Confusing version ranges in security advisories

Hritik Vijay
September 15, 2021 03:36PM
Hello

We're working on an open source tool to aggregate security advisories
and build an open vulnerabilities database.
(https://github.com/nexB/vulnerablecode/).
This requires us to parse affected and fixed versions from nginx
advisories published at https://nginx.org/en/security_advisories.html.
Going through the page, I'm having a hard time understanding the plus
(+) notation used to denote the version range. Please help me in this
regard.

I'm assuming that the versions are in semver format. Given the
following information:
CVE-2021-23017
Not vulnerable: 1.21.0+, 1.20.1+
Vulnerable: 0.6.18-1.20.0
If I consider + to mean >= for versions, the bound 1.20.1+ should be
enough for the "Not vulnerable" field. How does it make sense to have
another 1.21.0?
Does the plus notation only apply for the patch field in semver (the
number after the second dot)? In this case, does it mean that the
upcoming version 1.22.0 will be vulnerable as well?

To further clarify, I'd like to quote
CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2
Here, if I take + as >=, 1.16.1+ means that versions >= 1.16.1 are
fixed but this version clearly lies in the range 1.9.5-1.17.2, which
is the vulnerable range.
I'm assuming that this was done for a stable release of 1.16. This
further favors the assumption that the plus operator only stands for
the patch field in the semver.
This would make the not-vulnerable range >=1.16.1 AND <1.17.0; using
the same assumption for 1.17.3+ would mean >=1.17.3 AND <1.18.0.
Would this again mean that future versions will be vulnerable? This
is highly unlikely.

As per my current understanding I'd define the plus operator as:
"If the version before it appears in the vulnerable range, the plus
operator only denotes a >= range for the patch field in semver and <=
the next minor version.
Otherwise, it operates on the entire version string thus marking *all*
the future versions"

This definition is not perfect at all as it does not justify the first
example where neither 1.21.0 nor 1.20.1 is in the vulnerable range
thus making 1.21.0 totally redundant. However, if we ignore the
redundancies, I hope that the definition could work.

Please let me know if there's something wrong with my deduction; also,
it would be very helpful to define the plus operator in a
footnote/topnote on the advisories page for the future.

--
Regards
Hritik Vijay
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
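The following is an added example, not code from the post or from VulnerableCode, that implements the poster's proposed reading of the plus notation literally: an "x.y.z+" entry whose base version lies inside a "Vulnerable" range covers only that minor series (the strict "< next minor" bound is taken from the poster's worked 1.16.1+ figures), and one whose base lies outside it covers every later version. Running it over the two advisories quoted above makes the overlap between 1.16.1+ and 1.9.5-1.17.2, and the redundancy of 1.21.0+, visible; the version format is assumed to be plain x.y.z.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"not an x.y.z version: {s!r}")
    a, b, c = m.groups()
    return (int(a), int(b), int(c))

def parse_vulnerable(field: str) -> List[Tuple[Version, Version]]:
    """'0.6.18-1.20.0' -> [((0,6,18), (1,20,0))]; both ends inclusive."""
    ranges = []
    for chunk in field.split(","):
        lo, hi = chunk.strip().split("-")
        ranges.append((parse_version(lo), parse_version(hi)))
    return ranges

def in_vulnerable(v: Version, ranges: List[Tuple[Version, Version]]) -> bool:
    return any(lo <= v <= hi for lo, hi in ranges)

def parse_not_vulnerable(field: str, vuln) -> List[Tuple[Version, Optional[Version]]]:
    """Poster's rule for each 'x.y.z+': base inside a vulnerable range -> only the
    patch field is covered (>= x.y.z, < x.(y+1).0); otherwise every later version."""
    fixed: List[Tuple[Version, Optional[Version]]] = []
    for chunk in field.split(","):
        chunk = chunk.strip()
        if not chunk.endswith("+"):
            raise ValueError(f"expected 'x.y.z+', got {chunk!r}")
        base = parse_version(chunk[:-1])
        upper = (base[0], base[1] + 1, 0) if in_vulnerable(base, vuln) else None
        fixed.append((base, upper))  # upper is exclusive; None = unbounded
    return fixed

def classify(version: str, not_vulnerable: str, vulnerable: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one advisory's two fields."""
    vuln = parse_vulnerable(vulnerable)
    fixed = parse_not_vulnerable(not_vulnerable, vuln)
    v = parse_version(version)
    # A patch-field fix such as 1.16.1+ lies inside the vulnerable range
    # 1.9.5-1.17.2, so the "Not vulnerable" field has to win when both match.
    if any(lo <= v and (hi is None or v < hi) for lo, hi in fixed):
        return "fixed"
    if in_vulnerable(v, vuln):
        return "vulnerable"
    return "unknown"  # covered by neither field, e.g. older than the first vulnerable release
```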
Thread index:
- Confusing version ranges in security advisories, Hritik Vijay, September 15, 2021 03:36PM
- Re: Confusing version ranges in security advisories, Maxim Dounin, September 15, 2021 05:46PM