[pve-devel] Alpine Linux Templates update to address bugs in its package manager APK

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Sep 14 10:35:33 CEST 2018

Hi all,

As you may have read[0], some bugs in the package manager APK in Alpine Linux surfaced.
The most serious one allowing Remote Code Execution (RCE) if the host suffers a Man In
The Middle Attack.

To mitigate this please update your APK version to:
* Alpine Linux v3.5: 2.6.10
* Alpine Linux v3.6: 2.7.6
* Alpine Linux v3.7: 2.10.1
* Alpine Linux v3.8: 2.10.1

(or later).

We updated all our provided template images to a newer version including those fixes[1].
We also unlinked the problematic ones, this is something we normally don't do as we only
remove them from the index, but it seemed justified in this case.
So you will have to update the appliance info index manually (or wait till the
pve-daily-update.timer triggers and updates it automatically):

# pveam update

Then you should have an up to date index and will be able to download Alpine Linux
images again.

Upgrading a existing container:
If you mistrust your network you can manually download the package and verify its
signature manually.
Either use 'apk fetch' and check the downloaded updates with 'apk verify' or download
the package manually from an mirror.

>From https://mirrors.alpinelinux.org/ select a mirror of your choice, ideally with
https, open it and navigate to your version and architecture, e.g.:

search for 'apk-tools-static' and download the respective version, e.g.:

# wget https://repository.fit.cvut.cz/mirrors/alpine/v3.8/main/x86_64/apk-tools-2.10.1-static-r0.apk
# wget https://repository.fit.cvut.cz/mirrors/alpine/v3.8/main/x86_64/apk-tools-static-2.10.1-r0.apk

then verify manually:

# apk verify apk-tools-static-2.10.1-r0.apk

if all's OK you can install it:

# apk add ./apk-tools-static-2.10.1-r0.apk
(apk may still fetch indexes, but it installs from local)

A check could also be done by extracting the .apk in a tmp directory, e.g.:
# mkdir /tmp/apk
# tar xf apk-tools-static-2.10.1-r0.apk -C /tmp/apk

then verify it's content and signatures manually - this can also be done on another box,
if you cannot trust the CT (currently) at all.


[0]: https://justi.cz/security/2018/09/13/alpine-apk-rce.html
[1]: https://git.alpinelinux.org/cgit/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1

More information about the pve-devel mailing list