[arch-security] [ASA-201701-24] nginx-mainline: privilege escalation
anthraxx at archlinux.org
Sun Jan 15 21:41:26 UTC 2017
Arch Linux Security Advisory ASA-201701-24
Date : 2017-01-15
CVE-ID : CVE-2016-1247
Package : nginx-mainline
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-139
The package nginx-mainline before version 1.11.8-2 is vulnerable to
Upgrade to 1.11.8-2.
# pacman -Syu "nginx-mainline>=1.11.8-2"
The problem has been fixed upstream but no release is available yet.
A symlink attack vulnerability was discovered in nginx. An attacker who
could already run commands under the nginx user id could use this
access to append data to files owned by root, potentially elevating
their own privileges to root.
A remote attacker who managed to compromise a web application is able
to obtain root privileges on the affected host.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the arch-security