Packages of Nginx 1.10.2 for Jessie and Wheezy – amd64 and i386 – have been updated to fix CVE-2016-1247.
Secure log file handling (owner & permissions) against privilege escalation attacks. /var/log/nginx is now owned by root:adm. Thanks Dawid Golunski for the report. Changing /var/log/nginx permissions effectively reopens #701112, since log files can be world-readable. This is a trade-off until a better log opening solution is implemented upstream (trac:376).
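To confirm the new ownership after upgrading, a check like the following can be run. It is an added example, not part of the Dotdeb packages or the original post. The function name `audit_nginx_logdir` and its messages are hypothetical, and it assumes GNU `stat` and `find` as shipped on Debian.

```shell
#!/bin/sh
# Added example: check an nginx log directory against the post-update layout.
# Usage: audit_nginx_logdir [DIR] [OWNER:GROUP]   (defaults: /var/log/nginx root:adm)
# Prints one line per finding and returns the number of findings (0 = clean).
audit_nginx_logdir() {
    nl_dir=${1:-/var/log/nginx}
    nl_want=${2:-root:adm}
    nl_findings=0

    # The directory itself must be a real directory, not a symlink.
    if [ -L "$nl_dir" ] || [ ! -d "$nl_dir" ]; then
        echo "FAIL: $nl_dir is missing, a symlink, or not a directory"
        return 1
    fi

    # Owner and group the updated packages set on the directory.
    nl_have=$(stat -c '%U:%G' "$nl_dir")
    if [ "$nl_have" != "$nl_want" ]; then
        echo "FAIL: $nl_dir is owned by $nl_have, expected $nl_want"
        nl_findings=$((nl_findings + 1))
    fi

    # Nobody outside owner/group should be able to create entries here.
    if [ -n "$(find "$nl_dir" -maxdepth 0 -perm -0002)" ]; then
        echo "FAIL: $nl_dir is world-writable"
        nl_findings=$((nl_findings + 1))
    fi

    # Log files are expected to be regular files; report any symlinks.
    nl_links=$(find "$nl_dir" -mindepth 1 -type l | wc -l)
    if [ "$nl_links" -gt 0 ]; then
        echo "FAIL: $nl_links symlink(s) found under $nl_dir"
        nl_findings=$((nl_findings + 1))
    fi

    # The trade-off noted above (#701112): logs readable by every local user.
    nl_open=$(find "$nl_dir" -mindepth 1 -type f -perm -0004 | wc -l)
    if [ "$nl_open" -gt 0 ]; then
        echo "WARN: $nl_open world-readable log file(s) under $nl_dir"
        nl_findings=$((nl_findings + 1))
    fi

    return "$nl_findings"
}
```

Run it as root with no arguments to check `/var/log/nginx` against `root:adm`; a non-zero return status is the number of findings.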
This update can also bring full HTTP2 support to Jessie through a new additional repository. As a reminder, HTTP2 with Chrome was not supported on stock Jessie, because Chrome requires the ALPN protocol, which needs the more recent OpenSSL 1.0.2. Now that jessie-backports includes such an OpenSSL version, Dotdeb provides Nginx packages with full HTTP2 support for Chrome. Here is how to install them:
- Activate the jessie-backports repository because you will now rely on its OpenSSL 1.0.2+ backport
- Add the following additional repo to your sources.list:
deb http://packages.dotdeb.org jessie-nginx-http2 all
- Upgrade your Nginx packages as usual
Please note that this change will not be available on Wheezy.