Confusing version ranges in security advisories

Maxim Dounin mdounin at mdounin.ru
Wed Sep 15 21:44:09 UTC 2021


Hello!

On Thu, Sep 16, 2021 at 01:05:11AM +0530, Hritik Vijay wrote:

> We're working on an open source tool to aggregate security advisories
> and build an open vulnerabilities database.
> (https://github.com/nexB/vulnerablecode/).
> This requires us to parse affected and fixed versions from nginx
> advisories published at https://nginx.org/en/security_advisories.html.
> Going through the page, I'm having a hard time understanding the plus
> (+) notation used to denote the version range. Please help me in this
> regard.
> 
> I'm assuming that the versions are in semver format. Given the
> following information:
>     CVE-2021-23017
>     Not vulnerable: 1.21.0+, 1.20.1+
>     Vulnerable: 0.6.18-1.20.0
> If I consider + to mean >= for versions, the bound 1.20.1+ should be
> enough for the "Not vulnerable" field. How does it make sense to have
> another 1.21.0+ ?
> Does the plus notation only apply for the patch field in semver (the
> number after the second dot) ? In this case, does it mean that the
> upcoming version 1.22.0 will be vulnerable as well ?

The 1.21.0+ notation means "1.21.0 and newer", or, more 
formally, "1.21.0 and derived versions".  This includes all 
future nginx versions on the mainline branch, and all future 
stable branches (which aren't yet created).

The 1.20.1+ means the same for 1.20.1 and derived versions on the 
1.20.x stable branch.  This includes all future versions on the 
1.20.x branch, but not versions on the other branches.

> To further clarify, I'll like to quote
>     CVE-2019-9511
>     Not vulnerable: 1.17.3+, 1.16.1+
>     Vulnerable: 1.9.5-1.17.2
> Here, if I take + as >=, 1.16.1+ means that versions >= 1.16.1 are
> fixed but this version clearly lies in the range 1.9.5-1.17.2, which
> is the vulnerable range.
> I'm assuming that this was done for a stable release of 1.16. This
> further favors the assumption that the plus operator only stands for
> the patch field in the semver.
> Thus making the not vulnerable range as >=1.16.1 AND  < 1.17.0, using
> the same assumption for 1.17.3+ would mean >=1.17.3 AND <1.18.0.
> Would this again mean that future versions will be vulnerable ? This
> is highly unlikely.

See above, 1.16.1+ only applies to 1.16.x stable branch, while 
1.17.3+, which is on the mainline branch, applies to all newer 
versions on the mainline branch and newer stable branches.

> As per my current understanding I'd define the plus operator as:
> "If the version before it appears in the vulnerable range, the plus
> operator only denotes a >= range for the patch field in semver and <=
> the next minor version.
> Otherwise, it operates on the entire version string thus marking *all*
> the future versions"
> 
> This definition is not perfect at all as it does not justify the first
> example where neither 1.21.0 nor 1.20.1 is in the vulnerable range
> thus making 1.21.0 totally redundant. However, if we ignore the
> redundancies, I hope that the definition could work.

That's a reasonable heuristic to find out if the version is 
vulnerable without considering the branch structure.

> Please let me know if there's something wrong with my deduction, also
> it would be very helpful to define the plus operator as a
> footnote/topnote on the advisories page for future.

Hope the above explains things formally enough.  Not sure it needs 
any additional clarification though, as the notation never caused 
questions and is believed to be obvious to anybody at least 
minimally familiar with nginx branches.

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx mailing list