I've looked for Proxmox security bulletins or so on, but I couldn't find anything but single CVEs when they happen.
Is there a dedicated newsletter where I can find fixed vulnerabilities in this version etc?
Would be interested in that too.
I guess following Debian + Ubuntu bulletins should work too, as PVE is based on Debian and using a modified Ubuntu kernel.
There is currently no centralized place where such announcements are collected. We monitor relevant upstreams like the Linux kernel project, Qemu, LXC as well as dependencies we use in our software and pull in fixes in a timely fashion. Any packages provided directly by the stock Debian repositories are covered by DSAs (https://security.debian.org).
For the kernel in particular, each upstream stable release usually fixes multiple security-relevant issues/bugs, both with CVEs assigned and without any special identifiers attached. We don't reproduce the full changelog of our base kernel (which is maintained by Ubuntu), but include its version number so that you can look it up. Whenever we cherry-pick a CVE fix ahead of or in parallel with Ubuntu, we do call it out in our kernel changelog. The same applies to Qemu as well.
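Added example, not part of the thread and not Proxmox code: since CVE cherry-picks are called out in the package changelog, a Debian-format changelog can be scanned for the CVE ids mentioned in entries newer than the installed version. The package name, versions and CVE ids in `SAMPLE` are constructed placeholders, and the function names are hypothetical.

```python
import re

# Debian changelog entry header: "package (version) distribution; urgency=..."
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]* \((?P<ver>[^)]+)\) [^;]+;")
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample: hypothetical package, versions and placeholder CVE ids.
SAMPLE = """\
example-kernel (5.0.3-2) stable; urgency=medium

  * cherry-pick fix for CVE-0000-00003

 -- Maintainer <m@example.invalid>  Tue, 02 Jan 2001 00:00:00 +0000

example-kernel (5.0.3-1) stable; urgency=medium

  * update to base kernel Example-5.0.3
  * backport fixes for CVE-0000-00001 and CVE-0000-00002
  * follow-up for CVE-0000-00001

 -- Maintainer <m@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

example-kernel (5.0.2-1) stable; urgency=medium

  * cherry-pick fix for CVE-0000-00000
"""

def cves_by_version(changelog):
    """Map each version to the CVE ids its entry calls out, in file order."""
    result, current = {}, None
    for line in changelog.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group("ver")
            result[current] = []
        elif current is not None:
            for cve in CVE.findall(line):
                if cve not in result[current]:  # de-duplicate within an entry
                    result[current].append(cve)
    return result

def cves_newer_than(changelog, installed):
    """CVE ids in entries above `installed` (changelogs list newest first)."""
    pending = []
    for version, cves in cves_by_version(changelog).items():
        if version == installed:
            return pending
        pending.extend(c for c in cves if c not in pending)
    raise ValueError(f"version {installed!r} not found in changelog")
```

An empty result only means no CVE was called out by id: as the post above says, upstream stable releases also carry fixes without identifiers, and the base kernel's own changelog has to be looked up by its version number.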