Qlustar

Contact Info

Legal Information

Qlustar

Contact Info

Legal Information

[QSA-1220252]
Security Update Bundle

Qlustar Security Advisory 1220252

December 20th, 2025

Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13 and/or 14 – Ubuntu

If an advisory applies only to Qlustar 13 or 14, it is noted in its description.

libsoup vulnerability

It was discovered libsoup incorrectly handled memory when handling specific HTTP/2 read and cancel sequences. An attacker could possibly use this issue to cause a denial of service.

urllib3 vulnerabilities

Illia Volochii discovered that urllib3 did not limit the steps in a decompression chain. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service.

Rui Xi discovered that urllib3 incorrectly handled highly compressed data. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service.

libpng vulnerabilities

It was discovered that libpng incorrectly handled memory when processing certain PNG files, which could result in an out-of-bounds memory access. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.

It was discovered that libpng incorrectly handled memory when processing 8-bit images through the simplified write API with ‘convert_to_8bit’ enabled, which could result in an out-of-bounds memory access. If a user or automated system were tricked into opening a specially crafted 8-bit PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.

It was discovered that libpng incorrectly handled memory when processing palette images with ‘PNG_FLAG_OPTIMIZE_ALPHA’ enabled, which could result in an out-of-bounds memory access. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.

It was discovered that libpng incorrectly handled memory when processing 6-bit interlaced PNGs with 8-bit output format, which could result in an out-of-bounds memory access. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.

GNU binutils vulnerabilities

It was discovered that certain GNU binutils functions could be manipulated to perform out-of-bounds reads. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service.

It was discovered that GNU binutils’ _bfd_x86_elf_late_size_sections function could be manipulated to perform an out-of-bounds read. A local attacker could possibly use this issue to cause GNU binutils to crash, resulting in a denial of service.

python-apt vulnerability

Julian Andres Klode discovered that python-apt incorrectly handled deb822 configuration files. An attacker could use this issue to cause python-apt to crash, resulting in a denial of service.

CUPS vulnerability

Johannes Meixner and Paul Zirnik discovered that CUPS incorrectly handled clients that send messages slowly. A remote attacker could possibly use this issue to cause CUPS to stop responding, resulting in a denial of service.

In addition, this update fixes a regression introduced in USN-7897-1 which resulted in certain invalid configuration file directives to cause the CUPS daemon to fail to start.

GNU binutils vulnerabilities

It was discovered that GNU binutils could be forced to perform an out- of-bounds read in certain instances. An attacker with local access to a system could possibly use this issue to cause a denial of service.

CUPS vulnerability

It was discovered that CUPS incorrectly handled input from users in the web configuration settings. An attacker could use this issue to insert malicious configuration options, causing a denial of service or possibly executing arbitrary code.

Python vulnerabilities

It was discovered that Python inefficiently handled expanding system environment variables. An attacker could possibly use this issue to cause Python to consume excessive resources, leading to a denial of service.

Caleb Brown discovered that Python incorrectly handled the ZIP64 End of Central Directory (EOCD) Locator record offset value. An attacker could possibly use this issue to obfuscate malicious content.

cups-filters vulnerabilities

It was discovered that cups-filters incorrectly handled certain malformed TIFF image files. A remote attacker could use this issue to cause cups-filters to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that cups-filters incorrectly handled certain malformed PDF document files. A remote attacker could use this issue to cause cups-filters to crash, resulting in a denial of service, or possibly execute arbitrary code.

It was discovered that cups-filters incorrectly handled certain malformed CUPS Raster files. A remote attacker could use this issue to cause cups-filters to crash, resulting in a denial of service, or possibly execute arbitrary code.

libxml2 vulnerability

It was discovered that libxslt, used by libxml2, incorrectly handled certain attributes. An attacker could use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code. This update adds a fix to libxml2 to mitigate the libxslt vulnerability.

GNU binutils vulnerabilities

It was discovered that GNU binutils incorrectly handled certain files. An attacker could possibly use this issue to cause a crash or execute arbitrary code. The attack is restricted to local execution.

It was discovered that GNU binutils incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

It was discovered that GNU binutils incorrectly handled certain files. An attacker could possibly use this issue to cause crash, execute arbitrary code or expose sensitive information.

X.Org X Server vulnerabilities

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled certain memory operations. An attacker could use these issues to cause the X Server to crash, leading to a denial of service, obtain sensitive information, or possibly execute arbitrary code.

Python LDAP vulnerabilities

It was discovered that Python LDAP incorrectly handled special characters in the special character filtering function. A remote attacker could possibly use this issue to perform LDAP injection attacks.

Arad Inbar discovered that Python LDAP incorrectly escaped NUL character bytes. An attacker could possibly use this issue to cause a denial of service.

AlmaLinux 8.10 security updates

Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from October 16th until December 12th).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 14

qlustar-module-core-noble-amd64-14.0       14.0.5-b589f1605
qlustar-module-core-centos8-amd64-14.0     14.0.5-b589f1605

For Qlustar 13

qlustar-module-core-jammy-amd64-13.3       13.3.5-b588f1607
qlustar-module-core-centos8-amd64-13.3     13.3.5-b588f1607

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • No special instructions