
[QSA-0228182] Security Update Bundle

Qlustar Security Advisory 0228182

February 28th, 2018


Summary:

Security update bundle. A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu.


    Package(s)       : see upstream description of individual package
    Qlustar releases : 9.2
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

PHP vulnerabilities

It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks.

It was discovered that PHP incorrectly handled memory when unserializing certain data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that PHP incorrectly handled 'front of' and 'back of' date directives. A remote attacker could possibly use this issue to obtain sensitive information.

curl vulnerability

It was discovered that curl could accidentally leak authentication data. An attacker could possibly use this to get access to sensitive information.

rsync vulnerabilities

It was discovered that rsync incorrectly handled certain data input. An attacker could possibly use this to cause a denial of service or execute arbitrary code.

It was discovered that rsync incorrectly parsed certain arguments. An attacker could possibly use this to bypass arguments and execute arbitrary code.

OpenSSH vulnerabilities

Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS#11 modules.

Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory operations. A local attacker could possibly use this issue to obtain sensitive information.

Guido Vranken discovered that OpenSSH incorrectly handled certain shared memory manager operations. A local attacker could possibly use this issue to gain privileges.

Michal Zalewski discovered that OpenSSH incorrectly prevented write operations in readonly mode. A remote attacker could possibly use this issue to create zero-length files, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions):

    qlustar-module-core-trusty-amd64-9.2.0     9.2.0.3-b479f1128
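
The following Python check is an added example, not part of this advisory or of Qlustar's own update tooling: it reads `<package> <version>` lines such as `dpkg-query -W` prints and reports whether the installed qlustar-module-core package is still older than the fixed version listed above. The version ordering is dpkg's (epoch, upstream, revision, with `~` sorting before everything) re-implemented here so the check runs on any host; the package name and fixed version come from this advisory, the sample input lines are constructed.

```python
# Added example, not from the Qlustar advisory: list installed packages that are
# still older than the fixed version named in QSA-0228182, using dpkg's version
# ordering re-implemented here so the check runs without dpkg being present.
import itertools
import re

FIXED_VERSIONS = {  # package and fixed version exactly as listed in the advisory
    "qlustar-module-core-trusty-amd64-9.2.0": "9.2.0.3-b479f1128",
}

def _weights(run):
    """dpkg character weights for a non-digit run: '~' < padding (0) < letters < symbols."""
    return [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in run]

def _verrevcmp(a, b):
    """Compare two version fragments like dpkg's verrevcmp(): alternate non-digit/digit runs."""
    pairs = [re.findall(r"(\D*)(\d*)", s) for s in (a, b)]
    for (na, da), (nb, db) in itertools.zip_longest(*pairs, fillvalue=("", "")):
        wa, wb = _weights(na), _weights(nb)
        width = max(len(wa), len(wb))  # a missing character counts as weight 0
        wa, wb = wa + [0] * (width - len(wa)), wb + [0] * (width - len(wb))
        if wa != wb:
            return -1 if wa < wb else 1
        if int(da or 0) != int(db or 0):  # digit runs compare numerically
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as Debian version v1 is older than, equal to or newer than v2."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def unpatched_packages(dpkg_query_output, fixed=FIXED_VERSIONS):
    """Parse '<package> <version>' lines (e.g. dpkg-query -W output); return packages older than the fix."""
    unpatched = {}
    for line in dpkg_query_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] in fixed and compare_versions(fields[1], fixed[fields[0]]) < 0:
            unpatched[fields[0]] = fields[1]
    return unpatched
```

On a cluster node, `dpkg-query -W -f='${Package} ${Version}\n' | python3 -c 'import sys, check; print(check.unpatched_packages(sys.stdin.read()))'` (with the block saved as check.py) prints an empty dict once the update has been applied.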
  