Bug 9268

Summary: nginx new security issue CVE-2013-0337
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Funda Wang <fundawang>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: minor    
Priority: Normal CC: guillomovitch, shikamaru
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/541311/
Whiteboard:
Source RPM: nginx-1.2.6-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-03-05 21:20:29 CET
Fedora has issued an advisory on February 24:
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099643.html

The change they made is this:
http://pkgs.fedoraproject.org/cgit/nginx.git/commit/?id=0b5a896201729695a64278faabd3f9ea823fd1b6

Our spec is clearly based on theirs, so we might want this change, just for that reason.  Otherwise, I'm not sure it's strictly necessary, as we have msec which changes those directories to 700 in secure mode.  I suppose you could have a system without msec and maybe argue that it should install with 700 out of the box.  Either way, I see no reason to issue an update for Mageia 2 for this, but if it's desirable, this change could be made in Cauldron.

Reproducible: 

Steps to Reproduce:
David Walser 2013-03-05 21:20:49 CET

CC: (none) => guillomovitch, shikamaru
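
The check behind this report, as an added example that is not part of the bug, the Fedora change or msec: a small POSIX shell audit for the exposure pattern CVE-2013-0337 describes (a log directory that other users can traverse, holding world-readable log files), and the remedy the report mentions (making the directory itself 0700). The function names, the warning text and the temporary sample layout are all constructed here; on a real system the argument is the log directory the nginx package owns, which this page does not name.

```shell
#!/bin/sh
# Added example. Counts what an unprivileged "other" user can get at in a
# log directory; WARN lines go to stderr, the number of findings to stdout.
logdir_findings() {
    dir=$1
    count=0

    # o+r on the directory lets other users list the log file names.
    if find "$dir" -maxdepth 0 -perm -o=r | grep -q .; then
        echo "WARN: $dir is listable by other users" >&2
        count=$((count + 1))
    fi

    # o+x (search) is what actually lets them open a file inside by name,
    # so per-file modes only matter when the directory is searchable: a
    # 644 access.log behind a 700 directory is unreachable for "other"
    # (barring hard links to it elsewhere).
    if find "$dir" -maxdepth 0 -perm -o=x | grep -q .; then
        echo "WARN: $dir is searchable by other users" >&2
        count=$((count + 1))
        for f in $(find "$dir" -type f -perm -o=r); do
            echo "WARN: $f is world-readable" >&2
            count=$((count + 1))
        done
    fi
    echo "$count"
}

# The fix the report describes (Fedora's spec change, msec's secure mode):
# tighten the directory to 0700 so the file modes underneath stop mattering.
harden_logdir() {
    chmod 700 "$1"
}

# Constructed sample layout, not a real system: the usual 755 directory
# with 644 logs, then the same tree after hardening.
demo=$(mktemp -d)
mkdir -m 755 "$demo/default"
: > "$demo/default/access.log"
chmod 644 "$demo/default/access.log"
echo "default layout: $(logdir_findings "$demo/default") finding(s)"
harden_logdir "$demo/default"
echo "after chmod 700: $(logdir_findings "$demo/default") finding(s)"
rm -rf "$demo"
```

Run it as the owner of the directory (the modes are read with find -perm, so you do not need to be an unprivileged user to see what one could reach). Group permissions are deliberately ignored: the page's remedy is 700, which closes group access as well, and a distribution that wants 750 with a dedicated log group can loosen the check accordingly.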

Comment 1 Guillaume Rousse 2013-04-17 15:31:47 CEST
Deciding which file permissions are needed is highly context-dependent. That's why it does make sense to allow the end user to eventually modify them after installation if needed. But there is not much reason to enforce a specific set of permissions in the package itself. And except for very objective reasons, such as mandatory presence of a password in a configuration file, I'd prefer to stick with the default 644/755 for any file or directory, for every package. Otherwise we'll quickly have a patchwork of default perms according to each maintainer's sensibility...

So, I don't think that change is either needed or even desirable in the package itself. However, defining nginx-specific file perms in msec could be eventually interesting.
Comment 2 David Walser 2013-04-17 16:52:46 CEST
Thanks Guillaume.

I'm marking this as WONTFIX.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX