Confusing version ranges in security advisories

Hritik Vijay hritikxx8 at gmail.com
Wed Sep 15 19:35:11 UTC 2021


Hello

We're working on an open source tool to aggregate security advisories
and build an open vulnerabilities database
(https://github.com/nexB/vulnerablecode/).
This requires us to parse affected and fixed versions from nginx
advisories published at https://nginx.org/en/security_advisories.html.
Going through the page, I'm having a hard time understanding the plus
(+) notation used to denote the version range. Please help me in this
regard.

I'm assuming that the versions are in semver format. Given the
following information:
    CVE-2021-23017
    Not vulnerable: 1.21.0+, 1.20.1+
    Vulnerable: 0.6.18-1.20.0
If I consider + to mean >= for versions, the bound 1.20.1+ should be
enough for the "Not vulnerable" field. How does it make sense to have
another 1.21.0+ ?
Does the plus notation only apply for the patch field in semver (the
number after the second dot) ? In this case, does it mean that the
upcoming version 1.22.0 will be vulnerable as well ?

To further clarify, I'd like to quote
    CVE-2019-9511
    Not vulnerable: 1.17.3+, 1.16.1+
    Vulnerable: 1.9.5-1.17.2
Here, if I take + as >=, 1.16.1+ means that versions >= 1.16.1 are
fixed but this version clearly lies in the range 1.9.5-1.17.2, which
is the vulnerable range.
I'm assuming that this was done for a stable release of 1.16. This
further favors the assumption that the plus operator only stands for
the patch field in the semver.
Thus making the not vulnerable range as >=1.16.1 AND <1.17.0, using
the same assumption for 1.17.3+ would mean >=1.17.3 AND <1.18.0.
Would this again mean that future versions will be vulnerable ? This
is highly unlikely.

As per my current understanding I'd define the plus operator as:
"If the version before it appears in the vulnerable range, the plus
operator only denotes a >= range for the patch field in semver and <=
the next minor version.
Otherwise, it operates on the entire version string thus marking *all*
the future versions"

This definition is not perfect at all as it does not justify the first
example where neither 1.21.0 nor 1.20.1 is in the vulnerable range
thus making 1.21.0 totally redundant. However, if we ignore the
redundancies, I hope that the definition could work.

Please let me know if there's something wrong with my deduction, also
it would be very helpful to define the plus operator as a
footnote/topnote on the advisories page for the future.

-- 
Regards
Hritik Vijay
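
Added example, not part of the original message and not code from nginx or VulnerableCode: a Python implementation of the plus-operator definition proposed in the message above, applied to the two advisories it quotes. It assumes the exclusive upper bound from the message's worked ranges (< next minor version); the function names are hypothetical.

```python
# Added example: encodes the interpretation proposed in the post above,
# which is the poster's assumption, not documented nginx semantics.
# Function names are hypothetical.

ADVISORIES = {  # values quoted from the post
    "CVE-2021-23017": ("1.21.0+, 1.20.1+", "0.6.18-1.20.0"),
    "CVE-2019-9511": ("1.17.3+, 1.16.1+", "1.9.5-1.17.2"),
}

def parse(version):
    """'1.16.1' -> (1, 16, 1); tuples compare field by field."""
    return tuple(int(part) for part in version.strip().split("."))

def fixed_ranges(not_vulnerable, vulnerable):
    """Return [(low, high)] with low inclusive, high exclusive (None = open)."""
    vuln_low, vuln_high = (parse(v) for v in vulnerable.split("-"))
    ranges = []
    for entry in not_vulnerable.split(","):
        entry = entry.strip()
        if not entry.endswith("+"):
            raise ValueError(f"unexpected entry without '+': {entry!r}")
        base = parse(entry[:-1])
        if vuln_low <= base <= vuln_high:
            # Base lies inside the vulnerable range: '+' covers only later
            # patch releases of the same major.minor branch.
            ranges.append((base, (base[0], base[1] + 1, 0)))
        else:
            # Otherwise '+' marks every later version as fixed.
            ranges.append((base, None))
    return ranges

def is_fixed(version, ranges):
    v = parse(version)
    return any(low <= v and (high is None or v < high) for low, high in ranges)

def redundant_entries(ranges):
    """Open-ended entries already covered by a lower open-ended entry."""
    open_lows = sorted(low for low, high in ranges if high is None)
    return open_lows[1:]

if __name__ == "__main__":
    for cve, (fixed, vulnerable) in ADVISORIES.items():
        ranges = fixed_ranges(fixed, vulnerable)
        print(cve, ranges, "redundant:", redundant_entries(ranges))
```

Under this definition the 1.21.0+ entry of CVE-2021-23017 is reported as redundant, which is the gap the message itself points out.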

