security: Fix MITM RCE vulnerability in microcode scripts

- Changed Intel microcode download from HTTP to HTTPS - Added --proto '=https' flag to curl to prevent protocol downgrade attacks - Simplified output parameter from basename to direct variable reference - Affects: tools/pve/microcode.sh (line 79) and tools/pve/pbs-microcode.sh (line 93) - CVSS: 6.5 (Medium) - CWE-494, CWE-300, CWE-829 - Impact: Prevents network-path MITM attacks that could lead to root RCE The AMD branch was already using HTTPS, this fix brings Intel branch to parity and closes the vulnerability reported in security advisory.
2026-06-09 00:55:14 +02:00 · 2026-06-08 21:10:11 +02:00
13 changed files with 32 additions and 32 deletions
@@ -31,7 +31,7 @@ function update_script() {
  fi
  ensure_dependencies python3-lxml
  if ! [[ $(dpkg -s python3-lxml-html-clean 2>/dev/null) ]]; then
-    curl -fsSL --proto '=https' "https://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
+    curl -fsSL "http://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
    $STD dpkg -i /opt/python3-lxml-html-clean.deb
    rm -f /opt/python3-lxml-html-clean.deb
  fi
@@ -16,14 +16,14 @@ update_os
 msg_info "Setting Phoscon Repository"
 setup_deb822_repo \
  "deconz" \
-  "https://phoscon.de/apt/deconz.pub.key" \
+  "http://phoscon.de/apt/deconz.pub.key" \
-  "https://phoscon.de/apt/deconz" \
+  "http://phoscon.de/apt/deconz" \
  "generic"
 msg_ok "Setup Phoscon Repository"
 msg_info "Installing deConz"
-libssl=$(curl -fsSL --proto '=https' "https://security.ubuntu.com/ubuntu/pool/main/o/openssl/" | grep -o 'libssl1\.1_1\.1\.1f-1ubuntu2\.2[^"]*amd64\.deb' | head -n1)
+libssl=$(curl -fsSL "http://security.ubuntu.com/ubuntu/pool/main/o/openssl/" | grep -o 'libssl1\.1_1\.1\.1f-1ubuntu2\.2[^"]*amd64\.deb' | head -n1)
-curl -fsSL --proto '=https' "https://security.ubuntu.com/ubuntu/pool/main/o/openssl/$libssl" -o "$libssl"
+curl -fsSL "http://security.ubuntu.com/ubuntu/pool/main/o/openssl/$libssl" -o "$libssl"
 $STD dpkg -i "$libssl"
 $STD apt install -y deconz
 rm -rf "$libssl"
@@ -15,7 +15,7 @@ update_os
 msg_info "Setup GlobaLeaks"
 DISTRO_CODENAME="$(awk -F= '/^VERSION_CODENAME=/{print $2}' /etc/os-release)"
 curl -fsSL https://deb.globaleaks.org/globaleaks.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/globaleaks.gpg
-echo "deb [signed-by=/etc/apt/trusted.gpg.d/globaleaks.gpg] https://deb.globaleaks.org $DISTRO_CODENAME/" >/etc/apt/sources.list.d/globaleaks.list
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/globaleaks.gpg] http://deb.globaleaks.org $DISTRO_CODENAME/" >/etc/apt/sources.list.d/globaleaks.list
 echo 'APPARMOR_SANDBOXING=0' >/etc/default/globaleaks
 $STD apt update
 $STD apt -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold install globaleaks
@@ -20,7 +20,7 @@ $STD apt install -y \
  mediainfo
 cat <<EOF >/etc/apt/sources.list.d/non-free.list
-deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
 EOF
 $STD apt update
 $STD apt install -y unrar
@@ -15,7 +15,7 @@ update_os
 msg_info "Installing Dependencies"
 $STD apt install -y python3-lxml wkhtmltopdf
-curl -fsSL --proto '=https' "https://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
+curl -fsSL "http://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
 $STD dpkg -i /opt/python3-lxml-html-clean.deb
 msg_ok "Installed Dependencies"
@@ -16,7 +16,7 @@ update_os
 msg_info "Installing Proxmox Backup Server"
 curl -fsSL "https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg" -o "/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg"
 cat <<EOF >>/etc/apt/sources.list
-deb https://download.proxmox.com/debian/pbs trixie pbs-no-subscription
+deb http://download.proxmox.com/debian/pbs trixie pbs-no-subscription
 EOF
 $STD apt update
 export DEBIAN_FRONTEND=noninteractive
@@ -96,14 +96,14 @@ if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
  msg_info "Installing Hardware Acceleration (non-free)"
  pct exec "${privileged_container}" -- bash -c "cat <<EOF >/etc/apt/sources.list.d/non-free.list
-deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
-deb https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+deb http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+deb-src http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-deb https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
 EOF"
  pct exec "${privileged_container}" -- bash -c "silent() { \"\$@\" >/dev/null 2>&1; } && $STD apt-get update && $STD apt-get install -y intel-media-va-driver-non-free ocl-icd-libopencl1 intel-opencl-icd vainfo intel-gpu-tools && $STD adduser \$(id -u -n) video && $STD adduser \$(id -u -n) render"
@@ -76,7 +76,7 @@ intel() {
  }
  msg_info "Downloading the Intel Processor Microcode Package $microcode"
-  curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
+  curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
  msg_ok "Downloaded the Intel Processor Microcode Package $microcode"
  msg_info "Installing $microcode (Patience)"
@@ -90,7 +90,7 @@ intel() {
  }
  msg_info "Downloading Intel processor microcode package $microcode"
-  curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
+  curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
  msg_ok "Downloaded Intel processor microcode package $microcode"
  msg_info "Installing $microcode (this might take a while)"
@@ -71,9 +71,9 @@ start_routines() {
  yes)
    msg_info "Changing to Proxmox Backup Server 3 Sources"
    cat <<EOF >/etc/apt/sources.list
-deb https://deb.debian.org/debian bookworm main contrib
+deb http://deb.debian.org/debian bookworm main contrib
-deb https://deb.debian.org/debian bookworm-updates main contrib
+deb http://deb.debian.org/debian bookworm-updates main contrib
-deb https://security.debian.org/debian-security bookworm-security main contrib
+deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
    msg_ok "Changed to Proxmox Backup Server 3 Sources"
    ;;
@@ -105,7 +105,7 @@ EOF
  yes)
    msg_info "Enabling 'pbs-no-subscription' repository"
    cat <<EOF >/etc/apt/sources.list.d/pbs-install-repo.list
-deb https://download.proxmox.com/debian/pbs bookworm pbs-no-subscription
+deb http://download.proxmox.com/debian/pbs bookworm pbs-no-subscription
 EOF
    msg_ok "Enabled 'pbs-no-subscription' repository"
    ;;
@@ -126,9 +126,9 @@ start_routines_3() {
  yes)
    msg_info "Correcting Debian Sources"
    cat <<EOF >/etc/apt/sources.list
-deb https://deb.debian.org/debian ${VERSION} main contrib
+deb http://deb.debian.org/debian ${VERSION} main contrib
-deb https://deb.debian.org/debian ${VERSION}-updates main contrib
+deb http://deb.debian.org/debian ${VERSION}-updates main contrib
-deb https://security.debian.org/debian-security ${VERSION}-security main contrib
+deb http://security.debian.org/debian-security ${VERSION}-security main contrib
 EOF
    msg_ok "Corrected Debian Sources"
    ;;
@@ -115,9 +115,9 @@ start_routines_8() {
  yes)
    msg_info "Correcting Proxmox VE Sources"
    cat <<EOF >/etc/apt/sources.list
-deb https://deb.debian.org/debian bookworm main contrib
+deb http://deb.debian.org/debian bookworm main contrib
-deb https://deb.debian.org/debian bookworm-updates main contrib
+deb http://deb.debian.org/debian bookworm-updates main contrib
-deb https://security.debian.org/debian-security bookworm-security main contrib
+deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
    echo 'APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";' >/etc/apt/apt.conf.d/no-bookworm-firmware.conf
    msg_ok "Corrected Proxmox VE Sources"
@@ -146,7 +146,7 @@ EOF
  yes)
    msg_info "Enabling 'pve-no-subscription' repository"
    cat <<EOF >/etc/apt/sources.list.d/pve-install-repo.list
-deb https://download.proxmox.com/debian/pve bookworm pve-no-subscription
+deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
 EOF
    msg_ok "Enabled 'pve-no-subscription' repository"
    ;;
@@ -54,9 +54,9 @@ start_routines() {
  whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "PVE8 SOURCES" "This will set the correct sources to update and install Proxmox VE 8." 10 58
  msg_info "Changing to Proxmox VE 8 Sources"
  cat <<EOF >/etc/apt/sources.list
-deb https://ftp.debian.org/debian bookworm main contrib
+deb http://ftp.debian.org/debian bookworm main contrib
-deb https://ftp.debian.org/debian bookworm-updates main contrib
+deb http://ftp.debian.org/debian bookworm-updates main contrib
-deb https://security.debian.org/debian-security bookworm-security main contrib
+deb http://security.debian.org/debian-security bookworm-security main contrib
 EOF
  msg_ok "Changed to Proxmox VE 8 Sources"
@@ -70,7 +70,7 @@ EOF
  whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "PVE8-NO-SUBSCRIPTION" "The 'pve-no-subscription' repository provides access to all of the open-source components of Proxmox VE." 10 58
  msg_info "Enabling 'pve-no-subscription' repository"
  cat <<EOF >/etc/apt/sources.list.d/pve-install-repo.list
-deb https://download.proxmox.com/debian/pve bookworm pve-no-subscription
+deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
 EOF
  msg_ok "Enabled 'pve-no-subscription' repository"