Date: Wed, 28 Apr 2021 15:16:01 -0600 (MDT)
From: Ariadne Conill
To: Nir Ben-Eliezer
cc: "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>
Subject: Re: Security dispute over nodejs vulnerability in Alpine - Help!
Message-ID: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org>
Hello,

On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:

> Hello,
> I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.
>
> I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version is CVE-2020-8265.
>
> I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.
>
> I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed in as early as nodejs v12.20.1, according to the node community.
>
> And therefore - the dispute.
>
> My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claim it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

Please see my previous response:

https://lists.alpinelinux.org/~alpine/devel/%3CAM6PR03MB471180AD19195D25E1BC462AB3409%40AM6PR03MB4711.eurprd03.prod.outlook.com%3E#%3Ccabebb1a-591d-efd1-31da-e690dad14@dereferenced.org%3E

Thanks,
Ariadne