General FAQ about Proxmox Security Advisories

Status
Not open for further replies.

ProxmoxSecurityAdvisory

Proxmox Staff Member
Jan 1, 2024
Q: Which components and vulnerabilities are covered by Proxmox Security Announcements?
A: First and foremost, vulnerabilities in first-party software such as the Proxmox VE management stack or the Proxmox Backup Server/Client. Major vulnerabilities in third-party components like QEMU and the Linux kernel are included as well, if they affect common setups of Proxmox products or provide a core part of their functionality. Security information regarding packages shipped directly by the Debian project can be found on its website: https://www.debian.org/security/

Q: Since when are announcements made?
A: This forum started in June 2024, and announcements were retroactively posted from the 2024-01-01 cut-off date. While we kept track of all issues internally before that date, and also posted publicly about them, we see no point in adding these more structured advisories for outdated (point) releases.

Q: When are PSA advisories published?
A: Shortly after there is a fixed and tested package available on the enterprise repositories, or sooner if there is a readily available workaround that does not require upgrading packages, unless embargoed information requires a longer delay.
Note that the first set of advisories prior to June were made visible when the new Security Advisory forum was first made public.

Q: What is the structure of these announcements?
A: There will be one thread per Proxmox project, with a post per announcement, each with its own identifier in the format PSA-YEAR-COUNTER-REVISION, for example PSA-2024-00001-1. Note that the counter may have gaps between announced issues due to other pending issues with a longer release/embargo time, issues that have been determined to be invalid, or issues that have been split into multiple issues.

Q: Why are these threads locked?
A: The forum is designed such that users can watch (subscribe) for new posts for the specific set of Proxmox projects they are interested in. User replies would add noise to these notifications, making them less useful.

Q: How can I discuss any such announcement?
A: You can open a thread in the respective product category and ask your question together with a reference to this issue. If you have a valid enterprise support subscription, you can also create a ticket in the customer support portal.

Q: I have found a (potential) security issue in a component, how can I report it correctly?
A: We ask you to report any confirmed or potential security issue by email to security@proxmox.com. You can encrypt any messages with our dedicated GPG key with the fingerprint E6792AA698E11855375AB9E35D0CBD4361F204C5 (public key download).
For more details see our https://pve.proxmox.com/wiki/Security_Reporting wiki (archived).
