Notice regarding Alpine Linux Templates

Discussion in 'Proxmox VE: Installation and configuration' started by t.lamprecht, Sep 14, 2018.

    t.lamprecht Proxmox Staff Member
    Hi all!

    As you may have read[0], some bugs in the package manager APK in Alpine Linux surfaced.
    The most serious one allows Remote Code Execution (RCE) if a Man-in-the-Middle attack takes place somewhere between the CT and the package repository mirror.

    To mitigate this please update your APK version to:
    * Alpine Linux v3.5: 2.6.10
    * Alpine Linux v3.6: 2.7.6
    * Alpine Linux v3.7: 2.10.1
    * Alpine Linux v3.8: 2.10.1

    We updated all our provided template images to a newer version including those fixes[1]. We also unlinked the problematic ones; this is something we normally don't do, as we only remove them from the index, but it seemed justified in this case. So you will have to update the appliance info index manually (or wait till the pve-daily-update.timer triggers and updates it automatically):

    Code:
    # pveam update
    Then you should have an up to date index and will be able to download Alpine Linux
    images again.

    Upgrading an existing container:
    If you mistrust your network you can manually download the package and verify its signature manually. The way that best combines trustworthiness and ease would be pulling the new image we provide; it's signed with our release key and is as secure as package updates from our side.
    You then could use the apk from this image to fetch and verify a current apk-tools-static package and deploy it on other CTs - static is not required but makes it easier as all dependencies are linked statically.

    Either use 'apk fetch' and check the downloaded updates with 'apk verify' or download the package manually from a mirror. I checked on an older apk version that apk verify did not unpack the archive, thus this should be safe.

    From https://mirrors.alpinelinux.org/ select a mirror of your choice, ideally with https, open it and navigate to your version and architecture, e.g.:
    https://repository.fit.cvut.cz/mirrors/alpine/v3.8/main/x86_64/

    search for 'apk-tools-static' and download the respective version, e.g.:

    Code:
    # wget https://repository.fit.cvut.cz/mirrors/alpine/v3.8/main/x86_64/apk-tools-static-2.10.1-r0.apk 
    then verify manually:

    Code:
    # apk verify apk-tools-static-2.10.1-r0.apk
    if all's OK you can install it:

    Code:
    # apk add ./apk-tools-static-2.10.1-r0.apk
    (apk may still fetch indexes, but it installs from local)
    
    A check could also be done by extracting the .apk in a tmp directory, e.g.:
    Code:
    # mkdir /tmp/apk
    # tar xf apk-tools-static-2.10.1-r0.apk -C /tmp/apk
    
    then verify its content and signatures manually - this can also be done on another box, if you cannot trust the CT (currently) at all.

    cheers,
    Thomas

    [0]: https://justi.cz/security/2018/09/13/alpine-apk-rce.html
    [1]: https://git.alpinelinux.org/cgit/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1

    (this is a slightly adapted copy of a post to the pve-user and pve-devel mailing lists: https://pve.proxmox.com/pipermail/pve-user/2018-September/169971.html )
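As an added example (not from the post above, nor Proxmox's or Alpine's own code), the following Python script does the structural part of the "extract and verify its content manually" step on another box: it splits a downloaded v2 .apk into its signature, control and data gzip segments, reports which key name the signature claims, and checks that the datahash recorded in .PKGINFO matches the data segment actually received. It assumes datahash is the SHA-256 of the compressed data segment as abuild writes it; the RSA signature itself is still what `apk verify` checks against /etc/apk/keys, and the sample package here is constructed in the script with dummy signature bytes.

```python
import hashlib, io, tarfile, zlib

def split_apk(blob: bytes) -> list:
    # A v2 .apk is three concatenated gzip streams: signature, control, data.
    # zlib's unused_data tells us where each member ends.
    segments, rest = [], blob
    while rest:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        d.decompress(rest)
        if not d.eof:
            raise ValueError("truncated gzip stream")
        segments.append(rest[:len(rest) - len(d.unused_data)])
        rest = d.unused_data
    if len(segments) != 3:
        raise ValueError("expected signature, control and data segments")
    return segments

def tar_members(seg: bytes) -> dict:
    with tarfile.open(fileobj=io.BytesIO(seg), mode="r:gz") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}

def inspect_apk(blob: bytes) -> dict:
    # Which key the package claims to be signed with, and whether the
    # datahash recorded in .PKGINFO matches the data segment actually shipped.
    sig, ctl, data = split_apk(blob)
    pkginfo = tar_members(ctl)[".PKGINFO"].decode()
    fields = dict(l.split(" = ", 1) for l in pkginfo.splitlines() if " = " in l)
    return {"signed_with": [n for n in tar_members(sig) if n.startswith(".SIGN.RSA.")],
            "pkgname": fields.get("pkgname"), "pkgver": fields.get("pkgver"),
            "datahash_ok": fields.get("datahash") == hashlib.sha256(data).hexdigest()}

def _tgz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_apk(tamper: bool = False) -> bytes:
    # Constructed stand-in for apk-tools-static-2.10.1-r0.apk (dummy signature,
    # no real key). tamper=True swaps the data segment after datahash was recorded.
    data = _tgz({"sbin/apk.static": b"#!/bin/sh\necho constructed\n"})
    pkginfo = ("pkgname = apk-tools-static\npkgver = 2.10.1-r0\n"
               f"datahash = {hashlib.sha256(data).hexdigest()}\n").encode()
    ctl, sig = _tgz({".PKGINFO": pkginfo}), _tgz({".SIGN.RSA.constructed-key.rsa.pub": b"\0" * 256})
    if tamper:
        data = _tgz({"sbin/apk.static": b"#!/bin/sh\necho tampered\n"})
    return sig + ctl + data
```

Point `inspect_apk` at the bytes of a real download (e.g. `open("apk-tools-static-2.10.1-r0.apk", "rb").read()`) to see the claimed key name and the datahash result before trusting the file.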