[QSA-0424232] Security Update Bundle

Qlustar Security Advisory 0424232

April 24th, 2023

Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 11.0, 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13, 12.0 and 11.0

Dnsmasq vulnerability

It was discovered that Dnsmasq was sending large DNS messages over UDP, possibly causing transmission failures due to IP fragmentation. This update lowers the default maximum size of DNS messages to improve transmission reliability over UDP.

Vim vulnerabilities

It was discovered that Vim was incorrectly processing Vim buffers. An
attacker could possibly use this issue to perform illegal memory access and expose sensitive information.

It was discovered that Vim was using freed memory when dealing with regular expressions inside a visual selection. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution with user privileges.

It was discovered that Vim was incorrectly handling virtual column position operations, which could result in an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information.

It was discovered that Vim was not properly performing bounds checks when updating windows present on a screen, which could result in a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that Vim was incorrectly performing read and write operations when in visual block mode, going beyond the end of a line and causing a heap buffer overflow. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution with user privileges.

It was discovered that Vim was incorrectly handling window exchanging operations when in Visual mode, which could result in an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information.

It was discovered that Vim was incorrectly handling recursion when parsing conditional expressions. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that Vim was not properly handling memory allocation when processing data in Ex mode, which could result in a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that Vim was not properly performing bounds checks when executing line operations in Visual mode, which could result in a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that Vim was not properly handling loop conditions when looking for spell suggestions, which could result in a stack buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that Vim was incorrectly handling memory access when executing buffer operations, which could result in the usage of freed memory. An attacker could possibly use this issue to execute arbitrary code.

It was discovered that Vim was incorrectly processing Vim buffers. An attacker could possibly use this issue to perform illegal memory access and expose sensitive information.

It was discovered that Vim was not properly performing bounds checks for column numbers when replacing tabs with spaces or spaces with tabs, which could cause a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that Vim was incorrectly processing Vim buffers. An attacker could possibly use this issue to perform illegal memory access and expose sensitive information.

It was discovered that Vim was not properly performing validation of data that contained special multi-byte characters, which could cause an out-of-bounds read. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim was incorrectly processing data used to define indentation in a file, which could cause a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim was incorrectly processing certain regular expression patterns and strings, which could cause an out-of-bounds read. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim incorrectly handled memory access. An attacker could potentially use this issue to cause the corruption of sensitive information, a crash, or arbitrary code execution.

Sudo vulnerabilities

Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly escaped control characters in log messages and sudoreplay output. An attacker could possibly use these issues to inject terminal control characters that alter output when being viewed.

IPMItool vulnerability

It was discovered that IPMItool was not properly checking the data received from a remote LAN party. A remote attacker could possibly use this issue to to cause a crash or arbitrary code execution.

Vim vulnerabilities

It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code.

It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code.

It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code.

It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code.

It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code.

Samba vulnerabilities

Demi Marie Obenour discovered that the Samba LDAP server incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information.

Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly sent passwords in cleartext. A remote attacker could possibly use this issue to obtain sensitive information.

X.Org X Server vulnerability

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled certain memory operations. An attacker could possibly use these issues to cause the X Server to crash, execute arbitrary code, or escalate privileges.

CentOS 7.9 / AlmaLinux 8.7 security updates

Please check the CentOS mailing list for details about CentOS 7 updates and the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from March 25th 2023 until April 23rd).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

qlustar-module-core-jammy-amd64-13.0       13.0.3-b565f1486
qlustar-module-core-centos8-amd64-13.0     13.0.3-b565f1486

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.2     12.0.2.3-b566f1487
qlustar-module-core-centos7-amd64-12.0.2   12.0.2.3-b566f1487

For Qlustar 11.0

qlustar-module-core-bionic-amd64-11.0.1    11.0.1.22-b567f1489

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute 
    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs

    before rebooting the whole cluster.
    Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.

  • On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.