[QSA-0614232] Security Update Bundle

Qlustar Security Advisory 0614232

June 14th, 2023


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 11.0, 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13, 12.0 and 11.0

Vim vulnerabilities

It was discovered that Vim was using uninitialized memory when fuzzy matching, which could lead to invalid memory access. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that Vim was not properly performing bounds checks when processing register contents, which could lead to a NULL pointer dereference. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that Vim was not properly limiting the length of substitution expression strings, which could lead to excessive memory consumption. An attacker could possibly use this issue to cause a denial of service.

Sysstat vulnerability

It was discovered that Sysstat incorrectly handled certain arithmetic multiplications in 64-bit systems, as a result of an incomplete fix for CVE-2022-39377. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.

OpenSSL vulnerability

Matt Caswell discovered that OpenSSL incorrectly handled certain ASN.1 object identifiers. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.

GNU binutils vulnerabilities

It was discovered that GNU binutils incorrectly handled certain DWARF files. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

It was discovered that GNU binutils did not properly verify the version definitions in zer0-lengthverdef table. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

It was discovered that GNU binutils did not properly validate the size of length parameter in vms-alpha. An attacker could possibly use this issue to cause a crash or access sensitive information.

It was discovered that GNU binutils did not properly initialized the file_table field of struct module and the_bfd field of asymbol. An attacker could possibly use this issue to cause a crash.

ncurses vulnerabilities

It was discovered that ncurses was incorrectly performing bounds checks when processing invalid hashcodes. An attacker could possibly use this issue to cause a denial of service or to expose sensitive information.

It was discovered that ncurses was incorrectly handling end-of-string characters when processing terminfo and termcap files. An attacker could possibly use this issue to cause a denial of service or to expose sensitive information.

It was discovered that ncurses was incorrectly handling end-of-string characters when converting between termcap and terminfo formats. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

It was discovered that ncurses was incorrectly performing bounds checks when dealing with corrupt terminfo data while reading a terminfo file. An attacker could possibly use this issue to cause a denial of service or to expose sensitive information.

It was discovered that ncurses was parsing environment variables when running with setuid applications and not properly handling the processing of malformed data when doing so. A local attacker could possibly use this issue to cause a denial of service (application crash) or execute arbitrary code.

Git vulnerabilities

It was discovered that Git incorrectly handled certain commands. An attacker could possibly use this issue to overwriting some paths.

Maxime Escourbiac and Yassine BENGANA discovered that Git incorrectly handled some gettext machinery. An attacker could possibly use this issue to allows the malicious placement of crafted messages.

André Baptista and Vítor Pinho discovered that Git incorrectly handled certain configurations. An attacker could possibly use this issue to arbitrary configuration injection.

OpenSSL vulnerabilities

It was discovered that OpenSSL was not properly managing file locks when processing policy constraints. If a user or automated system were tricked into processing a certificate chain with specially crafted policy constraints, a remote attacker could possibly use this issue to cause a denial of service.

David Benjamin discovered that OpenSSL was not properly performing the verification of X.509 certificate chains that include policy constraints, which could lead to excessive resource consumption. If a user or automated system were tricked into processing a specially crafted X.509 certificate chain that includes policy constraints, a remote attacker could possibly use this issue to cause a denial of service.

David Benjamin discovered that OpenSSL was not properly handling invalid certificate policies in leaf certificates, which would result in certain policy checks being skipped for the certificate. If a user or automated system were tricked into processing a specially crafted certificate, a remote attacker could possibly use this issue to assert invalid certificate policies and circumvent policy checking.

David Benjamin discovered that OpenSSL incorrectly documented the functionalities of function X509_VERIFY_PARAM_add0_policy, stating that it would implicitly enable certificate policy checks when doing certificate verifications, contrary to its implementation. This could cause users and applications to not perform certificate policy checks even when expected to do so.

CentOS 7.9 / AlmaLinux 8.8 security updates

Please check the CentOS mailing list for details about CentOS 7 updates and the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from April 23rd 2023 until June 13th).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

qlustar-module-core-jammy-amd64-13.0       13.0.4-b565f1494
qlustar-module-core-centos8-amd64-13.0     13.0.4-b565f1494

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.2     12.0.2.4-b566f1493
qlustar-module-core-centos7-amd64-12.0.2   12.0.2.4-b566f1493

For Qlustar 11.0

qlustar-module-core-bionic-amd64-11.0.1    11.0.1.23-b567f1495

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12 and 13, write the ssh config with QluMan before rebooting. This will switch the ssh known hosts keys to ed25519 from rsa and is necessary for host-based authentication to continue to work.
  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute
    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
    

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs
    

    before rebooting the whole cluster.
    Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.

  • On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.