From: Nir Ben-Eliezer
To: ~alpine/devel@lists.alpinelinux.org
Subject: RE: Re: Security dispute over nodejs vulnerability in Alpine - Help!
Date: Thu, 29 Apr 2021 10:37:21 +0000

Thanks Ariadne. But one thing still bugs me here.

Consider the following scenario: I install Alpine 3.13. I then install nodejs V12.20.1 through APK - this is possible. Bottom line - am I vulnerable to CVE-2020-8265?

Per Alpine's security advisory - I am, because Alpine indicates CVE-2020-8265 is only fixed on nodejs V14.15.4-r0.

But per the node community, I'm not, because they fixed this vulnerability in V12.20.1 (according to their release notes).

What I'm asking ultimately is this: if the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?

Furthermore, if I compared the nodejs V12.20.1 source which I downloaded from the node project on GitHub to the nodejs V12.20.1 which I downloaded using APK, will they be the same?

Again I thank you for your time and effort, and your help in sorting this out for us.

Nir
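The discrepancy Nir describes comes from how Alpine-aware scanners decide "affected": they compare the installed apk version against the versions listed in Alpine's per-branch secdb, not against upstream release notes. The following is an added example, not code from the thread or from Alpine; the secdb fragment is constructed from the versions quoted in the mail (shaped like the secfixes entries in https://secdb.alpinelinux.org/v3.13/main.json), and the version comparator is a simplified one covering only dotted numbers and the -rN release suffix.

```python
"""Added example: how a secdb-keyed check classifies an installed nodejs.

SECDB_FRAGMENT is constructed for illustration; it is not fetched from
secdb.alpinelinux.org. Only the nodejs entry quoted in the mail is present.
"""
import re

SECDB_FRAGMENT = {
    "distroversion": "v3.13",
    "packages": [
        {"pkg": {"name": "nodejs",
                 "secfixes": {"14.15.4-r0": ["CVE-2020-8265"]}}},
    ],
}


def _split_version(ver):
    """Split an apk version such as '14.15.4-r0' into comparable parts.

    Simplified comparator (assumption): dotted numeric components plus the
    optional -rN package release. apk's real comparator also understands
    suffixes like _pre/_p, which the versions in this thread do not use.
    """
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version format: {ver}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    rel = int(m.group(2)) if m.group(2) is not None else 0
    return nums, rel


def version_lt(a, b):
    """True when apk version a sorts before b (simplified ordering)."""
    return _split_version(a) < _split_version(b)


def fixed_versions(secdb, pkgname, cve):
    """Every package version the branch's secdb lists as fixing `cve`."""
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        if pkg["name"] == pkgname:
            return [v for v, cves in pkg["secfixes"].items() if cve in cves]
    return []


def affected_per_secdb(secdb, pkgname, installed, cve):
    """True if `installed` is older than every listed fix; None if the
    secdb has no fix entry for this CVE/package at all."""
    fixes = fixed_versions(secdb, pkgname, cve)
    if not fixes:
        return None
    return all(version_lt(installed, f) for f in fixes)
```

With the constructed entry, 12.20.1 is reported as affected and 14.15.4-r0 as fixed, which is exactly the Alpine-side reading in the mail; the upstream release note for 12.20.1 never enters this computation.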