Welcome! Log In Create A New Profile

Advanced

Nginx advisories with not vulnerable versions inside the vulnerable range

Hritik Vijay
December 28, 2021 03:46AM
Hello

I'm trying to parse the advisories page present at
https://nginx.org/en/security_advisories.html. So far, I've understood
the even-odd minor versioning scheme for branches (thanks to Maxim at https://marc.info/?l=nginx&m=163174223924231&w=2).
There still exists some advisories that are hard to understand.
For example:
Excessive CPU usage in HTTP/2 with small window updates
Severity: medium
Advisory
CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2

Here, the vulnerable versions are through 1.9.5 to 1.17.2, even though
the versions 1.16.1+ are marked not vulnerable.
Looking at the odd numbers in the vulnerable range, I could infer that
perhaps the vulnerability spanned through the mainline branch only. Even
then it raises some questions. Following are some interpretations and
the problems with them:

Interpretation:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch.
Problem:
1.16.1+ is marked as not vulnerable so the vulnerability must have
been fixed in the 1.16 stable branch as well.

Interpretation:
Only mainline versions between 1.9.5-1.17.2 are vulnerable (as the
upper and lower bounds have odd minor)
Problem:
This implies the stable versions 1.10.1+, 1.12.1+ ... 1.16.1+ are
not vulnerable, this is less likely as these ranges did not make it
into the not vulnerable range.

Interpretation:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch, except the ones mentioned in the not vulnerable range
Problem:
If the not vulnerable range is to be interpreted as an "exception"
to the vulnerable range then there's no point in mentioning 1.17.3+
as it already lies outside the vulnerable range.

The last interpretation sounds most reasonable to me with the following
changes:
All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the
branch. It was fixed in the only provided mainline branch that is
1.17.3+, although some fixes were provided to the stable branches as
well (here only one stable branch, that is 1.16.1+).

This will require a hard requirement for the following:
Not Vulnerable:
One mainline version with plus sign,
One or many stable branch version with plus sign
Vulnerable:
A range independent of branching scheme (mainline and stable)

Although, this sounds right and suits for most of the advisories present
on the page, it doesn't handle:
Buffer underflow vulnerability
Severity: major
VU#180065 CVE-2009-2629
Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
Vulnerable: 0.1.0-0.8.14

As there are more than one mainline branch - 0.7.62+ and 0.5.38+ - in
the "Not Vulnerable" range, where there should only be one. Once a
vulnerability is fixed in a lower mainline version (0.5.38) it must have
been fixed in later mainline and stable versions, which doesn't seem to
be the case here (as 0.7.62+ and 0.6.39+ are mentioned explicitly).

Is there any other interpretation that I'm missing that is more suitable
here ?
Also, are there any plans to document the same ?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Nginx advisories with not vulnerable versions inside the vulnerable range

Hritik Vijay December 28, 2021 03:46AM

Re: Nginx advisories with not vulnerable versions inside the vulnerable range

Maxim Dounin December 28, 2021 09:30AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 94
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready