Nginx advisories with not vulnerable versions inside the vulnerable range

Hritik Vijay
December 28, 2021 03:46AM
Hello

I'm trying to parse the advisories page present at
https://nginx.org/en/security_advisories.html. So far, I've understood
the even-odd minor versioning scheme for branches (thanks to Maxim at https://marc.info/?l=nginx&m=163174223924231&w=2).
There still exist some advisories that are hard to understand.
For example:
Excessive CPU usage in HTTP/2 with small window updates
Severity: medium
Advisory
CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2

Here, the vulnerable versions are from 1.9.5 through 1.17.2, even though
the versions 1.16.1+ are marked not vulnerable.
Looking at the odd numbers in the vulnerable range, I could infer that
perhaps the vulnerability spanned through the mainline branch only. Even
then it raises some questions. Following are some interpretations and
the problems with them:

Interpretation:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch.
Problem:
1.16.1+ is marked as not vulnerable so the vulnerability must have
been fixed in the 1.16 stable branch as well.

Interpretation:
Only mainline versions between 1.9.5-1.17.2 are vulnerable (as the
upper and lower bounds have odd minor)
Problem:
This implies the stable versions 1.10.1+, 1.12.1+ ... 1.16.1+ are
not vulnerable; this is less likely as these ranges did not make it
into the not vulnerable range.

Interpretation:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch, except the ones mentioned in the not vulnerable range
Problem:
If the not vulnerable range is to be interpreted as an "exception"
to the vulnerable range then there's no point in mentioning 1.17.3+
as it already lies outside the vulnerable range.

The last interpretation sounds most reasonable to me with the following
changes:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch. It was fixed in the only provided mainline branch that is
1.17.3+, although some fixes were provided to the stable branches as
well (here only one stable branch, that is 1.16.1+).

This will require a hard requirement for the following:
Not Vulnerable:
One mainline version with plus sign,
One or many stable branch versions with plus sign
Vulnerable:
A range independent of branching scheme (mainline and stable)

Although this sounds right and suits most of the advisories present
on the page, it doesn't handle:
Buffer underflow vulnerability
Severity: major
VU#180065 CVE-2009-2629
Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
Vulnerable: 0.1.0-0.8.14

As there is more than one mainline branch - 0.7.62+ and 0.5.38+ - in
the "Not Vulnerable" range, where there should only be one. Once a
vulnerability is fixed in a lower mainline version (0.5.38) it must have
been fixed in later mainline and stable versions, which doesn't seem to
be the case here (as 0.7.62+ and 0.6.39+ are mentioned explicitly).

Is there any other interpretation that I'm missing that is more suitable
here?
Also, are there any plans to document the same?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
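As an added example (not part of the original post and not nginx's own tooling), the small Python parser below applies the poster's final interpretation to the two advisory entries quoted above: every version inside the "Vulnerable" range is vulnerable unless a "X.Y.Z+" entry covers its X.Y branch. The branch-local reading of "X.Y.Z+" and the plain numeric ordering of versions are assumptions made here, not documented nginx semantics.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# The two advisory entries quoted in the post, embedded as constructed text
# in the form (not-vulnerable line, vulnerable line).
ADVISORIES = {
    "CVE-2019-9511": ("Not vulnerable: 1.17.3+, 1.16.1+",
                      "Vulnerable: 1.9.5-1.17.2"),
    "CVE-2009-2629": ("Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+",
                      "Vulnerable: 0.1.0-0.8.14"),
}


def parse_version(s: str) -> Version:
    major, minor, patch = (int(x) for x in s.split("."))
    return major, minor, patch


def parse_not_vulnerable(line: str) -> List[Version]:
    # "Not vulnerable: 1.17.3+, 1.16.1+" -> [(1, 17, 3), (1, 16, 1)]
    return [parse_version(v) for v in re.findall(r"(\d+\.\d+\.\d+)\+", line)]


def parse_vulnerable(line: str) -> Tuple[Version, Version]:
    # "Vulnerable: 1.9.5-1.17.2" -> ((1, 9, 5), (1, 17, 2)), inclusive bounds
    m = re.search(r"(\d+\.\d+\.\d+)-(\d+\.\d+\.\d+)", line)
    return parse_version(m.group(1)), parse_version(m.group(2))


def branch_kind(v: Version) -> str:
    # Even minor number = stable branch, odd = mainline (the scheme the post
    # refers to); lets a caller count mainline entries, as the post does.
    return "stable" if v[1] % 2 == 0 else "mainline"


def is_vulnerable(version: str, not_vuln_line: str, vuln_line: str) -> bool:
    v = parse_version(version)
    lo, hi = parse_vulnerable(vuln_line)
    if not (lo <= v <= hi):
        return False  # outside the advertised range
    # Assumption: "X.Y.Z+" exempts X.Y.Z and later patch releases of the
    # same X.Y branch (a fix backported into that branch).
    for fix in parse_not_vulnerable(not_vuln_line):
        if v[:2] == fix[:2] and v[2] >= fix[2]:
            return False
    return True
```

Under this reading, 1.16.0 and 1.14.2 are reported vulnerable for CVE-2019-9511 while 1.16.1 and 1.17.3 are not; for CVE-2009-2629 the parser also shows the two mainline entries (0.7.62+ and 0.5.38+) the post flags as unexpected.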