User login
Qlustar: Install and enjoy!

[QSA-0406202] Security Update Bundle

Qlustar Security Advisory 0406202

Apr 6th, 2020


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.


    Package(s)       : see upstream description of individual package
    Qlustar releases : 10.1, 11.0
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant only to Qlustar 11.0

Apache HTTP Server update

As a security improvement, this update adds TLSv1.3 support to the Apache HTTP Server package. TLSv1.3 is enabled by default, and in certain environments may cause compatibility issues. The SSLProtocol directive may be used to disable TLSv1.3 in these problematic environments.

Relevant to Qlustar 11.0 and 10.1

libgd2 vulnerabilities

It was discovered that GD Graphics Library incorrectly handled cloning an image. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service.

It was discovered that GD Graphics Library incorrectly handled loading images from X bitmap format files. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service, or to disclose contents of the stack that has been left there by previous code.

Vim vulnerabilities

It was discovered that Vim incorrectly handled certain sources, inputs or files. An attacker could possibly use this issue to cause a denial of service.

libarchive vulnerability

It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to access sensitive information.

rsync vulnerabilities

It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that rsync incorrectly handled vectors involving big-endian CRC calculation in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code.

QEMU vulnerabilities

Felipe Franciosi, Raphael Norwitz, and Peter Turschmid discovered that QEMU incorrectly handled iSCSI server responses. A remote attacker in control of the iSCSI server could use this issue to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary code.

It was discovered that the QEMU libslirp component incorrectly handled memory. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code.

PHP vulnerabilities

It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service.

It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information.

It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

CentOS 7.7 security updates

Please check the CentOS mailing list for details about CentOS 7 updates that entered this release (everything from Feb 7th to Apr 6th, 2020).

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions and on Qlustar 11 also perform the manual step '10. Adjust root bash shell initialization' as described in the Release Notes if you haven't done so yet):

For Qlustar 11.0

    qlustar-module-core-bionic-amd64-11.0.0    11.0.0.8-b518f1287
    qlustar-module-core-centos7-amd64-11.0.0   11.0.0.8-b519f1289
  

For Qlustar 10.1

    qlustar-module-core-xenial-amd64-10.1.1    10.1.1.12-b521f1292
  
glqxz9283 sfy39587stf02 mnesdcuix8
sfy39587stf03
sfy39587p08