[QSA-0118212] Security Update Bundle
Qlustar Security Advisory 0118212
January 18th, 2021
Summary:
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.
Package(s) : see upstream description of individual package
Qlustar releases : 11.0, 12.0
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
Relevant to Qlustar 12.0 and 11.0
Dnsmasq vulnerabilities
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled memory when sorting RRsets. A remote attacker could use this issue to cause Dnsmasq to hang, resulting in a denial of service, or possibly execute arbitrary code.
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled extracting certain names. A remote attacker could use this issue to cause Dnsmasq to hang, resulting in a denial of service, or possibly execute arbitrary code.
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly implemented address/port checks. A remote attacker could use this issue to perform a cache poisoning attack.
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly implemented query resource name checks. A remote attacker could use this issue to perform a cache poisoning attack.
Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled multiple query requests for the same resource name. A remote attacker could use this issue to perform a cache poisoning attack.
It was discovered that Dnsmasq incorrectly handled memory during DHCP response creation. A remote attacker could possibly use this issue to cause Dnsmasq to consume resources, leading to a denial of service.
tar vulnerabilities
Chris Siebenmann discovered that tar incorrectly handled extracting files resized during extraction when invoked with the --sparse flag. An attacker could possibly use this issue to cause a denial of service.
Daniel Axtens discovered that tar incorrectly handled certain malformed tar files. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to cause tar to crash, resulting in a denial of service.
APT vulnerability
Kevin Backhouse discovered that APT incorrectly handled certain packages. A local attacker could possibly use this issue to cause APT to crash or stop responding, resulting in a denial of service.
curl vulnerabilities
Varnavas Papaioannou discovered that curl incorrectly handled FTP PASV responses. An attacker could possibly use this issue to trick curl into connecting to an arbitrary IP address and be used to perform port scanner and other information gathering.
It was discovered that curl incorrectly handled FTP wildcard matchins. A remote attacker could possibly use this issue to cause curl to consume resources and crash, resulting in a denial of service.
It was discovered that curl incorrectly handled OCSP response verification. A remote attacker could possibly use this issue to provide a fraudulent OCSP response.
OpenSSL vulnerability
David Benjamin discovered that OpenSSL incorrectly handled comparing certificates containing a EDIPartyName name type. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
QEMU vulnerabilities
Alexander Bulekov discovered that QEMU incorrectly handled SDHCI device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile.
Sergej Schumilo, Cornelius Aschermann, and Simon Wrner discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
Sergej Schumilo, Cornelius Aschermann, and Simon Wrner discovered that QEMU incorrectly handled SDHCI device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
Gaoning Pan, Yongkang Jia, and Yi Ren discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
It was discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service.
Cheolwoo Myung discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
Gaoning Pan discovered that QEMU incorrectly handled networking. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
CentOS 7.9 / 8.3 security updates
Please check the CentOS mailing list for details about CentOS 7/8 updates that entered this release (everything from Nov 19th, 2020 to Jan 18th, 2021).
Update instructions:
The problem can be corrected by updating your system to the following or more recent package versions (follow the Qlustar Update Instructions and on Qlustar 11 also perform the manual steps '7. Migration to GRUB PXE booting' and '11. Adjust root bash shell initialization' as described in the Release Notes if you haven't done so yet):
For Qlustar 12.0
qlustar-module-core-focal-amd64-12.0.0 12.0.0.1-b528f1339
qlustar-module-core-centos7-amd64-12.0.0 12.0.0.1-b528f1339
qlustar-module-core-centos8-amd64-12.0.0 12.0.0.1-b528f1339
For Qlustar 11.0
qlustar-module-core-bionic-amd64-11.0.1 11.0.1.5-b527f1338
qlustar-module-core-centos7-amd64-11.0.1 11.0.1.5-b527f1340
qlustar-module-core-centos8-amd64-11.0.1 11.0.1.5-b527f1340