Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#33964 - [nginx] CVE-2013-0337 log files world-readable
Attached to Project:
Community Packages
Opened by Florian Pritz (bluewind) - Friday, 22 February 2013, 09:17 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Saturday, 23 February 2013, 20:48 GMT
Details
nginx log files are world-readable by default and it looks like our logrotate file doesn't set proper permissions either.
References: http://seclists.org/oss-sec/2013/q1/389
nginx 1.2.7-1
Closed by Bartłomiej Piotrowski (Barthalion)
Saturday, 23 February 2013, 20:48 GMT
Reason for closing: Fixed
Additional comments about closing: nginx 1.2.7-3
Comment by Dan McGee (toofishes) - Saturday, 23 February 2013, 19:10 GMT
Uh what? 750 marks log files executable, which is surely not correct. You definitely want 640 here.
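
A check for the two permission problems raised in this report, world-readable log files and the execute bits that mode 750 puts on a regular file, written as an added example that is not part of the original report or the Arch package. The function names and the temporary sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Arch package): audit a log directory for the two
# permission mistakes discussed in this report.

# List regular files under $1 that are world-readable or carry an execute bit.
audit_log_modes() {
    {
        # "other" read bit set: the CVE-2013-0337 condition
        find "$1" -type f -perm -004 | sed 's/^/world-readable /'
        # any execute bit set: what mode 750 does to a regular file
        find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
            sed 's/^/executable /'
    } | sort
}

# Reset only the flagged files to 640 (rw owner, r group, nothing for other).
fix_log_modes() {
    find "$1" -type f \
        \( -perm -004 -o -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec chmod 640 {} +
}

# Constructed sample directory so the example runs offline.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/access.log"; chmod 644 "$d/access.log"   # world-readable default
    : > "$d/error.log";  chmod 750 "$d/error.log"    # the mode questioned above
    : > "$d/ok.log";     chmod 640 "$d/ok.log"       # the suggested mode
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "before:"; audit_log_modes "$sample"
fix_log_modes "$sample"
echo "after:";  audit_log_modes "$sample"
rm -rf "$sample"
```

To audit a real installation, call `audit_log_modes` on the actual log directory; the path depends on the local nginx configuration.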