That’s a fairly old package and likely is still vulnerable. Igor or
another developer would be best to say whether the Debian team
integrates patches into their packages. (Igor is on vacation) However,
personally, I would download the source for the newest legacy version
(if that’s what you want) and compile it yourself.
There are detailed instructions in the wiki for installation manually.
Prior to doing that, simply use:
apt-get remove nginx
In either case, vulnerable or not, there were quite a few fixes between
.2 and .9. You would benefit from the most updated branch of your
choosing.
-Kevin