[QSA-1129192]
Security Update Bundle
Qlustar Security Advisory 1129192
Nov 29th, 2019
Summary:
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.
Package(s) : see upstream description of individual package
Qlustar releases : 10.1, 11.0
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
Relevant only to Qlustar 11.0
mariadb vulnerabilities
Qlustar 11.0 has been updated to MariaDB 10.1.43. In addition to security fixes, the updated package contain bug fixes, new features, and possibly incompatible changes.
Relevant to Qlustar 11.0 and 10.1
NSS vulnerability
It was discovered that NSS incorrectly handled certain memory operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
QEMU vulnerabilities
It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service.
Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a null pointer dereference. A local attacker in a guest could use this to cause a denial of service.
Riccardo Schirone discovered that the QEMU bridge helper did not properly validate network interface names. A local attacker could possibly use this to bypass ACL restrictions.
It was discovered that a heap-based buffer overflow existed in the SLiRP networking implementation of QEMU. A local attacker in a guest could use this to cause a denial of service or possibly execute arbitrary code in the host.
It was discovered that a use-after-free vulnerability existed in the SLiRP networking implementation of QEMU. A local attacker in a guest could use this to cause a denial of service.
GNU cpio vulnerability
Thomas Habets discovered that GNU cpio incorrectly handled certain inputs. An attacker could possibly use this issue to privilege escalation.
file vulnerability
It was discovered that file incorrectly handled certain malformed files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
libarchive vulnerability
It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly execute arbitrary code.
Samba vulnerabilities
Michael Hanselmann discovered that the Samba client code incorrectly handled path separators. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause the client to access local pathnames instead of network pathnames.
Simon Fonteneau and Björn Baumbach discovered that Samba incorrectly handled the check password script. This issue could possibly bypass custom password complexity checks, contrary to expectations. This issue did not affect Qlustar 10.1.
Adam Xu discovered that Samba incorrectly handled the dirsync LDAP control. A remote attacker with "get changes" permissions could possibly use this issue to cause Samba to crash, resulting in a denial of service.
PHP vulnerability
It was discovered that PHP incorrectly handled certain paths when being used in FastCGI configurations. A remote attacker could possibly use this issue to execute arbitrary code.
Libxslt vulnerabilities
It was discovered that Libxslt incorrectly handled certain documents. An attacker could possibly use this issue to access sensitive information.
It was discovered that Libxslt incorrectly handled certain documents. An attacker could possibly use this issue to execute arbitrary code.
CentOS 7.7 security updates
Please check the CentOS mailing list for details about CentOS 7 updates that entered this release (everything from Oct 23rd to Nov 28th, 2019).
Update instructions:
The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions and for this update also perform the manual step '10. Adjust root bash shell initialization' as described in the Release Notes):
For Qlustar 11.0
qlustar-module-core-bionic-amd64-11.0.0 11.0.0.5-b515f1276
qlustar-module-core-centos7-amd64-11.0.0 11.0.0.5-b515f1274
For Qlustar 10.1
qlustar-module-core-xenial-amd64-10.1.1 10.1.1.9-b509f1273