APT CVE-2019-3462 (please read before upgrading!)

Discussion in 'Proxmox VE: Installation and configuration' started by fabian, Jan 23, 2019.

  1. fabian (Proxmox Staff Member)
    The APT package manager used by Proxmox VE and Proxmox Mail Gateway was recently discovered to be affected by CVE-2019-3462, allowing a Man-In-The-Middle or malicious mirror server to execute arbitrary code with root privileges when affected systems attempt to install upgrades.

    To securely upgrade your systems, run the following commands as root:

    Code:
    # apt -o Acquire::http::AllowRedirect=false update
    # apt -o Acquire::http::AllowRedirect=false full-upgrade
    
    and verify that apt is now at least version 1.4.9 on Debian Stretch:

    Code:
    $ apt -v
    apt 1.4.9 (amd64)
    
    Please see the Debian Security Advisory DSA-4371 for details.
     
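    The procedure above, as an added shell example that is not part of the original post and not Proxmox's or Debian's tooling: it runs the two redirect-free apt commands only when SAFE_APT_UPGRADE=1 is set, and otherwise just provides the version check. The suite-to-version table (1.4.9 for stretch and 1.0.9.8.5 for jessie, the two fixed versions named in this thread), the SAFE_APT_UPGRADE and SUITE variables, and the use of sort -V in place of dpkg --compare-versions are this example's own choices.

```shell
#!/bin/sh
# Added example, not Proxmox's or Debian's own tooling: run the redirect-free
# upgrade from the post, then confirm the installed apt is at or above the
# fixed version for the running suite. Thresholds come from this thread:
# 1.4.9 for stretch (DSA-4371) and 1.0.9.8.5 for jessie (post #8). Any other
# suite is treated as unknown rather than guessed.
set -eu

# Minimum fixed apt version for a suite; fails for suites not listed here.
fixed_apt_version_for() {
    case "$1" in
        stretch) echo "1.4.9" ;;
        jessie)  echo "1.0.9.8.5" ;;
        *)       return 1 ;;
    esac
}

# Pull the version out of `apt -v` output such as "apt 1.4.9 (amd64)".
apt_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^apt \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# "$1 >= $2" for dotted versions via sort -V (GNU coreutils). On a Debian
# host, dpkg --compare-versions "$1" ge "$2" is the authoritative check.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# 0 if the `apt -v` output in $2 shows a fixed apt for suite $1,
# 1 if it is still below the threshold, 2 if the suite or version is unknown.
apt_is_fixed() {
    suite="$1"; apt_output="$2"
    min="$(fixed_apt_version_for "$suite")" || return 2
    have="$(apt_version_from_output "$apt_output")"
    [ -n "$have" ] || return 2
    version_ge "$have" "$min"
}

# The real procedure runs only when explicitly requested, as root, on a
# Debian host. SUITE overrides the codename read from /etc/os-release
# (VERSION_CODENAME is present on stretch; set SUITE=jessie by hand there).
if [ "${SAFE_APT_UPGRADE:-0}" = "1" ]; then
    suite="${SUITE:-$(. /etc/os-release && echo "${VERSION_CODENAME:-}")}"
    apt -o Acquire::http::AllowRedirect=false update
    apt -o Acquire::http::AllowRedirect=false full-upgrade
    if apt_is_fixed "$suite" "$(apt -v)"; then
        echo "apt $(apt_version_from_output "$(apt -v)") on $suite is at or above the fixed version"
    else
        echo "apt is still below the fixed version, or suite '$suite' is not known here" >&2
        exit 1
    fi
fi
```

    Run it as `SAFE_APT_UPGRADE=1 sh safe-apt-upgrade.sh` as root; the script exits non-zero if apt is still below the threshold after the upgrade, which is the case to investigate before re-enabling redirects.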
  2. martin (Proxmox Staff Member)
  3. Gaston Senac (New Member)
    If we do the upgrade from the web GUI, will the apt package get updated to version 1.4.9, or is it mandatory to run the commands above?
    Thanks
     
  4. Gaston Senac (New Member)
    I think I've got the answer :p
    The code above will do the update/upgrade procedure, but without going to any mirrors. I assume this is a security precaution to avoid any risk of compromised repositories.
     
  5. fabian (Proxmox Staff Member)
    The commands above will ensure that you will not get exploited by an attacker while upgrading to the fixed version of apt.
     
  6. David Herselman (Active Member, Proxmox Subscriber)
    Most systems processed updates without problems, but we have one which exhibits the following. Is this possibly due to us being routed to an out-of-sync mirror, or does it necessitate more careful investigation?

    Code:
    [admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false update
    Ign:1 http://ftp.debian.org/debian stretch InRelease
    Ign:2 http://hwraid.le-vert.net/debian stretch InRelease
    Hit:3 http://ftp.debian.org/debian stretch Release
    Ign:4 http://security.debian.org stretch/updates InRelease
    Hit:5 http://hwraid.le-vert.net/debian stretch Release
    Err:7 http://security.debian.org stretch/updates Release
      302  Found
    Hit:9 https://enterprise.proxmox.com/debian/pve stretch InRelease
    Reading package lists... Done
    E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    [admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false full-upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Calculating upgrade... Done
    The following NEW packages will be installed:
      pve-kernel-4.15.18-10-pve
    The following packages will be upgraded:
      apt apt-transport-https apt-utils base-files libapt-inst2.0 libapt-pkg5.0 libpam-systemd libpve-guest-common-perl libpve-storage-perl librados2-perl
      libsystemd0 libudev1 lxc-pve pve-cluster pve-container pve-firewall pve-ha-manager pve-kernel-4.15 pve-manager pve-xtermjs qemu-server systemd systemd-sysv
      udev
    24 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 4,259 kB/63.4 MB of archives.
    After this operation, 260 MB of additional disk space will be used.
    Do you want to continue? [Y/n]
    Err:1 http://security.debian.org stretch/updates/main amd64 systemd-sysv amd64 232-25+deb9u8
      302  Found
    Err:2 http://security.debian.org stretch/updates/main amd64 libpam-systemd amd64 232-25+deb9u8
      302  Found
    Err:3 http://security.debian.org stretch/updates/main amd64 libsystemd0 amd64 232-25+deb9u8
      302  Found
    Err:4 http://security.debian.org stretch/updates/main amd64 systemd amd64 232-25+deb9u8
      302  Found
    Err:5 http://security.debian.org stretch/updates/main amd64 udev amd64 232-25+deb9u8
      302  Found
    Err:6 http://security.debian.org stretch/updates/main amd64 libudev1 amd64 232-25+deb9u8
      302  Found
    E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd-sysv_232-25+deb9u8_amd64.deb  302  Found
    E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libpam-systemd_232-25+deb9u8_amd64.deb  302  Found
    E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libsystemd0_232-25+deb9u8_amd64.deb  302  Found
    E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd_232-25+deb9u8_amd64.deb  302  Found
    E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/udev_232-25+deb9u8_amd64.deb  302  Found
    E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libudev1_232-25+deb9u8_amd64.deb  302  Found
    E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
    

    Another system in the same subnet updated without errors. We have no caching proxies anywhere either...
     
    #6 David Herselman, Jan 26, 2019
    Last edited: Jan 26, 2019
  7. fabian (Proxmox Staff Member)
    As indicated in the DSA linked in the initial post, you can (temporarily) use an alternative direct URL for a security.debian.org mirror:
     
  8. EuroDomenii (Member, Proxmox Subscriber)
    For Jessie, if that mirror doesn't work, we can install the package directly: "If your current package mirrors redirect by default (meaning you can't update apt when using that flag) you'll need to pick different mirrors or download the package directly" (via the original reporter, https://justi.cz/security/2019/01/22/apt-rce.html).

    Code:
    wget http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_amd64.deb
    
    sha256sum libapt-pkg4.12_1.0.9.8.5_amd64.deb
    # compare with the SHA256 checksum listed at https://packages.debian.org/jessie/amd64/libapt-pkg4.12/download
    
    dpkg -i libapt-pkg4.12_1.0.9.8.5_amd64.deb
    
    wget http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb
    
    sha256sum apt_1.0.9.8.5_amd64.deb
    # compare with the SHA256 checksum listed at https://packages.debian.org/jessie/amd64/apt/download
    
    dpkg -i apt_1.0.9.8.5_amd64.deb
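
    The manual fallback above, as an added example that is not the poster's commands: the "compare with checksum" step becomes a function that refuses to run dpkg -i unless the file's SHA-256 matches the digest copied from the packages.debian.org download page, and the two packages are installed in the order the post uses (libapt-pkg first). The digests in install_jessie_apt_fix are PASTE_... placeholders, not real package hashes; the DRY_RUN variable and demo_verify, which hashes a constructed file, are this example's own.

```shell
#!/bin/sh
# Added example (not the thread author's commands): install a manually
# downloaded .deb only after its SHA-256 matches the digest taken from
# packages.debian.org, and install libapt-pkg before apt as in post #8.
# The digests below are placeholders to fill in from the packages.debian.org
# download pages; nothing here is a real package hash.
set -eu

# Returns 0 if $1 hashes to $2 (lowercase hex SHA-256), 1 otherwise.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ]
}

# Install a .deb only if verify_sha256 passes; DRY_RUN=1 just reports.
install_verified() {
    file="$1"; expected="$2"
    if ! verify_sha256 "$file" "$expected"; then
        echo "checksum mismatch for $file, refusing to install" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: dpkg -i $file"
    else
        dpkg -i "$file"
    fi
}

# Fetch and install in dependency order. URLs are those from post #8; the
# digests are placeholders to be replaced from packages.debian.org.
install_jessie_apt_fix() {
    base="http://security.debian.org/debian-security/pool/updates/main/a/apt"
    for entry in \
        "libapt-pkg4.12_1.0.9.8.5_amd64.deb:PASTE_LIBAPT_PKG_SHA256_HERE" \
        "apt_1.0.9.8.5_amd64.deb:PASTE_APT_SHA256_HERE"
    do
        file="${entry%%:*}"; digest="${entry#*:}"
        wget -q "$base/$file"
        install_verified "$file" "$digest"
    done
}

# Self-contained demonstration on a constructed file, so the checking logic
# can be exercised without network access or root. Prints "<good> <tampered>"
# where 1 means install_verified accepted the file and 0 means it refused.
demo_verify() {
    tmp="$(mktemp -d)"
    printf 'constructed payload\n' > "$tmp/sample.deb"
    good="$(sha256sum "$tmp/sample.deb" | cut -d' ' -f1)"
    bad="0000000000000000000000000000000000000000000000000000000000000000"
    DRY_RUN=1
    if install_verified "$tmp/sample.deb" "$good" >/dev/null; then ok=1; else ok=0; fi
    if install_verified "$tmp/sample.deb" "$bad" 2>/dev/null; then tampered=1; else tampered=0; fi
    rm -rf "$tmp"
    echo "$ok $tampered"
}
```

    Paste the two SHA256 values from the packages.debian.org download pages into install_jessie_apt_fix before running it as root; a wrong or stale digest makes install_verified stop before dpkg -i, which is the point of checking at all.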
    
     
  9. RobFantini (Active Member, Proxmox Subscriber)
    On Jan 21 we had updated our systems a few hours before getting notification of the apt bug.

    We want to make sure Debian files / packages are legitimate.

    I assume that running this on all systems ensures that we have no issue. However I am not certain.
    Code:
    debsums --changed
    
    if someone has a suggestion for a better way to check all files, I'd appreciate the advice.
     
    #9 RobFantini, Jan 31, 2019
    Last edited: Feb 3, 2019