<p dir="ltr">On Thu, 21 Feb 2013 20:19:24 +0200 Henri Salo <<a href="mailto:henri@nerv.fi">henri@nerv.fi</a>> wrote:<br>
> Package: nginx<br>
> Version: 0.7.67-3+squeeze3<br>
> Severity: normal<br>
> Tags: security<br>
> <br>
> After installing nginx in squeeze directory /var/log/nginx is world readable as<br>
> reported in <a href="http://www.openwall.com/lists/oss-security/2013/02/21/15">http://www.openwall.com/lists/oss-security/2013/02/21/15</a><br>
> <br>
> I suggest something like this for a fix:<br>
> <br>
> """puppet-common postinst in unstable sets dpkg-statoverride --update --add puppet<br>
> puppet 0750 /var/log/puppet"""<br>
> <br>
> Logging is enabled after service is started.<br>
> <br>
> -- System Information:<br>
> Debian Release: 6.0.6<br>
>   APT prefers stable-updates<br>
>   APT policy: (500, 'stable-updates'), (500, 'stable')<br>
> Architecture: amd64 (x86_64)<br>
> <br>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)<br>
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)<br>
> Shell: /bin/sh linked to /bin/dash<br>
> <br>
> Versions of packages nginx depends on:<br>
> ii libc6                2.11.3-4          Embedded GNU C Library: Shared lib<br>
> ii libgeoip1            1.4.7~beta6+dfsg-1 A non-DNS IP-to-country resolver l<br>
> ii libpcre3             8.02-1.1          Perl 5 Compatible Regular Expressi<br>
> ii libssl0.9.8          0.9.8o-4squeeze14 SSL shared libraries<br>
> ii lsb-base             3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip<br>
> ii zlib1g               1:1.2.3.4.dfsg-3  compression library - runtime<br>
> nginx recommends no packages.<br>
> nginx suggests no packages.<br>
> -- no debconf information<br>
> <br>
> <br>
>-STOP BUGGING MY MOBILE</p>
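<p dir="ltr">An added example, not part of the bug report or of any Debian package: a POSIX shell audit for the world-readable log directory described above, with a postinst-style dpkg-statoverride fix. The owner root and group adm are assumptions; the mode 0750 is the one in the quoted puppet example.</p>

```shell
#!/bin/sh
# Added example (not from the bug report): find log paths that grant any
# permission to "other" and register a 0750 override the way a postinst would.

# Assumptions: owner and group are placeholders chosen for this example.
# The mode 0750 is taken from the puppet example quoted in the report.
LOG_DIR="${LOG_DIR:-/var/log/nginx}"
LOG_OWNER="${LOG_OWNER:-root}"
LOG_GROUP="${LOG_GROUP:-adm}"
LOG_MODE="0750"

# Print every path under $1 (the directory itself included) that has an r, w
# or x bit set for "other". POSIX find: -perm -N matches when all bits in N are set.
list_open_to_other() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Return 0 if the directory itself is closed to "other", 1 if open, 2 if missing.
dir_is_closed() {
    [ -d "$1" ] || return 2
    # -prune stops find from descending, so only the directory itself is tested.
    [ -z "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Build the override command without running it, so it can be reviewed first.
override_command() {
    printf 'dpkg-statoverride --update --add %s %s %s %s\n' \
        "$LOG_OWNER" "$LOG_GROUP" "$LOG_MODE" "$1"
}

# postinst-style fix: respect an override the local admin already registered.
apply_override() {
    if dpkg-statoverride --list "$1" >/dev/null 2>&1; then
        echo "override already registered for $1; leaving it alone"
    else
        dpkg-statoverride --update --add "$LOG_OWNER" "$LOG_GROUP" "$LOG_MODE" "$1"
    fi
}

# Usage: --audit reports only; --fix needs root on a Debian system.
case "${1:-}" in
    --audit)
        dir_is_closed "$LOG_DIR" || {
            list_open_to_other "$LOG_DIR"
            override_command "$LOG_DIR"
        } ;;
    --fix)
        dir_is_closed "$LOG_DIR" || apply_override "$LOG_DIR" ;;
esac
```

<p dir="ltr">With 0750 on the directory, users outside the owner and group cannot traverse into it, so log files created later by the running service are unreachable to them even if the files themselves carry a world-readable mode.</p>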