[QSA-0427212] Security Update Bundle

Qlustar Security Advisory 0427212

April 27th, 2021


Summary:

A Qlustar security update bundle is a cumulative update of packages taken unmodified from
upstream Debian/Ubuntu (and, for the CentOS-based image modules, from CentOS). Only packages
that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security
Advisories. Other, non-HPC related updates also enter the Qlustar repository, but their
functionality is not separately verified by the Qlustar team. To track those updates,
subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.

    Package(s)       : see upstream description of individual package
    Qlustar releases : 11.0, 12.0
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu and
CentOS. The following list references the upstream security report of each affected
package; each title corresponds to the original upstream advisory.

Relevant to Qlustar 12.0 and 11.0

X.Org X Server vulnerability

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled certain lengths of
XInput extension ChangeFeedbackControl requests. An attacker could use this issue to cause
the server to crash, resulting in a denial of service, or possibly execute arbitrary code.
Upstream tracks this as CVE-2021-3472. The flaw is only reachable by a client that can
already connect to the X server, so it matters mainly on login or visualization nodes that
run an X display or accept remote X clients; headless compute nodes without a running X
server are not exposed.

OpenSSL vulnerability

It was discovered that OpenSSL incorrectly handled certain renegotiation ClientHello
messages. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a
denial of service, or possibly execute arbitrary code. Upstream OpenSSL tracks this as
CVE-2021-3449, a NULL pointer dereference in the OpenSSL 1.1.1 series: only TLS 1.2 servers
with renegotiation enabled (the default) are affected, TLS clients are not, and OpenSSL
1.0.2 is not affected. Long-running TLS services on the cluster (web front ends, LDAP,
Slurm REST interfaces, etc.) must be restarted after the update to pick up the fixed library.

CentOS 7.9 / 8.3 security updates

Please check the CentOS announce mailing list for details about the CentOS 7/8 updates that
entered this release (all announcements from March 20th, 2021 to April 26th, 2021).

Update instructions:

The problem can be corrected by updating your system to the following or more recent
package versions. Follow the Qlustar Update Instructions; on Qlustar 11, also perform the
manual steps '7. Migration to GRUB PXE booting' and '11. Adjust root bash shell
initialization' from the Release Notes if you have not done so yet:

For Qlustar 12.0

    qlustar-module-core-focal-amd64-12.0.0     12.0.0.3-b536f1363
    qlustar-module-core-centos7-amd64-12.0.0   12.0.0.3-b536f1363
    qlustar-module-core-centos8-amd64-12.0.0   12.0.0.3-b536f1363
  

For Qlustar 11.0

    qlustar-module-core-bionic-amd64-11.0.1    11.0.1.7-b533f1362
    qlustar-module-core-centos7-amd64-11.0.1   11.0.1.7-b533f1362
    qlustar-module-core-centos8-amd64-11.0.1   11.0.1.7-b533f1362
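
To confirm that a head node has actually received this bundle, the following script is an
added example written for this advisory; it is not part of Qlustar's own update tooling.
It assumes the image modules are installed as Debian packages visible to dpkg-query on the
head node, compares versions with dpkg --compare-versions (falling back to GNU sort -V where
dpkg is absent), and embeds the package names and minimum versions from the two tables
above. The function names (version_lt, needs_update, installed_version, check_modules) and
the --check flag are names chosen for this example.

```shell
#!/bin/sh
# Added example for QSA-0427212: check installed qlustar-module-core packages
# against the advisory's minimum versions. Not Qlustar's own tooling.
#
# Assumptions: modules are Debian packages on the head node (dpkg-query can
# see them); `dpkg --compare-versions` is used for ordering when dpkg exists,
# otherwise GNU `sort -V`.

# Minimum fixed versions, copied from the advisory tables ("package version").
QSA_0427212_FIXED='
qlustar-module-core-focal-amd64-12.0.0 12.0.0.3-b536f1363
qlustar-module-core-centos7-amd64-12.0.0 12.0.0.3-b536f1363
qlustar-module-core-centos8-amd64-12.0.0 12.0.0.3-b536f1363
qlustar-module-core-bionic-amd64-11.0.1 11.0.1.7-b533f1362
qlustar-module-core-centos7-amd64-11.0.1 11.0.1.7-b533f1362
qlustar-module-core-centos8-amd64-11.0.1 11.0.1.7-b533f1362
'

# version_lt A B: exit 0 if A is older than B (Debian version ordering).
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Fallback: A is older if it differs from B and sorts first under -V.
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# needs_update INSTALLED REQUIRED: print "yes" if INSTALLED < REQUIRED, else "no".
needs_update() {
    if version_lt "$1" "$2"; then echo yes; else echo no; fi
}

# installed_version PKG: print the installed version, or nothing if absent.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# check_modules LOOKUP_FN: walk the advisory table, calling LOOKUP_FN PKG to
# obtain the installed version. Prints one report line per package and
# returns 0 only if no installed package is older than required.
check_modules() {
    lookup=$1
    outdated=0
    while read -r pkg required; do
        [ -n "$pkg" ] || continue
        inst=$("$lookup" "$pkg")
        if [ -z "$inst" ]; then
            printf '%-45s not installed (skipped)\n' "$pkg"
        elif version_lt "$inst" "$required"; then
            printf '%-45s %s < %s  UPDATE REQUIRED\n' "$pkg" "$inst" "$required"
            outdated=$((outdated + 1))
        else
            printf '%-45s %s  ok\n' "$pkg" "$inst"
        fi
    done <<EOF
$QSA_0427212_FIXED
EOF
    [ "$outdated" -eq 0 ]
}

# Run against the live system only when invoked as: sh qsa-check.sh --check
case "${1:-}" in
    --check) check_modules installed_version ;;
esac
```

Run it as `sh qsa-check.sh --check`; a non-zero exit status means at least one installed
module is older than the advisory requires. Packages for the other Qlustar release are
reported as "not installed (skipped)", so the same script serves 11.0 and 12.0 head nodes.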