Comment 8 for bug 929334

kolya (mar-kolya) wrote :

The problem is that the module in question is used by the default config (see 'deny all' in '/doc' in config above). This is not a huge security problem by itself (after all, only static doc becomes available on a machine with IPv6 connectivity). The more serious issue is that users might use that '/doc' definition as an example for their own configurations and get serious security holes (especially considering the similarity with the Apache config in this case). And I think it is pretty reasonable for the user to assume that the stock config performs in a reasonable and expected way.

The problem might become more frequent as users move to IPv6 support on existing installations - this might not be that infrequent with all this 'IPv6 day' buzz.

The fix would be to use 'return 403;' instead of 'deny all' in the default nginx config in the '/doc' section.

Unfortunately, I'm not familiar with the debdiff tool and I'll have to spend some time learning it. I'll try to do this, but this won't be very fast.

In any case, I would appreciate it if you could incorporate the trivial fix I mentioned above, along with some explanation of why this is being done, into the changes for #956150.

Thanks for your attention to this problem.