Nginx advisories with not vulnerable versions inside the vulnerable range

Hritik Vijay hritikxx8 at
Tue Dec 28 08:44:07 UTC 2021


I'm trying to parse the advisories page present at So far, I've understood
the even-odd minor versioning scheme for branches (thanks to Maxim at
There still exist some advisories that are hard to understand.
For example:
	Excessive CPU usage in HTTP/2 with small window updates
	Severity: medium
	Not vulnerable: 1.17.3+, 1.16.1+
	Vulnerable: 1.9.5-1.17.2

Here, the vulnerable versions are from 1.9.5 through 1.17.2, even though
the versions 1.16.1+ are marked not vulnerable.
Looking at the odd numbers in the vulnerable range, I could infer that
perhaps the vulnerability spanned through the mainline branch only. Even
then it raises some questions. Following are some interpretations and
the problems with them:

	All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
	1.16.1+ is marked as not vulnerable so the vulnerability must have
	been fixed in the 1.16 stable branch as well.

	Only mainline versions between 1.9.5-1.17.2 are vulnerable (as the
	upper and lower bounds have odd minor)
	This implies the stable versions 1.10.1+, 1.12.1+ ... 1.16.1+ are
	not vulnerable; this is less likely as these ranges did not make it
	into the not vulnerable range.

	All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
	branch, except the ones mentioned in the not vulnerable range
	If the not vulnerable range is to be interpreted as an "exception"
	to the vulnerable range then there's no point in mentioning 1.17.3+
	as it already lies outside the vulnerable range.

The last interpretation sounds most reasonable to me with the following
	All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
	branch. It was fixed in the only provided mainline branch that is
	1.17.3+, although some fixes were provided to the stable branches as
	well (here only one stable branch, that is 1.16.1+).

This will require a hard requirement for the following:
Not Vulnerable: 
	One mainline version with plus sign,
	One or many stable branch versions with plus sign
	A range independent of branching scheme (mainline and stable)

Although this sounds right and suits most of the advisories present
on the page, it doesn't handle:
	Buffer underflow vulnerability
	Severity: major
	VU#180065  CVE-2009-2629
	Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
	Vulnerable: 0.1.0-0.8.14

As there is more than one mainline branch - 0.7.62+ and 0.5.38+ - in
the "Not Vulnerable" range, where there should only be one. Once a
vulnerability is fixed in a lower mainline version (0.5.38) it must have
been fixed in later mainline and stable versions, which doesn't seem to
be the case here (as 0.7.62+ and 0.6.39+ are mentioned explicitly).

Is there any other interpretation that I'm missing that is more suitable
here?
Also, are there any plans to document the same?
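An added example, not part of the post above and not code from the nginx project: a small checker that parses the "Vulnerable:" and "Not vulnerable:" lines of an advisory entry and decides whether a given version is affected under the third interpretation from the post (everything inside the vulnerable range is affected, the "X+" entries are exceptions). It assumes that "X+" exempts X and every later patch release on X's major.minor branch; that reading is an assumption taken from the post, not something the advisory page itself states. The advisory texts are the two quoted in the post; the names Advisory, parse_version, classify and redundant_exceptions are hypothetical. redundant_exceptions() reports the "X+" entries that already lie outside the vulnerable range, which is the poster's observation about 1.17.3+ and applies to 0.8.15+ as well.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected nginx version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


class Advisory:
    """One advisory entry, parsed from its 'Vulnerable:' and 'Not vulnerable:' lines."""

    def __init__(self, text: str) -> None:
        self.vulnerable: List[Tuple[Version, Version]] = []  # inclusive low-high ranges
        self.not_vulnerable: List[Version] = []              # 'X+' entries, stored as X
        for raw in text.splitlines():
            line = raw.strip()
            lowered = line.lower()
            if lowered.startswith("not vulnerable:"):
                for item in line.split(":", 1)[1].split(","):
                    item = item.strip()
                    if not item.endswith("+"):
                        raise ValueError(f"expected an 'X+' entry, got {item!r}")
                    self.not_vulnerable.append(parse_version(item[:-1]))
            elif lowered.startswith("vulnerable:"):
                for item in line.split(":", 1)[1].split(","):
                    # accept either a hyphen or an en dash between the bounds
                    bounds = re.split(r"\s*[-\u2013]\s*", item.strip())
                    if len(bounds) != 2:
                        raise ValueError(f"expected a 'low-high' range, got {item!r}")
                    self.vulnerable.append((parse_version(bounds[0]), parse_version(bounds[1])))
        if not self.vulnerable:
            raise ValueError("advisory has no 'Vulnerable:' line")

    def is_vulnerable(self, version: str) -> bool:
        v = parse_version(version)
        # Step 1: outside every vulnerable range means not affected, whatever the branch.
        if not any(low <= v <= high for low, high in self.vulnerable):
            return False
        # Step 2 (assumption): an 'X+' entry exempts X and every later patch
        # release on X's major.minor branch, e.g. 1.16.1+ covers 1.16.1, 1.16.2, ...
        for fixed in self.not_vulnerable:
            if v[:2] == fixed[:2] and v >= fixed:
                return False
        return True

    def redundant_exceptions(self) -> List[Version]:
        """'X+' entries that already lie outside every vulnerable range (e.g. 1.17.3+)."""
        return [
            fixed
            for fixed in self.not_vulnerable
            if not any(low <= fixed <= high for low, high in self.vulnerable)
        ]


# The two advisory entries quoted in the post.
HTTP2_WINDOW = """\
Excessive CPU usage in HTTP/2 with small window updates
Severity: medium
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2
"""

BUFFER_UNDERFLOW = """\
Buffer underflow vulnerability
Severity: major
VU#180065  CVE-2009-2629
Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
Vulnerable: 0.1.0-0.8.14
"""


def classify(advisory_text: str, versions: List[str]) -> Dict[str, bool]:
    """Map each version string to True (affected) or False under the interpretation above."""
    adv = Advisory(advisory_text)
    return {ver: adv.is_vulnerable(ver) for ver in versions}


if __name__ == "__main__":
    for name, text in (("HTTP/2 window", HTTP2_WINDOW), ("buffer underflow", BUFFER_UNDERFLOW)):
        print(name, "exceptions already outside the range:", Advisory(text).redundant_exceptions())
    print(classify(HTTP2_WINDOW, ["1.14.2", "1.16.0", "1.16.1", "1.17.2", "1.17.3", "1.19.0"]))
    print(classify(BUFFER_UNDERFLOW, ["0.4.0", "0.5.37", "0.5.38", "0.6.40", "0.7.61", "0.8.14", "0.8.15"]))
```

Under this reading, 1.14.2 counts as affected because no 1.14.x exception is listed, and 1.16.0 is affected while 1.16.1 is not; whether that matches what the advisory authors meant is exactly the question the post raises, so treat the output as the consequence of one interpretation rather than as ground truth.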
