[QSA-0325231] Linux kernel vulnerabilities
Qlustar Security Advisory 0325231
March 25th, 2023
The system could crash or be made to run programs as an administrator.
Package(s) : linux-image-ql-generic, qlustar-module-core-bionic-amd64-11.0.1, qlustar-module-core-focal-amd64-12.0.2, qlustar-module-core-centos7-amd64-12.0.2, qlustar-module-core-jammy-amd64-13.0, qlustar-module-core-centos8-amd64-13.0 Qlustar releases : 11.0, 12.0, 13 Affected versions: All versions prior to this update Vulnerability : privilege escalation/denial of service Problem type : local Qlustar-specific : no CVE Id(s) : Not documented
A number of vulnerabilities and bugs have been discovered in the 5.15.x Linux kernel series since the last Qlustar 13.0 release based on 5.15.93. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.15.93 up to the current Qlustar kernel 5.15.104:
Linux kernel 5.15.104 Linux kernel 5.15.103 Linux kernel 5.15.102 Linux kernel 5.15.101 Linux kernel 5.15.100 Linux kernel 5.15.99 Linux kernel 5.15.98 Linux kernel 5.15.97 Linux kernel 5.15.96 Linux kernel 5.15.95 Linux kernel 5.15.94
A number of vulnerabilities and bugs have been discovered in the 5.4.x Linux kernel series since the last Qlustar 12.0 release based on 5.4.231. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.4.231 up to the current Qlustar kernel 5.4.238:
Linux kernel 5.4.238 Linux kernel 5.4.237 Linux kernel 5.4.236 Linux kernel 5.4.235 Linux kernel 5.4.234 Linux kernel 5.4.233 Linux kernel 5.4.232
A number of vulnerabilities and bugs have been discovered in the 4.19.x Linux kernel series since the last Qlustar 11.0 release based on 4.19.272. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 4.19.272 up to the current Qlustar kernel 4.19.279:
Linux kernel 4.19.279 Linux kernel 4.19.278 Linux kernel 4.19.277 Linux kernel 4.19.276 Linux kernel 4.19.275 Linux kernel 4.19.274 Linux kernel 4.19.273
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 13
linux-image-ql-generic 5.15.104-ql-generic-13.0-4 qlustar-module-core-jammy-amd64-13.0 13.0.2-b564f1479 qlustar-module-core-centos8-amd64-13.0 13.0.2-b564f1479
For Qlustar 12.0
linux-image-ql-generic 5.4.238-ql-generic-12.0-23 qlustar-module-core-focal-amd64-12.0.2 22.214.171.124-b560f1480 qlustar-module-core-centos7-amd64-12.0.2 126.96.36.199-b560f1480
For Qlustar 11.0
linux-image-ql-generic 4.19.279-ql-generic-11.0-37 qlustar-module-core-bionic-amd64-11.0.1 188.8.131.52-b562f1476
Special Update instructions:
In addition to the steps described in the general Qlustar Update Instructions these updates require the following:
- On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the
dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a
release earlier than 184.108.40.206-b546f1425 you will have to generate new LDAP certificates at
some point since the earlier ones were generated with a 1 year validity. Now they are
generated with an unlimited validity. To check the expiration date execute
# openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
To regenerate the certificate with unlimited validity execute
# qluman-ldap-cli --update-certs
before rebooting the whole cluster.
Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.
- On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.