[QSA-0109202] Security Update Bundle

Qlustar Security Advisory 0109202

Jan 9th, 2020

Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.

    Package(s)       : see upstream description of individual package
    Qlustar releases : 10.1, 11.0
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 11.0 and 10.1

GnuTLS update

As a security improvement, this update marks SHA1 as being untrusted for digital signature operations.

NSS vulnerability

It was discovered that NSS incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

libpcap vulnerability

It was discovered that libpcap did not properly validate PHB headers in some situations. An attacker could use this to cause a denial of service (memory exhaustion).

Git vulnerabilities

Joern Schneeweisz and Nicolas Joly discovered that Git contained various security flaws. An attacker could possibly use these issues to overwrite arbitrary paths, execute arbitrary code, and overwrite files in the .git directory.

Samba vulnerabilities

Andreas Oster discovered that the Samba DNS management server incorrectly handled certain records. An authenticated attacker could possibly use this issue to crash Samba, resulting in a denial of service.

Isaac Boukris discovered that Samba did not enforce the Kerberos DelegationNotAllowed feature restriction, contrary to expectations.

NSS vulnerability

It was discovered that NSS incorrectly handled certain certificates. An attacker could possibly use this issue to cause a denial of service.

CentOS 7.7 security updates

Please check the CentOS mailing list for details about CentOS 7 updates that entered this release (everything from Nov 28th to Dec 26th, 2019).

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions and on Qlustar 11 also perform the manual step '10. Adjust root bash shell initialization' as described in the Release Notes if you haven't done so yet):

For Qlustar 11.0

    qlustar-module-core-bionic-amd64-11.0.0    11.0.0.6-b515f1278
    qlustar-module-core-centos7-amd64-11.0.0   11.0.0.6-b515f1278
  

For Qlustar 10.1

    qlustar-module-core-xenial-amd64-10.1.1    10.1.1.10-b509f1277