Date: Thu, 29 Apr 2021 06:24:45 -0600 (MDT)
From: Ariadne Conill
To: Nir Ben-Eliezer
cc: "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>
Subject: RE: Re: Security dispute over nodejs vulnerability in Alpine - Help!

Hello,

On Thu, 29 Apr 2021, Nir Ben-Eliezer wrote:

> Thanks Ariadne.
>
> But one thing still bugs me here. Consider the following scenario: I install Alpine 3.13. I then install nodejs V12.20.1 through APK - this is possible. Bottom line - Am I vulnerable to CVE-2020-8265?

If you install Alpine 3.13, it is not possible for this scenario to happen. Alpine 3.13 shipped from day 1 with Node 14, as Node 14 was pushed to Alpine edge in October 2020, which predated the Alpine 3.13 release.

> Per Alpine's security advisory - I am, because Alpine indicates CVE-2020-8265 is only fixed on nodejs V14.15.4-r0.

Our security advisory indicates that CVE-2020-8265 was fixed in Alpine edge (and therefore later in the 3.13 release) by nodejs 14.15.4-r0. It also indicates that CVE-2020-8265 was fixed in Alpine 3.12 by 12.20.1-r0, because Alpine 3.12 follows the Node 12.x branch.

> But per the node community, I'm not, because they fixed this vulnerability in V12.20.1 (according to their release notes).

As previously stated, it depends on what version of the distribution you are using. Alpine 3.13 never shipped a node package that was vulnerable to CVE-2020-8265, because we fixed it in edge before Alpine 3.13 shipped. But we still record security fix data for edge, as users do use Alpine edge (which is like Debian sid, or Fedora rawhide).

> What I'm asking ultimately, is this: If the node community indicated a certain CVE is fixed in version X, why would Alpine indicate a different version? Is it merely an issue of testing, and the fact that version X was not certified to be used with a certain branch of Alpine, or is there a different reason?

We record the version that we published which resolved the CVE. That is not necessarily the same version upstream. And as I have said before, different Node branches will have CVE fixes in different versions.

> Furthermore, if I compared nodejs V12.20.1 source which I downloaded from the node project on github, to nodejs V12.20.1 which I downloaded using APK, will they be the same?

Generally speaking, yes. However, Alpine, like other distributions, does occasionally make modifications to what upstream has shipped. The source of truth, therefore, is the Alpine aports repository, which contains all of the build recipe (APKBUILD) files for every package in the distribution.

Ariadne
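An added example, not code from this thread or from Alpine's own tooling, of the per-branch lookup described above: a small Python checker that reads a constructed secfixes table (modelled on the "# secfixes:" blocks in APKBUILD files, with the nodejs entries taken from the versions named in this message) and compares an installed package version against the fix version recorded for that branch. The version parser is a simplified assumption, not apk's real ordering, and the SECFIXES table and function names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed per-branch secfixes table, modelled on the "# secfixes:" blocks
# in Alpine APKBUILD files. The nodejs/CVE-2020-8265 versions are the ones
# named in the thread; the table layout itself is an assumption.
SECFIXES: Dict[str, Dict[str, Dict[str, List[str]]]] = {
    "3.12": {"nodejs": {"12.20.1-r0": ["CVE-2020-8265"]}},
    "3.13": {"nodejs": {"14.15.4-r0": ["CVE-2020-8265"]}},
    "edge": {"nodejs": {"14.15.4-r0": ["CVE-2020-8265"]}},
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split an Alpine package version such as '14.15.4-r0' into
    (upstream version tuple, pkgrel). Simplified: only dotted numeric
    upstream versions plus the -rN suffix are handled (real apk ordering
    also understands _rc, _p and letter suffixes)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    upstream = tuple(int(part) for part in m.group(1).split("."))
    pkgrel = int(m.group(2) or 0)
    return upstream, pkgrel


def fixed_in(branch: str, package: str, cve: str) -> List[str]:
    """All published versions of `package` on `branch` whose secfixes
    entry credits them with fixing `cve` (the distribution's version,
    which need not equal the upstream version that carried the fix)."""
    versions = SECFIXES.get(branch, {}).get(package, {})
    return [v for v, cves in versions.items() if cve in cves]


def is_vulnerable(branch: str, package: str, installed: str, cve: str) -> bool:
    """True if the installed version predates every fix recorded for the
    CVE on that branch. The same installed version can be 'fixed' on one
    branch and 'vulnerable' on another, because each branch records the
    version it actually published."""
    fixes = fixed_in(branch, package, cve)
    if not fixes:
        raise LookupError(f"no secfixes entry for {cve} in {package} on {branch}")
    inst = parse_version(installed)
    return all(inst < parse_version(fix) for fix in fixes)
```

Running is_vulnerable("3.12", "nodejs", "12.20.1-r0", "CVE-2020-8265") yields False while the same version queried against "3.13" yields True, which is exactly the per-branch difference the advisory data encodes.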