[QSA-0313241] Linux kernel vulnerabilities

Qlustar Security Advisory 0313241

March 13th, 2024

Summary:

The system could crash or be made to run programs as an administrator.

Package(s)       : linux-image-ql-generic,
                   qlustar-module-core-focal-amd64-12.0.3,
                   qlustar-module-core-centos7-amd64-12.0.3,
                   qlustar-module-core-jammy-amd64-13.1,
                   qlustar-module-core-centos8-amd64-13.1
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : privilege escalation/denial of service
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : Not documented

A number of vulnerabilities and bugs have been discovered in the 5.15.x Linux kernel series since the last Qlustar 13.0 release based on 5.15.148. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.15.148 up to the current Qlustar kernel 5.15.151:

Linux kernel 5.15.151
Linux kernel 5.15.150
Linux kernel 5.15.149

A number of vulnerabilities and bugs have been discovered in the 5.4.x Linux kernel series since the last Qlustar 12.0 release based on 5.4.268. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.4.268 up to the current Qlustar kernel 5.4.271:

Linux kernel 5.4.271
Linux kernel 5.4.270
Linux kernel 5.4.269

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

linux-image-ql-generic                     5.15.151-ql-generic-13.0-12
qlustar-module-core-jammy-amd64-13.1       13.1.5-b569f1531

For Qlustar 12.0

linux-image-ql-generic                     5.4.271-ql-generic-12.0-32
qlustar-module-core-focal-amd64-12.0.3     12.0.3.4-b566f1529

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

• On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute

  # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
  

  To regenerate the certificate with unlimited validity execute

  # qluman-ldap-cli --update-certs
  

  before rebooting the whole cluster.
  Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.