Directory /var/log/nginx is world readable [CVE-2013-0337]
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | nginx (Debian) |
Fix Released
|
Unknown
|
||
| | nginx (Ubuntu) |
Low
|
Unassigned | ||
| | Precise |
Low
|
Unassigned | ||
| | Quantal |
Low
|
Unassigned | ||
| | Raring |
Low
|
Unassigned | ||
| | Saucy |
Low
|
Unassigned | ||
| | Trusty |
Low
|
Unassigned | ||
Bug Description
This is CVE-2013-0337.
After installing nginx, /var/log/nginx is world readable as reported in http://
(this description is lifted from the Debian bug)
This is reported in Debian as #701112.
CVE References
| description: | updated |
| description: | updated |
| Changed in nginx (Debian): | |
| status: | Unknown → New |
| Thomas Ward (teward) wrote : | #1 |
| Changed in nginx (Ubuntu Precise): | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| Changed in nginx (Ubuntu Quantal): | |
| status: | New → Confirmed |
| Changed in nginx (Ubuntu Raring): | |
| status: | New → Confirmed |
| Changed in nginx (Ubuntu Saucy): | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| Changed in nginx (Ubuntu Raring): | |
| importance: | Undecided → Medium |
| Changed in nginx (Ubuntu Quantal): | |
| importance: | Undecided → Medium |
| Thomas Ward (teward) wrote : | #2 |
1.4.4-2ubuntu1 was uploaded by cjwatson and was published on December 28, 2013 in Trusty. This merge of 1.4.4-2 from Debian Unstable contained the changes which closed Debian bug 701112 (which is linked to this bug). This fix is now in Trusty, however the changelog for 1.4.4-2ubuntu1 did not reference this bug number so it was not automatically "Fix Released" for Trusty.
| Changed in nginx (Ubuntu Trusty): | |
| status: | Confirmed → Fix Released |
| Changed in nginx (Debian): | |
| status: | New → Fix Released |
| Thomas Ward (teward) wrote : | #3 |
Importance changed to "Low" with the blessings of the security team.
Marc Deslauriers (mdeslaur) on IRC stated that the CVE is getting a "Low" importance state in the tracker, so I have adjusted the importance on this bug accordingly.
| Changed in nginx (Ubuntu Precise): | |
| importance: | Medium → Low |
| Changed in nginx (Ubuntu Quantal): | |
| importance: | Medium → Low |
| Changed in nginx (Ubuntu Raring): | |
| importance: | Medium → Low |
| Changed in nginx (Ubuntu Saucy): | |
| importance: | Medium → Low |
| Changed in nginx (Ubuntu Trusty): | |
| importance: | Medium → Low |
| Changed in nginx (Ubuntu Raring): | |
| status: | Confirmed → Won't Fix |
| Changed in nginx (Ubuntu Quantal): | |
| status: | Confirmed → Won't Fix |
| Rolf Leggewie (r0lf) wrote : | #4 |
saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".
| Changed in nginx (Ubuntu Saucy): | |
| status: | Confirmed → Won't Fix |
| Changed in nginx (Debian): | |
| status: | Fix Released → Confirmed |
| Changed in nginx (Debian): | |
| status: | Confirmed → Fix Released |
I know that at the very least, Precise, Quantal, Raring, Saucy, and Trusty are affected by this bug. I believe that Lucid may also be affected and I will have to look into that to confirm.
I have asked Colin Watson (cjwatson) to merge 1.4.4-2 from Debian to Trusty, as 1.4.4-2 contains the fix for this, as well as other Debian bugfixes.
I have the diff from Debian git (see http://