security: Fix MITM RCE vulnerability in microcode scripts

- Changed Intel microcode download from HTTP to HTTPS - Added --proto '=https' flag to curl to prevent protocol downgrade attacks - Simplified output parameter from basename to direct variable reference - Affects: tools/pve/microcode.sh (line 79) and tools/pve/pbs-microcode.sh (line 93) - CVSS: 6.5 (Medium) - CWE-494, CWE-300, CWE-829 - Impact: Prevents network-path MITM attacks that could lead to root RCE The AMD branch was already using HTTPS, this fix brings Intel branch to parity and closes the vulnerability reported in security advisory.
Update CHANGELOG.md (#15004 )
2026-06-09 00:55:14 +02:00 · 2026-06-08 21:10:11 +02:00 · 2026-06-08 13:36:24 +00:00 · 2026-06-08 15:35:50 +02:00 · 2026-06-08 11:34:16 +00:00 · 2026-06-08 13:33:50 +02:00
10 changed files with 82 additions and 29 deletions
@@ -480,8 +480,31 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

 </details>

+## 2026-06-08
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - homelable: preserve MCP server config across updates [@ferr079](https://github.com/ferr079) ([#14996](https://github.com/community-scripts/ProxmoxVE/pull/14996))
+    - changedetection: migrate Python install to uv venv [@ferr079](https://github.com/ferr079) ([#14995](https://github.com/community-scripts/ProxmoxVE/pull/14995))
+
+  - #### 🔧 Refactor
+
+    - Update Flowwiseai to node 24 [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14999](https://github.com/community-scripts/ProxmoxVE/pull/14999))
+
 ## 2026-06-07

+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Immich: use actual installed PostgreSQL version for vchord package [@MickLesk](https://github.com/MickLesk) ([#14989](https://github.com/community-scripts/ProxmoxVE/pull/14989))
+
+  - #### 🔧 Refactor
+
+    - Navidrome: remove genereic filebrowser addon setup [@MickLesk](https://github.com/MickLesk) ([#14991](https://github.com/community-scripts/ProxmoxVE/pull/14991))
+
 ## 2026-06-06

 ### 🆕 New Scripts
@@ -34,13 +34,32 @@ function update_script() {

  NODE_VERSION="24" setup_nodejs

-  msg_info "Updating ${APP}"
-  $STD pip3 install changedetection.io --upgrade --break-system-packages --ignore-installed typing_extensions
-  msg_ok "Updated ${APP}"
+  VENV_PATH="/opt/changedetection/.venv"
+  CHANGEDETECTION_BIN="${VENV_PATH}/bin/changedetection.io"

-  msg_info "Updating Playwright"
-  $STD pip3 install playwright --upgrade --break-system-packages
-  msg_ok "Updated Playwright"
+  PYTHON_VERSION="3.13" setup_uv
+
+  if [[ ! -d "$VENV_PATH" || ! -x "$CHANGEDETECTION_BIN" ]]; then
+    msg_info "Migrating to uv/venv"
+    rm -rf "$VENV_PATH"
+    $STD uv venv --clear "$VENV_PATH"
+    $STD "$VENV_PATH/bin/python" -m ensurepip --upgrade
+    $STD "$VENV_PATH/bin/python" -m pip install --upgrade pip
+    $STD "$VENV_PATH/bin/python" -m pip install changedetection.io playwright
+    msg_ok "Migrated to uv/venv"
+  else
+    msg_info "Updating ${APP}"
+    $STD "$VENV_PATH/bin/python" -m pip install --upgrade changedetection.io playwright
+    msg_ok "Updated ${APP}"
+  fi
+
+  SERVICE_FILE="/etc/systemd/system/changedetection.service"
+  if ! grep -q "${VENV_PATH}/bin/changedetection.io" "$SERVICE_FILE"; then
+    msg_info "Updating systemd service"
+    sed -i "s|^ExecStart=.*|ExecStart=${VENV_PATH}/bin/changedetection.io -d /opt/changedetection -p 5000|" "$SERVICE_FILE"
+    $STD systemctl daemon-reload
+    msg_ok "Updated systemd service"
+  fi

  if [[ -f /etc/systemd/system/browserless.service ]]; then
    msg_info "Updating Browserless (Patience)"
@@ -29,7 +29,7 @@ function update_script() {
    exit
  fi

-  NODE_VERSION="20" NODE_MODULE="pnpm" setup_nodejs
+  NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs

  msg_info "Updating FlowiseAI (this may take some time)"
  systemctl stop flowise
@@ -38,6 +38,9 @@ function update_script() {
    msg_info "Backing up Configuration and Data"
    cp /opt/homelable/backend/.env /opt/homelable.env.bak
    cp -r /opt/homelable/data /opt/homelable_data_bak
+    if [[ -f /opt/homelable/mcp/.env ]]; then
+      cp -a /opt/homelable/mcp/.env /opt/homelable-mcp.env.bak
+    fi
    msg_ok "Backed up Configuration and Data"

    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "homelable" "Pouzor/homelable" "tarball" "latest" "/opt/homelable"
@@ -61,6 +64,19 @@ function update_script() {
    rm -rf /opt/homelable_data_bak
    msg_ok "Restored Configuration and Data"

+    if [[ -f /opt/homelable-mcp.env.bak ]]; then
+      msg_info "Restoring MCP Server"
+      cp -a /opt/homelable-mcp.env.bak /opt/homelable/mcp/.env
+      rm -f /opt/homelable-mcp.env.bak
+      MCP_OWNER=$(stat -c '%U' /opt/homelable/mcp/.env)
+      cd /opt/homelable/mcp
+      $STD uv venv --clear /opt/homelable/mcp/.venv
+      $STD uv pip install --python /opt/homelable/mcp/.venv/bin/python -r requirements.txt
+      chown -R "$MCP_OWNER":"$MCP_OWNER" /opt/homelable/mcp
+      systemctl restart homelable-mcp
+      msg_ok "Restored MCP Server"
+    fi
+
    msg_info "Starting Service"
    systemctl start homelable
    msg_ok "Started Service"
@@ -43,19 +43,16 @@ $STD apt-get install -y \
  ca-certificates
 msg_ok "Installed Dependencies"

-msg_info "Setup Python3"
-$STD apt-get install -y \
-  python3 \
-  python3-dev \
-  python3-pip
-rm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED
-msg_ok "Setup Python3"
+PYTHON_VERSION="3.13" setup_uv

 NODE_VERSION="24" setup_nodejs

 msg_info "Installing Change Detection"
-mkdir /opt/changedetection
-$STD pip3 install changedetection.io
+mkdir -p /opt/changedetection
+$STD uv venv --clear /opt/changedetection/.venv
+$STD /opt/changedetection/.venv/bin/python -m ensurepip --upgrade
+$STD /opt/changedetection/.venv/bin/python -m pip install --upgrade pip
+$STD /opt/changedetection/.venv/bin/python -m pip install changedetection.io
 cat <<EOF >/opt/changedetection/.env
 WEBDRIVER_URL=http://127.0.0.1:4444/wd/hub
 PLAYWRIGHT_DRIVER_URL=ws://localhost:3000/chrome?launch=eyJkZWZhdWx0Vmlld3BvcnQiOnsiaGVpZ2h0Ijo3MjAsIndpZHRoIjoxMjgwfSwiaGVhZGxlc3MiOmZhbHNlLCJzdGVhbHRoIjp0cnVlfQ==&blockAds=true
@@ -64,7 +61,7 @@ msg_ok "Installed Change Detection"

 msg_info "Installing Browserless & Playwright"
 mkdir /opt/browserless
-$STD python3 -m pip install playwright
+$STD /opt/changedetection/.venv/bin/python -m pip install playwright
 $STD git clone https://github.com/browserless/chrome /opt/browserless
 $STD npm ci --include=optional --include=dev --prefix /opt/browserless
 $STD /opt/browserless/node_modules/playwright-core/cli.js install --with-deps &>/dev/null
@@ -121,7 +118,7 @@ Wants=browserless.service
 Type=simple
 EnvironmentFile=/opt/changedetection/.env
 WorkingDirectory=/opt/changedetection
-ExecStart=changedetection.io -d /opt/changedetection -p 5000
+ExecStart=/opt/changedetection/.venv/bin/changedetection.io -d /opt/changedetection -p 5000

 [Install]
 WantedBy=multi-user.target
@@ -17,7 +17,7 @@ msg_info "Installing Dependencies"
 $STD apt install -y build-essential python3-dev
 msg_ok "Installed Dependencies"

-NODE_VERSION="20" setup_nodejs
+NODE_VERSION="24" setup_nodejs

 msg_info "Installing FlowiseAI (Patience)"
 $STD npm install -g flowise \
@@ -149,10 +149,13 @@ msg_ok "Installed packages from Debian Testing repo"
 setup_uv
 PG_VERSION="16" PG_MODULES="pgvector" setup_postgresql

-VCHORD_RELEASE="0.5.3"
-fetch_and_deploy_gh_release "VectorChord" "tensorchord/VectorChord" "binary" "${VCHORD_RELEASE}" "/tmp" "postgresql-16-vchord_*_amd64.deb"
+ACTUAL_PG_VERSION=$(ls /etc/postgresql/ 2>/dev/null | sort -V | tail -1)
+ACTUAL_PG_VERSION=${ACTUAL_PG_VERSION:-16}

-sed -i "s/^#shared_preload.*/shared_preload_libraries = 'vchord.so'/" /etc/postgresql/16/main/postgresql.conf
+VCHORD_RELEASE="0.5.3"
+fetch_and_deploy_gh_release "VectorChord" "tensorchord/VectorChord" "binary" "${VCHORD_RELEASE}" "/tmp" "postgresql-${ACTUAL_PG_VERSION}-vchord_*_amd64.deb"
+
+sed -i "s/^#shared_preload.*/shared_preload_libraries = 'vchord.so'/" /etc/postgresql/${ACTUAL_PG_VERSION}/main/postgresql.conf
 systemctl restart postgresql.service
 PG_DB_NAME="immich" PG_DB_USER="immich" PG_DB_GRANT_SUPERUSER="true" PG_DB_SKIP_ALTER_ROLE="true" setup_postgresql_db

@@ -23,11 +23,6 @@ msg_info "Starting Navidrome"
 systemctl enable -q --now navidrome
 msg_ok "Started Navidrome"

-read -p "${TAB3}Do you want to install filebrowser addon? (y/n) " -n 1 -r
-if [[ $REPLY =~ ^[Yy]$ ]]; then
-  bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/tools/addon/filebrowser.sh)"
-fi
-
 motd_ssh
 customize
 cleanup_lxc
@@ -76,7 +76,7 @@ intel() {
  }

  msg_info "Downloading the Intel Processor Microcode Package $microcode"
-  curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
+  curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
  msg_ok "Downloaded the Intel Processor Microcode Package $microcode"

  msg_info "Installing $microcode (Patience)"
@@ -90,7 +90,7 @@ intel() {
  }

  msg_info "Downloading Intel processor microcode package $microcode"
-  curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
+  curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
  msg_ok "Downloaded Intel processor microcode package $microcode"

  msg_info "Installing $microcode (this might take a while)"
Author	SHA1	Message	Date
Security Fix	ab549baa1f	security: Fix MITM RCE vulnerability in microcode scripts - Changed Intel microcode download from HTTP to HTTPS - Added --proto '=https' flag to curl to prevent protocol downgrade attacks - Simplified output parameter from basename to direct variable reference - Affects: tools/pve/microcode.sh (line 79) and tools/pve/pbs-microcode.sh (line 93) - CVSS: 6.5 (Medium) - CWE-494, CWE-300, CWE-829 - Impact: Prevents network-path MITM attacks that could lead to root RCE The AMD branch was already using HTTPS, this fix brings Intel branch to parity and closes the vulnerability reported in security advisory.	2026-06-08 21:10:11 +02:00
community-scripts-pr-app[bot]	131545081c	Update CHANGELOG.md (#15004 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-08 13:36:24 +00:00
Michel Roegl-Brunner	f98a64b632	Move flowiseai to node 24 to alligne with upstream (#14999 )	2026-06-08 15:35:50 +02:00
community-scripts-pr-app[bot]	56129f7833	Update CHANGELOG.md (#15001 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-08 11:34:16 +00:00
Stéphane FERREIRA	68af0f5b41	homelable: preserve MCP server config across updates (#14996 ) * homelable: preserve MCP server config across updates The update path runs CLEAN_INSTALL=1 fetch_and_deploy_gh_release, which wipes /opt/homelable before redeploying. The backup/restore only covers backend/.env and data/, so an optionally-installed MCP server (set up via Pouzor/homelable's own scripts/lxc-mcp-install.sh, which targets exactly this LXC and lives in /opt/homelable/mcp) loses its .env and .venv on every update. The homelable-mcp service then keeps running on deleted inodes and dies at the next restart. Back up mcp/.env when present, and after the deploy restore it, rebuild the venv (same uv pattern as the backend), restore ownership and restart the service. Fully conditional: installs without the MCP are unaffected. * homelable: remove comments per maintainer review	2026-06-08 13:33:50 +02:00
community-scripts-pr-app[bot]	0a21262cf1	Update CHANGELOG.md (#14997 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-08 06:33:47 +00:00
Stéphane FERREIRA	b3a2fbbf98	changedetection: migrate Python install to uv venv (#14995 ) The update path installed into the global interpreter with a global --ignore-installed flag, which leaves the previous *.dist-info behind on every dependency bump. Duplicate metadata makes pip resolve against stale requirements (e.g. downgrading pydantic-core) and the service crashes at the next restart. Fixes the typing_extensions workaround (#13548) at the root: in a venv there are no Debian-owned packages to conflict with, so neither --ignore-installed nor --break-system-packages is needed. Follows the existing setup_uv + venv-or-migrate pattern from prometheus-pve-exporter and esphome. Existing installs are migrated automatically on the next update; the systemd unit is repointed to the venv binary. Fixes #14987	2026-06-08 08:33:20 +02:00
community-scripts-pr-app[bot]	373b138fe0	Update CHANGELOG.md (#14994 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-07 20:56:35 +00:00
community-scripts-pr-app[bot]	ed8b35f50b	Update CHANGELOG.md (#14993 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-07 20:56:14 +00:00
CanbiZ (MickLesk)	eab30076ca	Navidrome: remove genereic filebrowser addon setup (#14991 )	2026-06-07 22:56:12 +02:00
CanbiZ (MickLesk)	dc2193f4bb	Immich: use actual installed PostgreSQL version for vchord package (#14989 )	2026-06-07 22:55:53 +02:00