Hello! On Tue, Dec 28, 2021 at 02:14:07PM +0530, Hritik Vijay wrote:
> I'm trying to parse the advisories page present at > https://nginx.org/en/security_advisories.html. So far, I've understood > the even-odd minor versioning scheme for branches (thanks to Maxim at > https://marc.info/?l=nginx&m=163174223924231&w=2). > There still exists some advisories that are hard to understand. > For example: > Excessive CPU usage in HTTP/2 with small window updates > Severity: medium > Advisory > CVE-2019-9511 > Not vulnerable: 1.17.3+, 1.16.1+ > Vulnerable: 1.9.5-1.17.2 > > Here, the vulnerable versions are through 1.9.5 to 1.17.2, even though > the versions 1.16.1+ are marked not vulnerable. > Looking at the odd numbers in the vulnerable range, I could infer that > perhaps the vulnerability spanned through the mainline branch only. Even > then it raises some questions. Following are some interpretations and > the problems with them: [...] > Interpretation: > All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the > branch, except the ones mentioned in the not vulnerable range > Problem: > If the not vulnerable range is to be interpreted as an "exception" > to the vulnerable range then there's no point in mentioning 1.17.3+ > as it already lies outside the vulnerable range. That's the correct interpretation. While explicitly mentioning 1.17.3+ as not vulnerable is not strictly needed, it is just duplicate information to simplify reading. > The last interpretation sounds most reasonable to me with the following > changes: > All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the > branch. It was fixed in the only provided mainline branch that is > 1.17.3+, although some fixes were provided to the stable branches as > well (here only one stable branch, that is 1.16.1+). > > This will require a hard requirement for the following: > Not Vulnerable: > One mainline version with plus sign, > One or many stable branch version with plus sign > Vulnerable: > A range independent of branching scheme (mainline and stable) > > Although, this sounds right and suits for most of the advisories present > on the page, it doesn't handle: > Buffer underflow vulnerability > Severity: major > VU#180065 CVE-2009-2629 > Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+ > Vulnerable: 0.1.0-0.8.14 > > As there are more than one mainline branch - 0.7.62+ and 0.5.38+ - in > the "Not Vulnerable" range, where there should only be one. Once a > vulnerability is fixed in a lower mainline version (0.5.38) it must have > been fixed in later mainline and stable versions, which doesn't seem to > be the case here (as 0.7.62+ and 0.6.39+ are mentioned explicitly). Your interpretation of "mainline" and "stable" is incorrect here. The odd/even numbering scheme is in use only starting with nginx 1.0.x. In previous versions, a branch was simply declared stable at some point. For example, 0.5.x branch was mainline (current) till 0.5.25, and then 0.6.0 version was released, and 0.5.x branch was declared stable[1]. Similarly, 0.6.x branch was mainline till 0.6.31, and was declared stable after 0.7.0 release. For additional details about all existing branches check the download page (http://nginx.org/en/download.html) and relevant CHANGES and CHANGES-X.Y files. Note that it is generally trivial to find out if a version is vulnerable or not from the information about a vulnerability, without any knowledge about nginx branches. That is: - Check if the version is in "Vulnerable" range. If it's not, the version is not vulnerable. - If it is, check if the branch is explicitly listed in the "Not vulnerable". If it's not, the version is vulnerable. If it is, check the minor number: if it's greater or equal to the version listed as not vulnerable, the version is not vulnerable, else the version is vulnerable. Hope this helps. [1] http://mailman.nginx.org/pipermail/nginx/2007-June/001080.html -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
