Agostino Sarubbo reported on the oss-security mailing list [1] that, on Gentoo, /var/log/nginx is world-accessible and the log files inside the directory are world-readable. This could allow an unprivileged user to read the log files. Checking on Fedora and EPEL, /var/log/nginx is provided with 0755 permissions. These should be reduced to 0700 permissions, like /var/log/httpd.

[1] http://www.openwall.com/lists/oss-security/2013/02/21/15
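
A check for the condition described in the report above, as an added example that is not part of the original bug report or the nginx packaging. The function names are hypothetical, and GNU `stat` and a `find` that supports `-maxdepth` are assumed.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GNU stat and find -maxdepth.
# Run as root so the check still works once the directory is 0700.

# other_bits DIR: print the permission digit for "other" users (0-7).
other_bits() {
    ob_mode=$(stat -c '%a' "$1") || return 2
    # Keep only the last octal digit of the mode string.
    printf '%s\n' "${ob_mode#"${ob_mode%?}"}"
}

# audit_log_dir DIR: return 0 when "other" has no access to DIR, 1 otherwise.
# When DIR is traversable by others (o+x), also list the top-level files
# that are world-readable, since those are the logs actually exposed.
audit_log_dir() {
    al_dir=$1
    al_other=$(other_bits "$al_dir") || return 2
    if [ "$al_other" -eq 0 ]; then
        printf 'OK   %s: no access for other users\n' "$al_dir"
        return 0
    fi
    printf 'FAIL %s: mode %s grants access to other users (expected 0700)\n' \
        "$al_dir" "$(stat -c '%a' "$al_dir")"
    if [ $((al_other & 1)) -ne 0 ]; then
        find "$al_dir" -maxdepth 1 -type f -perm -004 -print |
            sed 's/^/FAIL world-readable log: /'
    fi
    return 1
}

# Usage: sh audit.sh /var/log/nginx
if [ "$#" -gt 0 ]; then
    audit_log_dir "$1"
fi
```

A 0755 directory holding 0644 logs reports both the directory and each readable file; after `chmod 0700` on the directory the audit passes even if the files keep their own mode, because other users can no longer traverse into it.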
Created nginx tracking bugs for this issue

Affects: fedora-all [bug 913735]
Affects: epel-all [bug 913736]
This was assigned CVE-2013-0337: http://www.openwall.com/lists/oss-security/2013/02/22/1
nginx-1.0.15-9.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.0.15-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
nginx-0.8.55-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.