From: Nir Ben-Eliezer
To: ~alpine/devel@lists.alpinelinux.org
Subject: Re: Security dispute over nodejs vulnerability in Alpine - Help!
Date: Thu, 29 Apr 2021 10:34:29 +0000
Thanks Ariadne.

But one thing still bugs me here. Consider the following scenario: I install Alpine 3.13. I then install nodejs V12.20.1 through APK - this is possible. Bottom line - am I vulnerable to CVE-2020-8265?

Per Alpine's security advisory - I am, because Alpine indicates CVE-2020-8265 is only fixed on nodejs V14.15.4-r0.

But per the node community, I'm not, because they fixed this vulnerability in V12.20.1 (according to their release notes).

What I'm asking ultimately is this: if the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?

Furthermore, if I compared nodejs V12.20.1 source which I downloaded from the node project on GitHub, to nodejs V12.20.1 which I downloaded using APK, will they be the same?

Again I thank you for your time and effort, and your help in sorting this out for us.

Nir
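To make the disagreement in the message concrete, here is an added example that is not part of the thread and not code from Alpine, Aqua or the Node.js project. It mimics what a vulnerability scanner does when it consumes a branch-specific Alpine secdb: it compares the installed apk version against the package's `secfixes` map, where each key is the first package version on that branch that carries the listed fixes. The JSON below is a constructed sample in the shape of Alpine's secdb, holding only the one entry the message cites (CVE-2020-8265 fixed at nodejs 14.15.4-r0 on v3.13); the upstream map holds only what the message reports from the Node.js release notes. The version comparison is a simplified one (numeric dotted versions plus `-rN`), not apk-tools' full ordering.

```python
"""Compare an installed Alpine package version against two fix sources:
the branch secdb (distro view) and the upstream release notes (project view).
Added example; the JSON and the upstream map are constructed for this thread."""
import json
import re
from typing import Dict, List, Tuple

# Constructed secdb-style record for one branch. In Alpine's secfixes maps
# the key is the package version at which the fix landed on that branch;
# the special key "0" lists CVEs that do not apply to the package at all.
SAMPLE_SECDB = json.loads("""
{
  "distroversion": "v3.13",
  "reponame": "main",
  "packages": [
    {"pkg": {"name": "nodejs",
             "secfixes": {"14.15.4-r0": ["CVE-2020-8265"]}}}
  ]
}
""")

# Upstream view, limited to what the message says the Node.js release notes
# state (constructed map, not a download of the release notes).
UPSTREAM_FIXED_IN: Dict[str, List[str]] = {"CVE-2020-8265": ["12.20.1"]}


def parse_apk_version(v: str) -> Tuple[List[int], int]:
    """Simplified apk version parser: 'a.b.c-rN' -> ([a, b, c], N).

    A missing '-rN' is treated as release 0. Letter suffixes and _pre/_p
    tags that real apk-tools ordering supports are not handled here.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    rel = int(m.group(2) or 0)
    return parts, rel


def fixed_versions_for(secdb: dict, pkgname: str, cve: str) -> List[str]:
    """Versions at which the branch secdb says `cve` is fixed for `pkgname`."""
    found = []
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        if pkg["name"] != pkgname:
            continue
        for ver, cves in pkg["secfixes"].items():
            if cve in cves:
                found.append(ver)
    return found


def status_against(fixed_in: List[str], installed: str) -> str:
    """'not-applicable', 'unknown', 'fixed' or 'affected' for one fix source."""
    if "0" in fixed_in:
        return "not-applicable"
    if not fixed_in:
        return "unknown"  # the source says nothing about this CVE
    inst = parse_apk_version(installed)
    if any(inst >= parse_apk_version(v) for v in fixed_in):
        return "fixed"
    return "affected"


def verdicts(installed: str, cve: str = "CVE-2020-8265",
             pkgname: str = "nodejs") -> Dict[str, str]:
    """Answer the message's question from both sources for one installed version."""
    return {
        "alpine_secdb": status_against(
            fixed_versions_for(SAMPLE_SECDB, pkgname, cve), installed),
        "upstream_release_notes": status_against(
            UPSTREAM_FIXED_IN.get(cve, []), installed),
    }


if __name__ == "__main__":
    for v in ("12.20.1-r0", "14.15.4-r0"):
        print(v, verdicts(v))
```

Run as-is it shows the split the message describes: for `12.20.1-r0` the secdb-driven check reports `affected` while the upstream-driven check reports `fixed`, and for `14.15.4-r0` both report `fixed`. A scanner keyed to the distro secdb only ever asks "has this branch's package reached the version recorded in secfixes?", so a branch whose map lists the fix at 14.15.4-r0 will flag any lower apk version regardless of what upstream's release notes say; reconciling the two means checking which source a given tool consumes and what the branch's secfixes entry actually records.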