Qlustar

[QSA-0826252]
Security Update Bundle

Qlustar Security Advisory 0826252

August 26th, 2025


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other, non-HPC-related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates, subscribe to the general security mailing lists of Debian/Ubuntu and/or AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13 and 14 / Ubuntu

If an advisory applies only to Qlustar 13 or 14, it is noted in its description.

Python vulnerabilities

It was discovered that Python inefficiently parsed maliciously crafted HTML input. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Python incorrectly parsed maliciously crafted Tar archives. An attacker could possibly use this issue to cause a denial of service.

libxml2 vulnerabilities

Ahmed Lekssays discovered that libxml2 did not properly perform certain mathematical operations, leading to an integer overflow. An attacker could possibly use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code.

Ahmed Lekssays discovered that libxml2 did not properly validate the size of an untrusted input stream. An attacker could possibly use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code.

Nikita Sveshnikov discovered that libxml2 did not properly handle certain XPath expressions, leading to a use-after-free vulnerability. An attacker could potentially exploit this issue to cause a denial of service.

Nikita Sveshnikov discovered that libxml2 contained a type confusion vulnerability when parsing specially crafted XML documents. An attacker could potentially exploit this issue to cause a denial of service.

Perl vulnerability

It was discovered that Perl threads incorrectly handled certain file operations. A local attacker could possibly use this issue to load code or access files from unexpected locations.

PHP vulnerabilities

It was discovered that PHP incorrectly handled certain hostnames containing null characters. A remote attacker could possibly use this issue to bypass certain hostname validation checks.

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql escaping functions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

It was discovered that PHP incorrectly handled parsing certain XML data in SOAP extensions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

Apache HTTP Server vulnerabilities

It was discovered that the Apache HTTP Server incorrectly handled certain Content-Type response headers. A remote attacker could possibly use this issue to perform HTTP response splitting attacks.

xiaojunjie discovered that the Apache HTTP Server mod_proxy module incorrectly handled certain requests. A remote attacker could possibly use this issue to send outbound proxy requests to an arbitrary URL.

John Runyon discovered that the Apache HTTP Server mod_ssl module incorrectly escaped certain data. A remote attacker could possibly use this issue to insert escape characters into log files.

Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, and Juraj Somorovsky discovered that the Apache HTTP Server mod_ssl module incorrectly handled TLS 1.3 session resumption. A remote attacker could possibly use this issue to bypass access control.

Anthony CORSIEZ discovered that the Apache HTTP Server mod_proxy_http2 module incorrectly handled missing host headers. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service.

Robert Merget discovered that the Apache HTTP Server mod_ssl module incorrectly handled TLS upgrades. A remote attacker could possibly use this issue to hijack an HTTP session. This update removes the old “SSLEngine optional” configuration option, possibly requiring a configuration change in certain environments.

Gal Bar Nahum discovered that the Apache HTTP Server incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause the server to consume resources, leading to a denial of service.

GnuTLS vulnerabilities

It was discovered that GnuTLS incorrectly handled exporting Subject Alternative Name (SAN) entries containing an otherName. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that GnuTLS incorrectly handled parsing the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly obtain sensitive information.

It was discovered that the GnuTLS certtool utility incorrectly handled parsing certain template files. An attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.

Stefan Bühler discovered that GnuTLS incorrectly handled parsing certain template files. An attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service.

Protocol Buffers vulnerabilities

It was discovered that Protocol Buffers incorrectly handled memory when receiving malicious input using the Python bindings. An attacker could possibly use this issue to cause a denial of service.

Git vulnerabilities

Avi Halachmi discovered that Git incorrectly managed file modification constraints with Gitk. An attacker could possibly use this issue to create or write to arbitrary files on the system.

Qlustar 14 only: Avi Halachmi discovered that Git incorrectly handled arguments when invoking the Gitk utility. If a user were tricked into cloning a malicious Git repository, an attacker could possibly use this issue to run arbitrary commands.

Johannes Sixt discovered that Git incorrectly managed file modification constraints with Git GUI. If a user were tricked into editing a file in a malicious Git repository, an attacker could possibly use this issue to create or write to arbitrary files on the system.

David Leadbeater discovered that Git incorrectly stripped CRLF characters when editing configuration files. An attacker could possibly use this issue to execute arbitrary code.

Qlustar 14 only: David Leadbeater discovered that Git incorrectly handled verification when fetching remote Git repositories. An attacker could possibly use this issue to perform protocol injection, leading to arbitrary code execution.

David Leadbeater discovered that Git incorrectly handled memory with the wincred credential helper. An attacker could possibly use this issue to cause a denial of service.

AlmaLinux 8.10 security updates

Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from July 3rd until August 26th).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 14

qlustar-module-core-noble-amd64-14.0       14.0.3-b586f1597
qlustar-module-core-centos8-amd64-14.0     14.0.3-b586f1597

For Qlustar 13

qlustar-module-core-jammy-amd64-13.3       13.3.3-b587f1600
qlustar-module-core-centos8-amd64-13.3     13.3.3-b587f1600
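The advisory asks for "the following or more recent" versions, which is a version-ordering question, not a string comparison. As an added example (not part of this advisory or of Qlustar's own tooling), the check below compares installed module versions against the fixed versions listed above using dpkg's version-ordering rules; it assumes these version strings follow Debian's [epoch:]upstream[-revision] convention, and the installed-version map is constructed sample data.

```python
import re

# Fixed versions listed in QSA-0826252 ("the following or more recent package versions").
FIXED_VERSIONS = {
    "qlustar-module-core-noble-amd64-14.0": "14.0.3-b586f1597",
    "qlustar-module-core-centos8-amd64-14.0": "14.0.3-b586f1597",
    "qlustar-module-core-jammy-amd64-13.3": "13.3.3-b587f1600",
    "qlustar-module-core-centos8-amd64-13.3": "13.3.3-b587f1600",
}

def _order(c: str) -> int:
    # dpkg character weight: '~' sorts before end-of-string and digits, then letters, then symbols
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # dpkg algorithm: alternate non-digit runs (by char weight) and digit runs (by numeric value)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return (ac > bc) - (ac < bc)
            i, j = i + 1, j + 1
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        va, vb = int(na or 0), int(nb or 0)
        if va != vb:
            return (va > vb) - (va < vb)
    return 0

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for Debian-style versions ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        up, sep, rev = rest.rpartition("-")
        if not sep:
            up, rev = rest, ""
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def check_installed(installed: dict) -> dict:
    """True for each advisory package in `installed` whose version is at or above the fix."""
    return {pkg: compare_versions(installed[pkg], fixed) >= 0
            for pkg, fixed in FIXED_VERSIONS.items() if pkg in installed}

# Constructed sample (not output from a real cluster): one module is patched, one is not.
SAMPLE_INSTALLED = {
    "qlustar-module-core-noble-amd64-14.0": "14.0.3-b586f1597",
    "qlustar-module-core-jammy-amd64-13.3": "13.3.2-b580f1550",
}
```

Feed `check_installed` the package/version pairs from your package manager; any `False` entry still needs the update.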

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:

  • No special instructions