User login
Qlustar: Install and enjoy!

[QSA-0118212] Security Update Bundle

Qlustar Security Advisory 0118212

January 18th, 2021


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.


    Package(s)       : see upstream description of individual package
    Qlustar releases : 11.0, 12.0
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 12.0 and 11.0

Dnsmasq vulnerabilities

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled memory when sorting RRsets. A remote attacker could use this issue to cause Dnsmasq to hang, resulting in a denial of service, or possibly execute arbitrary code.

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled extracting certain names. A remote attacker could use this issue to cause Dnsmasq to hang, resulting in a denial of service, or possibly execute arbitrary code.

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly implemented address/port checks. A remote attacker could use this issue to perform a cache poisoning attack.

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly implemented query resource name checks. A remote attacker could use this issue to perform a cache poisoning attack.

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled multiple query requests for the same resource name. A remote attacker could use this issue to perform a cache poisoning attack.

It was discovered that Dnsmasq incorrectly handled memory during DHCP response creation. A remote attacker could possibly use this issue to cause Dnsmasq to consume resources, leading to a denial of service.

tar vulnerabilities

Chris Siebenmann discovered that tar incorrectly handled extracting files resized during extraction when invoked with the --sparse flag. An attacker could possibly use this issue to cause a denial of service.

Daniel Axtens discovered that tar incorrectly handled certain malformed tar files. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to cause tar to crash, resulting in a denial of service.

APT vulnerability

Kevin Backhouse discovered that APT incorrectly handled certain packages. A local attacker could possibly use this issue to cause APT to crash or stop responding, resulting in a denial of service.

curl vulnerabilities

Varnavas Papaioannou discovered that curl incorrectly handled FTP PASV responses. An attacker could possibly use this issue to trick curl into connecting to an arbitrary IP address and be used to perform port scanner and other information gathering.

It was discovered that curl incorrectly handled FTP wildcard matchins. A remote attacker could possibly use this issue to cause curl to consume resources and crash, resulting in a denial of service.

It was discovered that curl incorrectly handled OCSP response verification. A remote attacker could possibly use this issue to provide a fraudulent OCSP response.

OpenSSL vulnerability

David Benjamin discovered that OpenSSL incorrectly handled comparing certificates containing a EDIPartyName name type. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

QEMU vulnerabilities

Alexander Bulekov discovered that QEMU incorrectly handled SDHCI device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile.

Sergej Schumilo, Cornelius Aschermann, and Simon Wrner discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.

Sergej Schumilo, Cornelius Aschermann, and Simon Wrner discovered that QEMU incorrectly handled SDHCI device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.

Gaoning Pan, Yongkang Jia, and Yi Ren discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.

It was discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service.

Cheolwoo Myung discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.

Gaoning Pan discovered that QEMU incorrectly handled networking. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.

CentOS 7.9 / 8.3 security updates

Please check the CentOS mailing list for details about CentOS 7/8 updates that entered this release (everything from Nov 19th, 2020 to Jan 18th, 2021).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions (follow the Qlustar Update Instructions and on Qlustar 11 also perform the manual steps '7. Migration to GRUB PXE booting' and '11. Adjust root bash shell initialization' as described in the Release Notes if you haven't done so yet):

For Qlustar 12.0

    qlustar-module-core-focal-amd64-12.0.0     12.0.0.1-b528f1339
    qlustar-module-core-centos7-amd64-12.0.0   12.0.0.1-b528f1339
    qlustar-module-core-centos8-amd64-12.0.0   12.0.0.1-b528f1339
  

For Qlustar 11.0

    qlustar-module-core-bionic-amd64-11.0.1    11.0.1.5-b527f1338
    qlustar-module-core-centos7-amd64-11.0.1   11.0.1.5-b527f1340
    qlustar-module-core-centos8-amd64-11.0.1   11.0.1.5-b527f1340
  
glqxz9283 sfy39587stf02 mnesdcuix8
sfy39587stf03
sfy39587p08