[QSA-0903212] Security Update Bundle
Qlustar Security Advisory 0903212
September 3rd, 2021
A Qlustar security update bundle is a cumulative update of packages taken from upstream Debian/Ubuntu without modification. Only packages used in a typical HPC/storage cluster installation are mentioned in Qlustar Security Advisories. Other, non-HPC-related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track those updates, subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.
Package(s)        : see upstream description of individual package
Qlustar releases  : 11.0, 12.0
Affected versions : All versions prior to this update
Vulnerability     : see upstream description of individual package
Problem type      : see upstream description of individual package
Qlustar-specific  : no
CVE Id(s)         : see upstream description of individual package
This update includes several security-related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report for each package. You can view the original upstream advisory by clicking on the corresponding title.
Relevant to Qlustar 12.0 and 11.0
Etienne Stalmans discovered that Squashfs-Tools mishandled certain malformed SQUASHFS files. An attacker could use this vulnerability to write arbitrary files to the filesystem.
John Ouyang discovered that OpenSSL incorrectly handled decrypting SM2 data. A remote attacker could use this issue to cause applications using OpenSSL to crash, resulting in a denial of service, or possibly change application behaviour.
Ingo Schwarze discovered that OpenSSL incorrectly handled certain ASN.1 strings. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly obtain sensitive information.
It was discovered that GnuTLS incorrectly handled sending certain extensions when being used as a client. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.
USN-5022-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2021-2372 and CVE-2021-2389 in MariaDB 10.3 and 10.5.
In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
Please see the following for more information:
CentOS 7.9 / 8.4 security updates
Please check the CentOS mailing list for details about the CentOS 7/8 updates that entered this release (everything published from July 23rd, 2021 to September 1st, 2021).
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 12.0
qlustar-module-core-focal-amd64-12.0.0 126.96.36.199-b542f1396
qlustar-module-core-centos7-amd64-12.0.0 188.8.131.52-b542f1396
qlustar-module-core-centos8-amd64-12.0.0 184.108.40.206-b542f1396
For Qlustar 11.0
qlustar-module-core-bionic-amd64-11.0.1 220.127.116.11-b543f1397
qlustar-module-core-centos7-amd64-11.0.1 18.104.22.168-b543f1397
qlustar-module-core-centos8-amd64-11.0.1 22.214.171.124-b543f1397
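To verify that a head node actually carries the minimum versions listed above (or newer), the installed versions have to be compared with dpkg's ordering rules rather than as plain strings, otherwise "b543" vs "b5430" or a "~" pre-release suffix gives the wrong answer. The script below is an added example, not Qlustar's own tooling: it reads `dpkg-query -W -f='${Package} ${Version}\n'` output, applies the dpkg version algorithm (epoch, upstream, revision, with `~` sorting lowest) and reports each required package as ok, outdated or missing. The version strings in REQUIRED_12 and SAMPLE_DPKG_OUTPUT are constructed placeholders, since the versions printed above are not reliably legible in this copy of the advisory; substitute the real values before use.

```python
"""Check installed Qlustar module packages against an advisory's minimum versions.

Added example, not Qlustar's own tooling.  Feed it the output of
  dpkg-query -W -f='${Package} ${Version}\n'
and a {package: minimum_version} map copied from the advisory.  Versions are
compared with the dpkg algorithm (epoch, upstream, revision; '~' sorts lowest).
"""
import re
import subprocess
import sys


def _char_order(c):
    # dpkg ordering for non-digit characters: '~' sorts before anything
    # (including end of string), letters sort before non-letters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    # End of string has order 0, so "1.0~rc1" < "1.0" but "1.0a" > "1.0".
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    # Alternate between non-digit runs (compared as above) and digit runs
    # (compared numerically) until both strings are consumed.
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version):
    # [epoch:]upstream[-revision]; the last '-' separates the revision.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    if "-" in rest:
        upstream, _, revision = rest.rpartition("-")
    else:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 in the same order dpkg --compare-versions would use."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def check_minimums(dpkg_output, required):
    """Map each required package to 'ok', 'outdated' or 'missing'."""
    installed = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    result = {}
    for pkg, minimum in required.items():
        if pkg not in installed:
            result[pkg] = "missing"
        elif compare_versions(installed[pkg], minimum) < 0:
            result[pkg] = "outdated"
        else:
            result[pkg] = "ok"
    return result


# Constructed sample: the versions below are placeholders for illustration and
# are NOT the advisory's values; copy the real ones from the advisory's list.
REQUIRED_12 = {
    "qlustar-module-core-focal-amd64-12.0.0": "12.0.0.5-b542f1396",
    "qlustar-module-core-centos7-amd64-12.0.0": "12.0.0.5-b542f1396",
    "qlustar-module-core-centos8-amd64-12.0.0": "12.0.0.5-b542f1396",
}
SAMPLE_DPKG_OUTPUT = """\
qlustar-module-core-focal-amd64-12.0.0 12.0.0.5-b542f1396
qlustar-module-core-centos7-amd64-12.0.0 12.0.0.4-b541f1390
"""

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Query the real package database; needs dpkg on the head node.
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Package} ${Version}\n"],
            check=True, capture_output=True, text=True).stdout
    else:
        out = SAMPLE_DPKG_OUTPUT
    for pkg, status in sorted(check_minimums(out, REQUIRED_12).items()):
        print(f"{status:8} {pkg}")
```

Run it with `--live` on a Debian/Ubuntu-based head node to check the real package database; without arguments it runs against the constructed sample, where the focal module is current, the centos7 module is outdated and the centos8 module is absent. A "missing" result for a module that the cluster does not use is expected; only the modules actually deployed need to reach the listed versions.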
Special Update instructions:
In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:
- On Qlustar 12: Also write the dnsmasq config with QluMan before rebooting.
- On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.