[QSA-1126202] Security Update Bundle

Qlustar Security Advisory 1126202

November 26th, 2020


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.


    Package(s)       : see upstream description of individual package
    Qlustar releases : 10.1, 11.0
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 11.0 and 10.1

Pacemaker vulnerability

Ken Gaillot discovered that Pacemaker incorrectly handled IPC communications permissions. A local attacker could possibly use this issue to bypass ACL restrictions and execute arbitrary code as root.

tmux vulnerability

Sergey Nizovtsev discovered that tmux incorrectly handled some inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

Samba vulnerabilities

Steven French discovered that Samba incorrectly handled ChangeNotify permissions. A remote attacker could possibly use this issue to obtain file name information.

Bas Alberts discovered that Samba incorrectly handled certain winbind requests. A remote attacker could possibly use this issue to cause winbind to crash, resulting in a denial of service.

Francis Brosnan Blázquez discovered that Samba incorrectly handled certain invalid DNS records. A remote attacker could possibly use this issue to cause the DNS server to crash, resulting in a denial of service.

MariaDB vulnerabilities

It was discovered that MariaDB didn't properly validate the content of a packet received from a server. A remote attacker could use this vulnerability to sent a specialy crafted file to cause a denial of service.

It was discovered that MariaDB has other security issues. An attacker can cause a hang or frequently repeatable crash (denial of service).

Perl vulnerabilities

ManhND discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions are evaluated, a remote attacker could possibly use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code.

Hugo van der Sanden and Slaven Rezic discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions are evaluated, a remote attacker could possibly use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code.

Sergey Aleynikov discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions are evaluated, a remote attacker could possibly use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code.

PHP vulnerabilities

It was discovered that PHP incorrectly handled certain encrypt ciphers. An attacker could possibly use this issue to decrease security or cause incorrect encryption data.

It was discorevered that PHP incorrectly handled certain HTTP cookies. An attacker could possibly use this issue to forge cookie which is supposed to be secure.

Vim vulnerabilities

It was discovered that Vim incorrectly handled permissions on the .swp file. A local attacker could possibly use this issue to obtain sensitive information.

It was discovered that Vim incorrectly handled restricted mode. A local attacker could possibly use this issue to bypass restricted mode and execute arbitrary commands. Note: This update only makes executing shell commands more difficult. Restricted mode should not be considered a complete security measure.

Python vulnerability

It was discovered that Python incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection.

CentOS 7.8 / 8.1 security updates

Please check the CentOS mailing list for details about CentOS 7/8 updates that entered this release (everything from Oct 9th to Nov 19th, 2020).

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions and on Qlustar 11 also perform the manual steps '7. Migration to GRUB PXE booting' and '10. Adjust root bash shell initialization' as described in the Release Notes if you haven't done so yet):

For Qlustar 11.0

    qlustar-module-core-bionic-amd64-11.0.1    11.0.1.4-b522f1319
    qlustar-module-core-centos7-amd64-11.0.1   11.0.1.4-b522f1321
  

For Qlustar 10.1

    qlustar-module-core-xenial-amd64-10.1.1    10.1.1.17-b521f1318