Nginx advisories with not vulnerable versions inside the vulnerable range

Hritik Vijay hritikxx8 at gmail.com
Tue Dec 28 08:44:07 UTC 2021


Hello

I'm trying to parse the advisories page present at
https://nginx.org/en/security_advisories.html. So far, I've understood
the even-odd minor versioning scheme for branches (thanks to Maxim at https://marc.info/?l=nginx&m=163174223924231&w=2).
There still exist some advisories that are hard to understand.
For example:
	Excessive CPU usage in HTTP/2 with small window updates
	Severity: medium
	Advisory
	CVE-2019-9511
	Not vulnerable: 1.17.3+, 1.16.1+
	Vulnerable: 1.9.5-1.17.2

Here, the vulnerable versions are from 1.9.5 to 1.17.2, even though
the versions 1.16.1+ are marked not vulnerable.
Looking at the odd numbers in the vulnerable range, I could infer that
perhaps the vulnerability spanned through the mainline branch only. Even
then it raises some questions. Following are some interpretations and
the problems with them:

Interpretation:
	All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
	branch.
Problem:
	1.16.1+ is marked as not vulnerable so the vulnerability must have
	been fixed in the 1.16 stable branch as well.

Interpretation:
	Only mainline versions between 1.9.5-1.17.2 are vulnerable (as the
	upper and lower bounds have odd minor)
Problem:
	This implies the stable versions 1.10.1+, 1.12.1+ ... 1.16.1+ are
	not vulnerable; this is less likely, as these ranges did not make it
	into the not vulnerable range.

Interpretation:
	All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
	branch, except the ones mentioned in the not vulnerable range
Problem:
	If the not vulnerable range is to be interpreted as an "exception"
	to the vulnerable range then there's no point in mentioning 1.17.3+
	as it already lies outside the vulnerable range.

The last interpretation sounds most reasonable to me with the following
changes:
	All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
	branch. It was fixed in the only provided mainline branch that is
	1.17.3+, although some fixes were provided to the stable branches as
	well (here only one stable branch, that is 1.16.1+).

This will require a hard requirement for the following:
Not Vulnerable:
	One mainline version with a plus sign,
	One or many stable branch versions with a plus sign
Vulnerable:
	A range independent of branching scheme (mainline and stable)

Although this sounds right and suits most of the advisories present
on the page, it doesn't handle:
	Buffer underflow vulnerability
	Severity: major
	VU#180065  CVE-2009-2629
	Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
	Vulnerable: 0.1.0-0.8.14

As there is more than one mainline branch - 0.7.62+ and 0.5.38+ - in
the "Not Vulnerable" range, where there should only be one. Once a
vulnerability is fixed in a lower mainline version (0.5.38) it must have
been fixed in later mainline and stable versions, which doesn't seem to
be the case here (as 0.7.62+ and 0.6.39+ are mentioned explicitly).

Is there any other interpretation that I'm missing that is more suitable
here?
Also, are there any plans to document the same?
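As an added example (not part of the original post, and not nginx's own tooling), here is a small Python parser for advisory entries in the format quoted above. It implements the last interpretation from the message: the "Vulnerable" range is treated as a branch-independent interval, and each "x.y.z+" entry under "Not vulnerable" is treated as the point from which the x.y branch is fixed. That per-branch reading of the "+" entries is an assumption, as is the odd-minor test for mainline branches; the two advisory blocks embedded below are the ones quoted in the message, and the function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample input: the two advisory blocks quoted in the message,
# laid out the way they appear on https://nginx.org/en/security_advisories.html
SAMPLE_ADVISORIES = """\
Excessive CPU usage in HTTP/2 with small window updates
Severity: medium
CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2

Buffer underflow vulnerability
Severity: major
VU#180065  CVE-2009-2629
Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
Vulnerable: 0.1.0-0.8.14
"""


def parse_version(text: str) -> Version:
    """Turn '1.17.3' (or '1.17.3+') into a comparable (major, minor, patch) tuple."""
    parts = text.strip().rstrip("+").split(".")
    if len(parts) != 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def parse_advisories(text: str) -> List[Dict]:
    """Split the page text into advisory blocks and pull out the version fields."""
    advisories = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines() if line.strip()]
        adv: Dict = {
            "title": lines[0],
            "cves": re.findall(r"CVE-\d{4}-\d+", block),
            "not_vulnerable": [],   # list of per-branch fix points
            "vulnerable": None,     # (low, high) inclusive interval
        }
        for line in lines[1:]:
            if line.startswith("Not vulnerable:"):
                entries = line.split(":", 1)[1].split(",")
                adv["not_vulnerable"] = [parse_version(e) for e in entries if e.strip()]
            elif line.startswith("Vulnerable:"):
                low, high = line.split(":", 1)[1].strip().split("-")
                adv["vulnerable"] = (parse_version(low), parse_version(high))
        advisories.append(adv)
    return advisories


def find_advisory(advisories: List[Dict], cve: str) -> Optional[Dict]:
    """Return the advisory that lists the given CVE id, or None."""
    return next((a for a in advisories if cve in a["cves"]), None)


def is_vulnerable(adv: Dict, version: str) -> bool:
    """Apply the post's reading: inside the interval, unless the version's own
    x.y branch has a fix point at or below it in the 'Not vulnerable' list."""
    v = parse_version(version)
    low, high = adv["vulnerable"]
    if not (low <= v <= high):
        return False
    for fix in adv["not_vulnerable"]:
        # Assumption: 'x.y.z+' covers x.y.z and every later patch of branch x.y
        if fix[:2] == v[:2] and v >= fix:
            return False
    return True


def is_mainline(v: Version) -> bool:
    """Assumption taken from the post: odd minor numbers are mainline branches."""
    return v[1] % 2 == 1


def mainline_fixes(adv: Dict) -> List[Version]:
    """Fix points that sit on a mainline branch; the post expects exactly one."""
    return [v for v in adv["not_vulnerable"] if is_mainline(v)]


if __name__ == "__main__":
    for adv in parse_advisories(SAMPLE_ADVISORIES):
        print(adv["title"], adv["cves"], "mainline fixes:", mainline_fixes(adv))
        for probe in ("1.16.0", "1.16.1", "1.17.2", "1.17.3", "0.7.61", "0.7.62", "0.6.40"):
            print(f"  {probe:>7}: {'vulnerable' if is_vulnerable(adv, probe) else 'not vulnerable'}")
```

With the per-branch reading, the second advisory needs no special case: 0.7.62+, 0.6.39+ and 0.5.38+ are each just the fix point of their own branch, so 0.7.61 and 0.5.37 come out vulnerable while 0.6.40 does not. `mainline_fixes` reproduces the observation in the message that CVE-2009-2629 lists two odd-minor fix points (0.7.62 and 0.5.38) where CVE-2019-9511 lists one.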

