Is Proxmox Vulnerable to CVE-2014-6271

Discussion in 'Proxmox VE: Installation and configuration' started by tincboy, Sep 25, 2014.

  1. tincboy

    tincboy Member

  2. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    First, there is already a fix for that - just update:

    bash (4.2+dfsg-0.1+deb7u1) wheezy-security; urgency=high

    * Apply patch from Chet Ramey to fix CVE-2014-6271.

    Second, we do not use CGI so I think there is low risk.
     
  3. tincboy

    tincboy Member

    Thanks,
    I've successfully upgraded bash to 4.2+dfsg-0.1+deb7u1, which is Debian's official patch for Proxmox 3.
    But on Proxmox 2, I'm not able to install 4.1-3+deb6u1, which is Debian's official patch, via the `apt-get update && apt-get upgrade` command:
    https://security-tracker.debian.org/tracker/CVE-2014-6271

    Would you please let me know how to patch Proxmox 2?
     
  4. Erwin123

    Erwin123 Member

  5. tincboy

    tincboy Member

  6. ejmerkel

    ejmerkel Member

    I have numerous patches waiting on some Proxmox nodes, but I would like to just update the bash package from the command line (SSH). What is the proper command to do this? Is it just

    Code:
    apt-get install bash
    Thanks,
    Eric
     
  7. tincboy

    tincboy Member

    You can use
    Code:
    apt-get install --only-upgrade bash
    
     
  8. kobuki

    kobuki Member

    When using Squeeze, don't forget to add the LTS repo to the apt sources. More info: https://wiki.debian.org/LTS/Using

    The LTS repository already contains the fixed Bash package. No need to fiddle with random patches and .deb downloads.
     
  9. Erwin123

    Erwin123 Member

  10. esud

    esud New Member

  11. Erwin123

    Erwin123 Member

    Excellent, thank you esud.
     
  12. sumsum

    sumsum Member
    Proxmox Subscriber

    Do I need to reboot or restart services after installing this update?

    No, a reboot of your system or any of your services is not required. This vulnerability is in the initial import of the process environment from the kernel. This only happens when Bash is started. After the update that fixes this issue is installed, such new processes will use the new code, and will not be vulnerable. Conversely, old processes will not be started again, so the vulnerability does not materialize. If you have a strong reason to suspect that a system was compromised by this vulnerability then a system reboot should be performed after the update is installed as a best security practice and security checks should be analyzed for suspicious activity.
     