Bug 9268 - nginx new security issue CVE-2013-0337
Summary: nginx new security issue CVE-2013-0337
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal minor
Target Milestone: ---
Assignee: Funda Wang
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/541311/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-05 21:20 CET by David Walser
Modified: 2013-04-17 16:52 CEST
2 users

See Also:
Source RPM: nginx-1.2.6-2.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-03-05 21:20:29 CET
Fedora has issued an advisory on February 24:
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099643.html

The change they made is this:
http://pkgs.fedoraproject.org/cgit/nginx.git/commit/?id=0b5a896201729695a64278faabd3f9ea823fd1b6

Our spec is clearly based on theirs, so we might want this change, just for that reason.  Otherwise, I'm not sure it's strictly necessary, as we have msec which changes those directories to 700 in secure mode.  I suppose you could have a system without msec and maybe argue that it should install with 700 out of the box.  Either way, I see no reason to issue an update for Mageia 2 for this, but if it's desirable, this change could be made in Cauldron.

Reproducible: 

Steps to Reproduce:
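The description contrasts directories shipped as 755 with the 700 mode that msec applies in secure mode. The following is an added example, not part of the bug report or of the nginx or msec packages: a small POSIX sh function that audits whether a directory grants any group or other access, reporting what 700 would change. It assumes GNU coreutils `stat` (for `-c %a`), and the directories to check are passed on the command line because the report does not name them.

```shell
#!/bin/sh
# Added example (not from the bug report): audit one directory's permission mode.
# Returns 0 when the directory grants nothing to group/other (0700 or tighter),
# 1 when it is looser, 2 when it does not exist.
# Assumes GNU stat, which prints the octal mode with '-c %a'.
check_private_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi
    mode=$(stat -c %a "$dir")
    # Keep the last three octal digits: drop any setuid/setgid/sticky prefix
    # so "2755" and "755" are judged the same way.
    perm=$(printf '%s' "$mode" | tail -c 3)
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    if [ "$group" = 0 ] && [ "$other" = 0 ]; then
        echo "ok: $dir is $perm (no group/other access)"
        return 0
    fi
    echo "loose: $dir is $perm (group=$group other=$other); chmod 700 would remove that access"
    return 1
}

# Usage: check_private_dir.sh DIR...   (exit status is the worst result seen)
worst=0
for d in "$@"; do
    check_private_dir "$d" || { rc=$?; [ "$rc" -gt "$worst" ] && worst=$rc; }
done
[ $# -eq 0 ] || exit "$worst"
```

Running it over a package's log or cache directories shows at a glance which ones rely on msec (or on the administrator) to tighten them, which is the question the description leaves open.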
David Walser 2013-03-05 21:20:49 CET

CC: (none) => guillomovitch, shikamaru

Comment 1 Guillaume Rousse 2013-04-17 15:31:47 CEST
Deciding which file permissions are needed is highly context-dependent. That's why it does make sense to allow the end user to eventually modify them after installation if needed. But there is not much reason to enforce a specific set of permissions in the package itself. And except for very objective reasons, such as the mandatory presence of a password in a configuration file, I'd prefer to stick with the default 644/755 for any file or directory, for every package. Otherwise we'll quickly have a patchwork of default perms according to each maintainer's sensibility...

So, I don't think that change is either needed or even desirable in the package itself. However, defining nginx-specific file perms in msec could eventually be interesting.
Comment 2 David Walser 2013-04-17 16:52:46 CEST
Thanks Guillaume.

I'm marking this as WONTFIX.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX
