Compare commits

...

5 Commits

Author SHA1 Message Date
Security Fix ab549baa1f security: Fix MITM RCE vulnerability in microcode scripts
- Changed Intel microcode download from HTTP to HTTPS
- Added --proto '=https' flag to curl to prevent protocol downgrade attacks
- Simplified output parameter from basename to direct variable reference
- Affects: tools/pve/microcode.sh (line 79) and tools/pve/pbs-microcode.sh (line 93)
- CVSS: 6.5 (Medium) - CWE-494, CWE-300, CWE-829
- Impact: Prevents network-path MITM attacks that could lead to root RCE

The AMD branch was already using HTTPS; this fix brings the Intel branch
to parity and closes the vulnerability reported in the security advisory.
2026-06-08 21:10:11 +02:00
community-scripts-pr-app[bot] 131545081c Update CHANGELOG.md (#15004)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-06-08 13:36:24 +00:00
Michel Roegl-Brunner f98a64b632 Move flowiseai to node 24 to align with upstream (#14999) 2026-06-08 15:35:50 +02:00
community-scripts-pr-app[bot] 56129f7833 Update CHANGELOG.md (#15001)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-06-08 11:34:16 +00:00
Stéphane FERREIRA 68af0f5b41 homelable: preserve MCP server config across updates (#14996)
* homelable: preserve MCP server config across updates

The update path runs CLEAN_INSTALL=1 fetch_and_deploy_gh_release, which
wipes /opt/homelable before redeploying. The backup/restore only covers
backend/.env and data/, so an optionally-installed MCP server (set up via
Pouzor/homelable's own scripts/lxc-mcp-install.sh, which targets exactly
this LXC and lives in /opt/homelable/mcp) loses its .env and .venv on
every update. The homelable-mcp service then keeps running on deleted
inodes and dies at the next restart.

Back up mcp/.env when present, and after the deploy restore it, rebuild
the venv (same uv pattern as the backend), restore ownership and restart
the service. Fully conditional: installs without the MCP are unaffected.

* homelable: remove comments per maintainer review
2026-06-08 13:33:50 +02:00
6 changed files with 25 additions and 4 deletions
+5
@@ -486,8 +486,13 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
- #### 🐞 Bug Fixes
- homelable: preserve MCP server config across updates [@ferr079](https://github.com/ferr079) ([#14996](https://github.com/community-scripts/ProxmoxVE/pull/14996))
- changedetection: migrate Python install to uv venv [@ferr079](https://github.com/ferr079) ([#14995](https://github.com/community-scripts/ProxmoxVE/pull/14995))
- #### 🔧 Refactor
- Update Flowwiseai to node 24 [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14999](https://github.com/community-scripts/ProxmoxVE/pull/14999))
## 2026-06-07
### 🚀 Updated Scripts
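Review bot: The Refactor entry in this hunk spells the application "Flowwiseai", while the script messages elsewhere in this compare use "FlowiseAI". Correct the spelling in the entry so a changelog search for the app name finds it.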
+1 -1
@@ -29,7 +29,7 @@ function update_script() {
exit
fi
NODE_VERSION="20" NODE_MODULE="pnpm" setup_nodejs
NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs
msg_info "Updating FlowiseAI (this may take some time)"
systemctl stop flowise
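Review bot: In update_script the `NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs` line runs before `systemctl stop flowise`, so on an existing install the Node major version moves from 20 to 24 while the service is still running. If setup_nodejs replaces the installed runtime, stop flowise first and call setup_nodejs afterwards, so the running process is never left on a runtime that is being swapped out underneath it.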
+16
@@ -38,6 +38,9 @@ function update_script() {
msg_info "Backing up Configuration and Data"
cp /opt/homelable/backend/.env /opt/homelable.env.bak
cp -r /opt/homelable/data /opt/homelable_data_bak
if [[ -f /opt/homelable/mcp/.env ]]; then
cp -a /opt/homelable/mcp/.env /opt/homelable-mcp.env.bak
fi
msg_ok "Backed up Configuration and Data"
CLEAN_INSTALL=1 fetch_and_deploy_gh_release "homelable" "Pouzor/homelable" "tarball" "latest" "/opt/homelable"
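Review bot: The new `if [[ -f /opt/homelable/mcp/.env ]]` block copies the file, but nothing in the lines shown stops homelable-mcp before `CLEAN_INSTALL=1 fetch_and_deploy_gh_release` runs, so the service keeps running from a deleted tree for the whole deploy and venv rebuild until the later `systemctl restart homelable-mcp`. Adding `systemctl stop homelable-mcp` inside this `if` would close that window and make a failed deploy leave the service in a known stopped state.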
@@ -61,6 +64,19 @@ function update_script() {
rm -rf /opt/homelable_data_bak
msg_ok "Restored Configuration and Data"
if [[ -f /opt/homelable-mcp.env.bak ]]; then
msg_info "Restoring MCP Server"
cp -a /opt/homelable-mcp.env.bak /opt/homelable/mcp/.env
rm -f /opt/homelable-mcp.env.bak
MCP_OWNER=$(stat -c '%U' /opt/homelable/mcp/.env)
cd /opt/homelable/mcp
$STD uv venv --clear /opt/homelable/mcp/.venv
$STD uv pip install --python /opt/homelable/mcp/.venv/bin/python -r requirements.txt
chown -R "$MCP_OWNER":"$MCP_OWNER" /opt/homelable/mcp
systemctl restart homelable-mcp
msg_ok "Restored MCP Server"
fi
msg_info "Starting Service"
systemctl start homelable
msg_ok "Started Service"
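Review bot: `chown -R "$MCP_OWNER":"$MCP_OWNER" /opt/homelable/mcp` reuses the owner's user name as the group, but `stat -c '%U'` returns only the user; if the .env belonged to a user whose group has a different name, the chown fails or changes the group. Reading both with `stat -c '%U:%G'` and passing that single value to chown keeps the original ownership exactly. The `cd /opt/homelable/mcp` is also unchecked and stays in effect for the rest of update_script; giving `-r` the absolute path /opt/homelable/mcp/requirements.txt would remove the need for the directory change.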
+1 -1
@@ -17,7 +17,7 @@ msg_info "Installing Dependencies"
$STD apt install -y build-essential python3-dev
msg_ok "Installed Dependencies"
NODE_VERSION="20" setup_nodejs
NODE_VERSION="24" setup_nodejs
msg_info "Installing FlowiseAI (Patience)"
$STD npm install -g flowise \
+1 -1
@@ -76,7 +76,7 @@ intel() {
}
msg_info "Downloading the Intel Processor Microcode Package $microcode"
curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
msg_ok "Downloaded the Intel Processor Microcode Package $microcode"
msg_info "Installing $microcode (Patience)"
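Review bot: The new curl line in intel() fixes the transport, but the lines shown still go from the download straight to "Installing $microcode" with no integrity check on the package, and the commit message itself cites CWE-494. HTTPS authenticates the mirror, not the file; before the install step, compare the download's SHA256 with the value listed in the Debian archive's Packages index, which is covered by the signed Release file, or install the package through apt so that check happens for you.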
+1 -1
@@ -90,7 +90,7 @@ intel() {
}
msg_info "Downloading Intel processor microcode package $microcode"
curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
msg_ok "Downloaded Intel processor microcode package $microcode"
msg_info "Installing $microcode (this might take a while)"
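Review bot: Replacing `-o $(basename ...)` with `-o "$microcode"` adds the missing quoting, but it also drops the path stripping: a `$microcode` value containing a `/` would now be written outside the current directory by a script that runs as root. If the variable is not validated earlier in intel(), keep the stripping with `-o "${microcode##*/}"` or reject values that contain a slash. The same applies to the identical line in the other microcode script in this compare.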