - runs as root?  changing the ownership/perms doesn't matter

* awstats - the log parser part (update.sh) runs as user www-data

* other CGI/PHP apps running as user www-data

* other CGI/PHP apps running under separate uids - should be added to a
group that has read access.  If the admin already changed the user or
group of /var/log/nginx, respect that, otherwise chgrp to adm and
suggest they add their log parsers into that group if necessary.  The
alternative would be to just keep wide-open access...


Wide-open HTTP logs could be a breach of privacy, reveals usernames for
HTTP authentication, IP addresses of visitors, search queries or other
HTML form input with a GET action, locations of potentially sensitive
documents that would be otherwise impractical to guess, and provides a
catalogue of installed web apps that would likely assist an attacker if
this were some kind of shared host with other users.

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Message #49 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 701112@bugs.debian.org

Subject: Re: Bug#701112: (no subject)

Date: Tue, 12 Mar 2013 08:57:17 -0500

[Message part 1 (text/plain, inline)]

precautionary - That would mean we assume that making the change won't
break anything. We're setting this for new installs but forcing it on
already deployed systems wouldn't be a good idea. We could add a NEWS entry
to recommend making this change. It's definitely not a good idea to force
it to happen.


On Tue, Mar 12, 2013 at 7:53 AM, Steven Chamberlain <steven@pyro.eu.org>wrote:

> Hi,
>
> On 12/03/13 03:33, Michael Lustfield wrote:
> > In debian/nginx-common.postinst we have:
> >
> >   configure)
> >     logdir="/var/log/nginx"
> >     # Ensure existance and right state of log files and directory
> >     if [ ! -d "$logdir" -a ! -L "$logdir" ]; then
> >       mkdir "$logdir"
> >       chown www-data:adm $logdir
> >       chmod 0750 $logdir
> >     fi
>
> > This should create the log directory if it doesn't already exist. We're
> not
> > enforcing this because the permissions could be changed. Is there any
> better
> > way to handle this than what we're doing now? I haven't tested, but it
> seems
> > that this should work. I'm sure I'm missing something...
>
> Else if it already exists as a directory, and are upgrading from package
> version 1.2.1-2.2 or earlier, do a precautionary `chmod o-rx`?
>
> If ownership is still 'root:root', should chown to 'www-data:adm' so
> that log parsers retain access.  Maybe a NEWS entry could advise about
> adding things into that group if they don't run as root or www-data but
> still need to be able to read the nginx logs?
>
>
> Some test cases I can think of are:
>
> * no log parsers in use - chmod o-rx is the important thing to do
>
> * logwatch - runs as root?  changing the ownership/perms doesn't matter
>
> * awstats - the log parser part (update.sh) runs as user www-data
>
> * other CGI/PHP apps running as user www-data
>
> * other CGI/PHP apps running under separate uids - should be added to a
> group that has read access.  If the admin already changed the user or
> group of /var/log/nginx, respect that, otherwise chgrp to adm and
> suggest they add their log parsers into that group if necessary.  The
> alternative would be to just keep wide-open access...
>
>
> Wide-open HTTP logs could be a breach of privacy, reveals usernames for
> HTTP authentication, IP addresses of visitors, search queries or other
> HTML form input with a GET action, locations of potentially sensitive
> documents that would be otherwise impractical to guess, and provides a
> catalogue of installed web apps that would likely assist an attacker if
> this were some kind of shared host with other users.
>
> Thanks,
> Regards,
> --
> Steven Chamberlain
> steven@pyro.eu.org
>

[Message part 2 (text/html, inline)]

Message #54 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>

To: Michael Lustfield <michael@lustfield.net>, 701112@bugs.debian.org

Cc: Henri Salo <henri@nerv.fi>

Subject: Re: Bug#701112: (no subject)

Date: Tue, 12 Mar 2013 14:40:33 +0000

On 12/03/13 13:57, Michael Lustfield wrote:
> precautionary - That would mean we assume that making the change won't
> break anything. We're setting this for new installs but forcing it on
> already deployed systems wouldn't be a good idea. We could add a NEWS
> entry to recommend making this change. It's definitely not a good idea
> to force it to happen.

I think there is a duty to fix it on upgrade, otherwise having <fixed
version> installed will not be an indication that the system is patched
for CVE-2013-0337.

Of course if owner/group/permissions were changed in any way since the
older nginx package version was installed, I would leave them alone.

Otherwise, if removing world read/execute permissions, changing the
owner/group to www-data:adm eliminates most risk of anything breaking.
The only problem I foresee is the last (unlikely, and inherently secure)
example I gave in [#44], where world readable logs are assumed.  That
could be so easily fixed by adding appropriate users into the adm group,
or overriding owner/group/permissions of /var/log/nginx afterward.

[#44]: http://bugs.debian.org/701112#44

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Message #59 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 701112@bugs.debian.org

Subject: Delay...

Date: Tue, 29 Oct 2013 01:22:08 -0500

This one sure slipped under the cracks for me.

So... check if it's root:root 755;
if so, change to www-data:adm 750

Would that sufficiently deal with this?

-- 
Michael Lustfield

Message #64 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>

To: Michael Lustfield <michael@lustfield.net>, 701112@bugs.debian.org

Cc: Henri Salo <henri@nerv.fi>

Subject: Re: Bug#701112: nginx: CVE-2013-0337: Directory /var/log/nginx is world readable

Date: Wed, 20 Nov 2013 00:54:17 +0000

On Tue, 29 Oct 2013 01:22:08 -0500, Michael Lustfield wrote:
> This one sure slipped under the cracks for me.

Ouch, same here.  I also forgot to subscribe to this bug it seems...

> So... check if it's root:root 755;
> if so, change to www-data:adm 750
> 
> Would that sufficiently deal with this?

Yes I think that's exactly right.  I've also applied this change to
trial it on a couple of production servers, in case it throws up
anything unexpected.  One of them runs a log parser, which it turns out
was already added into the adm group, so no issues there.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Message #69 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 701112@bugs.debian.org

Date: Sun, 24 Nov 2013 15:56:29 -0600

In debian/nginx-common.preinst:

    # http://bugs.debian.org/701112
    if [ `stat -c '%U:%G.%a' /var/log/nginx` == 'root:root.755' ]; then
      chown root:adm /var/log/nginx
      chmod 750 /var/log/nginx
    fi

This has been changed. I will create a NEWS entry and push. It will be resolved
in the next upload.

-- 
Michael Lustfield

Message #74 received at 701112-close@bugs.debian.org (full text, mbox, reply):

From: Kartik Mistry <kartik@debian.org>

To: 701112-close@bugs.debian.org

Subject: Bug#701112: fixed in nginx 1.4.4-2

Date: Fri, 27 Dec 2013 17:34:19 +0000

Source: nginx
Source-Version: 1.4.4-2

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701112@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kartik Mistry <kartik@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 27 Dec 2013 21:16:01 +0530
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg nginx-naxsi-ui
Architecture: source all amd64
Version: 1.4.4-2
Distribution: unstable
Urgency: low
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Kartik Mistry <kartik@debian.org>
Description: 
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
 nginx-naxsi - nginx web/proxy server (version with naxsi)
 nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
 nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 701112 701508 728103 729860 730142 730432 733107
Changes: 
 nginx (1.4.4-2) unstable; urgency=low
 .
   [ Michael Lustfield ]
   * debian/control:
     + Added Provides: httpd-cgi to packages. (Closes: #701508)
     + Added other options to nginx depends. (Closes: #729860)
     + Added Spdy to nginx-full package description.
   * debian/nginx-common.nginx.init:
     + Added missing line from patch. (Closes: #728103)
   * debian/conf/sites-available/default:
     + Changed ssl_protocols and ssl_ciphers. (Closes: 730142)
   * debian/nginx-common.preinst:
     + Modify permissions of /var/log/nginx. (Closes: #701112)
   * debian/rules:
     + Added spdy support to nginx-full. (Closes: #730432)
 .
   [ Christos Trochalakis ]
   * debian/nginx-doc,docs, debian/nginx-common.NEWS:
     + Ship NEWS with nginx-common instead of nginx-doc.
   * debian/conf/proxy_params:
     + Host header should be passed unmodified to the proxied server.
     + Pass X-Forwarded-Proto header to the proxied server.
   * debian/control:
     + Fix nginx-naxsi-ui Depends and Conflicts lines.
 .
   [ Neutron Soutmun ]
   * debian/patches/guard-use-of-deprecated-openssl-definition.patch:
     + Fix FTBFS against the recent libssl-dev. (Closes: #733107)
 .
   [ Kartik Mistry ]
   * debian/control:
     + Updated to Standards-Version 3.9.5
   * debian/watch, debian/upstream-signing-key.pgp:
     + Use upstream PGP signature to verify by watch file.
Checksums-Sha1: 
 2e0004e1df8fdb62a240b408fe48e1fc8e206ba2 2171 nginx_1.4.4-2.dsc
 389e1d55b9e42983fa788f100f8fc89f58843390 1568356 nginx_1.4.4-2.debian.tar.gz
 52129204efb1abd7bffccf82f8a95260a557f962 66970 nginx_1.4.4-2_all.deb
 bdbf1bdb345d13e689eb1f33d30f611bc7f26226 78288 nginx-doc_1.4.4-2_all.deb
 8152be457d888909f6d72dba718d080d98c83eec 79018 nginx-common_1.4.4-2_all.deb
 596341c51d67fad5d306cbeae139d41871bcbacc 309248 nginx-naxsi-ui_1.4.4-2_all.deb
 bbf2bf467e18c84599d847150b6e4431b8c0b2ac 404844 nginx-full_1.4.4-2_amd64.deb
 f75fd7b2fbe6c043ac26219a72d42a50a73cfa90 3157182 nginx-full-dbg_1.4.4-2_amd64.deb
 d27df5c385c453b40e3c0230e0be3d34b95eab69 294480 nginx-light_1.4.4-2_amd64.deb
 ea298b7ea5210fea709d4ef6a9275c38cdeaa238 2090026 nginx-light-dbg_1.4.4-2_amd64.deb
 8526cb6ba5456bb9d1f1868fee419026c5700788 545852 nginx-extras_1.4.4-2_amd64.deb
 71ddf444a5f004711662c6c72b49eb872ed401e9 4788332 nginx-extras-dbg_1.4.4-2_amd64.deb
 ffdd753f3cb415837af8d29726d180926140ae9f 330144 nginx-naxsi_1.4.4-2_amd64.deb
 b156f46fe093bae70a4b65ea507c3f98bbfd0995 2249314 nginx-naxsi-dbg_1.4.4-2_amd64.deb
Checksums-Sha256: 
 f48a16df02cf73440bed5a912241913966d9256e1eea674da20a17f5e0eac142 2171 nginx_1.4.4-2.dsc
 6304f3fc6d0ee8ac7784c473e9d6e11738b83b65af0ac1bcf848e36188779d84 1568356 nginx_1.4.4-2.debian.tar.gz
 b535c75a27f6070dd847bad16779949e2e01f5e5dfbbf65a7754cd296ab8bd3c 66970 nginx_1.4.4-2_all.deb
 b35ced3227486ee3d859facc15ecc6d586bec6ac9ff1b1b3c19dc0f15974475e 78288 nginx-doc_1.4.4-2_all.deb
 d49841818f85ee82fb186b88a87eb4bedb3f821398a890b0e385b6aeaebfa60e 79018 nginx-common_1.4.4-2_all.deb
 4a038c7ee2387594d1fb9e39f3c5535f87257808193e58a5d4ad966b6598b555 309248 nginx-naxsi-ui_1.4.4-2_all.deb
 fee401ae60d3677dd71705b387adf47644417df342ea53262d111693cdb5d267 404844 nginx-full_1.4.4-2_amd64.deb
 237407e05d6dea29a06058c4f3e791c65286f60234a2043261245ad9dd092dd1 3157182 nginx-full-dbg_1.4.4-2_amd64.deb
 4c43aef1480d9e1fd401ad0a8e2a045865b45cf33bb0d8d0646e7b6de28d2d39 294480 nginx-light_1.4.4-2_amd64.deb
 73927fad702e732f070df78df2a35a4ab20f4c75aae021c55e63387668f49c0c 2090026 nginx-light-dbg_1.4.4-2_amd64.deb
 97c8dc52cd2fadb89c58c0806145e62bfca376486b12037a092ce3f20306dc72 545852 nginx-extras_1.4.4-2_amd64.deb
 a82a6cdfaa9cc7f3ddfe2d49ae46f1ee9a42c9c2cde4749327e818f2cdd7031e 4788332 nginx-extras-dbg_1.4.4-2_amd64.deb
 35cb0ebd8f4dadd061f4127e420f879d6397b02c222cee3331df66f3ab022c85 330144 nginx-naxsi_1.4.4-2_amd64.deb
 215fc6aff5dcbce8fdf2c06722a3e2fdb016a285147c917a755c381f81313c1b 2249314 nginx-naxsi-dbg_1.4.4-2_amd64.deb
Files: 
 960bf7b8a924548a4eaff24bc4d6a161 2171 httpd optional nginx_1.4.4-2.dsc
 3a9f310277ac60f83becb900926a689c 1568356 httpd optional nginx_1.4.4-2.debian.tar.gz
 c00ed2a08cadfe2fecad77c86631a93b 66970 httpd optional nginx_1.4.4-2_all.deb
 0671c3f0bd19ac80667aa062a6e97cf5 78288 doc optional nginx-doc_1.4.4-2_all.deb
 2af73f3558b728de18c96051d43bcc64 79018 httpd optional nginx-common_1.4.4-2_all.deb
 362178d4e9a59c8d899856c2def4c66e 309248 httpd extra nginx-naxsi-ui_1.4.4-2_all.deb
 02288bb6a37013c50a7f31931c975775 404844 httpd optional nginx-full_1.4.4-2_amd64.deb
 4c54cccf822b964256a0af99399415de 3157182 debug extra nginx-full-dbg_1.4.4-2_amd64.deb
 aa0915e6f107f8979dde107a7a3b1879 294480 httpd extra nginx-light_1.4.4-2_amd64.deb
 e84d5953ba3e0c1d292051b0358484d0 2090026 debug extra nginx-light-dbg_1.4.4-2_amd64.deb
 5f8b478d937c59680e8ae38d8596d07f 545852 httpd extra nginx-extras_1.4.4-2_amd64.deb
 018789c6d81237f033ad5ba4e58b99a9 4788332 debug extra nginx-extras-dbg_1.4.4-2_amd64.deb
 28391966be823763a9459b16a363fa42 330144 httpd extra nginx-naxsi_1.4.4-2_amd64.deb
 814c5362a383bc7e34cdeecf2da46d53 2249314 debug extra nginx-naxsi-dbg_1.4.4-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlK9raoACgkQoRg/jtECjI0iswCeInTTUAB6cwmUl4S2tYiWcYzs
weUAn0eg5SGLSMbkLkxeZ80Za79ckQOP
=XS4O
-----END PGP SIGNATURE-----

Message #101 received at 701112@bugs.debian.org (full text, mbox, reply):

From: Sweetypie Mmm <sweetypiemmn@gmail.com>

To: 701112@bugs.debian.org

Subject: Re: Directory /var/log/nginx is world readable

Date: Mon, 20 Mar 2017 21:11:23 -0700

[Message part 1 (text/plain, inline)]

On Thu, 21 Feb 2013 20:19:24 +0200 Henri Salo <henri@nerv.fi> wrote:
> Package: nginx
> Version: 0.7.67-3+squeeze3
> Severity: normal
> Tags: security
>
> After installing nginx in squeeze directory /var/log/nginx is world
readable as
> reported in http://www.openwall.com/lists/oss-security/2013/02/21/15
>
> I suggest something like this for a fix:
>
> """puppet-common postinst in unstable sets dpkg-statoverride --update
--add puppet
> puppet 0750 /var/log/puppet"""
>
> Logging is enabled after service is started.
>
> -- System Information:
> Debian Release: 6.0.6
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages nginx depends on:
> ii  libc6                 2.11.3-4           Embedded GNU C Library:
Shared lib
> ii  libgeoip1             1.4.7~beta6+dfsg-1 A non-DNS IP-to-country
resolver l
> ii  libpcre3              8.02-1.1           Perl 5 Compatible Regular
Expressi
> ii  libssl0.9.8           0.9.8o-4squeeze14  SSL shared libraries
> ii  lsb-base              3.2-23.2squeeze1   Linux Standard Base 3.2 init
scrip
> ii  zlib1g                1:1.2.3.4.dfsg-3   compression library - runtime
> nginx recommends no packages.
> nginx suggests no packages.
> -- no *debconf* information
>
>
>-STOP BUGGING MY MOBILE

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.