Date: Wed, 28 Apr 2021 16:44:09 -0600 (MDT)
From: Ariadne Conill
To: Ariadne Conill
cc: Nir Ben-Eliezer, "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>
Subject: RE: Security dispute over nodejs vulnerability in Alpine - Help!
In-Reply-To:
Message-ID: <1933c278-6817-4ff3-13d9-bbaaaa91da1@dereferenced.org>
References: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org>

Hello,

On Wed, 28 Apr 2021, Ariadne Conill wrote:

> Hello,
>
> On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:
>
>> Hi Ariadne, and thank you very much for your quick response.
>>
>> I am asking this on behalf of one of our customers. I've used three
>> different scanners; all yield the same result, identifying nodejs v12.20.1
>> as vulnerable in Alpine 3.13, and recommending to upgrade it to
>> v14.15.4-r0, where it is fixed.
>>
>> The reason why the scanners behave this way is due to the information
>> listed on this page:
>> https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable.
>> If you scroll down to rows 18-19, you'll see this:
>> +# 14.15.4-r0:
>> +# - CVE-2020-8265
>> +# - CVE-2020-8287
>>
>> Indicating that CVE-2020-8265 is fixed in nodejs 14.15.4-r0 on Alpine's
>> 3.13 branch. I did not find any place indicating that nodejs v12.20.1 also
>> contains the fix in Alpine branch 3.13.
>
> It appears that your scanners are probably using our security databases
> incorrectly, or at least making the wrong assumptions about how the version
> lifecycle works in secfixes land.
>
> To explain: we publish security databases for every branch of Alpine; these
> can be fetched at https://secdb.alpinelinux.org/. These databases are
> compiled from the perspective of each branch. Or in other words, they only
> describe versions that are published in that branch.
>
> Incidentally, one or more security companies are presently scraping our cgit
> instance for this information. It may be that you have stale information
> about the v3.13 branch if your security scanners were doing this, as we have
> recently taken action to stop abuse of our cgit instance for this purpose.
> In that case, see the above note about secdb.alpinelinux.org and you will
> have more reliable data.
>
> Anyway, Alpine 3.13 does not credit v12.20.1 with the fix for CVE-2020-8265
> because that version was never published in Alpine 3.13, only Alpine 3.12.
>
> Each security database publishes information based on what packages have been
> published in that branch.
>
> You may also wish to look at our security database viewer at
> https://security.alpinelinux.org/vuln/CVE-2020-8265, which shows both Alpine
> 3.12 and 3.13 having fixes in their respective versions of Node.

Or they would if the CPE rules matched the actual package name... :) But you
can at least view the CPE rules for that one.

Ariadne
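The per-branch secfixes lookup the thread describes, as an added example that is not part of the original message or of Alpine's own tooling. It assumes the JSON layout served under https://secdb.alpinelinux.org/<branch>/main.json (a "packages" list of {"pkg": {"name", "secfixes": {version: [CVE, ...]}}} entries; the sample databases below are constructed to that assumed shape, and the 3.12 fix version for nodejs is illustrative, not copied from the live database). The version comparison is a simplified stand-in for apk's own algorithm: it handles dotted numbers plus an optional -rN pkgrel and nothing else. The point it demonstrates is the one Ariadne makes: consulting the 3.13 database for a package installed from 3.12 gives the scanner's wrong verdict, while consulting the host's own branch gives the right one.

```python
import re

# Constructed sample databases, shaped like the per-branch JSON at
# https://secdb.alpinelinux.org/<branch>/main.json (layout assumed; the
# nodejs 3.12 fix version is illustrative, not taken from the live service).
SECDB = {
    "v3.12": {"distroversion": "v3.12", "reponame": "main", "packages": [
        {"pkg": {"name": "nodejs",
                 "secfixes": {"12.20.1-r0": ["CVE-2020-8265", "CVE-2020-8287"]}}},
    ]},
    "v3.13": {"distroversion": "v3.13", "reponame": "main", "packages": [
        {"pkg": {"name": "nodejs",
                 "secfixes": {"14.15.4-r0": ["CVE-2020-8265", "CVE-2020-8287"]}}},
    ]},
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Simplified apk version parser: "12.20.1-r0" -> ((12, 20, 1), 0).

    Real apk comparison also understands suffixes such as _p1 or _git;
    this helper (an assumption of the example) handles only dotted numbers
    plus an optional -rN package release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    pkgrel = int(m.group(2) or 0)
    return numbers, pkgrel


def fixed_in_branch(secdb, package, installed, cve):
    """True if this branch's database credits a version <= installed with the fix.

    A branch only lists versions it actually published, so a fix that shipped
    in another branch's version is invisible here, by design.
    """
    installed_v = parse_version(installed)
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        if pkg["name"] != package:
            continue
        for fix_version, cves in pkg["secfixes"].items():
            if cve in cves and installed_v >= parse_version(fix_version):
                return True
    return False


def branch_from_release(release_text):
    """Map the contents of /etc/alpine-release (e.g. "3.12.7") to "v3.12"."""
    major, minor = release_text.strip().split(".")[:2]
    return f"v{major}.{minor}"


def assess(release_text, package, installed, cve):
    """Correct scanner behaviour: pick the database for the host's own branch."""
    return fixed_in_branch(SECDB[branch_from_release(release_text)],
                           package, installed, cve)


if __name__ == "__main__":
    # The mistaken verdict: a 3.12 host checked against the 3.13 database.
    print("3.13 db, nodejs 12.20.1-r0:",
          fixed_in_branch(SECDB["v3.13"], "nodejs", "12.20.1-r0", "CVE-2020-8265"))
    # The correct verdict: the same host checked against its own branch.
    print("3.12 host, nodejs 12.20.1-r0:",
          assess("3.12.7\n", "nodejs", "12.20.1-r0", "CVE-2020-8265"))
```

Running it prints `False` for the cross-branch lookup and `True` for the branch-correct one; a scanner that hard-codes the newest branch's database, or scrapes a single branch of cgit, reproduces exactly the false positive Nir's customer saw.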