Subject: Re: Alpine Linux affected by CVE-2022-0185?
From: Jakub Jirutka
To: Markus Kolb, ~alpine/users@lists.alpinelinux.org, Paul
Date: Tue, 25 Jan 2022 17:58:02 +0100
Message-ID: <2b551cfe-9642-4b03-93ab-1a23442dee3b@jirutka.cz>

I didn’t find this patch on merge requests (https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests), so it predates the integration of the aports mailing list and GitLab. That’s why it didn’t get any attention. Even in those times, the preferred way for contributing changes was through merge requests on GitLab, not the mailing list.

Your patch is for main/nodejs; coincidentally, I’m the maintainer of this aport. I’ve never been following the aports mailing list, only GitLab (and before that GitHub). There was no automation over aports ML, not even notifying the maintainer, so I just didn’t know about this patch (or any other there). Fortunately, that’s in the past; when you send a patch to the aports ML, it automatically opens an MR on GitLab and the maintainer of the target aport is automatically assigned to it. Comments should be synced in both ways, but still, it’s much better to use the GitLab interface (web UI or API) to create and interact with merge requests, instead of this archaic and limited mail-based approach.

So that’s what is/was going on. Additional man power is very much needed and welcome.

Jakub J.

On 1/25/22 4:46 PM, Markus Kolb wrote:
> On 25 January 2022 14:24:17 UTC, Jakub Jirutka wrote:
>
>>> But I've provided some months ago a patch for a security related issue and never got an answer.
>>
>> Can you please provide a link to your merge request on https://gitlab.alpinelinux.org that was closed without answer?
>>
>> Thanks,
>> Jakub J.
>>
>> On 1/25/22 2:42 PM, Markus Kolb wrote:
>>
>>> It is kernel 5.15.15 and patched is the vuln in 5.15.16. So yes.
>>> Looks like the maintenance becomes somewhat resource limited.
>>> But I've provided some months ago a patch for a security related issue and never got an answer. So looks like they don't want to have additional man power. The issue has been closed some weeks later with providing a new package. So somewhat questioning what is going on.
>
> https://lists.alpinelinux.org/~alpine/aports/patches/3549