Hello,

I'm trying to parse the advisories page present at https://nginx.org/en/security_advisories.html. So far, I've understood the even-odd minor versioning scheme for branches (thanks to Maxim at https://marc.info/?l=nginx&m=163174223924231&w=2). There still exist some advisories that are hard to understand. For example:

    Excessive CPU usage in HTTP/2 with small window updates
    Severity: medium
    Advisory
    CVE-2019-9511
    Not vulnerable: 1.17.3+, 1.16.1+
    Vulnerable: 1.9.5-1.17.2

Here, the vulnerable versions are from 1.9.5 through 1.17.2, even though the versions 1.16.1+ are marked not vulnerable. Looking at the odd numbers in the vulnerable range, I could infer that perhaps the vulnerability spanned the mainline branch only. Even then it raises some questions. Following are some interpretations and the problems with them:

1. Interpretation: All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the branch.
   Problem: 1.16.1+ is marked as not vulnerable, so the vulnerability must have been fixed in the 1.16 stable branch as well.

2. Interpretation: Only mainline versions between 1.9.5 and 1.17.2 are vulnerable (as the upper and lower bounds have odd minor).
   Problem: This implies the stable versions 1.10.1+, 1.12.1+ ... 1.16.1+ are not vulnerable; this is less likely, as these ranges did not make it into the not vulnerable range.

3. Interpretation: All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the branch, except the ones mentioned in the not vulnerable range.
   Problem: If the not vulnerable range is to be interpreted as an "exception" to the vulnerable range, then there's no point in mentioning 1.17.3+, as it already lies outside the vulnerable range.

The last interpretation sounds most reasonable to me with the following changes: All versions from 1.9.5 to 1.17.2 are vulnerable, regardless of the branch. It was fixed in the only provided mainline branch, that is 1.17.3+, although some fixes were provided to the stable branches as well (here only one stable branch, that is 1.16.1+).

This will require a hard requirement for the following:

    Not Vulnerable: One mainline version with plus sign, one or many stable branch versions with plus sign
    Vulnerable: A range independent of branching scheme (mainline and stable)

Although this sounds right and suits most of the advisories present on the page, it doesn't handle:

    Buffer underflow vulnerability
    Severity: major
    VU#180065
    CVE-2009-2629
    Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
    Vulnerable: 0.1.0-0.8.14

as there is more than one mainline branch (0.7.62+ and 0.5.38+) in the "Not Vulnerable" range, where there should only be one. Once a vulnerability is fixed in a lower mainline version (0.5.38), it must have been fixed in later mainline and stable versions, which doesn't seem to be the case here (as 0.7.62+ and 0.6.39+ are mentioned explicitly).

Is there any other interpretation that I'm missing that is more suitable here? Also, are there any plans to document the same?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
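As an added example (not from the post, the thread, or the nginx project), the following Python parses advisory blocks laid out as quoted above and answers "is version X affected?" under one assumed reading: a version is vulnerable if it falls inside the inclusive "Vulnerable" range and no "Not vulnerable" entry `x.y.z+` covers it, where `x.y.z+` is taken to mean "x.y.z and later within the x.y branch only". That reading is an assumption chosen because it makes both quoted advisories consistent (it does not need exactly one mainline entry); the stable/mainline split by even/odd minor number is the rule the post refers to. The sample text, the `Advisory` structure and the function names are all constructed here.

```python
import re
from typing import NamedTuple

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.17.3' -> (1, 17, 3); tuples of ints compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def branch(v: Version) -> str:
    """Branch from the minor number: even = stable, odd = mainline."""
    return "stable" if v[1] % 2 == 0 else "mainline"


class Advisory(NamedTuple):
    title: str
    cve: str
    vulnerable: tuple[Version, Version]  # inclusive low..high range
    fixed: tuple[Version, ...]           # versions listed as "x.y.z+"


# Constructed sample: the two advisories quoted in the post, one field per
# line, separated by a blank line.
SAMPLE = """\
Excessive CPU usage in HTTP/2 with small window updates
Severity: medium
Advisory
CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2

Buffer underflow vulnerability
Severity: major
VU#180065
CVE-2009-2629
Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
Vulnerable: 0.1.0-0.8.14
"""

_CVE = re.compile(r"CVE-\d{4}-\d+")
_NOT_VULN = re.compile(r"^Not vulnerable:\s*(.+)$", re.M)
_VULN = re.compile(r"^Vulnerable:\s*([\d.]+)-([\d.]+)$", re.M)


def parse_advisories(text: str) -> list[Advisory]:
    """Split the text into blank-line-separated blocks and parse each one.

    Blocks without a CVE, a 'Not vulnerable:' line and a 'Vulnerable:' range
    are rejected rather than silently guessed at.
    """
    advisories = []
    for block in re.split(r"\n\s*\n", text.strip()):
        title = block.splitlines()[0].strip()
        cve, nv, vr = _CVE.search(block), _NOT_VULN.search(block), _VULN.search(block)
        if not (cve and nv and vr):
            raise ValueError(f"unrecognised advisory block: {title!r}")
        fixed = tuple(parse_version(e.strip().rstrip("+")) for e in nv.group(1).split(","))
        rng = (parse_version(vr.group(1)), parse_version(vr.group(2)))
        advisories.append(Advisory(title, cve.group(0), rng, fixed))
    return advisories


def is_vulnerable(adv: Advisory, version: str) -> bool:
    """Assumed reading: inside the range, and not covered by a same-branch fix."""
    v = parse_version(version)
    low, high = adv.vulnerable
    if not (low <= v <= high):
        return False
    # "x.y.z+" covers versions >= x.y.z in the x.y branch only (assumption).
    return not any(v[:2] == f[:2] and v >= f for f in adv.fixed)


def fixed_by_branch(adv: Advisory) -> dict[str, list[str]]:
    """Group the 'Not vulnerable' entries by branch, in page order."""
    out: dict[str, list[str]] = {"mainline": [], "stable": []}
    for f in adv.fixed:
        out[branch(f)].append(".".join(map(str, f)))
    return out


if __name__ == "__main__":
    for adv in parse_advisories(SAMPLE):
        print(adv.cve, adv.title)
        print("  fixes by branch:", fixed_by_branch(adv))
        for probe in ("1.16.0", "1.16.1", "1.17.2", "1.17.3", "0.7.61", "0.7.62"):
            print(f"  {probe}: {'vulnerable' if is_vulnerable(adv, probe) else 'not vulnerable'}")
```

Running it shows why the one-mainline-entry rule is not needed under this reading: for CVE-2009-2629 the fixes group as two mainline entries (0.7.62, 0.5.38) and two stable ones (0.8.15, 0.6.39), and each only clears its own branch, so 0.7.61 stays vulnerable while 0.7.62 does not. Anything above the range's upper bound (1.17.3, 0.8.15) is cleared by the range check alone, which is why listing it again as `+` is redundant but harmless.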