Qlustar

Contact Info

Legal Information

Qlustar

Contact Info

Legal Information

[QSA-0321252]
Security Update Bundle

Qlustar Security Advisory 0321252

March 21st, 2025

Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13 and 12.0

GNU binutils vulnerabilities

It was discovered that GNU binutils in nm tool is affected by an incorrect access control. An attacker could possibly use this issue to cause a crash. (CVE-2024-57360)

It was discovered that GNU binutils incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2025-0840)

X.Org X Server vulnerabilities

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled certain memory operations. An attacker could use these issues to cause the X Server to crash, leading to a denial of service, or possibly execute arbitrary code.

libcap2 vulnerability

Tianjia Zhang discovered the libcap2 PAM module pam_cap incorrectly handled parsing group names in the configuration file. This could result in certain users being granted capabilities, contrary to expectations.

GnuTLS vulnerability

GnuTLS could be made to consume resources if it decoded specially crafted certificates.

Python vulnerability

It was discovered that Python incorrectly handled parsing domain names that included square brackets. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery (SSRF) attack.

OpenSSL vulnerabilities

George Pantelakis and Alicja Kario discovered that OpenSSL had a timing side-channel when performing ECDSA signature computations. A remote attacker could possibly use this issue to recover private data. (CVE-2024-13176)

It was discovered that OpenSSL incorrectly handled certain memory operations when using low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial. When being used in this uncommon fashion, a remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2024-9143)

OpenSSH vulnerabilities

It was discovered that the OpenSSH client incorrectly handled the non-default VerifyHostKeyDNS option. If that option were enabled, an attacker could possibly impersonate a server by completely bypassing the server identity check. (CVE-2025-26465)

Vim vulnerability

It was discovered that Vim incorrectly handled certain internal calls when scrolling a window. An attacker could possibly use this issue to cause a denial of service.

GNU C Library vulnerability

It was discovered that GNU C Library incorrectly handled memory when using the assert function. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

AlmaLinux 8.10 security updates

Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from February 5th until March 21st).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

qlustar-module-core-jammy-amd64-13.2       13.3.0-b573f1561
qlustar-module-core-centos8-amd64-13.2     13.3.0-b573f1561

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.3     12.0.3.11-b566f1559

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute 
    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs

    before rebooting the whole cluster.
    Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.