Promox CVEs

[mbkb]

I have been looking to utilize Proxmox VE. I have looking at the most recent CVEs discovered in order to find out how long it typically takes for CVEs to be addresses, how security patches and fixes for CVEs get published to Promox users.

The CVEs I have been researching are:
CVE-2022-35508
CVE-2023-43320 - public exploit available
CVE-2023-46854

Looked online and it did not seem obvious at a glance on proxmox forums or website about bug fixes. I did notice there is a git hub and commits of changes seem to get updated there. Is this commonly where CVE updates go? I did see there is a bugzilla too, is this where it would be for CVE updates?

I'm new to this community and would like to understand the above. I also would like to know how often new releases of software tend to appear and what the differences are between open source and enterprise versions?

Any information on this, I would be grateful.
Thanks in advance

 

[Dunuin]

If there is a vulnerability or bug this usually gets fixed within a few days (unless it could only be fixed upstream) and updates will roll out immediately. There is a changelog in the webUI for every updated package that will tell you what CVE or bugs this update addresses. So you could decide if you want to do this update right now or wait for the next maintainance window.

Staff is also very active in this forum.
If I'm right, whenever someone asked if PVE is affected by CVE XYZ there was an answer of one of the staff the same work day.

Most vulnerabilities are targeting Debian packages so here it depends on how fast the Debian updates roll out.