"copy.fail" mitigations and pve-container package

VictorSTS

As I understand it, the "copy.fail" vulnerability is mitigated on PVE by either:
  • Upgrading the kernel on PVE 8 or 9.
  • Disabling module algif_aead and unloading it.
The official post about this vulnerability [1] also mentions package pve-container. Why is that package update also needed?

Asking because I have two legacy PVE 7.4 clusters that can't be upgraded due to dependencies on old LXC (systemd vs cgroup2 compatibility), and they won't receive that pve-container package update.

Thanks!


[1] https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-850782
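Since the thread's second mitigation is "blacklist the module, unload it, and check", here is what that looks like as a script. This is an added example, not code from the forum post or from the pve-container project. It assumes a Debian-based PVE host where algif_aead is built as a module (as the thread assumes); the conf file name under /etc/modprobe.d is my choice, and the /proc/modules sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the forum thread or the pve-container project):
# blacklist algif_aead so AF_ALG AEAD sockets cannot be created, unload it if
# it is currently loaded, and verify the result from /proc/modules.
# Assumption: Debian-based PVE host, algif_aead built as a module.

# Assumed file name; any file under /etc/modprobe.d works.
BLACKLIST_CONF="${BLACKLIST_CONF:-/etc/modprobe.d/copy-fail-mitigation.conf}"

# The modprobe.d stanza. "blacklist" only stops alias-driven autoload (the
# kernel's request_module for an AF_ALG type); "install ... /bin/false"
# additionally makes an explicit "modprobe algif_aead" fail instead of
# loading the module.
render_blacklist_conf() {
    printf '%s\n' \
        '# copy.fail mitigation: keep algif_aead out of the kernel' \
        'blacklist algif_aead' \
        'install algif_aead /bin/false'
}

# /proc/modules lines look like: name size refcount deps state address
# Return 0 if module $1 is present in the listing read from stdin.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the reference count of module $1 from the listing on stdin (empty
# output if it is not loaded). A non-zero count means another module or an
# open AF_ALG socket pins it, and "modprobe -r" will refuse to unload it.
module_refcount() {
    awk -v m="$1" '$1 == m { print $3 }'
}

# Constructed sample of /proc/modules (not from a real host): algif_aead is
# loaded and idle, and it pins af_alg (refcount 1).
SAMPLE_PROC_MODULES='algif_aead 16384 0 - Live 0xffffffffc0a00000
af_alg 32768 1 algif_aead, Live 0xffffffffc09f0000
kvm_intel 405504 0 - Live 0xffffffffc0b00000'

# Apply the mitigation on the running host (needs root).
apply_mitigation() {
    render_blacklist_conf > "$BLACKLIST_CONF"
    if module_loaded algif_aead < /proc/modules; then
        if [ "$(module_refcount algif_aead < /proc/modules)" = 0 ]; then
            modprobe -r algif_aead
        else
            echo "algif_aead is in use; it stays loaded until its users go away or the host reboots" >&2
            return 1
        fi
    fi
    # Debian's initramfs copies /etc/modprobe.d, so refresh it for the next boot.
    update-initramfs -u
    if module_loaded algif_aead < /proc/modules; then
        echo "algif_aead is still loaded" >&2
        return 1
    fi
    echo "algif_aead blacklisted in $BLACKLIST_CONF and not loaded"
}

# Usage on the host:  sh copy-fail-mitigation.sh --apply
# Without --apply the script only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
fi
```

The refcount check matters in practice: if a process on the host already holds an AF_ALG aead socket, `modprobe -r` fails and the module is only gone after that socket is closed or after a reboot, which is the case the thread's "we can't just reboot whenever we want" remark is about. This only covers the host kernel; what containers can reach is what the pve-container change discussed later in the thread is about.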
Isn't it clear that AF_ALG is enabled, and isn't this just a temporary workaround until we apply the patched kernel and reboot?

After all, we can't just reboot whenever we want.
Isn't it clear that AF_ALG is enabled, and isn't this just a temporary workaround until we apply the patched kernel and reboot?
It is, but:
  • There won't be an updated kernel for PVE7 and permanently disabling the module seems the only option (which is fine for me).
  • And that doesn't answer my question about why the official mitigation statement mentions the package pve-container as needed to mitigate the issue, so that I can evaluate how whatever changes it includes may impact PVE7.

After all, we can't just reboot whenever we want.
Nor upgrade, unfortunately :rolleyes:


Then the recommendation, for me at least, is to have nested Proxmox.
At the time I proposed that too, but the customer doesn't want to invest in those clusters, as they are already migrating apps to a different architecture without LXC on a different cluster. That will take them time, though.
PVE itself is safe as long as you don't use real linux / PAM users, which could elevate privileges.

It is more important in containers, and therefore they updated the pve-container package. The actual change which disables the syscall or call to the function is this:

https://github.com/proxmox/pve-container/commit/00d7fa88b7520507d884bc09335078a3be5a93f8

If you're lucky, you can just apply the patch to the PVE 7 package, if the code in that segment hasn't changed much.