Directory /var/log/nginx is world readable [CVE-2013-0337]
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nginx (Debian) | Fix Released | Unknown | |
nginx (Ubuntu) | | Low | Unassigned |
Precise | Confirmed | Low | Unassigned |
Quantal | Won't Fix | Low | Unassigned |
Raring | Won't Fix | Low | Unassigned |
Saucy | Won't Fix | Low | Unassigned |
Trusty | Fix Released | Low | Unassigned |
Bug Description
This is CVE-2013-0337.
After installing nginx, /var/log/nginx is world readable as reported in http://
(this description is lifted from the Debian bug)
This is reported in Debian as #701112.
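The condition the description reports, a log directory that every local user can read, can be checked for and corrected with a short audit script. The following is an added example and is not code from the bug report, from Debian, or from the nginx package, and the page does not say how the Debian fix is implemented. The function names, the 0750/0640 modes, the optional group argument, the use of GNU `stat -c`, and the temporary directory that stands in for /var/log/nginx are all this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report, from Debian or from the nginx
# package: audit a log directory for the condition CVE-2013-0337 describes
# (directory and log files readable by every local user) and tighten it.
# Assumes GNU coreutils (stat -c). The 0750/0640 modes and the optional group
# argument are this example's own choices, not the Debian fix.

# check_logdir_private DIR
# Exit 0 if DIR and the regular files directly inside it grant nothing to
# "other"; otherwise print each offender with its octal mode and exit 1.
check_logdir_private() {
    dir=$1
    rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue              # unexpanded glob on an empty dir
        mode=$(stat -c '%a' "$p")            # e.g. 755 or 644 (no leading 0)
        other=$(( mode % 10 ))               # last octal digit = "other" bits
        if [ "$other" -ne 0 ]; then
            printf 'world-accessible: %s (mode %s)\n' "$p" "$mode"
            rc=1
        fi
    done
    return "$rc"
}

# harden_logdir DIR [GROUP]
# Close the directory to "other" (0750), do the same for the log files already
# in it (0640), and hand the tree to GROUP if one is given (e.g. adm on Debian).
harden_logdir() {
    dir=$1
    grp=${2:-}
    chmod 0750 "$dir"
    find "$dir" -maxdepth 1 -type f -exec chmod 0640 '{}' +
    if [ -n "$grp" ]; then
        chgrp -R "$grp" "$dir"
    fi
}

# demo: build a constructed stand-in for /var/log/nginx in a temp directory
# with the permissions the bug report complains about, report, fix, re-check.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 755 "$tmp/nginx"                # world-readable, as reported
    : > "$tmp/nginx/access.log"
    chmod 644 "$tmp/nginx/access.log"
    check_logdir_private "$tmp/nginx" || echo "-> insecure, hardening"
    harden_logdir "$tmp/nginx"
    check_logdir_private "$tmp/nginx" && echo "-> now private"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh audit-logdir.sh demo` to see the constructed case, or source it and call `check_logdir_private /var/log/nginx` on a real host; the check also flags a directory with only the execute bit set for "other", since that still lets other users open files inside by name.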
CVE References
CVE-2013-0337
description: | updated |
description: | updated |
Changed in nginx (Debian): | |
status: | Unknown → New |
Thomas Ward (teward) wrote : | #1 |
Changed in nginx (Ubuntu Precise): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Changed in nginx (Ubuntu Quantal): | |
status: | New → Confirmed |
Changed in nginx (Ubuntu Raring): | |
status: | New → Confirmed |
Changed in nginx (Ubuntu Saucy): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Changed in nginx (Ubuntu Raring): | |
importance: | Undecided → Medium |
Changed in nginx (Ubuntu Quantal): | |
importance: | Undecided → Medium |
Thomas Ward (teward) wrote : | #2 |
1.4.4-2ubuntu1 was uploaded by cjwatson and was published on December 28, 2013 in Trusty. This merge of 1.4.4-2 from Debian Unstable contained the changes which closed Debian bug 701112 (which is linked to this bug). This fix is now in Trusty, however the changelog for 1.4.4-2ubuntu1 did not reference this bug number so it was not automatically "Fix Released" for Trusty.
Changed in nginx (Ubuntu Trusty): | |
status: | Confirmed → Fix Released |
Changed in nginx (Debian): | |
status: | New → Fix Released |
Thomas Ward (teward) wrote : | #3 |
Importance changed to "Low" with the blessings of the security team.
Marc Deslauriers (mdeslaur) on IRC stated that the CVE is getting a "Low" importance state in the tracker, so I have adjusted the importance on this bug accordingly.
Changed in nginx (Ubuntu Precise): | |
importance: | Medium → Low |
Changed in nginx (Ubuntu Quantal): | |
importance: | Medium → Low |
Changed in nginx (Ubuntu Raring): | |
importance: | Medium → Low |
Changed in nginx (Ubuntu Saucy): | |
importance: | Medium → Low |
Changed in nginx (Ubuntu Trusty): | |
importance: | Medium → Low |
Changed in nginx (Ubuntu Raring): | |
status: | Confirmed → Won't Fix |
Changed in nginx (Ubuntu Quantal): | |
status: | Confirmed → Won't Fix |
Rolf Leggewie (r0lf) wrote : | #4 |
Saucy has seen the end of its life and is no longer receiving any updates. Marking the Saucy task for this ticket as "Won't Fix".
Changed in nginx (Ubuntu Saucy): | |
status: | Confirmed → Won't Fix |
Changed in nginx (Debian): | |
status: | Fix Released → Confirmed |
Changed in nginx (Debian): | |
status: | Confirmed → Fix Released |
I know that at the very least, Precise, Quantal, Raring, Saucy, and Trusty are affected by this bug. I believe that Lucid may also be affected and I will have to look into that to confirm.
I have asked Colin Watson (cjwatson) to merge 1.4.4-2 from Debian to Trusty, as 1.4.4-2 contains the fix for this, as well as other Debian bugfixes.
I have the diff from Debian git (see http://anonscm.debian.org/gitweb/?p=collab-maint/nginx.git;a=commitdiff_plain;h=3a4f08671c87b7fc89e077542edfd6eb651f1803 for the diff) that applies a fix for this, and will nit-pick the specific changes from this for the security fixes for the affected Ubuntu versions.