Outdated naxsi version, incorrect learning tools included in packages

Bug #1313224 reported by Ove Jobring on 2014-04-27
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Thomas Ward
nginx (Debian)
Fix Released

Bug Description

I'm using the following package versions.

ii nginx-common 1.4.7-1+trusty0 all small, powerful, scalable web/proxy server - common files
ii nginx-naxsi 1.4.7-1+trusty0 amd64 nginx web/proxy server (version with naxsi)
ii nginx-naxsi-ui 1.4.7-1+trusty0 all nginx web/proxy server - naxsi configuration front-end

apt-cache policy nginx-naxsi-ui
  Installed: 1.4.7-1+trusty0
  Candidate: 1.4.7-1+trusty0
  Version table:
 *** 1.4.7-1+trusty0 0
        500 http://ppa.launchpad.net/nginx/stable/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04

The included version of naxsi is 0.50 as stated in the source file debian/modules/naxsi/naxsi_src/naxsi.h

Version 0.50.0 was released 2013-03-19, more than a year ago. IMHO a quite long time for a security related component. The current release is 0.53-2, released 5 months ago. I suggest a version upgrade of the included naxsi component.

But the more direct "bug" is the included tool naxsi-ui. This tool is over 2 years old, and not maintained by upstream for equally long. It was intended to be used with an even older version of naxsi and frequently generates white-list-rules with incorrect syntax for the included version of naxsi.

The package naxsi-ui should be removed.

Version 0.50.0 used the learning/white-list tool rules_generator.py as stated in debian/modules/naxsi/README.txt and that tool is not included in the package.

The current version 0.53-2 uses yet another learning tool, nx_util.py which should be included by default in the nginx-naxsi package.

Since the original packaging was created, naxsi has been repatriated from Google Code to GitHub; the current correct upstream for naxsi should be https://github.com/nbs-system/naxsi

Thank you for packaging two great pieces of software!

Thomas Ward (teward) wrote :

This bug was misfiled, this is an issue with the PPAs.

The PPAs are behind because I haven't had a chance to update the PPAs yet. I'll see if I can get to it tomorrow.

Changed in nginx (Ubuntu):
status: New → Invalid
Thomas Ward (teward) wrote :

If after the PPAs are updated, this still applies, comment on the bug.

Ove Jobring (ovejo) wrote :

Sorry for misfiling the bug, this is more or less my first non-casual launchpad visit and my first time as a bug reporter. It's not always trivial to find your way around.

As I understand, this issue is inherited from the upstream debian package, but it turned out to be even more non-trivial to file a bug report with them.

Perhaps you could share any changes and the reason for making them with upstream?

I'll look at the changes made once committed and released and pitch in any info/knowledge I may have on the matter.

Last I checked, Debian is ahead of the PPAs and Ubuntu. It may be possible they already updated the naxsi version.

If that is not the case I'll forward this bug to Debian.

LP: ~teward

Thomas Ward (teward) on 2014-04-27
tags: added: stable-ppa
Thomas Ward (teward) wrote :

Ove, please check the 1.6.0 upload that I just made to the Stable PPA. It may take a little bit to show up, but it will be there, as 1.6.x is now the stable branch.

If this bug still applies there, please change the status of this bug from "Incomplete" to "New" and then if I confirm it's out of date, I'll forward this bug to Debian.

Changed in nginx:
assignee: nobody → Thomas Ward (teward)
status: New → Incomplete
Ove Jobring (ovejo) wrote :

A quick look at the source file http://ppa.launchpad.net/nginx/stable/ubuntu/pool/main/n/nginx/nginx_1.6.0-1+trusty0.debian.tar.gz tells me that the naxsi version is still the same and there is still, as far as I can see, a discrepancy between naxsi version and the learning/white-list tools included.

I left a comment in bug #1168720, I think the root cause for the problem described in that bug is also due to difference between white-list tool and version of naxsi, although in that bug it's the current white-list tool being used to generate white-list rules for the older version of naxsi included in the nginx-naxsi package.

An upgrade of the naxsi version included would be very desirable if changes are made.

To my knowledge there are extensions to the naxsi config-file format between 0.50.0 and 0.53-2 but not the same compatibility issues that have been seen in combination with previous version upgrades of naxsi. Authoritative answer to this question is best found at the naxsi upstream, https://github.com/nbs-system/naxsi

I think this naxsi faq answer is relevant with regards to this bug-report: https://github.com/nbs-system/naxsi/wiki/faq#Why_do_you_keep_radically_changing_learning_tools_

I'll change the bug status to new.

Thank you for your time and effort!

Ove Jobring (ovejo) wrote :

Changing status to new as requested after inspecting current status.

Changed in nginx (Ubuntu):
status: Invalid → New
Thomas Ward (teward) on 2014-04-27
Changed in nginx (Ubuntu):
status: New → Invalid
Changed in nginx:
status: Incomplete → New
Thomas Ward (teward) on 2014-04-27
Changed in nginx:
status: New → Triaged
Thomas Ward (teward) wrote :

Bug forwarded to Debian, as it also needs fixing there. I've linked to the Debian bug here on the Launchpad system, so the Debian status will be seen here as well.

Thomas Ward (teward) on 2014-04-28
no longer affects: nginx (Ubuntu)
Changed in nginx (Debian):
status: Unknown → New
Ove Jobring (ovejo) wrote :

When I take a look at the debian bug report page I think I know how Merry and Pippin must have felt when they first met the ents.

After a brief look at the build process it doesn't look overly complicated to do the actual work and bundle the latest released stable version of naxsi and the corresponding learning/white-list tool, I would be happy to provide a patch if requested or invited.

But some package reorganization would be required and I guess this is just like my normal life, I don't get to decide what goes into where and when.

Are there any formal policy documents that can be used as guidelines for an issue like this? Or is there any place where such issues are discussed?

As of now I consider the state of nginx and naxsi broken for anything but simple use-cases, and it's very confusing when a naxsi proselyte tries to read up on why things don't work and all the information you can find doesn't look or behave like the installation that is done by these packages.

Is the debian upstream package the proper place to try to fix this issue or could it be done using the ubuntu package version and afterwards "push" the change-set upstream?

Thomas Ward (teward) wrote :

Don't forget, there's three entities involved in this:
(1) Debian, where the PPA and Ubuntu packages are based off of.
(2) Ubuntu, which is based off the Debian packages
(3) The PPAs, which will very rarely differ from the Debian packages.

What we'd be doing is changing the PPAs, and then hoping for a retroactive change in Debian. Unfortunately, as the primary PPA maintainer, I don't have any say in what Debian does or doesn't do, I just forward the bugs up to them when their packaging is affected. In this case, their packaging is affected, so having a delta between the PPAs and Debian adds work for me because then I have to nit-pick the merging of changes when I update the PPA later. It's easier from a maintenance standpoint to keep everything in sync with Debian for now. Especially since this bug affects Debian.

As for Ubuntu, there's a whole separate workflow for that, and right now I want to let things settle from the 14.04 release.

Ove Jobring (ovejo) wrote :

I do perceive the debian-devs as older, wiser, with a language that's hard to understand, caught up in their own business of protecting the linux world in ways I as an ordinary user don't always understand ... and since they are creatures of immense powers, they are better left undisturbed.

I'm not a clever man, but if I read you correctly you are telling me to head over to debian and try fix the naxsi issues over at their place?

Is that a quest hobbits like myself can succeed at or is it best to let the ents discuss the issue among themselves?

Thomas: Don't forget that patching the PPA first is also a way that you can test a change and send us a debdiff that we can use to more quickly get the bug you reported in Debian resolved.

Ove: No, your work beyond testing and verifying a resolution is finished unless you choose to try to fix things yourself.

Ove Jobring (ovejo) wrote :

I consider naxsi to be a higher priority than the convenience of packages and updates handled by a distributor and I already compiled/installed nginx - including latest stable naxsi version and nx_util.py as white-list tool. It is not a difficult task for a one-time installation.

The current deb/ubuntu packaging of naxsi can be improved. At a quick glance it appears as if the current nginx packagers aren't using naxsi themselves - or at least not frequently modifying white-lists and rule sets.

I was hoping that I could help other users and give something back to my peers by offering any knowledge I may have picked up along the way.

Please let me know if, how and where I can be of any assistance.

Thomas Ward (teward) wrote :

I have updated the bug status here in accordance with the Debian bug. (This is done because the PPAs are effectively the Debian packages just rebuilt for Ubuntu, and the idea is to keep almost no delta between them.)

According to the Debian bug, the Debian maintainers are no longer providing support for naxsi and have plans to drop the naxsi packages. The following is a quote from one of the maintainers on this issue (source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746199#18):

"After discussing it with the fellow maintainers we have decided that it is
better to remove the nginx-naxsi package before jessie is freezed.

Packaging naxsi is not trivial and, unfortunately, none of the maintainers uses
it. That's the reason nginx-naxsi is not in a good shape and we are not feeling
comfortable to release and support it.

We are sorry for any inconvenience caused."

Changed in nginx:
status: Triaged → Won't Fix
Thomas Ward (teward) on 2014-09-15
tags: added: mainline stable
removed: stable-ppa
Changed in nginx:
importance: Undecided → Critical
importance: Critical → Medium
Changed in nginx (Debian):
status: New → Fix Released