User login
Qlustar: Install and enjoy!

[QSA-0628172] Security Update Bundle

Qlustar Security Advisory 0628172

June 28th, 2017


Summary:

Security update bundle. A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu.


    Package(s)       : see upstream description of individual package
    Qlustar releases : 9.1/9.2
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Apache HTTP Server vulnerabilities

Emmanuel Dreyfus discovered that third-party modules using the ap_get_basic_auth_pw() function outside of the authentication phase may lead to authentication requirements being bypassed. This update adds a new ap_get_basic_auth_components() function for use by third-party modules.

Vasileios Panopoulos discovered that the Apache mod_ssl module may crash when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

Javier Jiménez discovered that the Apache HTTP Server incorrectly handled parsing certain requests. A remote attacker could possibly use this issue to cause the Apache HTTP Server to crash, resulting in a denial of service.

ChenQin and Hanno Böck discovered that the Apache mod_mime module incorrectly handled certain Content-Type response headers. A remote attacker could possibly use this issue to cause the Apache HTTP Server to crash, resulting in a denial of service.

NSS vulnerability

It was discovered that NSS incorrectly handled certain empty SSLv2 messages. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service.

GNU C Library vulnerability

It was discovered that the GNU C library did not properly handle memory when processing environment variables for setuid programs. A local attacker could use this in combination with another vulnerability to gain administrative privileges.

GnuTLS vulnerability

It was discovered that GnuTLS incorrectly handled decoding certain OpenPGP certificates. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.

OpenLDAP vulnerability

Karsten Heymann discovered that OpenLDAP incorrectly handled certain search requests. A remote attacker could use this issue to cause slapd to crash, resulting in a denial of service.

Sudo vulnerability

It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the filesystem, bypassing intended permissions.

Samba vulnerability

It was discovered that Samba incorrectly handled shared libraries. A remote attacker could use this flaw to upload a shared library to a writable share and execute arbitrary code.

Bash vulnerabilities

Bernd Dietzel discovered that Bash incorrectly expanded the hostname when displaying the prompt. If a remote attacker were able to modify a hostname, this flaw could be exploited to execute arbitrary code.

It was discovered that Bash incorrectly handled the SHELLOPTS and PS4 environment variables. A local attacker could use this issue to execute arbitrary code with root privileges.

It was discovered that Bash incorrectly handled the popd command. A remote attacker could possibly use this issue to bypass restricted shells.

OpenJDK 7 vulnerabilities

It was discovered that OpenJDK improperly re-used cached NTLM connections in some situations. A remote attacker could possibly use this to cause a Java application to perform actions with the credentials of a different user.

It was discovered that an untrusted library search path flaw existed in the Java Cryptography Extension (JCE) component of OpenJDK. A local attacker could possibly use this to gain the privileges of a Java application.

It was discovered that the Java API for XML Processing (JAXP) component in OpenJDK did not properly enforce size limits when parsing XML documents. An attacker could use this to cause a denial of service (processor and memory consumption).

It was discovered that the FTP client implementation in OpenJDK did not properly sanitize user inputs. If a user was tricked into opening a specially crafted FTP URL, a remote attacker could use this to manipulate the FTP connection.

It was discovered that OpenJDK allowed MD5 to be used as an algorithm for JAR integrity verification. An attacker could possibly use this to modify the contents of a JAR file without detection.

It was discovered that the SMTP client implementation in OpenJDK did not properly sanitize sender and recipient addresses. A remote attacker could use this to specially craft email addresses and gain control of a Java application's SMTP connections.

Git vulnerability

Timo Schmid discovered that the Git restricted shell incorrectly filtered allowed commands. A remote attacker could possibly use this issue to run an interactive pager and access sensitive information.

Apache HTTP Server vulnerabilities

It was discovered that the Apache mod_session_crypto module was encrypting data and cookies using either CBC or ECB modes. A remote attacker could possibly use this issue to perform padding oracle attacks.

Maksim Malyutin discovered that the Apache mod_auth_digest module incorrectly handled malicious input. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service.

David Dennerline and Régis Leroy discovered that the Apache HTTP Server incorrectly handled unusual whitespace when parsing requests, contrary to specifications. When being used in combination with a proxy or backend server, a remote attacker could possibly use this issue to perform an injection attack and pollute cache. This update may introduce compatibility issues with clients that do not strictly follow HTTP protocol specifications. A new configuration option "HttpProtocolOptions Unsafe" can be used to revert to the previous unsafe behaviour in problematic environments.

shadow vulnerabilities

Sebastian Krahmer discovered integer overflows in shadow utilities. A local attacker could possibly cause them to crash or potentially gain privileges via crafted input.

Tobias Stöckmann discovered a race condition in su. A local attacker could cause su to send SIGKILL to other processes with root privileges.

NSS vulnerabilities

Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update causes NSS to limit use of the same symmetric key.

It was discovered that NSS incorrectly handled Base64 decoding. A remote attacker could use this flaw to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.

This update refreshes the NSS package to version 3.28.4 which includes the latest CA certificate bundle.

Samba vulnerabilities

Jann Horn discovered that Samba incorrectly handled symlinks. An authenticated remote attacker could use this issue to access files on the server outside of the exported directories.

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions):

    qlustar-module-core-trusty-amd64-9.2.0     9.2.0.1-b463f1072
    qlustar-module-core-wheezy-amd64-9.1.1     9.1.1.5-b461f1071
  
glqxz9283 sfy39587stf02 mnesdcuix8
sfy39587stf03
sfy39587p08