APT CVE-2019-3462 (please read before upgrading!)

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
11,127
2,752
303
The APT package manager used by Proxmox VE and Proxmox Mail Gateway was recently discovered to be affected by CVE-2019-3462, allowing a Man-In-The-Middle or malicious mirror server to execute arbitrary code
with root privileges when affected systems attempt to install upgrades.

To securely upgrade your systems, run the following commands as root:

Code:
# apt -o Acquire::http::AllowRedirect=false update
# apt -o Acquire::http::AllowRedirect=false full-upgrade

and verify that apt is now at least version 1.4.9 on Debian Stretch:

Code:
$ apt -v
apt 1.4.9 (amd64)

Please see the Debian Security Advisory DSA-4371 for details.
 
If we do the upgrade from the web GUI will the apt package get updated to version 1.4.9? or is it mandatory to do the command above?
Thanks
 
If we do the upgrade from the web GUI will the apt package get updated to version 1.4.9? or is it mandatory to do the command above?
Thanks
I think I've got the answer :p
the code above will do the update/upgrade procedure, but not going to any mirrors. I assume this is a security precaution to avoid any risk of compromised repositories.
 
The commands above will ensure that you will not get exploited by an attacker while upgrading to the fixed version of apt.
 
  • Like
Reactions: Gaston Senac
Most systems processed updates without problems but we have one which exhibits the following. Is this possibly due to us being routed to an out of sync mirror or necessitate more careful investigation?

Code:
[admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false update
Ign:1 http://ftp.debian.org/debian stretch InRelease
Ign:2 http://hwraid.le-vert.net/debian stretch InRelease
Hit:3 http://ftp.debian.org/debian stretch Release
Ign:4 http://security.debian.org stretch/updates InRelease
Hit:5 http://hwraid.le-vert.net/debian stretch Release
Err:7 http://security.debian.org stretch/updates Release
  302  Found
Hit:9 https://enterprise.proxmox.com/debian/pve stretch InRelease
Reading package lists... Done
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false full-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  pve-kernel-4.15.18-10-pve
The following packages will be upgraded:
  apt apt-transport-https apt-utils base-files libapt-inst2.0 libapt-pkg5.0 libpam-systemd libpve-guest-common-perl libpve-storage-perl librados2-perl
  libsystemd0 libudev1 lxc-pve pve-cluster pve-container pve-firewall pve-ha-manager pve-kernel-4.15 pve-manager pve-xtermjs qemu-server systemd systemd-sysv
  udev
24 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,259 kB/63.4 MB of archives.
After this operation, 260 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Err:1 http://security.debian.org stretch/updates/main amd64 systemd-sysv amd64 232-25+deb9u8
  302  Found
Err:2 http://security.debian.org stretch/updates/main amd64 libpam-systemd amd64 232-25+deb9u8
  302  Found
Err:3 http://security.debian.org stretch/updates/main amd64 libsystemd0 amd64 232-25+deb9u8
  302  Found
Err:4 http://security.debian.org stretch/updates/main amd64 systemd amd64 232-25+deb9u8
  302  Found
Err:5 http://security.debian.org stretch/updates/main amd64 udev amd64 232-25+deb9u8
  302  Found
Err:6 http://security.debian.org stretch/updates/main amd64 libudev1 amd64 232-25+deb9u8
  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd-sysv_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libpam-systemd_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libsystemd0_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/udev_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libudev1_232-25+deb9u8_amd64.deb  302  Found
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?


Another system in the same subnet updated without errors. We have no caching proxies anywhere either...
 
Last edited:
Most systems processed updates without problems but we have one which exhibits the following. Is this possibly due to us being routed to an out of sync mirror or necessitate more careful investigation?

Code:
[admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false update
Ign:1 http://ftp.debian.org/debian stretch InRelease
Ign:2 http://hwraid.le-vert.net/debian stretch InRelease
Hit:3 http://ftp.debian.org/debian stretch Release
Ign:4 http://security.debian.org stretch/updates InRelease
Hit:5 http://hwraid.le-vert.net/debian stretch Release
Err:7 http://security.debian.org stretch/updates Release
  302  Found
Hit:9 https://enterprise.proxmox.com/debian/pve stretch InRelease
Reading package lists... Done
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[admin@kvm2 ~]# apt -o Acquire::http::AllowRedirect=false full-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  pve-kernel-4.15.18-10-pve
The following packages will be upgraded:
  apt apt-transport-https apt-utils base-files libapt-inst2.0 libapt-pkg5.0 libpam-systemd libpve-guest-common-perl libpve-storage-perl librados2-perl
  libsystemd0 libudev1 lxc-pve pve-cluster pve-container pve-firewall pve-ha-manager pve-kernel-4.15 pve-manager pve-xtermjs qemu-server systemd systemd-sysv
  udev
24 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,259 kB/63.4 MB of archives.
After this operation, 260 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Err:1 http://security.debian.org stretch/updates/main amd64 systemd-sysv amd64 232-25+deb9u8
  302  Found
Err:2 http://security.debian.org stretch/updates/main amd64 libpam-systemd amd64 232-25+deb9u8
  302  Found
Err:3 http://security.debian.org stretch/updates/main amd64 libsystemd0 amd64 232-25+deb9u8
  302  Found
Err:4 http://security.debian.org stretch/updates/main amd64 systemd amd64 232-25+deb9u8
  302  Found
Err:5 http://security.debian.org stretch/updates/main amd64 udev amd64 232-25+deb9u8
  302  Found
Err:6 http://security.debian.org stretch/updates/main amd64 libudev1 amd64 232-25+deb9u8
  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd-sysv_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libpam-systemd_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libsystemd0_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/systemd_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/udev_232-25+deb9u8_amd64.deb  302  Found
E: Failed to fetch http://security.debian.org/pool/updates/main/s/systemd/libudev1_232-25+deb9u8_amd64.deb  302  Found
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?


Another system in the same subnet updated without errors. We have no caching proxies anywhere either...

As indicated in the DSA linked in the initial post, you can (temporarily) use an alternative direct URL for a security.debian.org mirror:
This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use:

deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
 
For Jessie, If that mirror doesn't work, we can install the package directly "If your current package mirrors redirect by default (meaning you can’t update apt when using that flag) you’ll need to pick different mirrors or download the package directly" via original reporter https://justi.cz/security/2019/01/22/apt-rce.html

Code:
wget http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_amd64.deb

sha256sum libapt-pkg4.12_1.0.9.8.5_amd64.deb
Compare with checksum here https://packages.debian.org/jessie/amd64/libapt-pkg4.12/download

dpkg -i libapt-pkg4.12_1.0.9.8.5_amd64.deb

wget http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb

sha256sum apt_1.0.9.8.5_amd64.deb
Compare with checksum here  https://packages.debian.org/jessie/amd64/apt/download

dpkg -i apt_1.0.9.8.5_amd64.deb
 
on Jan 21 we had updated our systems a few hours before getting notification of the apt bug.

We want to make sure debian files / packages are legitimate .

I assume that running this on all systems ensures that we have no issue. However I am not certain.
Code:
debsums --changed

if someone has a suggestion for a better way to check all files, I'd appreciate the advice.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!