[QSA-0903212] Security Update Bundle

Qlustar Security Advisory 0903212

September 3rd, 2021


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.

Package(s)       : see upstream description of individual package
Qlustar releases : 11.0, 12.0
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security-related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 12.0 and 11.0

Squashfs-Tools vulnerability

Etienne Stalmans discovered that Squashfs-Tools mishandled certain malformed SQUASHFS files. An attacker could use this vulnerability to write arbitrary files to the filesystem.

OpenSSL vulnerabilities

John Ouyang discovered that OpenSSL incorrectly handled decrypting SM2 data. A remote attacker could use this issue to cause applications using OpenSSL to crash, resulting in a denial of service, or possibly change application behaviour.

Ingo Schwarze discovered that OpenSSL incorrectly handled certain ASN.1 strings. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly obtain sensitive information.

GnuTLS vulnerabilities

It was discovered that GnuTLS incorrectly handled sending certain extensions when being used as a client. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.

MariaDB vulnerabilities

USN-5022-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2021-2372 and CVE-2021-2389 in MariaDB 10.3 and 10.5.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information:

https://mariadb.com/kb/en/mariadb-10331-changelog/
https://mariadb.com/kb/en/mariadb-10512-changelog/

CentOS 7.9 / 8.4 security updates

Please check the CentOS mailing list for details about CentOS 7/8 updates that entered this release (everything from July 23rd, 2021 to September 1st, 2021).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.0     12.0.0.6-b542f1396
qlustar-module-core-centos7-amd64-12.0.0   12.0.0.6-b542f1396
qlustar-module-core-centos8-amd64-12.0.0   12.0.0.6-b542f1396

For Qlustar 11.0

qlustar-module-core-bionic-amd64-11.0.1    11.0.1.10-b543f1397
qlustar-module-core-centos7-amd64-11.0.1   11.0.1.10-b543f1397
qlustar-module-core-centos8-amd64-11.0.1   11.0.1.10-b543f1397
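The following is an added example, not a Qlustar tool, that checks whether the installed core-module packages are at or above the fixed versions listed above. It assumes the modules are Debian packages queried with dpkg-query on the head node, and that only the dotted numeric part of the version (not the "-b..." build suffix) determines ordering; the sample dpkg output is constructed.

```python
"""Compare installed Qlustar core-module versions against the fixed versions
listed in QSA-0903212 (added example, not Qlustar's own tooling)."""
import subprocess

# Minimum fixed versions from the advisory: package name -> version.
FIXED = {
    "qlustar-module-core-focal-amd64-12.0.0":   "12.0.0.6-b542f1396",
    "qlustar-module-core-centos7-amd64-12.0.0": "12.0.0.6-b542f1396",
    "qlustar-module-core-centos8-amd64-12.0.0": "12.0.0.6-b542f1396",
    "qlustar-module-core-bionic-amd64-11.0.1":  "11.0.1.10-b543f1397",
    "qlustar-module-core-centos7-amd64-11.0.1": "11.0.1.10-b543f1397",
    "qlustar-module-core-centos8-amd64-11.0.1": "11.0.1.10-b543f1397",
}

def version_key(version):
    """Order by the dotted numeric part as integers, so 11.0.1.10 > 11.0.1.9
    (a plain string compare would get this wrong). Assumption: the '-b...'
    build suffix is informational and does not affect ordering."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))

def parse_dpkg_list(text):
    """Parse lines of the form '<package> <version>' into a dict."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            installed[fields[0]] = fields[1]
    return installed

def check(installed):
    """Return {package: 'ok' | 'vulnerable'} for each advisory package present."""
    result = {}
    for pkg, fixed in FIXED.items():
        if pkg not in installed:
            continue  # this module is not installed on the head node
        ok = version_key(installed[pkg]) >= version_key(fixed)
        result[pkg] = "ok" if ok else "vulnerable"
    return result

def check_live_system():
    """Query the real package database (requires dpkg-query)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Package} ${Version}\n"],
                         capture_output=True, text=True, check=True).stdout
    return check(parse_dpkg_list(out))

# Constructed sample of dpkg-query output: two modules behind, one updated.
SAMPLE = """qlustar-module-core-focal-amd64-12.0.0 12.0.0.5-b540f1390
qlustar-module-core-centos7-amd64-12.0.0 12.0.0.6-b542f1396
qlustar-module-core-bionic-amd64-11.0.1 11.0.1.9-b541f1395
"""

if __name__ == "__main__":
    for pkg, status in check(parse_dpkg_list(SAMPLE)).items():
        print(f"{status:10s} {pkg}")
```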

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:

  • On Qlustar 12: Also write the dnsmasq config with QluMan before rebooting.
  • On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.