APT CVE-2019-3462 (please read before upgrading!)

[fabian]

The APT package manager used by Proxmox VE and Proxmox Mail Gateway was recently discovered to be affected by CVE-2019-3462, allowing a Man-In-The-Middle or malicious mirror server to execute arbitrary code
with root privileges when affected systems attempt to install upgrades.

To securely upgrade your systems, run the following commands as root:

# apt -o Acquire::http::AllowRedirect=false update
# apt -o Acquire::http::AllowRedirect=false full-upgrade

and verify that apt is now at least version 1.4.9 on Debian Stretch:

$ apt -v
apt 1.4.9 (amd64)

Please see the Debian Security Advisory DSA-4371 for details.

 

[martin]

Additionally we released a new Proxmox VE 5.3 ISO containing the fix for CVE-2019-3462 and all other security fixes since the first 5.3 ISO.

ISO Download
https://www.proxmox.com/en/downloads/category/iso-images-pve
http://download.proxmox.com/iso/

And we updated the affected LXC templates as well (Debian and Ubuntu).
__________________
Best regards,

Martin Maurer
Proxmox VE project leader

 

[Gaston Senac]

If we do the upgrade from the web GUI will the apt package get updated to version 1.4.9? or is it mandatory to do the command above?
Thanks

 

[Gaston Senac]

If we do the upgrade from the web GUI will the apt package get updated to version 1.4.9? or is it mandatory to do the command above?
Thanks

I think I've got the answer
the code above will do the update/upgrade procedure, but not going to any mirrors. I assume this is a security precaution to avoid any risk of compromised repositories.

 

[fabian]

The commands above will ensure that you will not get exploited by an attacker while upgrading to the fixed version of apt.

 

[David Herselman]

Most systems processed updates without problems but we have one which exhibits the following. Is this possibly due to us being routed to an out of sync mirror or necessitate more careful investigation?

[admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false update
Ign:1 http://ftp.debian.org/debian stretch InRelease
Ign:2 http://hwraid.le-vert.net/debian stretch InRelease
Hit:3 http://ftp.debian.org/debian stretch Release
Ign:4 http://security.debian.org stretch/updates InRelease
Hit:5 http://hwraid.le-vert.net/debian stretch Release
Err:7 http://security.debian.org stretch/updates Release
  302  Found
Hit:9 https://enterprise.proxmox.com/debian/pve stretch InRelease
Reading package lists... Done
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false full-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  pve-kernel-4.15.18-10-pve
The following packages will be upgraded:
  apt apt-transport-https apt-utils base-files libapt-inst2.0 libapt-pkg5.0 libpam-systemd libpve-guest-common-perl libpve-storage-perl librados2-perl
  libsystemd0 libudev1 lxc-pve pve-cluster pve-container pve-firewall pve-ha-manager pve-kernel-4.15 pve-manager pve-xtermjs qemu-server systemd systemd-sysv
  udev
24 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,259 kB/63.4 MB of archives.
After this operation, 260 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Err:1 http://security.debian.org stretch/updates/main amd64 systemd-sysv amd64 232-25+deb9u8
  302  Found
Err:2 http://security.debian.org stretch/updates/main amd64 libpam-systemd amd64 232-25+deb9u8
  302  Found
Err:3 http://security.debian.org stretch/updates/main amd64 libsystemd0 amd64 232-25+deb9u8
  302  Found
Err:4 http://security.debian.org stretch/updates/main amd64 systemd amd64 232-25+deb9u8
  302  Found
Err:5 http://security.debian.org stretch/updates/main amd64 udev amd64 232-25+deb9u8
  302  Found
Err:6 http://security.debian.org stretch/updates/main amd64 libudev1 amd64 232-25+deb9u8
  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd-sysv_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libpam-systemd_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libsystemd0_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/udev_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libudev1_232-25+deb9u8_amd64.deb  302  Found
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Another system in the same subnet updated without errors. We have no caching proxies anywhere either...

 

[fabian]

Most systems processed updates without problems but we have one which exhibits the following. Is this possibly due to us being routed to an out of sync mirror or necessitate more careful investigation?

[admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false update
Ign:1 http://ftp.debian.org/debian stretch InRelease
Ign:2 http://hwraid.le-vert.net/debian stretch InRelease
Hit:3 http://ftp.debian.org/debian stretch Release
Ign:4 http://security.debian.org stretch/updates InRelease
Hit:5 http://hwraid.le-vert.net/debian stretch Release
Err:7 http://security.debian.org stretch/updates Release
  302  Found
Hit:9 https://enterprise.proxmox.com/debian/pve stretch InRelease
Reading package lists... Done
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false full-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  pve-kernel-4.15.18-10-pve
The following packages will be upgraded:
  apt apt-transport-https apt-utils base-files libapt-inst2.0 libapt-pkg5.0 libpam-systemd libpve-guest-common-perl libpve-storage-perl librados2-perl
  libsystemd0 libudev1 lxc-pve pve-cluster pve-container pve-firewall pve-ha-manager pve-kernel-4.15 pve-manager pve-xtermjs qemu-server systemd systemd-sysv
  udev
24 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,259 kB/63.4 MB of archives.
After this operation, 260 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Err:1 http://security.debian.org stretch/updates/main amd64 systemd-sysv amd64 232-25+deb9u8
  302  Found
Err:2 http://security.debian.org stretch/updates/main amd64 libpam-systemd amd64 232-25+deb9u8
  302  Found
Err:3 http://security.debian.org stretch/updates/main amd64 libsystemd0 amd64 232-25+deb9u8
  302  Found
Err:4 http://security.debian.org stretch/updates/main amd64 systemd amd64 232-25+deb9u8
  302  Found
Err:5 http://security.debian.org stretch/updates/main amd64 udev amd64 232-25+deb9u8
  302  Found
Err:6 http://security.debian.org stretch/updates/main amd64 libudev1 amd64 232-25+deb9u8
  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd-sysv_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libpam-systemd_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libsystemd0_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/udev_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libudev1_232-25+deb9u8_amd64.deb  302  Found
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Another system in the same subnet updated without errors. We have no caching proxies anywhere either...

As indicated in the DSA linked in the initial post, you can (temporarily) use an alternative direct URL for a security.debian.org mirror:

This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use:

deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

 

[EuroDomenii]

For Jessie, If that mirror doesn't work, we can install the package directly "If your current package mirrors redirect by default (meaning you can’t update apt when using that flag) you’ll need to pick different mirrors or download the package directly" via original reporter https://justi.cz/security/2019/01/22/apt-rce.html

wget http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_amd64.deb

sha256sum libapt-pkg4.12_1.0.9.8.5_amd64.deb
Compare with checksum here https://packages.debian.org/jessie/amd64/libapt-pkg4.12/download

dpkg -i libapt-pkg4.12_1.0.9.8.5_amd64.deb

wget http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb

sha256sum apt_1.0.9.8.5_amd64.deb
Compare with checksum here  https://packages.debian.org/jessie/amd64/apt/download

dpkg -i apt_1.0.9.8.5_amd64.deb

 

[RobFantini]

on Jan 21 we had updated our systems a few hours before getting notification of the apt bug.

We want to make sure debian files / packages are legitimate .

I assume that running this on all systems ensures that we have no issue. However I am not certain.

debsums --changed

if someone has a suggestion for a better way to check all files, I'd appreciate the advice.