Bug 605008 (CVE-2016-1247)

Summary: <www-servers/nginx-{1.10.2-r3,1.11.6-r1}: root privilege escalation (CVE-2016-1247)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Assignee: Gentoo Security <security>
Severity: major
Priority: Normal
CC: bugs, dev-zero, jer, whissi
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-07 23:24:29 UTC
It was discovered that the default installation of www-servers/nginx on
Gentoo sets problematic permissions on "/var/log/nginx" similar to those on
Debian and is therefore vulnerable to the same potential root privilege
escalation described in CVE-2016-1247 [1].
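
Added example, not part of the bug report or the Gentoo ebuild: a shell check for whether a log directory such as /var/log/nginx is owned or writable by an unprivileged account, the condition the Debian advisory for CVE-2016-1247 describes. It assumes GNU stat and find; the function name audit_log_dir and the symlink check are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GNU stat and find (Linux).
# Usage: audit_log_dir /var/log/nginx
#
# audit_log_dir DIR [TRUSTED_UID]
#   returns 0 = no findings, 1 = findings printed, 2 = DIR is not a directory
audit_log_dir() {
    dir=$1
    trusted_uid=${2:-0}   # root unless the caller overrides it
    findings=0

    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "SKIP: $dir is not a real directory"
        return 2
    fi

    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")

    # An unprivileged owner controls the file names inside a directory
    # that a root-owned process writes its logs to.
    if [ "$owner" != "$trusted_uid" ]; then
        echo "FAIL: $dir owned by uid $owner, expected $trusted_uid"
        findings=1
    fi

    # Group or other write bits (octal 022) grant the same control.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir mode $mode is group/other writable"
        findings=1
    fi

    # Log files should be regular files; report any symlink for review.
    links=$(find "$dir" -mindepth 1 -type l)
    if [ -n "$links" ]; then
        echo "WARN: symlinks present in $dir:"
        echo "$links"
        findings=1
    fi

    return "$findings"
}
```

Run it as root after upgrading to the fixed ebuild; any FAIL or WARN line means the directory still needs manual review.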

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-07 23:34:51 UTC
Fixed ebuilds are now in the repository.

@ Arches,

please test and mark stable: =www-servers/nginx-1.10.2-r3

Comment 2 Agostino Sarubbo gentoo-dev 2017-01-10 14:57:06 UTC
amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev 2017-01-10 15:27:09 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 15:36:05 UTC
Cleaned up via 688c54e5f570cfe816f69f5452817a320427474a

New GLSA request filed.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:22:21 UTC
This issue was resolved and addressed in
 GLSA 201701-22 at
by GLSA coordinator Aaron Bauman (b-man).