Bugzilla – Bug 1007000
VUL-0: CVE-2016-1247: nginx,nginx-1.0: local privilege escalation via log files
Last modified: 2020-04-23 12:10:36 UTC
> Dawid Golunski reported the nginx web server packages in Debian suffered from a
> privilege escalation vulnerability (www-data to root) due to the way log files
> are handled. This security update changes ownership of the /var/log/nginx
> directory root. In addition, /var/log/nginx has to be made accessible to local
> users, and local users may be able to read the log files themselves local until
> the next logrotate invocation.
In openSUSE, /var/log/nginx is nginx:nginx 760.
We should check in which way this affects our package.
nginx-1.0 is still actively maintained for studio/webyast
probably similar to the old logrotate bug 677335
(we lack the "su nginx nginx" and "create nginx nginx" there probably, but it needs review)
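The comment above names the logrotate "su nginx nginx" and "create nginx nginx" directives as probably missing. As an added example (not part of this bug report or of any package), the shell check below reports whether the logrotate stanza covering a given log path carries those two directives. The sample stanzas are constructed, and the names check_stanza, sample_without and sample_with are hypothetical.

```shell
#!/bin/sh
# check_stanza CONFIG LOGPATH
# Prints "su=present|missing create=present|missing" for the first stanza
# whose header line names LOGPATH, or "stanza=missing" if none does.
check_stanza() {
    awk -v pat="$2" '
        # A stanza header lists log paths and ends with "{".
        !inside && $NF == "{" && index($0, pat) { inside = 1; found = 1; next }
        inside && $1 == "}"                      { exit }
        # Commented-out directives start with "#" and are not counted.
        inside && ($1 == "su" || $1 == "create") { seen[$1] = 1 }
        END {
            if (!found) { print "stanza=missing"; exit }
            printf "su=%s create=%s\n",
                (("su" in seen) ? "present" : "missing"),
                (("create" in seen) ? "present" : "missing")
        }
    ' "$1"
}

# Constructed sample stanzas (not taken from any distribution package).
sample_without() {
    cat <<'EOF'
/var/log/nginx/*.log {
    daily
    rotate 14
    compress
    missingok
    sharedscripts
}
EOF
}

sample_with() {
    cat <<'EOF'
/var/log/nginx/*.log {
    daily
    rotate 14
    su nginx nginx
    create 640 nginx nginx
    sharedscripts
}
EOF
}

tmp=$(mktemp -d)
sample_without > "$tmp/old.conf"
sample_with    > "$tmp/new.conf"
echo "old: $(check_stanza "$tmp/old.conf" /var/log/nginx)"
echo "new: $(check_stanza "$tmp/new.conf" /var/log/nginx)"
rm -rf "$tmp"
```

On a real system the first argument would be the package's logrotate file; the path depends on the distribution and is not given in this report.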
bugbot adjusting priority
We are not affected by it in all our current codestreams. Closing