[QSA-1024192] Security Update Bundle
Qlustar Security Advisory 1024192
Oct 24th, 2019
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.
Package(s) : see upstream description of individual package Qlustar releases : 10.1, 11.0 Affected versions: All versions prior to this update Vulnerability : see upstream description of individual package Problem type : see upstream description of individual package Qlustar-specific : no CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
Relevant to Qlustar 11.0 and 10.1
Joe Vennix discovered that Sudo incorrectly handled certain user IDs. An attacker could potentially exploit this to execute arbitrary commands as the root user.
It was discovered that Python incorrectly parsed certain email addresses. A remote attacker could possibly use this issue to trick Python applications into accepting email addresses that should be denied.
It was discovered that the Python documentation XML-RPC server incorrectly handled certain fields. A remote attacker could use this issue to execute a cross-site scripting (XSS) attack.
It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code.
CentOS 7.7 security updates
Please check the CentOS mailing list for details about CentOS 7 updates that entered this release (everything from Sept. 17th to Oct 23rd, 2019).
The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions and for this update also perform the manual step '10. Adjust root bash shell initialization' as described in the Release Notes):
For Qlustar 11.0
qlustar-module-core-bionic-amd64-11.0.0 220.127.116.11-b515f1270 qlustar-module-core-centos7-amd64-11.0.0 18.104.22.168-b515f1270
For Qlustar 10.1