Hi all!
As you may have read[0], some bugs in the package manager APK in Alpine Linux surfaced.
The most serious one allows Remote Code Execution (RCE) if a Man-in-the-Middle attack takes place somewhere between the CT and the package repository mirror.
To mitigate this please update your APK version to:
* Alpine Linux v3.5: 2.6.10
* Alpine Linux v3.6: 2.7.6
* Alpine Linux v3.7: 2.10.1
* Alpine Linux v3.8: 2.10.1
We updated all our provided template images to a newer version including those fixes[1]. We also unlinked the problematic ones; this is something we normally don't do, as we only remove them from the index, but it seemed justified in this case. So you will have to update the appliance info index manually (or wait until the pve-daily-update.timer triggers and updates it automatically):
Code:
# pveam update
Then you should have an up to date index and will be able to download Alpine Linux images again.
Upgrading an existing container:
If you mistrust your network, you can download the package and verify its signature manually. The way that best combines trustworthiness and ease would be pulling the new image we provide; it's signed with our release key and is as secure as package updates from our side.
You could then use the apk from this image to fetch and verify a current apk-tools-static package and deploy it on other CTs. Static is not required, but makes it easier, as all dependencies are linked statically.
Either use 'apk fetch' and check the downloaded updates with 'apk verify', or download the package manually from a mirror. I checked on an older apk version that apk verify did not unpack the archive to disk at any time (it just gets read), thus this should be safe.
From https://mirrors.alpinelinux.org/ select a mirror of your choice, ideally with https, open it and navigate to your version and architecture, e.g.:
https://repository.fit.cvut.cz/mirrors/alpine/v3.8/main/x86_64/
search for 'apk-tools-static' and download the respective version, e.g.:
Code:
# wget https://repository.fit.cvut.cz/mirrors/alpine/v3.8/main/x86_64/apk-tools-static-2.10.1-r0.apk
then verify manually:
Code:
# apk verify apk-tools-static-2.10.1-r0.apk
if all's OK you can install it:
Code:
# apk add ./apk-tools-static-2.10.1-r0.apk
A check could also be done by extracting the .apk into a temporary directory, e.g.:
Code:
# mkdir /tmp/apk
# tar xf apk-tools-static-2.10.1-r0.apk -C /tmp/apk
then verify its content and signatures manually; this can also be done on another box, if you cannot trust the CT (currently) at all.
cheers,
Thomas
[0]: https://justi.cz/security/2018/09/13/alpine-apk-rce.html
[1]: https://git.alpinelinux.org/cgit/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1
(this is an adaptation of a post of mine to the pve-user and pve-devel mailing lists a bit earlier: https://pve.proxmox.com/pipermail/pve-user/2018-September/169971.html )
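As an added example (editor's code, not from the post above and not Proxmox's or Alpine's own tooling), here is a Python script for the "extract and check manually, possibly on another box" step. It never writes the data segment to disk: it splits a downloaded apk-tools-static-*.apk into its three gzip segments in memory, checks that the signature entry names exactly one key without path components, compares .PKGINFO's datahash with the SHA-256 of the data segment, and hands the RSA check to openssl using the same 'openssl dgst -sha1' scheme abuild-sign produces (the layout facts, signature over the compressed control segment and datahash over the compressed data segment, are apk v2 as implemented by apk-tools and abuild). The sample package it builds, its key name SAMPLE_KEY and file contents are constructed for the demonstration; swap_data_segment() shows what a mirror or MITM replacing the payload looks like to the checker.

```python
"""Offline checks of an Alpine .apk before 'apk add' touches it (added example).

apk v2 layout: three concatenated gzip streams, a signature tar with
.SIGN.RSA.<keyname> (or .SIGN.RSA256.<keyname>), a control tar with .PKGINFO,
and the data tar. The RSA signature covers the raw compressed control segment;
.PKGINFO's "datahash" is the SHA-256 of the raw compressed data segment.
"""
import hashlib
import io
import subprocess
import tarfile
import tempfile
import zlib

# Constructed sample key name; real packages use e.g. .SIGN.RSA.alpine-devel@lists.alpinelinux.org-<id>.rsa.pub
SAMPLE_KEY = "example-signing-key.rsa.pub"

def split_segments(blob):
    """Split the raw package bytes into its gzip members, still compressed."""
    segments, rest = [], blob
    while rest:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
        d.decompress(rest)                                 # output discarded
        if not d.eof:
            raise ValueError("truncated gzip stream")
        segments.append(rest[:len(rest) - len(d.unused_data)])
        rest = d.unused_data
    return segments

def read_tar(segment):
    """Return {name: bytes} for the regular files of one compressed tar segment."""
    with tarfile.open(fileobj=io.BytesIO(segment), mode="r:gz") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}

def parse_pkginfo(text):
    """Parse the 'key = value' lines of .PKGINFO; '#' lines are comments."""
    pairs = (line.split(" = ", 1) for line in text.splitlines()
             if line and not line.startswith("#") and " = " in line)
    return {k.strip(): v.strip() for k, v in pairs}

def check_apk(blob, expected_pkgname=None):
    """Checks needing no signing key; returns a findings dict rather than raising."""
    result = {"ok": False, "errors": [], "pkgname": None, "pkgver": None, "keyname": None}
    segments = split_segments(blob)
    if len(segments) != 3:
        result["errors"].append("expected 3 gzip segments, found %d" % len(segments))
        return result
    sig_seg, ctrl_seg, data_seg = segments
    sig_names = [n for n in read_tar(sig_seg) if n.startswith(".SIGN.RSA")]
    if len(sig_names) != 1:
        result["errors"].append("expected one .SIGN.RSA* entry, found %r" % sig_names)
    else:
        result["keyname"] = sig_names[0].split(".", 3)[3]
        if "/" in result["keyname"]:  # would otherwise point outside /etc/apk/keys
            result["errors"].append("key name %r has path components" % result["keyname"])
    info = parse_pkginfo(read_tar(ctrl_seg).get(".PKGINFO", b"").decode("utf-8", "replace"))
    result["pkgname"], result["pkgver"] = info.get("pkgname"), info.get("pkgver")
    if expected_pkgname and info.get("pkgname") != expected_pkgname:
        result["errors"].append("pkgname %r, expected %r" % (info.get("pkgname"), expected_pkgname))
    datahash = hashlib.sha256(data_seg).hexdigest()
    if info.get("datahash") != datahash:
        result["errors"].append("datahash %r in .PKGINFO, data segment hashes to %s"
                                % (info.get("datahash"), datahash))
    result["ok"] = not result["errors"]
    return result

def verify_signature(blob, keys_dir="/etc/apk/keys"):
    """RSA check over the control segment via openssl ('openssl dgst -sha1 -sign' is
    what abuild-sign used); the key file must already be trusted in keys_dir."""
    sig_seg, ctrl_seg, _ = split_segments(blob)
    name, sig = next((n, b) for n, b in read_tar(sig_seg).items() if n.startswith(".SIGN.RSA"))
    keyname = name.split(".", 3)[3]
    if "/" in keyname:
        raise ValueError("refusing key name with path components: %r" % keyname)
    digest = "-sha256" if name.startswith(".SIGN.RSA256.") else "-sha1"
    with tempfile.NamedTemporaryFile() as sigfile:
        sigfile.write(sig)
        sigfile.flush()
        proc = subprocess.run(["openssl", "dgst", digest, "-verify", keys_dir + "/" + keyname,
                               "-signature", sigfile.name], input=ctrl_seg, capture_output=True)
    return proc.returncode == 0

def _tgz(files):
    """One gzip-compressed tar segment from {name: bytes} (for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_apk(pkgname="apk-tools-static", pkgver="2.10.1-r0"):
    """Constructed sample in the apk layout; its signature bytes are a placeholder."""
    data_seg = _tgz({"sbin/apk.static": b"constructed sample, not a real binary\n"})
    pkginfo = "# constructed .PKGINFO\npkgname = %s\npkgver = %s\ndatahash = %s\n" % (
        pkgname, pkgver, hashlib.sha256(data_seg).hexdigest())
    ctrl_seg = _tgz({".PKGINFO": pkginfo.encode()})
    return _tgz({".SIGN.RSA." + SAMPLE_KEY: b"placeholder, not a signature"}) + ctrl_seg + data_seg

def swap_data_segment(blob):
    """Swap in another data segment, as a tampering mirror or MITM would."""
    sig_seg, ctrl_seg, _ = split_segments(blob)
    return sig_seg + ctrl_seg + _tgz({"sbin/apk.static": b"replaced payload\n"})
```

On a box you trust, read the downloaded file into bytes, run check_apk on it with expected_pkgname set to "apk-tools-static", and then verify_signature against a copy of the CT's /etc/apk/keys; only if both pass should the file be handed to 'apk add'. The checker reports findings rather than raising so that a swapped payload, a wrong package name and a signature entry whose key name contains path components all surface as explicit errors, and the sample's placeholder signature is exactly what verify_signature() is meant to reject.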