[QSA-0130242] Security Update Bundle
Qlustar Security Advisory 0130242
January 30th, 2024
Summary:
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.
Package(s) : see upstream description of individual package
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
Relevant to Qlustar 13 and 12.0
MariaDB vulnerabilities
Several security issues were discovered in MariaDB and this update includes new upstream MariaDB versions to fix these issues. MariaDB has been updated to 10.3.39 in Qlustar 12 and 10.6.16 in Qlustar 13. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
GnuTLS vulnerabilities
It was discovered that GnuTLS had a timing side-channel when processing malformed ciphertexts in RSA-PSK ClientKeyExchange. A remote attacker could possibly use this issue to recover sensitive information.
It was discovered that GnuTLS incorrectly handled certain certificate chains with a cross-signing loop. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service.
Postfix vulnerability
Timo Longin discovered that Postfix incorrectly handled certain email line endings. A remote attacker could possibly use this issue to bypass an email authentication mechanism, allowing domain spoofing and potential spamming.
Please note that certain configuration changes are required to address this issue. They are not enabled by default for backward compatibility. Information can be found here.
PAM vulnerability
Matthias Gerstner discovered that the PAM pam_namespace module incorrectly handled special files when performing directory checks. A local attacker could possibly use this issue to cause PAM to stop responding, resulting in a denial of service.
X.Org X Server vulnerabilities
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An attacker could possibly use this issue to cause the X Server to crash, obtain sensitive information, or execute arbitrary code.
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled reattaching to a different master device. An attacker could use this issue to cause the X Server to crash, leading to a denial of service, or possibly execute arbitrary code.
Olivier Fourdan and Donn Seeley discovered that the X.Org X Server incorrectly labeled GLX PBuffers when used with SELinux. An attacker could use this issue to cause the X Server to crash, leading to a denial of service.
Olivier Fourdan discovered that the X.Org X Server incorrectly handled the curser code when used with SELinux. An attacker could use this issue to cause the X Server to crash, leading to a denial of service.
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the XISendDeviceHierarchyEvent API. An attacker could possibly use this issue to cause the X Server to crash, or execute arbitrary code.
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled devices being disabled. An attacker could possibly use this issue to cause the X Server to crash, or execute arbitrary code.
GNU binutils vulnerabilities
It was discovered that GNU binutils was not properly performing bounds checks in several functions, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service, expose sensitive information or execute arbitrary code.
It was discovered that GNU binutils incorrectly handled memory management operations in several of its functions, which could lead to excessive memory consumption due to memory leaks. An attacker could possibly use these issues to cause a denial of service.
QEMU vulnerabilities
Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service.
It was discovered that QEMU incorrectly handled the TCG Accelerator. A local attacker could use this issue to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary code and esclate privileges.
It was discovered that QEMU incorrectly handled the Intel HD audio device. A malicious guest attacker could use this issue to cause QEMU to crash, leading to a denial of service.
It was discovered that QEMU incorrectly handled the ATI VGA device. A malicious guest attacker could use this issue to cause QEMU to crash, leading to a denial of service.
It was discovered that QEMU incorrectly handled the VMWare paravirtual RDMA device. A malicious guest attacker could use this issue to cause QEMU to crash, leading to a denial of service.
It was discovered that QEMU incorrectly handled the 9p passthrough filesystem. A malicious guest attacker could possibly use this issue to open special files and escape the exported 9p tree.
It was discovered that QEMU incorrectly handled the virtual crypto device. A malicious guest attacker could use this issue to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary code.
It was discovered that QEMU incorrectly handled the built-in VNC server. A remote authenticated attacker could possibly use this issue to cause QEMU to stop responding, resulting in a denial of service.
It was discovered that QEMU incorrectly handled net device hot-unplugging. A malicious guest attacker could use this issue to cause QEMU to crash, leading to a denial of service.
It was discovered that QEMU incorrectly handled the built-in VNC server. A remote attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service.
It was discovered that QEMU incorrectly handled NVME devices. A malicious guest attacker could use this issue to cause QEMU to crash, leading to a denial of service.
It was discovered that QEMU incorrectly handled NVME devices. A malicious guest attacker could use this issue to cause QEMU to crash, leading to a denial of service, or possibly obtain sensitive information.
It was discovered that QEMU incorrectly handled certain disk offsets. A malicious guest attacker could possibly use this issue to gain control of the host in certain nested virtualization scenarios.
OpenSSH vulnerabilities
It was discovered that OpenSSH incorrectly handled supplemental groups when running helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand as a different user. An attacker could possibly use this issue to escalate privileges.
It was discovered that OpenSSH incorrectly added destination constraints when PKCS#11 token keys were added to ssh-agent, contrary to expectations.
It was discovered that OpenSSH incorrectly handled user names or host names with shell metacharacters. An attacker could possibly use this issue to perform OS command injection.
OpenSSH vulnerabilities
Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue.
Luci Stanescu discovered that OpenSSH incorrectly added destination constraints when smartcard keys were added to ssh-agent, contrary to expectations.
CentOS 7.9 / AlmaLinux 8.9 security updates
Please check the CentOS mailing list for details about CentOS 7 updates and the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from December 4th until January 27th).
Update instructions:
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 13
qlustar-module-core-jammy-amd64-13.1 13.1.4-b569f1527
qlustar-module-core-centos8-amd64-13.1 13.1.4-b569f1527
For Qlustar 12.0
qlustar-module-core-focal-amd64-12.0.3 12.0.3.3-b566f1526
qlustar-module-core-centos7-amd64-12.0.3 12.0.3.3-b566f1526
Special Update instructions:
In addition to the steps described in the general Qlustar Update Instructions these updates require the following:
- On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the
dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a
release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at
some point since the earlier ones were generated with a 1 year validity. Now they are
generated with an unlimited validity. To check the expiration date execute
# openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
To regenerate the certificate with unlimited validity execute
# qluman-ldap-cli --update-certs
before rebooting the whole cluster.
Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.