[QSA-0624221] Linux kernel vulnerabilities
Qlustar Security Advisory 0624221
June 24th, 2022
The system could crash or be made to run programs as an administrator.
Package(s) : linux-image-ql-generic, qlustar-module-core-bionic-amd64-11.0.1, qlustar-module-core-focal-amd64-12.0.0, qlustar-module-core-centos7-amd64-12.0.0, qlustar-module-core-centos8-amd64-12.0.0 Qlustar releases : 11.0, 12.0 Affected versions: All versions prior to this update Vulnerability : privilege escalation/denial of service Problem type : local Qlustar-specific : no CVE Id(s) : Not documented
A number of vulnerabilities and bugs have been discovered in the 5.4.x Linux kernel series since the last Qlustar 12.0 release based on 5.4.195. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.4.195 up to the current Qlustar kernel 5.4.199:
A number of vulnerabilities and bugs have been discovered in the 4.19.x Linux kernel series since the last Qlustar 11.0 release based on 4.19.244. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 4.19.244 up to the current Qlustar kernel 4.19.248:
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 12.0
linux-image-ql-generic 5.4.199-ql-generic-12.0-18 qlustar-module-core-focal-amd64-12.0.0 188.8.131.52-b548f1436 qlustar-module-core-centos7-amd64-12.0.0 184.108.40.206-b548f1436 qlustar-module-core-centos8-amd64-12.0.0 220.127.116.11-b548f1436
For Qlustar 11.0
linux-image-ql-generic 4.19.248-ql-generic-11.0-32 qlustar-module-core-bionic-amd64-11.0.1 18.104.22.168-b549f1437
Special Update instructions:
In addition to the steps described in the general Qlustar Update Instructions these updates require the following:
- On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the
dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a
release earlier than 22.214.171.124-b546f1425 you will have to generate new LDAP certificates at
some point since the earlier ones were generated with a 1 year validity. Now they are
generated with an unlimited validity. To check the expiration date execute
# openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
To regenerate the certificate with unlimited validity execute
# qluman-ldap-cli --update-certs
before rebooting the whole cluster.
- On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.