[PVE-User] APT CVE-2019-3462 (please read before upgrading!)

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Jan 25 15:05:04 CET 2019


On 1/23/19 10:27 AM, Fabian Grünbichler wrote:
> The APT package manager used by Proxmox VE and Proxmox Mail Gateway was
> recently discovered to be affected by CVE-2019-3462, allowing a
> Man-In-The-Middle or malicious mirror server to execute arbitrary code
> with root privileges when affected systems attempt to install upgrades.
> 
> To securely upgrade your systems, run the following commands as root:
> 
> # apt -o Acquire::http::AllowRedirect=false update
> # apt -o Acquire::http::AllowRedirect=false full-upgrade
> 
> and verify that apt is now at least version 1.4.9 on Debian Stretch:
> 
> $ apt -v
> apt 1.4.9 (amd64)
> 
> Please see the Debian Security Advisory for details:
> https://www.debian.org/security/2019/dsa-4371
> 

To allow you to install Proxmox VE with a package management system version not
affected by this issue, we additionally released a new Proxmox VE 5.3 ISO
containing the fix for CVE-2019-3462 and all other security fixes since the
first 5.3 ISO. Get it from:

https://www.proxmox.com/en/downloads/category/iso-images-pve
http://download.proxmox.com/iso/proxmox-ve_5.3-2.iso

All container templates based on apt (Debian and Ubuntu) were also updated
yesterday.

cheers,
Thomas
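
An added example, not part of the original message or of Proxmox tooling: a shell check that parses the `apt -v` banner, compares it against the 1.4.9 minimum quoted above for Debian Stretch, and prints the upgrade commands to use. The function names and the sample banners in the comments are constructed for illustration; the `sort -V` fallback assumes GNU coreutils.

```shell
#!/bin/sh
# Minimum fixed apt version on Debian Stretch, taken from the advisory text above.
# Assumption: the host is Stretch; other releases have different fixed versions.
FIXED_STRETCH="1.4.9"

# Extract the version field from a banner such as "apt 1.4.9 (amd64)".
apt_banner_version() {
    printf '%s\n' "$1" | awk '$1 == "apt" && $2 != "" { print $2; exit }'
}

# Return 0 when version $1 >= version $2. Uses dpkg's comparison when present,
# otherwise GNU sort -V (the smaller of the two must then be $2).
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Classify a banner as "fixed", "vulnerable" or "unknown" (unparseable).
classify_apt() {
    v=$(apt_banner_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_STRETCH"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Print the upgrade commands for a banner. Anything not confirmed fixed
# keeps HTTP redirects disabled, as the advisory instructs.
upgrade_commands() {
    opt="-o Acquire::http::AllowRedirect=false "
    [ "$(classify_apt "$1")" = "fixed" ] && opt=""
    printf 'apt %supdate\napt %sfull-upgrade\n' "$opt" "$opt"
}

# Report on the local system when apt is installed.
if command -v apt >/dev/null 2>&1; then
    banner=$(apt -v 2>/dev/null | head -n 1)
    echo "local apt: $(classify_apt "$banner")"
    upgrade_commands "$banner"
fi
```
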



