From: Nir Ben-Eliezer
To: ~alpine/devel@lists.alpinelinux.org
Subject: Security dispute over nodejs vulnerability in Alpine - Help!
Date: Wed, 28 Apr 2021 21:08:04 +0000
Hello,

I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.

I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of the node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version is CVE-2020-8265.

I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.

I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed as early as nodejs v12.20.1, according to the node community.

And therefore - the dispute.

My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claims it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

Thank you very much!
Nir
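The mismatch described in the post comes from where a distro-aware scanner gets its "fixed in" data: it reads the distribution's security database (Alpine's is generated from the `# secfixes:` comment block that maintainers keep in each APKBUILD), not upstream release notes. The script below, an added example that is not code from the post, from Alpine or from any scanner, parses a secfixes block and applies that rule. The APKBUILD excerpt is constructed for the example (it lists only the CVE the post names and is not Alpine's actual data), and the version ordering is a deliberate simplification of apk's rules that handles plain `X.Y.Z-rN` versions but not `_alpha`/`_pre`/letter suffixes.

```python
"""How a secdb-driven scanner decides whether an Alpine package is affected.

Added example, not code from the mailing-list post, Alpine/aports or any
scanner. SAMPLE_APKBUILD is CONSTRUCTED: it uses the aports comment format
but its contents are illustrative only. version_key() is a simplification of
apk's version ordering, adequate for X.Y.Z-rN versions only.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the aports '# secfixes:' format (not Alpine's data).
SAMPLE_APKBUILD = """\
# Maintainer: Example Maintainer <maint@example.org>
pkgname=nodejs
pkgver=14.15.4
pkgrel=0

# secfixes:
#   14.15.4-r0:
#     - CVE-2020-8265
"""

# "#   <version>:" opens a group of fixes; "#     - CVE-..." lists one fix.
SECFIX_VERSION = re.compile(r"^#\s{2,}(\S+):\s*$")
SECFIX_CVE = re.compile(r"^#\s+-\s+(CVE-\d{4}-\d+)\s*$")


def parse_secfixes(apkbuild: str) -> Dict[str, List[str]]:
    """Return {fixed_version: [CVE, ...]} from the '# secfixes:' block."""
    fixes: Dict[str, List[str]] = {}
    in_block = False
    current = None
    for line in apkbuild.splitlines():
        if line.strip() == "# secfixes:":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("#"):
            break  # the block ends at the first non-comment line
        m = SECFIX_VERSION.match(line)
        if m:
            current = m.group(1)
            fixes.setdefault(current, [])
            continue
        m = SECFIX_CVE.match(line)
        if m and current is not None:
            fixes[current].append(m.group(1))
    return fixes


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Simplified apk ordering: dotted numeric pkgver, then the -rN pkgrel.
    Raises on suffixes this simplification does not model (e.g. 1.0_alpha)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    base = tuple(int(p) for p in m.group(1).split("."))
    rel = int(m.group(2) or 0)
    return base, rel


def fixed_versions_for(cve: str, fixes: Dict[str, List[str]]) -> List[str]:
    """All package versions the distro records as fixing the CVE, ascending."""
    return sorted((v for v, cves in fixes.items() if cve in cves), key=version_key)


def is_affected(installed: str, cve: str, fixes: Dict[str, List[str]]) -> bool:
    """The scanner rule: the package is flagged unless the installed version is
    at or above one of the versions the distro lists as fixing the CVE.
    Upstream release notes never enter this decision, which is why a package
    whose upstream version already carries the fix can still be reported."""
    fixed = fixed_versions_for(cve, fixes)
    if not fixed:
        return False  # the distro has no record of this CVE for the package
    return not any(version_key(installed) >= version_key(v) for v in fixed)


if __name__ == "__main__":
    fixes = parse_secfixes(SAMPLE_APKBUILD)
    for installed in ("12.20.1-r0", "14.15.3-r0", "14.15.4-r0"):
        verdict = "AFFECTED" if is_affected(installed, "CVE-2020-8265", fixes) else "not affected"
        print(f"nodejs {installed}: CVE-2020-8265 {verdict}")
```

With the constructed block, 12.20.1-r0 is reported as affected and 14.15.4-r0 is not, reproducing the post's scanner result: the decision only looks at the versions the distro's secfixes entry names, so the way to make a secdb-driven scanner stop flagging a lower version is for the distro's secfixes data to list that version, not for upstream to have fixed it there.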