From: Ted Trask
Subject: Re: Security dispute over nodejs vulnerability in Alpine - Help!
Date: Thu, 29 Apr 2021 07:04:24 -0400
To: Nir Ben-Eliezer
Cc: ~alpine/devel@lists.alpinelinux.org

How exactly are you loading nodejs 12.20.1 when you are already running Alpine 3.13? The current nodejs version in Alpine 3.13 is 14.16.1. I think the problem comes from a mismatch between your Alpine version and your nodejs package. If you upgraded your Alpine version after installing nodejs, you apparently did not upgrade properly. Try running "apk upgrade --available".

Ted

> On Apr 29, 2021, at 6:36 AM, Nir Ben-Eliezer <nir.ben-eliezer@aquasec.com> wrote:
>
> Thanks Ariadne.
>
> But one thing still bugs me here. Consider the following scenario: I install Alpine 3.13. I then install nodejs V12.20.1 through APK - this is possible. Bottom line - Am I vulnerable to CVE-2020-8265?
>
> Per Alpine's security advisory - I am, because Alpine indicates CVE-2020-8265 is only fixed on nodejs V14.15.4-r0.
>
> But per the node community, I'm not, because they fixed this vulnerability in V12.20.1 (according to their release notes).
>
> What I'm asking ultimately, is this: If the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?
>
> Furthermore, if I compared nodejs V12.20.1 source which I downloaded from the node project on github, to nodejs V12.20.1 which I downloaded using APK, will they be the same?
>
> Again I thank you for your time and effort, and your help in sorting this out for us.
> Nir
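Added example, not part of the thread and not Alpine's own code: a simplified Python re-implementation of apk's version ordering plus a lookup against a constructed record in the shape of Alpine's per-branch secdb JSON (the JSON layout, the helper names and the sample data are assumptions; the fix version is the one the thread quotes). It shows how a scanner reading the 3.13 secdb judges the two package versions the thread mentions, which is the mismatch Ted points at.

```python
import re

# Simplified re-implementation of apk's version ordering (written for this
# example, not apk's own code): dotted numeric components, optional trailing
# letter, optional _suffix (pre-release suffixes sort below the bare version,
# post-release suffixes above it) and an optional -rN package release.
PRE = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1}
POST = {"cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5}
VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?"
                    r"(?:_(alpha|beta|pre|rc|cvs|svn|git|hg|p)(\d*))?"
                    r"(?:-r(\d+))?$")

def parse_version(v):
    m = VER_RE.match(v)
    if not m:
        raise ValueError(f"not an apk version: {v}")
    nums, letter, suffix, sufnum, rel = m.groups()
    rank = PRE.get(suffix, POST.get(suffix, 0))
    return (tuple(int(n) for n in nums.split(".")), letter or "",
            rank, int(sufnum or 0), int(rel or 0))

def compare_versions(a, b):
    """-1, 0 or 1, like `apk version -t` reporting <, = or >."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)

# Constructed record in the shape of Alpine's secdb JSON (an assumption about
# the format); the single fix version is the one the thread quotes.
SECDB_V313_MAIN = {"distroversion": "v3.13", "reponame": "main", "packages": [
    {"pkg": {"name": "nodejs", "secfixes": {"14.15.4-r0": ["CVE-2020-8265"]}}}]}

def fixed_versions_for(secdb, pkgname, cve):
    """Versions the branch's secdb lists as fixing `cve` in `pkgname`."""
    for entry in secdb["packages"]:
        if entry["pkg"]["name"] == pkgname:
            return [v for v, cves in entry["pkg"]["secfixes"].items() if cve in cves]
    return []

def vulnerable_per_secdb(secdb, pkgname, installed, cve):
    """True if installed sorts below every listed fix; None if the CVE is unknown."""
    fixes = fixed_versions_for(secdb, pkgname, cve)
    if not fixes:
        return None
    return all(compare_versions(installed, f) < 0 for f in fixes)

def demo():
    # Nir's scenario: a 12.20.1 package checked against 3.13's secdb, which only
    # knows the 14.x fix, is flagged; 14.16.1 (what 3.13 ships) clears the check.
    return {v: vulnerable_per_secdb(SECDB_V313_MAIN, "nodejs", v, "CVE-2020-8265")
            for v in ("12.20.1-r0", "14.16.1-r0")}
```

The secdb for one branch records the fix version that branch shipped, so a package pulled from a different branch is compared against data that never described it.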