Date: Wed, 28 Apr 2021 13:56:11 -0600 (MDT)
From: Ariadne Conill
To: Nir Ben-Eliezer
cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: Security dispute over nodejs vulnerability in Alpine - Help!
Hello,

On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:

> Hello,
>
> I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the Alpine community and maintainers on this important subject.

I am presently in charge of the security team in Alpine, which maintains the security database we publish.

> I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager (release notes of node community: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version is CVE-2020-8265.
>
> I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears to be fixed only in nodejs v14.15.4-r0.
>
> I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed in as early as nodejs v12.20.1, according to the node community.

Node has multiple maintenance branches, so it is important to realize that something being fixed in 12.x is therefore unrelated to whether it has been fixed in 14.x.

Our internal security database lists CVE-2020-8265 as fixed in nodejs 12.20.1-r0 (Alpine 3.12 branch) and 14.15.4-r0 (Alpine 3.13 branch).

I see no reason to disbelieve our security database. It lines up with CPE data published by the US National Vulnerability Database, which says that CVE-2020-8265 was fixed in upstream versions 12.20.1 and 14.15.4 respectively.

> And therefore - the dispute.
>
> My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claims it to be fixed? Why does Alpine state the fix for said vulnerability exists in v14.15.4-r0 of nodejs, whereas the node maintainers indicate the fix is present in an earlier version?

This is definitely a false positive. What security scanner are you using? The vendor may be incorrectly using the security database we publish; this has happened before.

Ariadne
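The point Ariadne makes is that a fixed version is only meaningful relative to the branch it belongs to: 12.20.1-r0 is the fix on the Alpine 3.12 branch and 14.15.4-r0 the fix on 3.13, and a scanner that compares an installed version against the wrong branch's data reports exactly this kind of false positive. The following is an added illustration, not part of the thread and not Alpine's or any scanner vendor's code. It assumes the per-branch secdb files have the shape `{"packages": [{"pkg": {"name": ..., "secfixes": {"<fixed-version>": [<CVE>, ...]}}}]}` (a constructed excerpt, not a download), and it uses a deliberately simplified version comparison that only accepts the plain `X.Y.Z-rN` form rather than apk's full ordering rules.

```python
"""Branch-aware check of an installed apk package against Alpine-style
secdb data. Added illustration for this thread; not Alpine's scanner code."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the assumed shape of the per-branch secdb JSON files.
# Only the fixed versions stated in the thread are included.
SECDB: Dict[str, dict] = {
    "v3.12": {"packages": [{"pkg": {
        "name": "nodejs",
        "secfixes": {"12.20.1-r0": ["CVE-2020-8265"]}}}]},
    "v3.13": {"packages": [{"pkg": {
        "name": "nodejs",
        "secfixes": {"14.15.4-r0": ["CVE-2020-8265"]}}}]},
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-r(\d+)$")


def parse_apk_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Parse the plain 'X.Y.Z-rN' form into ((X, Y, Z), N) for ordering.

    Simplified on purpose: apk's full ordering (suffixes like _p1 or _git,
    trailing letters) is not modelled, and anything else is rejected rather
    than silently mis-ordered.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unsupported apk version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2))


def secfixes_for(branch: str, pkg: str) -> Dict[str, List[str]]:
    """Return the fixed-version -> CVE-list map for pkg on one branch."""
    try:
        packages = SECDB[branch]["packages"]
    except KeyError:
        raise KeyError(f"no secdb loaded for branch {branch!r}") from None
    for entry in packages:
        if entry["pkg"]["name"] == pkg:
            return entry["pkg"]["secfixes"]
    return {}


def is_fixed(branch: str, pkg: str, installed: str, cve: str) -> bool:
    """True when installed >= the version in which *this branch* fixed cve."""
    have = parse_apk_version(installed)
    for fixed_version, cves in secfixes_for(branch, pkg).items():
        if cve in cves and have >= parse_apk_version(fixed_version):
            return True
    return False


def naive_scan(installed: str, cve: str) -> bool:
    """The false-positive path: consult the newest branch's data no matter
    which Alpine release the image was actually built from."""
    return not is_fixed("v3.13", "nodejs", installed, cve)


def branch_aware_scan(branch: str, installed: str, cve: str) -> bool:
    """The correct path: consult the secdb of the image's own branch."""
    return not is_fixed(branch, "nodejs", installed, cve)


if __name__ == "__main__":
    cve = "CVE-2020-8265"
    for branch, installed in (("v3.12", "12.20.1-r0"), ("v3.13", "14.15.4-r0")):
        naive = "VULN" if naive_scan(installed, cve) else "ok"
        aware = "VULN" if branch_aware_scan(branch, installed, cve) else "ok"
        print(f"{branch} nodejs {installed}: naive={naive} branch-aware={aware}")
```

Run stand-alone, the 3.12 image with nodejs 12.20.1-r0 is flagged by `naive_scan` (it is measured against the 3.13 fix version 14.15.4-r0) and cleared by `branch_aware_scan`; the same package on 3.13 at 14.15.4-r0 is cleared by both. When checking a real image, the branch must come from the image itself (for example `/etc/alpine-release`), never from whichever secdb file happens to be newest.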