December 15th, 2023
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.
Package(s) : see upstream description of individual package
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
It was discovered that Vim could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service.
It was discovered that Vim could be made to recurse infinitely. An attacker could possibly use this issue to cause a denial of service.
It was discovered that Vim could be made to write out of bounds with a put command. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
It was discovered that Vim could be made to write out of bounds. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
It was discovered that Vim did not properly manage memory in the spell command. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
It was discovered that Vim did not properly manage memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
It was discovered that Vim contained multiple arithmetic overflows. An attacker could possibly use these issues to cause a denial of service.
It was discovered that Vim did not properly manage memory in the substitute command. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled XKB button actions. An attacker could possibly use this issue to cause the X Server to crash, execute arbitrary code, or escalate privileges.
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the RRChangeOutputProperty and RRChangeProviderProperty APIs. An attacker could possibly use this issue to cause the X Server to crash, or obtain sensitive information.
It was discovered that GNU binutils was not properly performing bounds checks in several functions, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service, expose sensitive information or execute arbitrary code.
It was discovered that GNU binutils contained a reachable assertion, which could lead to an intentional assertion failure when processing certain crafted DWARF files. An attacker could possibly use this issue to cause a denial of service.
It was discovered that tar incorrectly handled extended attributes in PAX archives. An attacker could use this issue to cause tar to crash, resulting in a denial of service.
Please check the CentOS mailing list for details about CentOS 7 updates and the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from December 4th until December 15th).
The problem can be corrected by updating your system to the following or more recent package versions:
qlustar-module-core-jammy-amd64-13.1 13.1.3-b569f1522
qlustar-module-core-centos8-amd64-13.1 13.1.3-b569f1522
qlustar-module-core-focal-amd64-12.0.3 12.0.3.2-b566f1523
qlustar-module-core-centos7-amd64-12.0.3 12.0.3.2-b566f1523
In addition to the steps described in the general Qlustar Update Instructions these updates require the following:
# openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
To regenerate the certificate with unlimited validity execute
# qluman-ldap-cli --update-certs
before rebooting the whole cluster.
Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to
use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a
corresponding chroot for it.