Directory /var/log/nginx is world readable [CVE-2013-0337]
Bug #1193445 reported by Thomas Ward
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nginx (Debian) | Fix Released | Unknown | |
nginx (Ubuntu) | Fix Released | Low | Unassigned |
Precise | Won't Fix | Low | Unassigned |
Quantal | Won't Fix | Low | Unassigned |
Raring | Won't Fix | Low | Unassigned |
Saucy | Won't Fix | Low | Unassigned |
Trusty | Fix Released | Low | Unassigned |
Bug Description
This is CVE-2013-0337.
After installing nginx, /var/log/nginx is world readable as reported in http://
(this description is lifted from the Debian bug)
This is reported in Debian as #701112.
CVE References
description: updated
description: updated
Changed in nginx (Debian):
status: Unknown → New
Changed in nginx (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in nginx (Ubuntu Quantal):
status: New → Confirmed
Changed in nginx (Ubuntu Raring):
status: New → Confirmed
Changed in nginx (Ubuntu Saucy):
status: New → Confirmed
importance: Undecided → Medium
Changed in nginx (Ubuntu Raring):
importance: Undecided → Medium
Changed in nginx (Ubuntu Quantal):
importance: Undecided → Medium
Changed in nginx (Debian):
status: New → Fix Released
Changed in nginx (Ubuntu Raring):
status: Confirmed → Won't Fix
Changed in nginx (Ubuntu Quantal):
status: Confirmed → Won't Fix
Changed in nginx (Debian):
status: Fix Released → Confirmed
Changed in nginx (Debian):
status: Confirmed → Fix Released
I know that at the very least, Precise, Quantal, Raring, Saucy, and Trusty are affected by this bug. I believe that Lucid may also be affected and I will have to look into that to confirm.
I have asked Colin Watson (cjwatson) to merge 1.4.4-2 from Debian to Trusty, as 1.4.4-2 contains the fix for this, as well as other Debian bugfixes.
I have the diff from Debian git (see http://anonscm.debian.org/gitweb/?p=collab-maint/nginx.git;a=commitdiff_plain;h=3a4f08671c87b7fc89e077542edfd6eb651f1803 for the diff) that applies a fix for this, and will nit-pick the specific changes from this for the security fixes for the affected Ubuntu versions.
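
A check for the condition the bug description reports, added here as an example (it is not code from this bug report or from the Debian or Ubuntu packaging). The function names `audit_log_dir` and `restrict_log_dir` are hypothetical, and stripping every "other" permission bit is an assumed remediation, not a description of what the Debian patch changes.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# List every entry under $1 (the directory itself included) that grants any
# permission bit to "other". Returns 0 if clean, 1 if findings, 2 on bad input.
audit_log_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # Symlinks are skipped: their own mode bits are not used for access checks.
    found=$(find "$dir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Assumed remediation: strip all "other" bits from the tree, then re-audit.
restrict_log_dir() {
    chmod -R o-rwx "$1" && audit_log_dir "$1"
}

# Stand-alone use: sh audit.sh /var/log/nginx
if [ $# -gt 0 ]; then
    audit_log_dir "$1"
fi
```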