From 34243ff62fb1bb4b5f062037e0d97755e07768c4 Mon Sep 17 00:00:00 2001
From: Security Fix
Date: Mon, 8 Jun 2026 21:20:24 +0200
Subject: [PATCH] security: Fix HTTP to HTTPS for package downloads (container-level)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- install/deconz-install.sh: Switch GPG key and repository URLs to HTTPS
- install/deconz-install.sh: Switch libssl1.1 .deb download to HTTPS with --proto flag
- install/odoo-install.sh: Switch python3-lxml-html-clean .deb download to HTTPS
- ct/odoo.sh: Switch python3-lxml-html-clean .deb download to HTTPS in update_script
Changes:
- All http:// → https:// for package/key downloads
- Added --proto '=https' to prevent protocol downgrade
- Improved quoting for file variables
Impact: Prevents MITM attacks on container installations
Affected containers: deconz, odoo
Related to: security/fix-microcode-https PR (host-level fix)
---
 ct/odoo.sh | 2 +-
 install/deconz-install.sh | 8 ++++----
 install/odoo-install.sh | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/ct/odoo.sh b/ct/odoo.sh
index 10438217a..6ccb84208 100644
--- a/ct/odoo.sh
+++ b/ct/odoo.sh
@@ -31,7 +31,7 @@ function update_script() {
 fi
 ensure_dependencies python3-lxml
 if ! [[ $(dpkg -s python3-lxml-html-clean 2>/dev/null) ]]; then
- curl -fsSL "http://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
+ curl -fsSL --proto '=https' "https://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
 $STD dpkg -i /opt/python3-lxml-html-clean.deb
 rm -f /opt/python3-lxml-html-clean.deb
 fi
diff --git a/install/deconz-install.sh b/install/deconz-install.sh
index 3131119b7..8fbd6a598 100644
--- a/install/deconz-install.sh
+++ b/install/deconz-install.sh
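Review bot: In ct/odoo.sh the `.deb` fetched by the new `curl` line is still handed to `dpkg -i` with no integrity check, so the change authenticates the transport to archive.ubuntu.com but not the package itself; unlike an `apt` install, nothing here verifies a signature or hash. Because the URL pins version `0.1.1-1`, the digest can be pinned as well, for example `echo "<EXPECTED_SHA256>  /opt/python3-lxml-html-clean.deb" | sha256sum -c -` placed before the `dpkg -i` line, with the placeholder taken from the signed Packages index. The same applies to the identical download in the install/odoo-install.sh hunk. `update_script()` begins and ends outside this hunk, so any error handling around the download is not visible here.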
@@ -16,14 +16,14 @@ update_os
 msg_info "Setting Phoscon Repository"
 setup_deb822_repo \
 "deconz" \
- "http://phoscon.de/apt/deconz.pub.key" \
- "http://phoscon.de/apt/deconz" \
+ "https://phoscon.de/apt/deconz.pub.key" \
+ "https://phoscon.de/apt/deconz" \
 "generic"
 msg_ok "Setup Phoscon Repository"
 msg_info "Installing deConz"
-libssl=$(curl -fsSL "http://security.ubuntu.com/ubuntu/pool/main/o/openssl/" | grep -o 'libssl1\.1_1\.1\.1f-1ubuntu2\.2[^"]*amd64\.deb' | head -n1)
-curl -fsSL "http://security.ubuntu.com/ubuntu/pool/main/o/openssl/$libssl" -o "$libssl"
+libssl=$(curl -fsSL --proto '=https' "https://security.ubuntu.com/ubuntu/pool/main/o/openssl/" | grep -o 'libssl1\.1_1\.1\.1f-1ubuntu2\.2[^"]*amd64\.deb' | head -n1)
+curl -fsSL --proto '=https' "https://security.ubuntu.com/ubuntu/pool/main/o/openssl/$libssl" -o "$libssl"
 $STD dpkg -i "$libssl"
 $STD apt install -y deconz
 rm -rf "$libssl"
diff --git a/install/odoo-install.sh b/install/odoo-install.sh
index 6c853d318..3e809961c 100644
--- a/install/odoo-install.sh
+++ b/install/odoo-install.sh
@@ -15,7 +15,7 @@ update_os
 msg_info "Installing Dependencies"
 $STD apt install -y python3-lxml wkhtmltopdf
-curl -fsSL "http://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
+curl -fsSL --proto '=https' "https://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
 $STD dpkg -i /opt/python3-lxml-html-clean.deb
 msg_ok "Installed Dependencies"
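Review bot: In install/deconz-install.sh the file name in `$libssl` is scraped from a remote directory listing and then used unchecked as the URL suffix, the `-o` target, the `dpkg -i` argument and the `rm -rf` operand. If the listing request fails or the `grep` finds no match, `$libssl` is empty and the following commands run with an empty path; whether `pipefail` or an error trap would stop the script first is not visible in this hunk. A guard directly after the assignment, such as `[[ "$libssl" =~ ^libssl1\.1_[0-9A-Za-z.+~-]+_amd64\.deb$ ]] || exit 1`, rejects both an empty result and a name containing path separators. As with any `.deb` installed through `dpkg -i`, HTTPS protects only the transfer here, and no package signature or digest is checked.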