Thanks Ariadne.
But one thing still bugs me here. Consider the following scenario: I install Alpine 3.13. I then install nodejs V12.20.1 through APK - this is possible. Bottom line - Am I vulnerable to CVE-2020-8265?
Per Alpine's security advisory - I am, because Alpine indicates CVE-2020-8265 is only fixed on nodejs V14.15.4-r0.
But per the node community, I'm not, because they fixed this vulnerability in V12.20.1 (according to their release notes).
What I'm asking ultimately, is this: If the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?
Furthermore, if I compared nodejs V12.20.1 source which I downloaded from the node project on github, to nodejs V12.20.1 which I downloaded using APK, will they be the same?
Again I thank you for your time and effort, and your help in sorting this out for us.
Nir
Re: Security dispute over nodejs vulnerability in Alpine - Help!
How exactly are you loading nodejs 12.20.1 when you are already running Alpine 3.13? The current nodejs version in Alpine 3.13 is 14.16.1. I think the problem comes from a mismatch between your Alpine version and your nodejs package. If you upgraded your Alpine version after installing nodejs, you apparently did not upgrade properly. Try running "apk upgrade --available".
Ted
> On Apr 29, 2021, at 6:36 AM, Nir Ben-Eliezer <nir.ben-eliezer@aquasec.com> wrote:
>
> Thanks Ariadne.
>
> But one thing still bugs me here. Consider the following scenario: I install Alpine 3.13. I then install nodejs V12.20.1 through APK - this is possible. Bottom line - Am I vulnerable to CVE-2020-8265?
>
> Per Alpine's security advisory - I am, because Alpine indicates CVE-2020-8265 is only fixed on nodejs V14.15.4-r0.
>
> But per the node community, I'm not, because they fixed this vulnerability in V12.20.1 (according to their release notes).
>
> What I'm asking ultimately, is this: If the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?
>
> Furthermore, if I compared nodejs V12.20.1 source which I downloaded from the node project on github, to nodejs V12.20.1 which I downloaded using APK, will they be the same?
>
> Again I thank you for your time and effort, and your help in sorting this out for us.
> Nir
RE: Security dispute over nodejs vulnerability in Alpine - Help!
Hi Ted, thank you for your quick response.
It's a good question. I do not know how my customer does it because I have no access to their environment. I know that my customer upgraded from Alpine 3.11 to 3.13, but I don't know how their developers did it. All I know is that at the bottom line, they are using nodejs 12.20.1 on an Alpine 3.13 machine.
But as an example, I just did it myself the following way:
1. Pulled alpine:3.13 from Docker Hub.
2. Ran the container with an interactive shell.
3. Added the nodejs v12.20.1 apk.
Please see below my copy-paste showing the commands I used and the output.
Also, I'd appreciate it if you could relate to my previous question:
What I’m asking ultimately, is this: If the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?
I am trying to find out what the bottom line is, and whether the older nodejs version I installed through APK, is vulnerable or not.
Thank you,
Nir
/ # apk add --repository http://dl-cdn.alpinelinux.org/alpine/v3.11/main --no-cache nodejs=12.22.1-r0
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
(1/6) Installing ca-certificates (20191127-r5)
(2/6) Installing c-ares (1.17.1-r1)
(3/6) Installing libgcc (10.2.1_pre1-r3)
(4/6) Installing nghttp2-libs (1.42.0-r1)
(5/6) Installing libstdc++ (10.2.1_pre1-r3)
(6/6) Installing nodejs (12.22.1-r0)
Executing busybox-1.32.1-r6.trigger
Executing ca-certificates-20191127-r5.trigger
OK: 38 MiB in 20 packages
/ # apk info nodejs
nodejs-12.22.1-r0 description:
JavaScript runtime built on V8 engine - LTS version
nodejs-12.22.1-r0 webpage:
https://nodejs.org/
nodejs-12.22.1-r0 installed size:
29 MiB
nodejs-14.16.1-r1 description:
JavaScript runtime built on V8 engine - LTS version
nodejs-14.16.1-r1 webpage:
https://nodejs.org/
nodejs-14.16.1-r1 installed size:
34 MiB
nodejs-current-15.10.0-r0 description:
JavaScript runtime built on V8 engine - current stable version
nodejs-current-15.10.0-r0 webpage:
https://nodejs.org/
nodejs-current-15.10.0-r0 installed size:
55 MiB
/ #
Hello,
On Thu, 29 Apr 2021, Nir Ben-Eliezer wrote:
> Thanks Ariadne.
>
> But one thing still bugs me here. Consider the following scenario: I install Alpine 3.13. I then install nodejs V12.20.1 through APK - this is possible. Bottom line - Am I vulnerable to CVE-2020-8265?
If you install Alpine 3.13, it is not possible for this scenario to
happen. Alpine 3.13 shipped from day 1 with Node 14, as Node 14 was
pushed to Alpine edge in October 2020, which predated the Alpine 3.13
release.
> Per Alpine's security advisory - I am, because Alpine indicates CVE-2020-8265 is only fixed on nodejs V14.15.4-r0.
Our security advisory indicates that CVE-2020-8265 was fixed in Alpine
edge (and therefore later in 3.13 release) by nodejs 14.15.4-r0.
It also indicates that CVE-2020-8265 was fixed in Alpine 3.12 by
12.20.1-r0, because Alpine 3.12 follows the Node 12.x branch.
> But per the node community, I'm not, because they fixed this vulnerability in V12.20.1 (according to their release notes).
As previously stated, it depends on what version of the distribution you
are using. Alpine 3.13 never shipped a node package that was vulnerable
to CVE-2020-8265, because we fixed it in edge before Alpine 3.13 shipped.
But we still record security fix data for edge, as users do use Alpine
edge (which is like Debian sid, or Fedora rawhide).
> What I'm asking ultimately, is this: If the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?
We record the version that we published which resolved the CVE. That is
not necessarily the same version upstream. And as I have said before,
different Node branches will have CVE fixes in different versions.
> Furthermore, if I compared nodejs V12.20.1 source which I downloaded from the node project on github, to nodejs V12.20.1 which I downloaded using APK, will they be the same?
Generally speaking, yes. However, Alpine, like other distributions, does
occasionally make modifications to what upstream has shipped. The source
of truth, therefore, is the Alpine aports repository, which contains all
of the build recipe (APKBUILD) files for every package in the
distribution.
Ariadne
RE: Security dispute over nodejs vulnerability in Alpine - Help!
Hello,
On Thu, 29 Apr 2021, Nir Ben-Eliezer wrote:
> Hi Ted, thank you for your quick response.
>
> It's a good question. I do not know how my customer does it because I have no access to their environment. I know that my customer upgraded from Alpine 3.11 to 3.13, but I don't know how their developers did it. All I know is that at the bottom line, they are using nodejs 12.20.1 on an Alpine 3.13 machine.
>
> But as an example, I just did it myself the following way:
> 1. Pulled alpine:3.13 from Docker Hub.
> 2. Ran the container with an interactive shell.
> 3. Added the nodejs v12.20.1 apk.
>
> Please see below my copy-paste showing the commands I used and the output.
>
> Also, I'd appreciate it if you could relate to my previous question:
>
> What I'm asking ultimately, is this: If the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?
>
> I am trying to find out what the bottom line is, and whether the older nodejs version I installed through APK, is vulnerable or not.
>
> Thank you,
> Nir
>
> / # apk add --repository http://dl-cdn.alpinelinux.org/alpine/v3.11/main --no-cache nodejs=12.22.1-r0
Here you add the nodejs from Alpine 3.11. Node 12.12.1 was never
published in Alpine 3.13. Thusly, the security data for your container is
incomplete, as you have introduced packages from a different version of
Alpine. You will need to figure out how to detect that yourself in your
security scanning software, I guess.
But none the less, that version you added is not part of Alpine 3.13, and
so the security data that we publish for Alpine 3.13 is not going to
discuss nodejs 12.22.1-r0 because it was not in edge at the time Alpine
3.13 was branched, and it was never in Alpine 3.13 itself.
If you need security data that can cover this scenario, then you should
probably use the union intersection of both the Alpine 3.11 and 3.13
databases. That's all I can tell you as this is not a contingency we
provide support for.
Ariadne
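As an added example (not code from this thread, from Alpine or from the secdb project), a small Python checker that does what Ariadne suggests: consult several branch security databases together and only trust a fix version that sits on the same upstream branch as the installed build. The JSON layout is my assumption about the shape of the public secdb files (secdb.alpinelinux.org/<branch>/main.json); the fix versions in the constructed samples are the ones quoted in the thread, and the version parser is deliberately simplified.

```python
import json
import re

# Constructed samples in the shape of Alpine's secdb JSON (secdb.alpinelinux.org/<branch>/main.json).
# The layout is an assumption; the fix versions are the ones quoted in the thread.
SECDB_3_12 = json.loads("""{"distroversion": "v3.12", "reponame": "main", "packages": [
  {"pkg": {"name": "nodejs", "secfixes": {"12.20.1-r0": ["CVE-2020-8265"]}}}]}""")
SECDB_3_13 = json.loads("""{"distroversion": "v3.13", "reponame": "main", "packages": [
  {"pkg": {"name": "nodejs", "secfixes": {"14.15.4-r0": ["CVE-2020-8265"]}}}]}""")


def parse_apk_version(ver):
    """Split '12.22.1-r0' into ([12, 22, 1], 0).  Simplified on purpose: only dotted
    numeric versions plus the -rN package release; apk's _pre/_p suffixes are rejected."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-r(\d+)", ver)
    if not m:
        raise ValueError(f"unsupported apk version syntax: {ver}")
    return [int(p) for p in m.group(1).split(".")], int(m.group(2))


def same_branch(a, b):
    # Each Alpine release tracks one Node line (3.12 -> 12.x, 3.13 -> 14.x), so a fix
    # recorded against another major version says nothing about the installed build.
    return parse_apk_version(a)[0][0] == parse_apk_version(b)[0][0]


def fixed_in(secdbs, pkgname, installed, cve):
    """Check `installed` against every branch database given (the union Ariadne suggests).
    Returns (status, evidence) with status 'fixed', 'vulnerable' or 'unknown'."""
    for db in secdbs:
        for entry in db["packages"]:
            pkg = entry["pkg"]
            if pkg["name"] != pkgname:
                continue
            for fixver, cves in pkg["secfixes"].items():
                if cve not in cves or not same_branch(fixver, installed):
                    continue  # entry is for another CVE or another upstream branch
                if parse_apk_version(installed) >= parse_apk_version(fixver):
                    return "fixed", f'{db["distroversion"]}: fixed in {fixver}'
                return "vulnerable", f'{db["distroversion"]}: needs {fixver}'
    return "unknown", "no secdb entry covers this package branch"


if __name__ == "__main__":
    # The container from the thread: nodejs 12.22.1-r0 pulled from an older repo into 3.13.
    print(fixed_in([SECDB_3_13], "nodejs", "12.22.1-r0", "CVE-2020-8265"))
    print(fixed_in([SECDB_3_12, SECDB_3_13], "nodejs", "12.22.1-r0", "CVE-2020-8265"))
```

With only the 3.13 database the 12.x build is "unknown" rather than "vulnerable", which is exactly the blind spot a scanner has when packages come from a different branch than the one it is checking against.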