Packages of Nginx 1.10.2 for Jessie and Wheezy - amd64 and i386 - have been updated to fix CVE-2016-1247.
Secure log file handling (owner & permissions) against privilege escalation attacks.
/var/log/nginx is now owned by root:adm. Thanks Dawid Golunski for the report. Changing /var/log/nginx permissions effectively reopens #701112, since log files can be world-readable. This is a trade-off until a better log opening solution is implemented upstream (trac:376).
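To check a host after upgrading, the following added script (not part of the Dotdeb packages or of the original post) reports whether the log directory is owned by root:adm and which log files are still world-readable. The function names are this example's own, and GNU stat and find as shipped on Debian are assumed.

```shell
#!/bin/sh
# Added example: audit an nginx log directory after the CVE-2016-1247 update.
# Function names are this example's own; GNU stat/find (Debian) are assumed.

EXPECTED_OWNER="root:adm"   # ownership the updated packages set, per the post

# Succeeds if the directory is owned by root:adm.
dir_owner_ok() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$EXPECTED_OWNER" ]
}

# Prints regular files under the directory that "other" can read
# (the #701112 trade-off mentioned in the post).
world_readable_logs() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Prints findings; returns 0 only when nothing needs attention,
# 1 on an ownership or permission finding, 2 if the directory is missing.
audit_nginx_logs() {
    dir=$1
    status=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 2
    fi
    if dir_owner_ok "$dir"; then
        echo "OK: $dir owned by $EXPECTED_OWNER"
    else
        echo "CHECK: $dir owned by $(stat -c '%U:%G' "$dir"), expected $EXPECTED_OWNER"
        status=1
    fi
    readable=$(world_readable_logs "$dir")
    if [ -n "$readable" ]; then
        echo "CHECK: world-readable log files:"
        echo "$readable" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Run only when a directory is given, e.g.: sh audit.sh /var/log/nginx
if [ "$#" -gt 0 ]; then
    audit_nginx_logs "$1"
fi
```

Files it lists can be tightened with chmod or through the create line of the logrotate configuration, depending on who needs to read the logs.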
This update can also bring full HTTP2 support to Jessie with a new additional repository. As a reminder, Chrome as a browser was not supported on stock Jessie, because it requires a more recent OpenSSL 1.0.2 for its ALPN protocol. Now that jessie-backports includes such an OpenSSL version, Dotdeb provides Nginx packages with full HTTP2 support for Chrome. Here is how to install them:
Activate the jessie-backports repository because you will now rely on its OpenSSL 1.0.2+ backport
Add the following additional repo to your sources.list:
deb http://packages.dotdeb.org jessie-nginx-http2 all
Upgrade your Nginx packages as usual
Please note that this change will not be available on Wheezy.