
Re: [scl.org] Queries regarding nodejs 12 image

Hi Abhinay,

On 3/19/20 8:28 AM, Abhinay Purty wrote:
Hello Team,

IHAC with a few queries.

1. Do the following images contain the security fixes that are mentioned in 'https://nodejs.org/en/blog/vulnerability/february-2020-security-releases'
(CVE-2019-15604, CVE-2019-15605, CVE-2019-15606)?
[*] https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/nodejs-12
[*] https://access.redhat.com/containers/#/registry.access.redhat.com/rhel8/nodejs-12
If I understand correctly, the latest versions of those images were built before the security fixes CVE-2019-15604[1], CVE-2019-15605[2], CVE-2019-15606[3] were released.

[1] https://access.redhat.com/security/cve/CVE-2019-15604
[2] https://access.redhat.com/security/cve/CVE-2019-15605
[3] https://access.redhat.com/security/cve/CVE-2019-15606

The released images seem to be affected by the CVEs mentioned, but do not show up as such in the catalog. This is a problem and I have opened up a ticket against container grading to check what went wrong: https://projects.engineering.redhat.com/projects/GRADING/issues/GRADING-125

The CVEs will soon be fixed (I have checked fixed builds are present) once the following advisory gets pushed: https://errata.devel.redhat.com/advisory/52592

2. Are there any plans to release ubi8/nodejs-12 and rhel8/nodejs-12 s2i builder images that would include the current LTS version of nodejs (12.16.1)?

3. Do ubi8/nodejs-12 and rhel8/nodejs-12 have a vanilla installation of the nodejs runtime? Or is the nodejs runtime in those images Red Hat's own implementation of the nodejs runtime?

I will leave these two to be answered by nodejs maintainers (added to CC).



Abhinay Purty

Associate Technical Support Engineer

Red Hat India Pvt. Ltd.

SCLorg mailing list
SCLorg redhat com
