[manjaro-security] [arch-security] [ASA-201701-23] nginx: privilege escalation
anthraxx at archlinux.org
Sun Jan 15 22:40:19 CET 2017
Arch Linux Security Advisory ASA-201701-23
Date : 2017-01-15
CVE-ID : CVE-2016-1247
Package : nginx
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-138
The package nginx before version 1.10.2-3 is vulnerable to privilege

Upgrade to 1.10.2-3.

# pacman -Syu "nginx>=1.10.2-3"

The problem has been fixed upstream but no release is available yet.

A symlink attack vulnerability was discovered in nginx. An attacker who
could already run commands under the nginx user id could use this
access to append data to files owned by root, potentially elevating
their own privileges to root.

A remote attacker who managed to compromise a web application is able
to obtain root privileges on the affected host.
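
Added example, not part of the advisory: a shell audit an administrator can run after upgrading. It checks that a directory root writes into is owned by root, is not group- or world-writable, and contains no symlinks. The default path /var/log/nginx and the function names are assumptions; the advisory does not name the affected files.

```shell
#!/bin/sh
# Added example, not from the advisory. The default path is an assumption:
# the advisory does not name the root-owned files involved.
AUDIT_DIR=${AUDIT_DIR:-/var/log/nginx}

# count_symlinks DIR: print how many symlinks exist anywhere below DIR.
count_symlinks() {
    find "$1" -mindepth 1 -type l 2>/dev/null | wc -l | tr -d ' '
}

# locked_to_uid UID DIR: succeed only if DIR is owned by UID and is neither
# group- nor world-writable, so no other account can create entries in it.
locked_to_uid() {
    [ -n "$(find "$2" -maxdepth 0 -user "$1" ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# audit_dir DIR: print findings; succeed only when there are none.
audit_dir() {
    [ -d "$1" ] || { echo "SKIP: $1 is not a directory"; return 0; }
    rc=0
    if [ -L "$1" ]; then
        echo "WARN: $1 is itself a symlink"
        rc=1
    fi
    if ! locked_to_uid 0 "$1"; then
        echo "WARN: $1 is not root-owned, or is group/world-writable"
        rc=1
    fi
    n=$(count_symlinks "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n symlink(s) below $1:"
        find "$1" -mindepth 1 -type l -exec ls -l {} +
        rc=1
    fi
    return "$rc"
}

audit_dir "$AUDIT_DIR" || echo "Review the findings above before trusting $AUDIT_DIR"
```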