Search results

  1. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2025-00005-1: Various SecureBoot bypasses, data integrity violations and sensitive data leaks in Grub
    Advisory date: 2025-03-06
    Packages: grub-pc-bin, grub-efi-amd64-bin, grub-efi-amd64-signed, grub-efi-amd64-unsigned
    Details: 21 issues in Grub's codebase were found that could...
  2. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2025-00005-1: Various SecureBoot bypasses, data integrity violations and sensitive data leaks in Grub
    Advisory date: 2025-03-06
    Packages: grub-pc-bin, grub-efi-amd64-bin, grub-efi-amd64-signed, grub-efi-amd64-unsigned
    Details: 21 issues in Grub's codebase were found that could...
  3. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2025-00004-1: Automatic format detection in vma create, used for template VMs
    Advisory date: 2025-02-25
    Packages: pve-qemu-kvm, qemu-server
    Details: The vma create CLI command lacked an option to specify an explicit format for images to be included in the created backup archive...
  4. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2025-00003-1: Missing format enforcement for snapshot state volumes
    Advisory date: 2025-02-18
    Packages: pve-qemu-kvm
    Details: An attacker could cause Qemu to load a malicious snapshot state volume triggering arbitrary host file reads. A successful attack requires...
  5. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2025-00002-1: UI: missing HTML-encoding of potentially user-provided data
    Advisory date: 2025-01-21
    Packages: pve-manager, proxmox-widget-toolkit
    Details: Some fields displayed in the web interface could contain potentially user-provided data without escaping contained HTML tags...
  6. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2025-00001-1: Image format confusion with hot-changed CDROM media
    Advisory date: 2025-01-21
    Packages: qemu-server
    Details: Missing checks when hot-swapping a CDROM drive's media could result in an image's format being automatically detected without proper verification...
  7. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00016-1: XSS via Qemu guest agent response
    Advisory date: 2024-12-18
    Packages: pve-manager
    Details: The VM summary panel of the Proxmox VE web interface was missing encoding of values returned by the QEMU Guest Agent (QGA). A malicious agent implementation inside the VM...
  8. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00015-1: XSS in mail queue fields
    Advisory date: 2024-12-18
    Packages: pmg-gui
    Details: Missing encoding in the Proxmox Mail Gateway UI led to HTML code contained in fields of the mail queue view to be rendered by the browser. This issue was reported by Niels Hendriks from...
  9. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00012-1: Proxmox Mail Gateway: unexpected handling of single-part attachments
    Advisory date: 2024-12-12
    Packages: pmg-api
    Details: The Remove Attachments and Attachment Quarantine actions in the rule system ignored the Content-Disposition: attachment header for the first...
  10. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00014-1: image format confusion issues
    Advisory date: 2024-12-11
    Packages: libpve-storage-perl, qemu-server, proxmox-backup-file-restore
    Details: Multiple ways of tricking a Proxmox VE system into using specially crafted, user-provided image data with an unexpected format...
  11. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00013-1: Proxmox VE OVA/OVF importer: Insufficient validation of untrusted input
    Advisory date: 2024-12-11
    Packages:
      - libpve-storage-perl == 8.2.8 (pvetest and pve-no-subscription only)
    Details: On a Proxmox VE system with an active storage with content type "import", a...
  12. ProxmoxSecurityAdvisory

    Proxmox Backup Server - Security Advisories

    Subject: PSA-2024-00011-1: Proxmox Backup Server: unauthenticated DOS vulnerability
    Advisory date: 2024-12-03
    Packages: proxmox-backup-server (== 3.2.8-1, pbstest and pbs-no-subscription only)
    Details: Proxmox Backup Server in version 3.2.8-1 was vulnerable to a remote unauthenticated DOS...
  13. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00010-1: Proxmox VE iSCSI plugin volume path confusion
    Advisory date: 2024-11-20
    Packages: libpve-storage-perl
    Details: On a Proxmox VE system with an active storage of type 'iscsi', a sufficiently privileged user can trick the system into accessing arbitrary host block...
  14. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00009-1: Proxmox VE/Mail Gateway API: post-authentication privileged file read vulnerabilities
    Advisory date: 2024-09-23
    Packages:
      - Proxmox Virtual Environment: pve-manager, libpve-storage-perl, libpve-http-server-perl, qemu-server
      - Proxmox Mail Gateway: pmg-api...
  15. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00009-1: Proxmox VE/Mail Gateway API: post-authentication privileged file read vulnerabilities
    Advisory date: 2024-09-23
    Packages:
      - Proxmox Virtual Environment: pve-manager, libpve-storage-perl, libpve-http-server-perl, qemu-server
      - Proxmox Mail Gateway: pmg-api...
  16. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00008-1: kernel: DoS via short ethernet frames over tun/tap interfaces
    Advisory date: 2024-07-29
    Packages: Proxmox 5.15 kernel packages (Proxmox VE 7), Proxmox 6.5 and 6.8 kernel packages (Proxmox VE 8)
    Details: The tun and tap network drivers in the Linux kernel lacked...
  17. ProxmoxSecurityAdvisory

    Proxmox Backup Server - Security Advisories

    Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response
    Advisory date: 2024-06-28
    Packages: shim-unsigned, shim-signed
    Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled...
  18. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response
    Advisory date: 2024-06-28
    Packages: shim-unsigned, shim-signed
    Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled...
  19. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response
    Advisory date: 2024-06-28
    Packages: shim-unsigned, shim-signed
    Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled...
  20. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00005-1: SMTP Smuggling
    Publication date: 2024-03-28
    Packages: pmg-api, postfix
    Details: Postfix was affected by an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>...