[QSA-0205252]
Security Update Bundle
Qlustar Security Advisory 0205252
February 5th, 2025
Summary:
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.
Package(s) : see upstream description of individual package
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
Relevant to Qlustar 13 and 12.0
Vim vulnerability
It was discovered that Vim incorrectly handled memory when closing buffers with the visual mode active. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Python vulnerability
It was discovered that Python incorrectly handled parsing bracketed hosts. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery (SSRF) attack.
Python 2.7 vulnerabilities
It was discovered that Python incorrectly handled certain ZIP files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-9674)
It was discovered that Python incorrectly handled certain inputs If a user or an automated system were tricked into running a specially crafted input, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-45061)
It was discovered that Python incorrectly handled certain crafted ZIP files. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2024-0450)
Git vulnerabilities
It was discovered that Git incorrectly handled certain URLs when asking for credentials. An attacker could possibly use this issue to mislead the user into typing passwords for trusted sites that would then be sent to untrusted sites instead. (CVE-2024-50349)
It was discovered that git incorrectly handled line endings when using credential helpers. (CVE-2024-52006)
rsync vulnerabilities
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync did not properly handle checksum lengths. An attacker could use this issue to execute arbitrary code. (CVE-2024-12084)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync compared checksums with uninitialized memory. An attacker could exploit this issue to leak sensitive information. (CVE-2024-12085)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync incorrectly handled file checksums. A malicious server could use this to expose arbitrary client files. (CVE-2024-12086)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync mishandled symlinks for some settings. An attacker could exploit this to write files outside the intended directory. (CVE-2024-12087)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync failed to verify symbolic link destinations for some settings. An attacker could exploit this for path traversal attacks. (CVE-2024-12088)
Aleksei Gorban discovered a race condition in rsync’s handling of symbolic links. An attacker could use this to access sensitive information or escalate privileges. (CVE-2024-12747)
Python vulnerabilities
It was discovered that Python incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code or cause a crash. (CVE-2022-48560)
It was discovered that Python did not properly handle XML entity declarations in plist files. An attacker could possibly use this vulnerability to perform an XML External Entity (XXE) injection, resulting in a denial of service or information disclosure. (CVE-2022-48565)
It was discovered that Python did not properly provide constant-time processing for a crypto operation. An attacker could possibly use this issue to perform a timing attack and recover sensitive information. (CVE-2022-48566)
It was discovered that Python incorrectly handled certain inputs. If a user or an automated system were tricked into running a specially crafted input, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-24329)
It was discovered that Python instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake. An attacker could possibly use this issue to cause applications to treat unauthenticated received data before TLS handshake as authenticated data after TLS handshake. (CVE-2023-40217)
curl vulnerability
Harry Sintonen discovered that curl incorrectly handled credentials from .netrc files when following HTTP redirects. In certain configurations, the password for the first host could be leaked to the followed-to host, contrary to expectations.
PHP vulnerabilities
It was discovered that PHP incorrectly handled certain inputs when processed with convert.quoted-printable decode filters. An attacker could possibly use this issue to expose sensitive information or cause a crash. (CVE-2024-11233)
It was discovered that PHP incorrectly handled certain HTTP requests. An attacker could possibly use this issue to performing arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user. (CVE-2024-11234)
It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2024-11236, CVE-2024-8932)
It was discovered that PHP incorrectly handled certain MySQL requests. An attacker could possibly use this issue to cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server. (CVE-2024-8929)
AlmaLinux 8.10 security updates
Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from December 6th until February 5th).
Update instructions:
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 13
qlustar-module-core-jammy-amd64-13.2 13.2.4-b569f1553
qlustar-module-core-centos8-amd64-13.2 13.2.4-b569f1553
For Qlustar 12.0
qlustar-module-core-focal-amd64-12.0.3 12.0.3.10-b566f1554
Special Update instructions:
In addition to the steps described in the general Qlustar Update Instructions these updates require the following:
- On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the
dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a
release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at
some point since the earlier ones were generated with a 1 year validity. Now they are
generated with an unlimited validity. To check the expiration date execute
# openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfterTo regenerate the certificate with unlimited validity execute
# qluman-ldap-cli --update-certsbefore rebooting the whole cluster.
Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.