Debian has issued an advisory on October 25: https://www.debian.org/security/2016/dsa-3701 It doesn't explain what ownership change it made. Our package has: %attr(-,%{nginx_user},%{nginx_group}) %dir %{nginx_logdir} So, we may have the same issue.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => fundawang, guillomovitch, jquelin, marja11, sam, shlomif, thierry.vignaud
Assignee: bugsquad => pkg-bugs
CC: (none) => zombie_ryushu
Whiteboard: (none) => https://www.debian.org/security/2016/dsa-3701
Found the following at http://metadata.ftp-master.debian.org/changelogs/main/n/nginx/nginx_1.6.2-5+deb8u4_changelog

nginx (1.6.2-5+deb8u3) jessie-security; urgency=high

  [ Christos Trochalakis ]
  * debian/nginx-common.postinst:
    + CVE-2016-1247: Secure log file handling (owner & permissions) against
      privilege escalation attacks. /var/log/nginx is now owned by root:adm.
      Thanks ro Dawid Golunski for the report.
      Changing /var/log/nginx permissions effectively reopens #701112, since
      log files can be world-readable. This is a trade-off until a better log
      opening solution is implemented upstream (trac:376).

and this at https://packetstormsecurity.com/files/cve/CVE-2016-1247

Debian Linux Security Advisory 3701-1 - Dawid Golunski reported the nginx web server packages in Debian suffered from a privilege escalation vulnerability (www-data to root) due to the way log files are handled. This security update changes ownership of the /var/log/nginx directory root. In addition, /var/log/nginx has to be made accessible to local users, and local users may be able to read the log files themselves local until the next logrotate invocation.

The current mga spec file has /var/log/nginx owned by nginx.nginx with permissions "%{__install} -d -m 0755 %{buildroot}%{nginx_logdir}". If I'm understanding this right it does look like we are vulnerable.
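The condition the Debian changelog describes (a log directory owned by the unprivileged service user, so that user can replace entries before a root process opens or rotates them) can be audited from a shell. The script below is an added example written for this report, not code from Debian, Mageia or the nginx package; the function names audit_logdir and count_symlinks and the service user name passed to it are assumptions. It flags a directory as "vulnerable" when it is owned by the service user, when it is group-writable by a group that user belongs to, or when it is world-writable without the sticky bit, and separately counts symlinks inside it, which is what a rotation-time replacement would look like.

```shell
#!/bin/sh
# Added example (not from the bug report or any distribution package).
# Audit a log directory for the CVE-2016-1247 ownership pattern: the
# service user must not be able to rename or unlink entries in a directory
# that a root process later opens or rotates.
#
# audit_logdir DIR SERVICE_USER
#   prints "ok" (exit 0) or "vulnerable" (exit 1); exit 2 if DIR is missing
audit_logdir() {
    dir=$1
    svc_user=$2
    [ -d "$dir" ] || { echo "missing"; return 2; }

    # GNU stat: %U owner name, %G group name, %a octal mode (assumption: GNU coreutils)
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")

    # Directory owned by the service user: it can replace any entry at will.
    if [ "$owner" = "$svc_user" ]; then
        echo "vulnerable"; return 1
    fi

    # Split the octal mode: an optional leading special digit, then user/group/other.
    ugo=$mode
    special=0
    if [ ${#mode} -eq 4 ]; then
        special=${mode%???}
        ugo=${mode#?}
    fi
    group_digit=${ugo#?}; group_digit=${group_digit%?}
    other_digit=${ugo#??}
    sticky=0
    case $special in 1|3|5|7) sticky=1 ;; esac

    # Group-writable and the service user is in that group.
    case $group_digit in 2|3|6|7)
        if id -Gn "$svc_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
            echo "vulnerable"; return 1
        fi ;;
    esac

    # World-writable without the sticky bit: anyone can rename/unlink entries.
    case $other_digit in 2|3|6|7)
        if [ "$sticky" -eq 0 ]; then
            echo "vulnerable"; return 1
        fi ;;
    esac

    echo "ok"; return 0
}

# count_symlinks DIR
#   prints the number of symbolic links directly inside DIR (a log file that
#   has been swapped for a symlink is the artefact a defender looks for)
count_symlinks() {
    find "$1" -maxdepth 1 -type l | wc -l | tr -d ' '
}

# Stand-alone use: audit the nginx log directory for the nginx user.
# Assumed path and user name; adjust for the package being checked.
if [ "${1:-}" = "--run" ]; then
    audit_logdir /var/log/nginx nginx
    echo "symlinks in /var/log/nginx: $(count_symlinks /var/log/nginx)"
fi
```

On the Mageia layout from the comment above (directory owned by nginx:nginx, mode 0755) the first check fires; on the Debian fix (root:adm, no group write for the service user) it reports "ok". Run it with `--run` to audit the real directory, or call the functions on a test directory as in the assertions shipped with the example.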
CC: (none) => mrambo
Thanks Mike. Maybe this is one you can fix once we get your account updated.
Whiteboard: https://www.debian.org/security/2016/dsa-3701 => (none)
Patched package nginx-1.10.2-2 which changes the ownership of the nginx log directory has been uploaded for Cauldron.
Status: NEW => RESOLVED
Resolution: (none) => FIXED