Apr 6th, 2020
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other, non-HPC-related updates also enter the Qlustar repository, but the Qlustar team does not separately verify their functionality. To track those updates, subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.
Package(s)        : see upstream description of individual package
Qlustar releases  : 10.1, 11.0
Affected versions : All versions prior to this update
Vulnerability     : see upstream description of individual package
Problem type      : see upstream description of individual package
Qlustar-specific  : no
CVE Id(s)         : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
As a security improvement, this update adds TLSv1.3 support to the Apache HTTP Server package. TLSv1.3 is enabled by default and may cause compatibility issues in certain environments; in those environments the SSLProtocol directive can be used to disable TLSv1.3 again.
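The following mod_ssl virtual host fragment is an added example, not text from the Qlustar advisory or from the Apache package. It shows the recommended SSLProtocol setting with TLSv1.3 kept on, the fallback that turns off only TLSv1.3, and a common misconfiguration. The server name and certificate paths are hypothetical.

```apache
# Added example (not part of the Qlustar advisory or the Apache package).
# Host name and certificate paths below are assumptions.
<VirtualHost *:443>
    ServerName cluster-head.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cluster-head.pem
    SSLCertificateKeyFile /etc/ssl/private/cluster-head.key

    # Recommended: start from "all" and subtract the legacy protocols only.
    # With the updated package "all" includes TLSv1.3, so it stays enabled.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Only if TLSv1.3 causes problems in this environment: subtract it too,
    # leaving TLSv1.2 as the single enabled protocol.
    # SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3

    # Pitfall: a list of protocols without +/- prefixes is not additive.
    # mod_ssl replaces the protocol set with each unprefixed word (and warns
    # at startup), so the next line would leave only TLSv1.3 enabled.
    # SSLProtocol TLSv1.2 TLSv1.3
</VirtualHost>
```

After editing, run `apachectl configtest` and reload the service. A handshake test with `openssl s_client -connect cluster-head.example.org:443 -tls1_3` (OpenSSL 1.1.1 or later) should succeed with the first setting and fail with the fallback. Disable TLSv1.3 only for the hosts that actually need it, and do not re-enable TLSv1.0 or TLSv1.1 as a workaround.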
It was discovered that GD Graphics Library incorrectly handled cloning an image. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service.
It was discovered that GD Graphics Library incorrectly handled loading images from X bitmap format files. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service, or to disclose stack contents left there by previously executed code.
It was discovered that Vim incorrectly handled certain sources, inputs or files. An attacker could possibly use this issue to cause a denial of service.
It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to access sensitive information.
It was discovered that rsync incorrectly handled pointer arithmetic in its bundled copy of zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in its bundled copy of zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that rsync incorrectly handled vectors involving big-endian CRC calculation in its bundled copy of zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code.
Felipe Franciosi, Raphael Norwitz, and Peter Turschmid discovered that QEMU incorrectly handled iSCSI server responses. A remote attacker in control of the iSCSI server could use this issue to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary code.
It was discovered that the QEMU libslirp component incorrectly handled memory. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service.
It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information.
It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
Please check the CentOS mailing list for details about CentOS 7 updates that entered this release (everything from Feb 7th to Apr 6th, 2020).
The problem can be corrected by updating your system to the following Qlustar package versions, in addition to the package versions given in the upstream reports. Follow the Qlustar Update Instructions; on Qlustar 11 also perform the manual step '10. Adjust root bash shell initialization' described in the Release Notes, if you have not done so yet:
qlustar-module-core-bionic-amd64-11.0.0   11.0.0.8-b518f1287
qlustar-module-core-centos7-amd64-11.0.0  11.0.0.8-b519f1289
qlustar-module-core-xenial-amd64-10.1.1   10.1.1.12-b521f1292