[SOLVED] PVE 7.3 with CVE-2022-35508

Yes, the fixes got rolled out in May and July, respectively, as written in the post you quoted:

Timeline

  • 2022-05-17 Reported the XSS vulnerability to vendor
  • 2022-05-17 Vendor acknowledged and patched XSS
  • 2022-06-16 CVE-2022-31358 assigned to the XSS vulnerability
  • 2022-07-01 Reported CRLF injection and SSRF to vendor
  • 2022-07-02 Vendor acknowledged and patched both vulnerabilities
  • 2022-07-06 Submitted CVE ID request form for CRLF injection and SSRF, no reply from MITRE since then
  • 2022-09-03 Emailed MITRE but no reply again
We also got the fixes confirmed by StarLabs quickly.
We also backported the fixes to Proxmox VE 6.4, which was then still supported (but has been EOL for a few months now).

So yeah, Proxmox VE 7.3 and also the latest 6.4 are both safe against those issues.

I'd also like to take the time here to publicly thank StarLabs for reporting these issues to us in private, in a detailed manner, and for confirming our fixes; the whole procedure and communication with them was smooth.
 
For completeness’ sake, these are the specific package versions that include the fix.

Release Series                          | Package                  | >= Version that has fix
PMG/PVE 6.x (Debian 10 Buster based)    | libpve-http-server-perl  | 3.2-5
PMG/PVE 7.x (Debian 11 Bullseye based)  | libpve-http-server-perl  | 4.1-3

You could check the version installed on a PVE host with pveversion -v | grep libpve-http-server-perl or, alternatively, use:
apt show libpve-http-server-perl
 
Ok, the package is
Code:
libpve-http-server-perl
I thought it was:
Code:
pve-http-server

Code:
apt show libpve-http-server-perl
Package: libpve-http-server-perl
Version: 4.1-5

Thanks for the additional information
 
pve-http-server
That's the source code repository; the built binary package follows the standard Debian packaging naming convention, prefixed with lib as it's not doing anything on its own.

Searching with, e.g., apt search pve-http-server can often help for correlation; alternatively one can check the debian/control file in the respective git source code repo, that's the "source of truth".
 
Yes I saw that
I especially wanted confirmation that everything was OK on the new version.
And you were very responsive again thank you.
 
CVE-2022-31358 and CVE-2022-35508 and CVE-2022-35507 are fixed in 6.4-15, right?
 
Hi,
CVE-2022-31358 and CVE-2022-35508 and CVE-2022-35507 are fixed in 6.4-15, right?
It depends on the version of the libpve-http-server-perl package. In Proxmox VE 6, version 3.2-5 of the package contains the fixes: https://git.proxmox.com/?p=pve-http-server.git;a=shortlog;h=refs/heads/stable-6
However, Proxmox VE 6 has been end-of-life for more than a year; it's highly recommended to upgrade: https://pve.proxmox.com/wiki/Upgrade_from_6.x_to_7.0
While 7.x is still supported, the current version is 8: https://pve.proxmox.com/wiki/Upgrade_from_7_to_8
 