Outdated naxsi version, incorrect learning tools included in packages
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Nginx | Won't Fix | Medium | Thomas Ward | |
| nginx (Debian) | Fix Released | Unknown | | |
Bug Description
I'm using the following package versions.
ii nginx-common 1.4.7-1+trusty0 all small, powerful, scalable web/proxy server - common files
ii nginx-naxsi 1.4.7-1+trusty0 amd64 nginx web/proxy server (version with naxsi)
ii nginx-naxsi-ui 1.4.7-1+trusty0 all nginx web/proxy server - naxsi configuration front-end
apt-cache policy nginx-naxsi-ui
nginx-naxsi-ui:
Installed: 1.4.7-1+trusty0
Candidate: 1.4.7-1+trusty0
Version table:
*** 1.4.7-1+trusty0 0
500 http://
100 /var/lib/
lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04
The included version of naxsi is 0.50 as stated in the source file debian/
Version 0.50.0 was released 2013-03-19, more than a year ago. IMHO quite a long time for a security related component. The current release is 0.53-2, released 5 months ago. I suggest a version upgrade of the included naxsi component.
But the more direct "bug" is the included tool naxsi-ui. This tool is over 2 years old, and has not been maintained by upstream for equally long. It was intended to be used with an even older version of naxsi and frequently generates white-list rules with incorrect syntax for the included version of naxsi.
The package naxsi-ui should be removed.
Version 0.50.0 used the learning/white-list tool rules_generator.py as stated in debian/
The current version 0.53-2 uses yet another learning tool, nx_util.py which should be included by default in the nginx-naxsi package.
Since the original packaging was created, naxsi has been repatriated from Google Code to GitHub; the current correct upstream for naxsi should be https:/
Thank you for packaging two great pieces of software!
tags: added: stable-ppa
Changed in nginx (Ubuntu): status: New → Invalid
Changed in nginx: status: Incomplete → New
Changed in nginx: status: New → Triaged
no longer affects: nginx (Ubuntu)
Changed in nginx (Debian): status: Unknown → New
tags: added: mainline stable; removed: stable-ppa
Changed in nginx: importance: Undecided → Critical
Changed in nginx: importance: Critical → Medium
Changed in nginx (Debian): status: New → Fix Released
This bug was misfiled, this is an issue with the PPAs.
The PPAs are behind because I haven't had a chance to update the PPAs yet. I'll see if I can get to it tomorrow.