From: Nir Ben-Eliezer
To: ~alpine/devel@lists.alpinelinux.org
Subject: Security dispute over nodejs vulnerability in Alpine - Help!
Date: Wed, 28 Apr 2021 19:32:38 +0000
Hello,

I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.

I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version is CVE-2020-8265.

I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.

I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed as early as nodejs v12.20.1, according to the node community.

And therefore - the dispute.

My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claims it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

Thank you very much!

Nir
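The message above turns on how a scanner decides that CVE-2020-8265 is present: a scanner keyed to Alpine's secdb takes the fixed version from the `# secfixes:` block of the APKBUILD the message links to (14.15.4-r0 for 3.13) and compares it with the installed apk version, so any version that orders below 14.15.4-r0 produces a finding and 14.15.4-r0 itself produces none. The following is an added example that models that check; it is not code from the message, from Alpine, or from any scanner vendor. It assumes the `# secfixes:` comment layout Alpine uses in APKBUILD files, that an installed nodejs 12.20.1 appears to apk as `12.20.1-r0`, and a simplified model of apk version ordering (dotted numerics, an optional trailing letter, `_alpha`/`_beta`/`_pre`/`_rc` and `_cvs`/`_svn`/`_git`/`_hg`/`_p` suffixes, and a `-rN` revision). The APKBUILD excerpt is constructed; its only secfixes entry is the version/CVE pair quoted in the message.

```python
"""Model of the check a secdb-driven scanner performs against an Alpine package.

Added example, not code from the message, Alpine, or any scanner vendor. It
assumes the '# secfixes:' comment layout used in APKBUILD files, that nodejs
12.20.1 is installed as '12.20.1-r0', and a simplified apk version ordering.
Versions outside that subset raise ValueError rather than being guessed at.
"""
import re
from typing import Dict, List, Tuple

# Constructed APKBUILD excerpt: the only secfixes entry is the version/CVE pair
# the message quotes for Alpine 3.13; the other lines are filler for the parser.
APKBUILD_EXCERPT = """\
pkgname=nodejs
pkgver=14.15.4
pkgrel=0

# secfixes:
#   14.15.4-r0:
#     - CVE-2020-8265

build() {
    :
}
"""

PRE_SUFFIXES = ("alpha", "beta", "pre", "rc")     # sort before the bare release
POST_SUFFIXES = ("cvs", "svn", "git", "hg", "p")   # sort after the bare release

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffix>_(?:alpha|beta|pre|rc|cvs|svn|git|hg|p)\d*)?"
    r"(?:-r(?P<rev>\d+))?$"
)


def parse_apk_version(version: str) -> Tuple:
    """Turn an apk version string into a tuple that sorts the way apk orders it."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported apk version: {version!r}")
    nums = tuple(int(part) for part in m.group("nums").split("."))
    letter = m.group("letter") or ""
    suffix = m.group("suffix")
    if suffix is None:
        rank, number = (0, 0), 0           # plain release
    else:
        name = suffix[1:].rstrip("0123456789")
        digits = suffix[1 + len(name):]
        number = int(digits) if digits else 0
        if name in PRE_SUFFIXES:
            rank = (-1, PRE_SUFFIXES.index(name))
        else:
            rank = (1, POST_SUFFIXES.index(name))
    revision = int(m.group("rev") or 0)
    return (nums, letter, rank, number, revision)


def parse_secfixes(apkbuild: str) -> Dict[str, List[str]]:
    """Return {fixed_version: [CVE ids]} from the '# secfixes:' comment block."""
    fixes: Dict[str, List[str]] = {}
    current = None
    in_block = False
    for line in apkbuild.splitlines():
        if line.startswith("# secfixes:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("#"):
            break                          # block ends at the first non-comment line
        body = line[1:].strip()
        if body.endswith(":"):
            current = body[:-1]            # a fixed version opens a new entry
            fixes.setdefault(current, [])
        elif body.startswith("- ") and current is not None:
            fixes[current].append(body[2:].strip())
    return fixes


def scan_package(installed_version: str, secfixes: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """List (CVE, fixed_version) for every secfixes entry newer than what is installed."""
    have = parse_apk_version(installed_version)
    findings = []
    for fixed_version, cves in secfixes.items():
        if have < parse_apk_version(fixed_version):
            findings.extend((cve, fixed_version) for cve in cves)
    return sorted(findings)


if __name__ == "__main__":
    fixes = parse_secfixes(APKBUILD_EXCERPT)
    for installed in ("12.20.1-r0", "14.15.3-r0", "14.15.4-r0"):
        print(installed, "->", scan_package(installed, fixes) or "no findings")
```

Run as a script it prints a finding for 12.20.1-r0 and 14.15.3-r0 and none for 14.15.4-r0. The comparison never consults upstream's own release notes: the only data it has is the version/CVE pair in the secfixes block, which is what makes a build-dependent backport such as the one described in the message invisible to it.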