[QSA-0313242] Security Update Bundle

Qlustar Security Advisory 0313242

March 13th, 2024


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13 and 12.0

less vulnerability

It was discovered that less incorrectly handled certain file names. An attacker could possibly use this issue to cause a crash or execute arbitrary commands.

libxml2 vulnerability

It was discovered that libxml2 incorrectly handled certain XML documents. A remote attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code.

Dnsmasq vulnerabilities

Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Dnsmasq icorrectly handled validating DNSSEC messages. A remote attacker could possibly use this issue to cause Dnsmasq to consume resources, leading to a denial of service.

It was discovered that Dnsmasq incorrectly handled preparing an NSEC3 closest encloser proof. A remote attacker could possibly use this issue to cause Dnsmasq to consume resources, leading to a denial of service.

GNU binutils vulnerabilities

It was discovered that GNU binutils was not properly handling the logic behind certain memory management related operations, which could lead to an invalid memory access. An attacker could possibly use this issue to cause a denial of service.

It was discovered that GNU binutils was not properly performing bounds checks when dealing with memory allocation operations, which could lead to excessive memory consumption. An attacker could possibly use this issue to cause a denial of service.

It was discovered that GNU binutils incorrectly handled memory management operations in several of its functions, which could lead to excessive memory consumption due to memory leaks. An attacker could possibly use these issues to cause a denial of service.

curl vulnerability

Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains.

shadow vulnerability

It was discovered that shadow was not properly sanitizing memory when running the password utility. An attacker could possibly use this issue to retrieve a password from memory, exposing sensitive information.

OpenSSL vulnerabilities

David Benjamin discovered that OpenSSL incorrectly handled excessively long X9.42 DH keys. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service.

Sverker Eriksson discovered that OpenSSL incorrectly handled POLY1304 MAC on the PowerPC architecture. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that OpenSSL incorrectly handled excessively long RSA public keys. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service.

Bahaa Naamneh discovered that OpenSSL incorrectly handled certain malformed PKCS12 files. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

OpenLDAP vulnerability

It was discovered that OpenLDAP was not properly performing bounds checks when executing functions related to LDAP URLs. An attacker could possibly use this issue to cause a denial of service.

Postfix update

USN-6591-1 fixed vulnerabilities in Postfix. A fix with less risk of regression has been made available since the last update. This update updates the fix and aligns with the latest configuration guidelines regarding this vulnerability.

CentOS 7.9 / AlmaLinux 8.9 security updates

Please check the CentOS mailing list for details about CentOS 7 updates and the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from January 27th until March 12th).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

qlustar-module-core-jammy-amd64-13.1       13.1.5-b569f1531
qlustar-module-core-centos8-amd64-13.1     13.1.5-b569f1531

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.3     12.0.3.4-b566f1529
qlustar-module-core-centos7-amd64-12.0.3   12.0.3.4-b566f1529

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute
    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
    

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs
    

    before rebooting the whole cluster.
    Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.