Nginx advisories with not vulnerable versions inside the vulnerable range
Hritik Vijay
hritikxx8 at gmail.com
Tue Dec 28 08:44:07 UTC 2021
Hello
I'm trying to parse the advisories page present at
https://nginx.org/en/security_advisories.html. So far, I've understood
the even-odd minor versioning scheme for branches (thanks to Maxim at https://marc.info/?l=nginx&m=163174223924231&w=2).
There still exists some advisories that are hard to understand.
For example:
Excessive CPU usage in HTTP/2 with small window updates
Severity: medium
Advisory
CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2
Here, the vulnerable versions are through 1.9.5 to 1.17.2, even though
the versions 1.16.1+ are marked not vulnerable.
Looking at the odd numbers in the vulnerable range, I could infer that
perhaps the vulnerability spanned through the mainline branch only. Even
then it raises some questions. Following are some interpretations and
the problems with them:
Interpretation:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch.
Problem:
1.16.1+ is marked as not vulnerable so the vulnerability must have
been fixed in the 1.16 stable branch as well.
Interpretation:
Only mainline versions between 1.9.5-1.17.2 are vulnerable (as the
upper and lower bounds have odd minor)
Problem:
This implies the stable versions 1.10.1+, 1.12.1+ ... 1.16.1+ are
not vulnerable, this is less likely as these ranges did not make it
into the not vulnerable range.
Interpretation:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch, except the ones mentioned in the not vulnerable range
Problem:
If the not vulnerable range is to be interpreted as an "exception"
to the vulnerable range then there's no point in mentioning 1.17.3+
as it already lies outside the vulnerable range.
The last interpretation sounds most reasonable to me with the following
changes:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch. It was fixed in the only provided mainline branch that is
1.17.3+, although some fixes were provided to the stable branches as
well (here only one stable branch, that is 1.16.1+).
This will require a hard requirement for the following:
Not Vulnerable:
One mainline version with plus sign,
One or many stable branch version with plus sign
Vulnerable:
A range independent of branching scheme (mainline and stable)
Although, this sounds right and suits for most of the advisories present
on the page, it doesn't handle:
Buffer underflow vulnerability
Severity: major
VU#180065 CVE-2009-2629
Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
Vulnerable: 0.1.0-0.8.14
As there are more than one mainline branch - 0.7.62+ and 0.5.38+ - in
the "Not Vulnerable" range, where there should only be one. Once a
vulnerability is fixed in a lower mainline version (0.5.38) it must have
been fixed in later mainline and stable versions, which doesn't seem to
be the case here (as 0.7.62+ and 0.6.39+ are mentioned explicitly).
Is there any other interpretation that I'm missing that is more suitable
here ?
Also, are there any plans to document the same ?
More information about the nginx
mailing list