CVE-2022-0185 got introduced in Linux kernel 5.1-rc1, and Alpine 3.15 is on kernel version 5.15.
So am I correct that Alpine 5.15 is affected by CVE-2022-0185?
It is kernel 5.15.15, and the vuln is patched in 5.15.16. So yes.
Looks like the maintenance is becoming somewhat resource-limited.
But some months ago I provided a patch for a security-related issue and never got an answer. So it looks like they don't want additional manpower. The issue was closed some weeks later by providing a new package. So I'm somewhat questioning what is going on.
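As an added illustration that is not part of the thread: a small check that maps the two boundaries named above (introduced in 5.1-rc1, fixed in 5.15.16) onto a `uname -r` string, so a 3.15 host can be classified as affected, fixed, or not decidable from this thread. The Alpine `-<pkgrel>-<flavor>` suffix handling and the `None` result for other stable branches are my assumptions.

```python
import platform
import re

# Boundaries taken from the thread: introduced in 5.1-rc1, fixed in 5.15.16.
INTRODUCED = (5, 1, 0)
FIXED = (5, 15, 16)

# Leading "major.minor[.patch]" of a kernel release string; the rest
# ("-0-lts", "-rc1", "-0-virt", ...) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release):
    """Turn '5.15.15-0-lts' (Alpine `uname -r` form, assumed) into (5, 15, 15).

    A '5.1-rc1'-style string parses as (5, 1, 0).
    """
    m = _VERSION_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_by_cve_2022_0185(release):
    """Classify a kernel release using only what the thread states.

    Returns True  if 5.1 <= version < 5.15.16 on the 5.15 line (affected),
            False if the version predates 5.1 or is 5.15.16 or newer (fixed),
            None  for other stable branches (5.10.y, 5.4.y, ...): they carry
                  their own backported fixes, which this thread does not
                  give, so no guess is made.
    """
    v = parse_kernel_version(release)
    if v < INTRODUCED:
        return False
    if v[:2] != FIXED[:2]:
        return None
    return v < FIXED


def check_running_kernel():
    """Apply the check to the kernel this script is running on."""
    return affected_by_cve_2022_0185(platform.release())


if __name__ == "__main__":
    # Constructed sample strings in the Alpine 3.15 kernel naming scheme.
    for rel in ("5.15.15-0-lts", "5.15.16-0-lts", "5.10.93-0-lts"):
        print(rel, "->", affected_by_cve_2022_0185(rel))
```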
> But I've provided some months ago a patch for a security related issue and never got an answer.
Can you please provide a link to your merge request on https://gitlab.alpinelinux.org that was closed without an answer?
Thanks,
Jakub J.
On 1/25/22 2:42 PM, Markus Kolb wrote:
> It is kernel 5.15.15, and the vuln is patched in 5.15.16. So yes.
> Looks like the maintenance is becoming somewhat resource-limited.
> But some months ago I provided a patch for a security-related issue and never got an answer. So it looks like they don't want additional manpower. The issue was closed some weeks later by providing a new package. So I'm somewhat questioning what is going on.
On 25 January 2022 14:24:17 UTC, Jakub Jirutka <jakub@jirutka.cz> wrote:
>> But some months ago I provided a patch for a security-related issue and never got an answer.
>
> Can you please provide a link to your merge request on https://gitlab.alpinelinux.org that was closed without an answer?
>
> Thanks,
> Jakub J.
>
> On 1/25/22 2:42 PM, Markus Kolb wrote:
>> It is kernel 5.15.15, and the vuln is patched in 5.15.16. So yes.
>> Looks like the maintenance is becoming somewhat resource-limited.
>> But some months ago I provided a patch for a security-related issue and never got an answer. So it looks like they don't want additional manpower. The issue was closed some weeks later by providing a new package. So I'm somewhat questioning what is going on.

https://lists.alpinelinux.org/~alpine/aports/patches/3549
I didn't find this patch among the merge requests (https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests), so it predates the integration of the aports mailing list and GitLab. That's why it didn't get any attention. Even in those times, the preferred way of contributing changes was through merge requests on GitLab, not the mailing list.
Your patch is for main/nodejs; coincidentally, I'm the maintainer of this aport. I've never been following the aports mailing list, only GitLab (and before that GitHub). There was no automation over the aports ML, not even notifying the maintainer, so I just didn't know about this patch (or any other there). Fortunately, that's in the past: when you send a patch to the aports ML, it automatically opens an MR on GitLab and the maintainer of the target aport is automatically assigned to it. Comments should be synced both ways, but still, it's much better to use the GitLab interface (web UI or API) to create and interact with merge requests, instead of this archaic and limited mail-based approach.
So that's what is/was going on. Additional manpower is very much needed and welcome.
Jakub J.
On 1/25/22 4:46 PM, Markus Kolb wrote:
> On 25 January 2022 14:24:17 UTC, Jakub Jirutka <jakub@jirutka.cz> wrote:
>>> But some months ago I provided a patch for a security-related issue and never got an answer.
>>
>> Can you please provide a link to your merge request on https://gitlab.alpinelinux.org that was closed without an answer?
>>
>> Thanks,
>> Jakub J.
>>
>> On 1/25/22 2:42 PM, Markus Kolb wrote:
>>> It is kernel 5.15.15, and the vuln is patched in 5.15.16. So yes.
>>> Looks like the maintenance is becoming somewhat resource-limited.
>>> But some months ago I provided a patch for a security-related issue and never got an answer. So it looks like they don't want additional manpower. The issue was closed some weeks later by providing a new package. So I'm somewhat questioning what is going on.
>
> https://lists.alpinelinux.org/~alpine/aports/patches/3549
Hi,
On Tue, 25 Jan 2022, Markus Kolb wrote:
> It is kernel 5.15.15, and the vuln is patched in 5.15.16. So yes.
> Looks like the maintenance is becoming somewhat resource-limited.
> But some months ago I provided a patch for a security-related issue and never got an answer. So it looks like they don't want additional manpower. The issue was closed some weeks later by providing a new package. So I'm somewhat questioning what is going on.
Did you ping @team/security in Gitlab?
Ariadne
@ariadne, how exactly do I ping @team/security in GitLab about this?
I see no way to notify a team in GitLab other than creating a case on a project, for example on https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker/-/issues, but that project never seems to have had any issues registered on it before.
Hi Paul
I created an issue for this here
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13475
Later Natanael upgraded the kernel for 3.15-stable; it should be in a repository mirror near you soon, if not already.
Ariadne's reply was directed to Markus and their unrelated issue.
--
omni
On 25 January 2022 16:58:02 UTC, Jakub Jirutka <jakub@jirutka.cz> wrote:
> I didn't find this patch among the merge requests (https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests), so it predates the integration of the aports mailing list and GitLab. That's why it didn't get any attention. Even in those times, the preferred way of contributing changes was through merge requests on GitLab, not the mailing list.
>
> Your patch is for main/nodejs; coincidentally, I'm the maintainer of this aport. I've never been following the aports mailing list, only GitLab (and before that GitHub). There was no automation over the aports ML, not even notifying the maintainer, so I just didn't know about this patch (or any other there). Fortunately, that's in the past: when you send a patch to the aports ML, it automatically opens an MR on GitLab and the maintainer of the target aport is automatically assigned to it. Comments should be synced both ways, but still, it's much better to use the GitLab interface (web UI or API) to create and interact with merge requests, instead of this archaic and limited mail-based approach.
>
> So that's what is/was going on. Additional manpower is very much needed and welcome.
>
> Jakub J.
>
> On 1/25/22 4:46 PM, Markus Kolb wrote:
>> On 25 January 2022 14:24:17 UTC, Jakub Jirutka <jakub@jirutka.cz> wrote:
>>>> But some months ago I provided a patch for a security-related issue and never got an answer.
>>>
>>> Can you please provide a link to your merge request on https://gitlab.alpinelinux.org that was closed without an answer?
>>>
>>> Thanks,
>>> Jakub J.
>>>
>>> On 1/25/22 2:42 PM, Markus Kolb wrote:
>>>> It is kernel 5.15.15, and the vuln is patched in 5.15.16. So yes.
>>>> Looks like the maintenance is becoming somewhat resource-limited.
>>>> But some months ago I provided a patch for a security-related issue and never got an answer. So it looks like they don't want additional manpower. The issue was closed some weeks later by providing a new package. So I'm somewhat questioning what is going on.
>>
>> https://lists.alpinelinux.org/~alpine/aports/patches/3549
Ok Jakub.
Well, I tried to follow the documented way on wiki.alpinelinux.org for contributing patches at that time.
And today it is still documented there more or less as it was months before.
It is also not about your package or this single experience alone. There have been some more packages I've rebuilt myself in a newer version (not always from edge) before they were available in the repo days/weeks later. Not sure if it is really the case, but I was told on IRC that you (Alpine) get the information about security-related releases at the publication of CVE scores. This is at least sometimes not just-in-time, and there are fixed upstream releases available long before this info is published. Sometimes there is also PoC code published on the same date.
Next to this, there is not really much information on how the "members" (are they members?) of Alpine Linux are organized.
Who are you, organized in the TSC? Is this part of the main job of the core people or your hobby? Are you paid by the sponsors for the development on Alpine for your living? Is there some interest by the sponsors to drive Alpine, or is it personal interest? Is there any relation to musl development and project? Do you develop Alpine for a special purpose for yourself, your employer or a customer?
What is the concept of trust for package maintainers?
At the moment it is like expecting everything and nothing. Not sure if it is responsible to recommend Alpine to a boss or customer and base their platforms on it. Will the community stay alive if one of Timo, Natanael or Carlo has to or wants to do something different?
I've been using Alpine Linux for some years with a very limited package selection, because I like the concept of the small base system, and I've been subscribed to the list for a similar time, but somehow I miss the insight I'm used to getting from other open-source OS community projects during this time.
Thanks
Markus