From: Nir Ben-Eliezer
To: Ariadne Conill
CC: ~alpine/devel@lists.alpinelinux.org
Subject: RE: Security dispute over nodejs vulnerability in Alpine - Help!
Date: Wed, 28 Apr 2021 21:56:58 +0000
References: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org>
In-Reply-To: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org>
Hi Ariadne, and thank you very much for your quick response.

I am asking this on behalf of one of our customers. I've used three different scanners, all yield the same result, identifying nodejs v12.20.1 as vulnerable in Alpine 3.13, and recommending to upgrade it to v14.15.4-r0, where it is fixed.

The reason why the scanners behave this way is due to the information listed on this page: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable. If you scroll down to rows 18-19, you'll see this:

+# 14.15.4-r0:
+# - CVE-2020-8265
+# - CVE-2020-8287

Indicating that CVE-2020-8265 is fixed in nodejs 14.15.4-r0 on Alpine's 3.13 branch. I did not find any place indicating that nodejs v12.20.1 also contains the fix in Alpine branch 3.13.

I'd appreciate your clarification on this issue.

Thank you,
Nir

-----Original Message-----
From: Ariadne Conill
Sent: Thursday, April 29, 2021 12:16 AM
To: Nir Ben-Eliezer
Cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: Security dispute over nodejs vulnerability in Alpine - Help!

Hello,

On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:

> Hello,
> I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.
>
> I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version, is CVE-2020-8265.
>
> I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.
>
> I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed in as early as nodejs v12.20.1, according to the node community.
>
> And therefore - the dispute.
>
> My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claim it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

Please see my previous response:
https://lists.alpinelinux.org/~alpine/devel/%3CAM6PR03MB471180AD19195D25E1BC462AB3409%40AM6PR03MB4711.eurprd03.prod.outlook.com%3E#%3Ccabebb1a-591d-efd1-31da-e690dad14@dereferenced.org%3E

Thanks,
Ariadne
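The scanners in this thread take their verdict from the secfixes comment block of the APKBUILD, not from upstream's release notes, so the verdict can only be as complete as that block. The following Python script is an added example, written for this page and not code from the thread, from Alpine, or from any scanner vendor: it parses a secfixes block, orders installed apk versions against the listed fix versions, and reports the result for nodejs 12.20.1 against the block quoted above. Assumptions: the `# secfixes:` header is the aports convention that introduces the quoted lines; the second sample's `12.20.1-r0` entry is hypothetical, constructed only to show how the verdict changes when the metadata changes; the version ordering is simplified to `X.Y.Z` and `X.Y.Z-rN` and does not model apk's suffix rules (`_alpha`, `_git`, and so on).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of an Alpine aports APKBUILD. The
# "14.15.4-r0" entry and its two CVEs are the lines quoted in the thread;
# the "# secfixes:" header is the aports convention that introduces them.
SAMPLE_APKBUILD = """\
pkgname=nodejs
# secfixes:
#   14.15.4-r0:
#     - CVE-2020-8265
#     - CVE-2020-8287
build() {
    :
}
"""

# Hypothetical variant (not real aports data): the same block with an extra
# entry recording the fix in the 12.x line, to show that the verdict follows
# whatever the metadata says.
HYPOTHETICAL_APKBUILD = SAMPLE_APKBUILD.replace(
    "# secfixes:\n",
    "# secfixes:\n#   12.20.1-r0:\n#     - CVE-2020-8265\n",
)

Version = Tuple[Tuple[int, ...], int]


def parse_secfixes(apkbuild: str) -> Dict[str, List[str]]:
    """Return {fixed_version: [CVE, ...]} from the '# secfixes:' comment block."""
    fixes: Dict[str, List[str]] = {}
    in_block = False
    current: Optional[str] = None
    for line in apkbuild.splitlines():
        if line.strip() == "# secfixes:":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("#"):
            break  # the block ends where the comment run ends
        version = re.fullmatch(r"#\s+([\w.+~-]+):\s*", line)
        if version:
            current = version.group(1)
            fixes.setdefault(current, [])
            continue
        cve = re.fullmatch(r"#\s+-\s+(CVE-\d{4}-\d{4,})\s*", line)
        if cve and current is not None:
            fixes[current].append(cve.group(1))
    return fixes


def parse_version(v: str) -> Version:
    """Split an apk-style version into its numeric parts and -rN release.

    Simplified on purpose: only 'X.Y.Z' and 'X.Y.Z-rN' are accepted. Real apk
    versions may also carry suffixes such as _alpha or _git, not modelled here.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def version_at_least(installed: str, fixed: str) -> bool:
    """True when installed >= fixed; shorter numeric tuples are zero-padded."""
    (a, ra), (b, rb) = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return (a + (0,) * (width - len(a)), ra) >= (b + (0,) * (width - len(b)), rb)


def is_affected(installed: str, cve: str, fixes: Dict[str, List[str]]) -> Optional[bool]:
    """Scanner-style verdict from the secfixes data alone.

    True  -> installed version is below every version listed as fixing the CVE
    False -> installed version is at or above one of the listed fix versions
    None  -> the CVE does not appear in the block, so the data cannot say
    """
    fixing = [v for v, cves in fixes.items() if cve in cves]
    if not fixing:
        return None
    return not any(version_at_least(installed, v) for v in fixing)


if __name__ == "__main__":
    # Illustrative installed versions; the interesting row is 12.20.1-r0.
    for label, text in (("as quoted", SAMPLE_APKBUILD), ("hypothetical", HYPOTHETICAL_APKBUILD)):
        fixes = parse_secfixes(text)
        for installed in ("12.20.1-r0", "14.15.4-r0", "14.16.0-r0"):
            verdict = is_affected(installed, "CVE-2020-8265", fixes)
            print(f"{label:12s} nodejs-{installed}: CVE-2020-8265 affected = {verdict}")
```

Run as-is, the block quoted in the thread makes 12.20.1-r0 come out as affected, because the only fix version it names for CVE-2020-8265 is 14.15.4-r0; the hypothetical block flips that verdict without any change to the scanner logic. That is the practical takeaway when triaging such a finding: confirm what the distribution's secfixes metadata actually records for the branch in question before deciding between "false positive" and "upgrade".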