Directory /var/log/nginx is world readable [CVE-2013-0337]

Bug #1193445 reported by Thomas Ward
Affects            Status         Importance   Assigned to   Milestone
nginx (Debian)     Fix Released   Unknown
nginx (Ubuntu)     Fix Released   Low          Unassigned
  Precise          Won't Fix      Low          Unassigned
  Quantal          Won't Fix      Low          Unassigned
  Raring           Won't Fix      Low          Unassigned
  Saucy            Won't Fix      Low          Unassigned
  Trusty           Fix Released   Low          Unassigned

Bug Description

This is CVE-2013-0337.

After installing nginx, /var/log/nginx is world readable as reported in http://www.openwall.com/lists/oss-security/2013/02/21/15.
(this description is lifted from the Debian bug)

This is reported in Debian as #701112.
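A local check for the condition the description reports, added here as an example; it is not part of the bug report, the Debian commit, or nginx's packaging. It prints the "other" permission bits of a directory, reports whether any of them is set, and removes them so only the owner and group keep access (the reason a world-readable log directory matters is that any local account can then read whatever the log files themselves permit). The script stands in a constructed temporary directory for /var/log/nginx and parses `ls -ld` columns rather than using GNU-specific `stat` flags, so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the bug report or nginx's packaging): detect and
# remove "other" permissions on a log directory. /var/log/nginx is replaced
# by a constructed temporary directory so the script runs anywhere.

# Print the "other" permission triplet of a path, e.g. "r-x" or "---".
# Columns 8-10 of `ls -ld` output hold the "other" bits in POSIX ls format.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Succeed (exit 0) if any "other" bit (read, write, or execute/traverse) is set.
is_world_accessible() {
    case "$(other_perms "$1")" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# Remove every "other" bit; owner and group access are left untouched,
# which matches a log directory readable only by its owner and its group.
harden_dir() {
    chmod o-rwx "$1"
}

# Walk through the insecure and hardened states on a throwaway directory.
demo() {
    tmp=$(mktemp -d) || return 1
    logdir="$tmp/nginx"            # stand-in for /var/log/nginx (constructed)
    mkdir "$logdir"
    chmod 755 "$logdir"            # the world-readable state the bug describes

    if is_world_accessible "$logdir"; then
        echo "before: $logdir is world-accessible (other=$(other_perms "$logdir"))"
    fi
    harden_dir "$logdir"
    if is_world_accessible "$logdir"; then
        echo "after: still world-accessible, hardening failed"
        rm -rf "$tmp"
        return 1
    fi
    echo "after: other bits are now $(other_perms "$logdir")"
    rm -rf "$tmp"
    return 0
}

demo
```

To audit a real installation, call `is_world_accessible /var/log/nginx` instead of running `demo`; `harden_dir` only changes the directory's own bits, so files created inside it afterwards still depend on the writing process's umask and should be checked separately.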

CVE References

Thomas Ward (teward)
description: updated
Thomas Ward (teward)
description: updated
Changed in nginx (Debian):
status: Unknown → New
Thomas Ward (teward) wrote:

I know that at the very least, Precise, Quantal, Raring, Saucy, and Trusty are affected by this bug. I believe that Lucid may also be affected and I will have to look into that to confirm.

I have asked Colin Watson (cjwatson) to merge 1.4.4-2 from Debian to Trusty, as 1.4.4-2 contains the fix for this, as well as other Debian bugfixes.

I have the diff from Debian git (see http://anonscm.debian.org/gitweb/?p=collab-maint/nginx.git;a=commitdiff_plain;h=3a4f08671c87b7fc89e077542edfd6eb651f1803 for the diff) that applies a fix for this, and will nit-pick the specific changes from this for the security fixes for the affected Ubuntu versions.

Thomas Ward (teward)
Changed in nginx (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in nginx (Ubuntu Quantal):
status: New → Confirmed
Changed in nginx (Ubuntu Raring):
status: New → Confirmed
Changed in nginx (Ubuntu Saucy):
status: New → Confirmed
importance: Undecided → Medium
Changed in nginx (Ubuntu Raring):
importance: Undecided → Medium
Changed in nginx (Ubuntu Quantal):
importance: Undecided → Medium
Thomas Ward (teward) wrote:

1.4.4-2ubuntu1 was uploaded by cjwatson and was published on December 28, 2013 in Trusty. This merge of 1.4.4-2 from Debian Unstable contained the changes which closed Debian bug 701112 (which is linked to this bug). This fix is now in Trusty; however, the changelog for 1.4.4-2ubuntu1 did not reference this bug number, so it was not automatically "Fix Released" for Trusty.

Changed in nginx (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in nginx (Debian):
status: New → Fix Released
Thomas Ward (teward) wrote:

Importance changed to "Low" with the blessings of the security team.

Marc Deslauriers (mdeslaur) on IRC stated that the CVE is getting a "Low" importance state in the tracker, so I have adjusted the importance on this bug accordingly.

Changed in nginx (Ubuntu Precise):
importance: Medium → Low
Changed in nginx (Ubuntu Quantal):
importance: Medium → Low
Changed in nginx (Ubuntu Raring):
importance: Medium → Low
Changed in nginx (Ubuntu Saucy):
importance: Medium → Low
Changed in nginx (Ubuntu Trusty):
importance: Medium → Low
Changed in nginx (Ubuntu Raring):
status: Confirmed → Won't Fix
Changed in nginx (Ubuntu Quantal):
status: Confirmed → Won't Fix
Rolf Leggewie (r0lf) wrote:

Saucy has seen the end of its life and is no longer receiving any updates. Marking the Saucy task for this ticket as "Won't Fix".

Changed in nginx (Ubuntu Saucy):
status: Confirmed → Won't Fix
Changed in nginx (Debian):
status: Fix Released → Confirmed
Changed in nginx (Debian):
status: Confirmed → Fix Released
Steve Langasek (vorlon) wrote:

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in nginx (Ubuntu Precise):
status: Confirmed → Won't Fix