[QSA-0706212] Security Update Bundle
Qlustar Security Advisory 0706212
July 6th, 2021
Summary:
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.
Package(s) : see upstream description of individual package
Qlustar releases : 11.0, 12.0
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
Relevant to Qlustar 12.0 and 11.0
Apache HTTP Server vulnerabilities
Marc Stern discovered that the Apache mod_proxy_http module incorrectly handled certain requests. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service.
Antonio Morales discovered that the Apache mod_auth_digest module incorrectly handled certain Digest nonces. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service.
Antonio Morales discovered that the Apache mod_session module incorrectly handled certain Cookie headers. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service.
Christophe Jaillet discovered that the Apache mod_session module incorrectly handled certain SessionHeader values. A remote attacker could use this issue to cause Apache to crash, resulting in a denial of service, or possibly execute arbitrary code.
Christoph Anton Mitterer discovered that the new MergeSlashes configuration option resulted in unexpected behaviour in certain situations.
GRUB 2 vulnerabilities
Máté Kukri discovered that the acpi command in GRUB 2 allowed privileged users to load crafted ACPI tables when secure boot is enabled. An attacker could use this to bypass UEFI Secure Boot restrictions.
Chris Coulson discovered that the rmmod command in GRUB 2 contained a use- after-free vulnerability. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
Chris Coulson discovered that a buffer overflow existed in the command line parser in GRUB 2. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
It was discovered that the cutmem command in GRUB 2 did not honor secure boot locking. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
It was discovered that the option parser in GRUB 2 contained a heap overflow vulnerability. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
It was discovered that the menu rendering implementation in GRUB 2 did not properly calculate the amount of memory needed in some situations, leading to out-of-bounds writes. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
libxml2 vulnerabilities
Zhipeng Xie discovered that libxml2 incorrectly handled certain XML schemas. A remote attacker could possibly use this issue to cause a denial of service.
It was discovered that libxml2 incorrectly handled invalid UTF-8 input. A remote attacker could possibly exploit this with a crafted XML file to cause libxml2 to crash, resulting in a denial of service.
It was discovered that libxml2 did not properly handle certain crafted XML files. A local attacker could exploit this with a crafted input to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that libxml2 incorrectly handled error states. A remote attacker could exploit this with a crafted XML file to cause libxml2 to crash, resulting in a denial of service.
Sebastian Pipping discovered that libxml2 did not properly handle certain crafted XML files. A remote attacker could exploit this with a crafted XML file to cause libxml2 to crash, resulting in a denial of service.
rpcbind vulnerability
It was discovered that rpcbind incorrectly handled certain large data sizes. A remote attacker could use this issue to cause rpcbind to consume resources, leading to a denial of service.
polkit vulnerability
Kevin Backhouse discovered that polkit incorrectly handled errors in the polkit_system_bus_name_get_creds_sync function. A local attacker could possibly use this issue to escalate privileges.
Dnsmasq vulnerability
Petr Mensik discovered that Dnsmasq incorrectly randomized source ports in certain configurations. A remote attacker could possibly use this issue to facilitate DNS cache poisoning attacks.
Python vulnerability
It was discovered that the Python stdlib ipaddress API incorrectly handled octal strings. A remote attacker could possibly use this issue to perform a wide variety of attacks, including bypassing certain access restrictions.
libx11 vulnerability
It was discovered that libx11 incorrectly validated certain parameter lengths. A remote attacker could possibly use this issue to trick libx11 into emitting extra X protocol requests.
GNU C Library vulnerabilities
Jason Royes and Samuel Dytrych discovered that the memcpy() implementation for 32 bit ARM processors in the GNU C Library contained an integer underflow vulnerability. An attacker could possibly use this to cause a denial of service (application crash) or execute arbitrary code.
It was discovered that the POSIX regex implementation in the GNU C Library did not properly parse alternatives. An attacker could use this to cause a denial of service.
MariaDB vulnerabilities
This update fixed multiple vulnerabilities in MariaDB.
Samba vulnerability
Peter Eriksson discovered that Samba incorrectly handled certain negative idmap cache entries. This issue could result in certain users gaining unauthorized access to files, contrary to expected behaviour.
CentOS 7.9 / 8.4 security updates
Please check the CentOS mailing list for details about CentOS 7/8 updates that entered this release (everything from Apr 26th, 2021 to July 6th, 2021).
Update instructions:
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 12.0
qlustar-module-core-focal-amd64-12.0.0 12.0.0.4-b542f1382
qlustar-module-core-centos7-amd64-12.0.0 12.0.0.4-b542f1382
qlustar-module-core-centos8-amd64-12.0.0 12.0.0.4-b542f1382
For Qlustar 11.0
qlustar-module-core-bionic-amd64-11.0.1 11.0.1.8-b543f1384
qlustar-module-core-centos7-amd64-11.0.1 11.0.1.8-b543f1384
qlustar-module-core-centos8-amd64-11.0.1 11.0.1.8-b543f1384
Special Update instructions:
In addition to the steps described in the general Qlustar Update Instructions these updates require the following:
- On Qlustar 12: Also write the dnsmasq config with QluMan before rebooting.
- On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.