[QSA-0211192] Security Update Bundle

Qlustar Security Advisory 0211192

Mar 11th, 2019


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu.


    Package(s)       : see upstream description of individual package
    Qlustar releases : 10.1
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

php7.0 vulnerabilities

It was discovered that the PHP XML-RPC module incorrectly handled decoding XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

It was discovered that the PHP PHAR module incorrectly handled certain filenames. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

It was discovered that PHP incorrectly parsed certain DNS responses. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

It was discovered that PHP incorrectly handled mbstring regular expressions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

nss vulnerability

Hanno Böck and Damian Poddebniak discovered that NSS incorrectly handled certain CMS functions. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service.

bind9 vulnerabilities

It was discovered that Bind incorrectly handled certain trust anchors when used with the "managed-keys" feature. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.

It was discovered that Bind incorrectly handled certain controls for zone transfers, contrary to expectations.

systemd vulnerability

It was discovered that systemd incorrectly handled certain D-Bus messages. A local unprivileged attacker could exploit this in order to crash the init process, resulting in a system denial-of-service (kernel panic).

openssh vulnerabilities

Harry Sintonen discovered multiple issus in the OpenSSH scp utility. If a user or automated system were tricked into connecting to an untrusted server, a remote attacker could possibly use these issues to write to arbitrary files, change directory permissions, and spoof client output.

libarchive vulnerabilities

It was discovered that libarchive incorrectly handled certain 7zip files. An attacker could possibly use this issue to cause a denial of service.

curl vulnerabilities

Wenxiang Qian discovered that curl incorrectly handled certain NTLM authentication messages. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service.

Wenxiang Qian discovered that curl incorrectly handled certain NTLMv2 authentication messages. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code.

Brian Carpenter discovered that curl incorrectly handled certain SMTP responses. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service.

openjdk-8, openjdk-lts vulnerability

It was discovered that a memory disclosure issue existed in the OpenJDK Library subsystem. An attacker could use this to expose sensitive information and possibly bypass Java sandbox restrictions.

apt vulnerability

Max Justicz discovered that APT incorrectly handled certain parameters during redirects. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages.

policykit-1 vulnerability

It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions.

libarchive vulnerability

It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions):

    qlustar-module-core-xenial-amd64-10.1.1    10.1.1.3-b509f1235