nginx deny all doesn't support ipv6

Bug #929334 reported by kolya
This bug affects 1 person
Affects          Status         Importance   Assigned to         Milestone
nginx (Ubuntu)   Fix Released   Undecided    Michael Lustfield
Lucid            Won't Fix      Undecided    Unassigned

Bug Description

Hi.

When stock nginx is reconfigured to use an ipv6 connection, all rules that say 'deny all' suddenly become useless.
This is very confusing and happens on an LTS server.

I think this is a serious security problem because nobody really expects those rules to stop working once nginx gets an ipv6 socket. The fix is available from upstream.

Please let me know if any additional information is required.
Thanks.

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Changed in nginx (Ubuntu):
status: New → Triaged
Michael Lustfield (michaellustfield) wrote :

Could you please supply the output from 'apt-cache policy nginx' as well as 'lsb_release -a'?
It would also be very useful if you could supply your nginx configuration (particularly server blocks).

Changed in nginx (Ubuntu):
assignee: nobody → Michael Lustfield (michaellustfield)
kolya (mar-kolya) wrote :

apt-cache policy nginx:
nginx:
  Installed: 0.7.65-1ubuntu2.2
  Candidate: 0.7.65-1ubuntu2.2

lsb_release -a:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Codename: lucid

I do not think that my current nginx configuration is particularly relevant for this ticket since I've changed it to avoid the problem.

This is part of default /etc/nginx/site-available/default:

server {
        listen [::]:80 default;
        server_name localhost;

        access_log /var/log/nginx/localhost.access.log;

        location / {
                root /var/www/nginx-default;
                index index.html index.htm;
        }

        location /doc {
                root /usr/share;
                autoindex on;
                allow 127.0.0.1;
                deny all;
        }

        location /images {
                root /usr/share;
                autoindex on;
        }
}

That 'deny all' doesn't work with ipv6 according to http://wiki.nginx.org/HttpAccessModule (ipv6 support appeared at version 0.8.22).
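
An added example, not part of the thread or of the nginx packaging: a small Python audit that flags locations whose allow/deny rules are skipped for IPv6 clients on nginx older than 0.8.22 (the cutoff cited in the comment above). The function names and the sample configuration are constructed for illustration, and the parser is a simplified brace matcher, not a full nginx grammar.

```python
import re

# First release whose access module matches IPv6 clients, per the wiki
# page cited in the report (assumption taken from the thread).
ACCESS_IPV6_SINCE = (0, 8, 22)

def parse_version(text):
    """'0.7.65-1ubuntu2.2' -> (0, 7, 65); the packaging suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised nginx version: %r" % text)
    return tuple(int(p) for p in m.groups())

def blocks(conf, keyword):
    """Yield (argument, body) for each 'keyword arg { ... }' block."""
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % keyword, conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf, version):
    """Return location paths whose allow/deny rules IPv6 clients bypass."""
    if parse_version(version) >= ACCESS_IPV6_SINCE:
        return []                               # access module handles IPv6
    conf = re.sub(r"#.*", "", conf)             # drop comments before matching
    findings = []
    for _, server in blocks(conf, "server"):
        if not re.search(r"\blisten\s+\[", server):
            continue                            # no IPv6 listen socket
        for path, body in blocks(server, "location"):
            if re.search(r"(?:^|[;{}])\s*(?:allow|deny)\s", body):
                findings.append(path)
    return findings

# Constructed sample, modelled on the default site quoted in the report.
SAMPLE = """
server {
    listen [::]:80 default;
    server_name localhost;
    location / { root /var/www/nginx-default; }
    location /doc {
        root /usr/share;
        autoindex on;
        allow 127.0.0.1;   # IPv4-only rule
        deny all;
    }
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "0.7.65-1ubuntu2.2"))
```
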

Marc Deslauriers (mdeslaur) wrote :

I am closing this bug, since ipv6 support isn't in the nginx version that is currently in lucid. If you need ipv6 support, please use a more recent version of nginx, or a more recent version of Ubuntu.

Changed in nginx (Ubuntu):
status: Triaged → Invalid
Changed in nginx (Ubuntu Lucid):
status: New → Invalid
kolya (mar-kolya) wrote :

This is not true. Stock nginx in Lucid does support ipv6 and is configured to support it by default - please see the config above.
Also, since 'deny all' doesn't work with ipv6, '/doc' is open to everybody on ipv6 in the config above, which is not exactly what was intended.

I'm not saying that the nginx version should be updated, since the problem can be easily worked around. All I'm saying is that the default config should be fixed to work properly with ipv6 - this is a security problem in an LTS version after all. Also, it would be nice to have a clear comment in the default config that ipv6 doesn't work with 'deny all'.

Thanks.

Changed in nginx (Ubuntu Lucid):
status: Invalid → New
Marc Deslauriers (mdeslaur) wrote :

OK, since this is community-supported, please submit a debdiff with your changes, and someone will sponsor it for an SRU.

Changed in nginx (Ubuntu Lucid):
status: New → Triaged
Thomas Ward (teward)
Changed in nginx (Ubuntu):
status: Invalid → Fix Released
Changed in nginx (Ubuntu Lucid):
assignee: nobody → Thomas Ward (trekcaptainusa-tw)
Thomas Ward (teward) wrote :

Version exists in Quantal / Precise that already has this. Set as "Fix Released" in Quantal.

I should probably elaborate on my discussion with mdeslaur.

The version you are using does not have IPv6 support in that *module* that you are using. To quote you:

"That 'deny all' doesn't work with ipv6 according to http://wiki.nginx.org/HttpAccessModule (ipv6 support appeared at version 0.8.22)."

The version in Lucid of nginx (and therefore that module) is 0.7.65-1ubuntu2.2, which does not include IPv6 support for the module.

I will not mark the Lucid version as "Won't Fix", or "Invalid". However, if you can attach a patch or a debdiff or both that includes the changes required to make it work, I will include the patch in my release of debdiffs (and fixes) for Bug #956150, which addresses current public vulnerabilities in nginx. However, after I release those debdiffs, I will not file SRUs to include this functionality unless others can agree with you that it is a security vulnerability and has the requirement of absolute need (and/or a public CVE is filed to the effect that this is a security issue).

In the meantime, I believe that the NGINX team's PPAs (which are maintained by Michael Lustfield and myself) have 1.2.0 (stable) available for Lucid. If you would like to include the fixes for the other bug I referenced here (which addresses two CVEs), this should also include the IPv6 support unless you can confirm that this problem occurs in 1.2.0, which is in Quantal right now.

kolya (mar-kolya) wrote :

The problem is that the module in question is used by the default config (see 'deny all' in '/doc' in the config above). This is not a huge security problem by itself (after all, only static doc becomes available on a machine with ipv6 connectivity). The more serious issue is that users might use that '/doc' definition as an example for their own configurations and get serious security holes (especially considering the similarity with apache config in this case). And I think it is pretty reasonable for the user to assume that the stock config performs in a reasonable and expected way.

The problem might become more frequent as users move to ipv6 support on existing installations - this might not be that infrequent with all this 'ipv6 day' buzz.

The fix would be to use 'return 403;' instead of 'deny all' in the default nginx config in the '/doc' section.

Unfortunately I'm not familiar with the debdiff tool and I'll have to spend some time learning it. I'll try to do this, but this won't be very fast.

In any case, I would appreciate it if you could incorporate the trivial fix I mentioned above, along with some explanation of why this is being done, into the changes for #956150.

Thanks for your attention to this problem.

Thomas Ward (teward) wrote :

kolya: After discussing with the Security team, this bug will be handled in a separate SRU. Modifying the documentation can be done within that SRU. Note though that a documentation change may not be enough for an SRU.

For anyone working on fixing this: I have removed my assignment on this. If any patches exist for this, please attach them here. Better yet, if you have debdiffs, those are appreciated.

Changed in nginx (Ubuntu Lucid):
assignee: Thomas Ward (trekcaptainusa-tw) → nobody
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in nginx (Ubuntu Lucid):
status: Triaged → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
