Qlustar

Contact Info

Legal Information

[QSA-0614231]
Linux kernel vulnerabilities

Qlustar Security Advisory 0614231

June 14th, 2023


Summary:

The system could crash or be made to run programs as an administrator.


Package(s)       : linux-image-ql-generic,
                   qlustar-module-core-bionic-amd64-11.0.1,
                   qlustar-module-core-focal-amd64-12.0.2,
                   qlustar-module-core-centos7-amd64-12.0.2,
                   qlustar-module-core-jammy-amd64-13.0,
                   qlustar-module-core-centos8-amd64-13.0
Qlustar releases : 11.0, 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : privilege escalation/denial of service
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : Not documented

A number of vulnerabilities and bugs have been discovered in the 5.15.x Linux kernel series since the last Qlustar 13.0 release based on 5.15.108. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.15.108 up to the current Qlustar kernel 5.15.116:

Linux kernel 5.15.116
Linux kernel 5.15.115
Linux kernel 5.15.114
Linux kernel 5.15.113
Linux kernel 5.15.112
Linux kernel 5.15.111
Linux kernel 5.15.110
Linux kernel 5.15.109

A number of vulnerabilities and bugs have been discovered in the 5.4.x Linux kernel series since the last Qlustar 12.0 release based on 5.4.241. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.4.241 up to the current Qlustar kernel 5.4.246:

Linux kernel 5.4.246
Linux kernel 5.4.245
Linux kernel 5.4.244
Linux kernel 5.4.243
Linux kernel 5.4.242

A number of vulnerabilities and bugs have been discovered in the 4.19.x Linux kernel series since the last Qlustar 11.0 release based on 4.19.281. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 4.19.281 up to the current Qlustar kernel 4.19.285:

Linux kernel 4.19.285
Linux kernel 4.19.284
Linux kernel 4.19.283
Linux kernel 4.19.282

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

linux-image-ql-generic                     5.15.116-ql-generic-13.0-6
qlustar-module-core-jammy-amd64-13.0       13.0.4-b565f1494
qlustar-module-core-centos8-amd64-13.0     13.0.4-b565f1494

For Qlustar 12.0

linux-image-ql-generic                     5.4.246-ql-generic-12.0-26
qlustar-module-core-focal-amd64-12.0.2     12.0.2.4-b566f1493
qlustar-module-core-centos7-amd64-12.0.2   12.0.2.4-b566f1493

For Qlustar 11.0

linux-image-ql-generic                     4.19.285-ql-generic-11.0-39
qlustar-module-core-bionic-amd64-11.0.1    11.0.1.23-b567f1495
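
To confirm after the reboot that a node is actually running a fixed kernel, the following added example (not part of the original advisory or of Qlustar's tooling) compares a kernel release string against the fixed upstream versions listed above. It assumes that `uname -r` on a Qlustar node starts with the upstream MAJOR.MINOR.PATCH version; it does not check the Qlustar package revision, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the fixed
# upstream versions named in this advisory (5.15.116, 5.4.246, 4.19.285).
# Assumption: the release string begins with MAJOR.MINOR.PATCH.

# fixed_patch SERIES -> prints the first fixed patch level of that series,
# returns non-zero for a series this advisory does not cover.
fixed_patch() {
    case "$1" in
        5.15) echo 116 ;;   # Qlustar 13
        5.4)  echo 246 ;;   # Qlustar 12.0
        4.19) echo 285 ;;   # Qlustar 11.0
        *)    return 1 ;;
    esac
}

# kernel_status RELEASE -> prints "fixed", "vulnerable" or "unknown".
# "unknown" means the string is unparsable or the series is not listed here.
kernel_status() {
    # Keep only the leading MAJOR.MINOR.PATCH, dropping any "-ql-generic-..." suffix.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    series=${ver%.*}    # e.g. 5.15
    patch=${ver##*.}    # e.g. 116

    want=$(fixed_patch "$series") || { echo unknown; return 0; }

    if [ "$patch" -ge "$want" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Report the state of the kernel this node is currently running.
printf '%s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
```

A result of "vulnerable" on a node whose packages are already updated usually means the node has not yet been rebooted into the new kernel.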

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:

  • On Qlustar 12 and 13, write the ssh config with QluMan before rebooting. This will switch the ssh known hosts keys from rsa to ed25519 and is necessary for host-based authentication to continue to work.
  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet:

    Write the dnsmasq and slurm config with QluMan before rebooting.

    If your cluster was installed with a release earlier than 12.0.0.8-b546f1425, you will have to generate new LDAP certificates at some point, since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute

    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs

    before rebooting the whole cluster.

    Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.

  • On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.