[QSA-0219221] Linux kernel vulnerabilities
Qlustar Security Advisory 0219221
February 19th, 2022
Summary:
The system could crash or be made to run programs as an administrator.
Package(s) : linux-image-ql-generic,
qlustar-module-core-bionic-amd64-11.0.1,
qlustar-module-core-focal-amd64-12.0.0,
qlustar-module-core-centos7-amd64-12.0.0,
qlustar-module-core-centos8-amd64-12.0.0
Qlustar releases : 11.0, 12.0
Affected versions: All versions prior to this update
Vulnerability : privilege escalation/denial of service
Problem type : local
Qlustar-specific : no
CVE Id(s) : Not documented
A number of vulnerabilities and bugs have been discovered in the 5.4.x Linux kernel series since the last Qlustar 12.0 release based on 5.4.167. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.4.167 up to the current Qlustar kernel 5.4.180:
Linux kernel 5.4.180 Linux kernel 5.4.179 Linux kernel 5.4.178 Linux kernel 5.4.177 Linux kernel 5.4.176 Linux kernel 5.4.175 Linux kernel 5.4.174 Linux kernel 5.4.173 Linux kernel 5.4.172 Linux kernel 5.4.171 Linux kernel 5.4.170 Linux kernel 5.4.169 Linux kernel 5.4.168
A number of vulnerabilities and bugs have been discovered in the 4.19.x Linux kernel series since the last Qlustar 11.0 release based on 4.19.221. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 4.19.221 up to the current Qlustar kernel 4.19.229:
Linux kernel 4.19.229 Linux kernel 4.19.228 Linux kernel 4.19.227 Linux kernel 4.19.226 Linux kernel 4.19.225 Linux kernel 4.19.224 Linux kernel 4.19.223 Linux kernel 4.19.222
Update instructions:
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 12.0
linux-image-ql-generic 5.4.180-ql-generic-12.0-14
qlustar-module-core-focal-amd64-12.0.0 12.0.0.9-b547f1429
qlustar-module-core-centos7-amd64-12.0.0 12.0.0.9-b547f1429
qlustar-module-core-centos8-amd64-12.0.0 12.0.0.9-b547f1429
For Qlustar 11.0
linux-image-ql-generic 4.19.229-ql-generic-11.0-29
qlustar-module-core-bionic-amd64-11.0.1 11.0.1.13-b543f1428
Special Update instructions:
In addition to the steps described in the general Qlustar Update Instructions these updates require the following:
- On Qlustar 12: Also write the dnsmasq config with QluMan before rebooting. If your cluster
was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new
LDAP certificates at some point since the earlier ones were generated with a 1 year validity.
Now they are generated with an unlimited validity. To check the expiration date execute
# openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
To regenerate the certificate with unlimited validity execute
# qluman-ldap-cli --update-certs
before rebooting the whole cluster.
- On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.