[Bug 1313224] [NEW] Outdated naxsi version, incorrect learning tools included in packages
Ove Jobring
captain.sweatpants at cmail.nu
Sun Apr 27 00:42:16 UTC 2014
Public bug reported:

I'm using the following package versions.

ii nginx-common 1.4.7-1+trusty0 all small, powerful, scalable web/proxy server - common files
ii nginx-naxsi 1.4.7-1+trusty0 amd64 nginx web/proxy server (version with naxsi)
ii nginx-naxsi-ui 1.4.7-1+trusty0 all nginx web/proxy server - naxsi configuration front-end

apt-cache policy nginx-naxsi-ui
nginx-naxsi-ui:
  Installed: 1.4.7-1+trusty0
  Candidate: 1.4.7-1+trusty0
  Version table:
 *** 1.4.7-1+trusty0 0
        500 http://ppa.launchpad.net/nginx/stable/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04

The included version of naxsi is 0.50, as stated in the source file
debian/modules/naxsi/naxsi_src/naxsi.h

Version 0.50.0 was released 2013-03-19, more than a year ago. IMHO a
quite long time for a security related component. The current release is
0.53-2, released 5 months ago. I suggest a version upgrade of the
included naxsi component.

But the more direct "bug" is the included tool naxsi-ui. This tool is
over 2 years old, and not maintained by upstream for equally long. It
was intended to be used with an even older version of naxsi and
frequently generates white-list-rules with incorrect syntax for the
included version of naxsi.

The package naxsi-ui should be removed.

Version 0.50.0 used the learning/white-list tool rules_generator.py, as
stated in debian/modules/naxsi/README.txt, and that tool is not included
in the package.

The current version 0.53-2 uses yet another learning tool, nx_util.py,
which should be included by default in the nginx-naxsi package.

Since the original packaging was created, naxsi has been repatriated
from Google Code to GitHub; the current correct upstream for naxsi should be
https://github.com/nbs-system/naxsi

Thank you for packaging two great pieces of software!

** Affects: nginx (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1313224