Date: Thu, 29 Apr 2021 04:06:38 -0600 (MDT)
From: Ariadne Conill
To: Nir Ben-Eliezer
cc: Ariadne Conill, "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>
Subject: RE: Security dispute over nodejs vulnerability in Alpine - Help!
In-Reply-To:
Message-ID: <5f129c7d-b379-5f4-e129-b761f99e5e0@dereferenced.org>
References: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org> <1933c278-6817-4ff3-13d9-bbaaaa91da1@dereferenced.org>

Hello,

On Thu, 29 Apr 2021, Nir Ben-Eliezer wrote:

> Hey,
>
> I checked https://secdb.alpinelinux.org/v3.13/main.json and https://secdb.alpinelinux.org/v3.13/community.json. As you said, this data should be the most reliable source. Note we are talking about Alpine 3.13.
>
> Here's what I found:
> 1. "main.json" lists package "nodejs" and lists CVE-2020-8265 as fixed in version 14.15.4-r0. This CVE does not appear anywhere else in this json.
> 2. "community.json" lists package "nodejs-current" and lists CVE-2020-8265 as fixed in version 15.5.1-r0.

The nodejs-current package tracks whatever the development branch of Node was at the time. Stable branches of Node are even-numbered, while development branches are odd-numbered. So, the development branch (Node 15) fixed that CVE in 15.5.1-r0, which also agrees with the CPE data.

> Do you know the reason for the difference?
>
> So... I'm a bit confused. At the beginning you said that the fact we find CVE-2020-8265 on an Alpine 3.13 image, running nodejs v12.20.1 - is a false positive. In your latest message, however, you mention that Alpine 3.13 does not credit v12.20.1 with the fix for CVE-2020-8265 because that version was never published in Alpine 3.13, only Alpine 3.12.
>
> And finally, when looking at the Alpine 3.13 branch in secdb, which is supposed to be reliable, I see information which indicates that the scanners are working correctly. This is what they all do:
> 1. They identify the OS as Alpine 3.13 - correct. This is the OS the customer is running.
> 2. They identify a nodejs v12.20.1 APK installed on the machine - correct. This is the package the customer installed.
> 3. They identify it is vulnerable to CVE-2020-8265. Should be correct because Alpine doesn't credit v12.20.1 with the fix for this CVE, as you said before.
> 4. They identify Alpine's recommendation to upgrade nodejs to 14.15.4-r0 in order to fix the problem. This is correct according to secdb.alpinelinux.org/v3.13/main.json
>
> I am failing to see what the scanners are doing incorrectly and why you consider this a false positive.

Based on this, I don't consider that a false positive.

Ariadne
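Added example (not code from the thread or from Alpine's own tooling): a minimal scanner-style check over secdb-shaped data, showing why the same nodejs 12.20.1-r0 package is flagged against the v3.13 database (fix credited only to 14.15.4-r0) but not against a v3.12 database that credits 12.20.1-r0, as the thread describes. The two documents are constructed inline in secdb's packages/pkg/secfixes layout; the version comparison is a simplified stand-in for apk's, not Alpine's algorithm.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample shaped like secdb.alpinelinux.org/v3.13/main.json:
# only the nodejs entry discussed in the thread is included.
SECDB_V313_MAIN = {
    "distroversion": "v3.13", "reponame": "main",
    "packages": [
        {"pkg": {"name": "nodejs",
                 "secfixes": {"14.15.4-r0": ["CVE-2020-8265"]}}},
    ],
}

# Constructed v3.12 counterpart: per the thread, that branch credited the
# 12.20.1 release with the fix. Assumed data, not fetched from secdb.
SECDB_V312_MAIN = {
    "distroversion": "v3.12", "reponame": "main",
    "packages": [
        {"pkg": {"name": "nodejs",
                 "secfixes": {"12.20.1-r0": ["CVE-2020-8265"]}}},
    ],
}

def parse_apk_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '14.15.4-r0' into ((14, 15, 4), 0) for ordered comparison.
    Simplified: dotted numeric components plus the -rN package release;
    apk's suffix rules (_pre, _p, letters) are deliberately not modelled."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def fixed_versions_for(secdb: dict, pkgname: str, cve: str) -> List[str]:
    """Every version this secdb credits with fixing `cve` for `pkgname`."""
    return [ver
            for entry in secdb["packages"] if entry["pkg"]["name"] == pkgname
            for ver, cves in entry["pkg"]["secfixes"].items() if cve in cves]

def is_vulnerable(secdb: dict, pkgname: str, installed: str, cve: str) -> Optional[bool]:
    """True if the installed version predates every credited fix, False if it
    is at or past one, None if this secdb has no fix entry at all (a scanner
    cannot decide from this branch's data alone)."""
    fixes = fixed_versions_for(secdb, pkgname, cve)
    if not fixes:
        return None
    inst = parse_apk_version(installed)
    return all(inst < parse_apk_version(f) for f in fixes)
```

The result flips purely on which branch's database is consulted, which is the crux of the dispute: a scanner matching an Alpine 3.13 host's package list against v3.13 secdb has no record that 12.20.1-r0 was ever a fixed version there.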