
Currently, "node:10" is based on Stretch. The image is not totally up-to-date. Despite what the article says, Debian Jessie is still maintained, as part of the Debian LTS effort. After pulling "node:10-jessie" and running "apt update", "apt list --upgradable" says:

    curl/oldstable 7.38.0-4+deb8u14 amd64 [upgradable from: 7.38.0-4+deb8u13]
    libcurl3/oldstable 7.38.0-4+deb8u14 amd64 [upgradable from: 7.38.0-4+deb8u13]
    libcurl3-gnutls/oldstable 7.38.0-4+deb8u14 amd64 [upgradable from: 7.38.0-4+deb8u13]
    libcurl4-openssl-dev/oldstable 7.38.0-4+deb8u14 amd64 [upgradable from: 7.38.0-4+deb8u13]
    libpq-dev/oldstable 9.4.21-0+deb8u1 amd64 [upgradable from: 9.4.20-0+deb8u1]
    libpq5/oldstable 9.4.21-0+deb8u1 amd64 [upgradable from: 9.4.20-0+deb8u1]
    libsystemd0/oldstable 215-17+deb8u10 amd64 [upgradable from: 215-17+deb8u9]
    libtiff5/oldstable 4.0.3-12.3+deb8u8 amd64 [upgradable from: 4.0.3-12.3+deb8u7]
    libtiff5-dev/oldstable 4.0.3-12.3+deb8u8 amd64 [upgradable from: 4.0.3-12.3+deb8u7]
    libtiffxx5/oldstable 4.0.3-12.3+deb8u8 amd64 [upgradable from: 4.0.3-12.3+deb8u7]
    libudev1/oldstable 215-17+deb8u10 amd64 [upgradable from: 215-17+deb8u9]
    systemd/oldstable 215-17+deb8u10 amd64 [upgradable from: 215-17+deb8u9]
    systemd-sysv/oldstable 215-17+deb8u10 amd64 [upgradable from: 215-17+deb8u9]
    udev/oldstable 215-17+deb8u10 amd64 [upgradable from: 215-17+deb8u9]
There shouldn't be 500 vulnerabilities here. Of course, node itself may pull in many outdated libraries outside of Debian (which is a common practice with software using bundled copies instead of system libraries), but without details, it's hard to know what is counted as a vulnerability. Moreover, if the Alpine version has 0 vulnerabilities, it would mean all the vulnerabilities come from Debian.

The article mentions backports of fixes, so I suppose they don't just blindly compare package version numbers with the versions provided in the CVE report. For Debian, they could use the security tracker to know if a CVE is fixed and in which version (something Alpine is lacking, so it's difficult to assess the security of Alpine). However, many CVEs are not fixed because the security issue is deemed to be too minor. A bit more detail about the 500 vulnerabilities would help to understand.

Docker Hub has been providing 3rd party component details for some years now. And based on my limited exposure, they've been pretty spot on in regard to what 3rd party code is included and which CVEs impact the shown components (meaning they appear to mostly correctly account for backported patches to otherwise vulnerable libs). See below (requires a DockerHub account):

URL: https://hub.docker.com/_/node/scans/library/node/current-sli...

URL: https://hub.docker.com/_/mongo/scans/library/mongo/4.1

For node:10-jessie, this is: https://hub.docker.com/_/node/scans/library/node/10-jessie. This seems credible.

