Will updating Python on Proxmox compromise the system? [CVE-2025-4517]

[renankempoficial]

Hello everyone,

https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-4517

I'm following the CVE-2025-4517 vulnerability that affects the Python tarfile module (especially since Python 3.12) and I have an important question:

The vulnerability has been fixed in the most recent versions of Python (3.9.23, 3.10.18, 3.11.13 etc). The question is:

If I update Python on my Proxmox server, can this compromise the operation of Proxmox or the Debian base?

I know that Proxmox depends on the version of Python provided by the distribution, so I'm afraid of updating manually and ending up breaking something on the system.

 

[ggoller]

Hi!
As far as I can see this has been fixed on latest python3.11=3.11.2-6+deb11u1 which is already available on stable. https://security-tracker.debian.org/tracker/CVE-2025-4517.

 

[renankempoficial]

Exactly.
The problem is that Proxmox did not update the internal version of Python.

My concern is that manually updating Python could end up compromising the proper functioning of the system.

The ideal would be for Proxmox itself to update its core,
so that everyone who updates Proxmox would automatically have the new version of Python.

 

[Impact]

How did you update? I have this after apt update && apt full-upgrade

# apt list python3.11
Listing... Done
python3.11/stable,now 3.11.2-6+deb12u6 amd64 [installed]

 

[renankempoficial]

Como você atualizou? Eu tenho isso depoisapt update && apt full-upgrade
[CÓDIGO]# apt list python3.11
Listagem... Concluída
python3.11/stable, agora 3.11.2-6+deb12u6 amd64 [instalado][/CODE]

você está certo!

Verificações "Wazuh":

root@usuário: python3 --versão
Python 3.11.2[/CÓDIGO]

Se encontrar:
[CODE=bash]root@usuário: apt list python3.11
Listagem... Concluída
python3.11/stable, agora 3.11.2-6+deb12u6 amd64 [instalado]
N: Há uma versão adicional. Use a opção '-a' para visualizá-la.

então deveríamos ver a saída esperada "python3.11/stable, agora 3.11.2-6+deb12u6"

Portanto, é um "falso positivo" devido à forma como o "wazuh" verifica

Agradeço a atenção de todos e aqui estão as informações caso alguém esteja passando por isso!

Obrigado

 

[pvps1]

Exactly.
The problem is that Proxmox did not update the internal version of Python.

My concern is that manually updating Python could end up compromising the proper functioning of the system.

The ideal would be for Proxmox itself to update its core,
so that everyone who updates Proxmox would automatically have the new version of Python.

if you want "automatic" updates, take a look at unattended-upgrade

 

[Johannes S]

My concern is that manually updating Python could end up compromising the proper functioning of the system.

The same could happen with an automatic update. By default unattended-upgrade will only update the Debian packages but not the Proxmox-specific packages.

See https://wiki.debian.org/UnattendedUpgrades and https://forum.proxmox.com/threads/is-unattended-upgrade-package-safe-to-use.139808/#post-638481 for information how to configure it

The ideal would be for Proxmox itself to update its core,
so that everyone who updates Proxmox would automatically have the new version of Python.

Well different people have different opinion what's optimal and what's not. I know a lot of people who prefer to NOT update automatically so they can first try the update on a test-environment and ensure that the update doesn't break anything. Other people prefer to have always the latest versions because they prefer the risc of a downtime due to a broken update compared to a hacked system.

There is no such thing as a "one size fits ift all"-solution and never will be