Qlustar

Contact Info

Legal Information

Qlustar

Contact Info

Legal Information

[QSA-0515252]
Security Update Bundle

Qlustar Security Advisory 0321252

May 15th, 2025

Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 12.0, 13, 14
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 12.0, 13 and 14

Python vulnerabilities

It was discovered that Python incorrectly handled parsing bracketed hosts. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery (SSRF) attack.

It was discovered that Python allowed excessive backtracking while parsing certain tarfile headers. A remote attacker could possibly use this issue to cause Python to consume excessive resources, leading to a denial of service.

It was discovered that Python incorrectly handled quoted path names when using the venv module. A local attacker able to control virtual environments could possibly use this issue to execute arbitrary code when the virtual environment is activated.

libxml2 vulnerabilities

It was discovered that the libxml2 Python bindings incorrectly handled certain return values. An attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service.

It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service.

OpenSSH vulnerability

It was discovered that OpenSSH incorrectly handled the DisableForwarding directive. The directive would fail to disable X11 and agent forwarding, contrary to documentation and expectations.

libarchive vulnerabilities

It was discovered that libarchive incorrectly handled certain TAR archive files. If a user or automated system were tricked into processing a specially crafted TAR archive, an attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code.

Perl vulnerability

It was discovered that Perl incorrectly handled transliterating non-ASCII bytes. A remote attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code.

GNU binutils vulnerabilities

It was discovered that GNU binutils incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.

It was discovered that ld in GNU binutils incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.

It was discovered that ld in GNU binutils incorrectly handled certain files. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.

Vim vulnerability

It was discovered that Vim incorrectly handled memory when redirecting certain output to the register. An attacker could possibly use this issue to cause a denial of service.

GnuPG vulnerability

It was discovered that GnuPG incorrectly handled importing keys with certain crafted subkey data. If a user or automated system were tricked into importing a specially crafted key, a remote attacker may prevent users from importing other keys in the future.

PHP vulnerabilities

It was discovered that PHP incorrectly handle certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

It was discovered that PHP incorrectly handle certain folded headers. An attacker could possibly use this issue to cause a crash or execute arbritrary code.

It was discovered that PHP incorrectly handled certain headers. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code.

It was discovered that PHP incorrectly handle certain headers with invalid name and no colon. An attacker could possibly use this issue to confuse applications into accepting invalid headers causing code injection.

It was discovered that PHP incorrectly handled certain headers. An attacker could possibly use this issue to cause a denial of service.

It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information.

MariaDB vulnerability

A security issue was discovered in MariaDB and this update includes a new upstream MariaDB version to fix the issue. In addition to security fixes, the updated packages contain bug and regression fixes, new features, and possibly incompatible changes.

AlmaLinux 8.10 security updates

Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from March 21st until May 15th).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 14

qlustar-module-core-noble-amd64-14.0       14.0.1-b575f1574
qlustar-module-core-centos8-amd64-14.0     14.0.1-b575f1574

For Qlustar 13

qlustar-module-core-jammy-amd64-13.3       13.3.1-b573f1573
qlustar-module-core-centos8-amd64-13.3     13.3.1-b573f1573

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.3     12.0.3.12-b566f1572

Please note that Qlustar 12 has reached its EOL now and this is the last security update covering Qlustar 12. An update to Qlustar 13 should be done as soon as possible.

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute 
    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs

    before rebooting the whole cluster.
    Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.