[QSA-0929231] Linux kernel vulnerabilities

Qlustar Security Advisory 0929231

September 29th, 2023

Summary:

The system could crash or be made to run programs as an administrator.

Package(s)       : linux-image-ql-generic,
                   qlustar-module-core-focal-amd64-12.0.2,
                   qlustar-module-core-centos7-amd64-12.0.2,
                   qlustar-module-core-jammy-amd64-13.0,
                   qlustar-module-core-centos8-amd64-13.0
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : privilege escalation/denial of service
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : Not documented

A number of vulnerabilities and bugs have been discovered in the 5.15.x Linux kernel series since the last Qlustar 13.0 release based on 5.15.122. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.15.122 up to the current Qlustar kernel 5.15.133:

Linux kernel 5.15.133
Linux kernel 5.15.132
Linux kernel 5.15.131
Linux kernel 5.15.130
Linux kernel 5.15.129
Linux kernel 5.15.128
Linux kernel 5.15.127
Linux kernel 5.15.126
Linux kernel 5.15.125
Linux kernel 5.15.124
Linux kernel 5.15.123

A number of vulnerabilities and bugs have been discovered in the 5.4.x Linux kernel series since the last Qlustar 12.0 release based on 5.4.250. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.4.250 up to the current Qlustar kernel 5.4.257:

Linux kernel 5.4.257
Linux kernel 5.4.256
Linux kernel 5.4.255
Linux kernel 5.4.254
Linux kernel 5.4.253
Linux kernel 5.4.252
Linux kernel 5.4.251

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

linux-image-ql-generic                     5.15.133-ql-generic-13.0-9
qlustar-module-core-jammy-amd64-13.1       13.1.0-b565f1513

For Qlustar 12.0

linux-image-ql-generic                     5.4.257-ql-generic-12.0-29
qlustar-module-core-focal-amd64-12.0.3     12.0.3.0-b566f1512

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute
```
# openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
```
To regenerate the certificate with unlimited validity execute
```
# qluman-ldap-cli --update-certs
```
before rebooting the whole cluster.
Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.