February 20th, 2026
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates, subscribe to the general security mailing lists of Debian/Ubuntu and/or AlmaLinux.
Package(s) : see upstream description of individual package
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
If an advisory applies only to Qlustar 13 or 14, it is noted in its description.
Tim Scheckenbach discovered that GnuTLS incorrectly handled malicious certificates containing a large number of name constraints and subject alternative names. A remote attacker could possibly use this issue to cause GnuTLS to consume resources, resulting in a denial of service.
Luigino Camastra discovered that GnuTLS incorrectly handled certain PKCS11 token labels. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service.
It was discovered that the libpng simplified API incorrectly handled quantizing RGB images. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.
It was discovered that Expat incorrectly handled the initialization of parsers for external entities. An attacker could possibly use this issue to cause a denial of service.
It was discovered that Expat incorrectly handled integer calculations when allocating memory for XML tags. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
It was discovered that GLib incorrectly parsed large Base64 data. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that GLib incorrectly parsed certain treemagic files. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that GLib incorrectly handled Unicode case conversion. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or possibly execute arbitrary code.
Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages.
Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python inefficiently parsed XML input with quadratic complexity. An attacker could possibly use this issue to cause a denial of service.
It was discovered that Python incorrectly parsed malicious plist files. An attacker could possibly use this issue to cause Python to use excessive resources, leading to a denial of service.
Omar Hasan discovered that Python incorrectly parsed URL mediatypes. An attacker could possibly use this issue to inject arbitrary HTTP headers.
Omar Hasan discovered that Python incorrectly parsed malicious IMAP inputs. An attacker could possibly use this issue to inject arbitrary IMAP commands.
Omar Hasan discovered that Python incorrectly parsed malicious POP3 inputs. An attacker could possibly use this issue to inject arbitrary POP3 commands.
Omar Hasan discovered that Python incorrectly parsed malicious HTTP cookie headers. An attacker could possibly use this issue to inject arbitrary HTTP headers.
Vitaly Simonovich discovered that the GNU C Library did not properly initialize the input when WRDE_REUSE is used. An attacker could possibly use this issue to cause applications to crash, leading to a denial of service.
Igor Morgenstern discovered that the GNU C Library incorrectly handled the memalign function when doing memory allocation. An attacker could possibly use this issue to cause applications to crash, leading to a denial of service, or possibly execute arbitrary code.
Igor Morgenstern discovered that the GNU C Library incorrectly handled the DNS backend when querying for a zero-valued network. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information.
It was discovered that libpng incorrectly handled memory when processing certain malformed PNG files. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service. This issue only affected Qlustar 14.
Stanislav Fort discovered that OpenSSL incorrectly parsed CMS AuthEnvelopedData messages. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Petr Simecek and Stanislav Fort discovered that OpenSSL incorrectly handled memory when writing large data into a BIO chain. An attacker could possibly use this issue to consume resources, leading to a denial of service.
Stanislav Fort discovered that the OpenSSL OCB API could incorrectly leave final partial blocks unencrypted and unauthenticated. An attacker could possibly use this issue to read or tamper with the affected final bytes.
Stanislav Fort discovered that OpenSSL incorrectly handled the PKCS12_get_friendlyname() utf-8 conversion. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE validation in the TS_RESP_verify_response() function. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Luigino Camastra discovered that OpenSSL incorrectly handled memory in the PKCS12_item_decrypt_d2i_ex function. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE validation in PKCS#12 parsing. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE validation in the PKCS7_digest_from_attributes() function. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
It was discovered that pyasn1 incorrectly handled malformed RELATIVE-OIDs with excessive continuation octets. An attacker could possibly use this issue to cause pyasn1 to consume memory, leading to a denial of service.
It was discovered that libxml2 incorrectly handled maliciously crafted SGML catalog files. An attacker could possibly use this issue to cause libxml2 to consume excessive resources, leading to a denial of service.
It was discovered that libxml2 incorrectly handled recursive include directories with the RelaxNG parser. An attacker could possibly use this issue to cause libxml2 to consume excessive resources, leading to a denial of service.
Nick Wellnhofer discovered that libxml2 incorrectly parsed catalogs with self-referencing URI delegates. An attacker could possibly use this issue to cause libxml2 to consume excessive resources, leading to a denial of service.
Nick Wellnhofer discovered that libxml2 inefficiently parsed catalogs linked with repeating nextCatalog elements. An attacker could possibly use this issue to cause libxml2 to use excessive resources, leading to a denial of service.
It was discovered that GLib incorrectly handled the buffered input stream API. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that the Apache HTTP Server incorrectly handled failed ACME certificate renewals. This could result in renewal attempts being repeated without delay, possibly leading to a denial of service.
Anthony Parfenov discovered that the Apache HTTP Server would pass the query string to cmd directives when configured with Server Side Includes (SSI) enabled and mod_cgid. An attacker could possibly use this issue to execute arbitrary code.
Mattias Åsander discovered that the Apache HTTP Server incorrectly neutralized certain environment variables. This could allow such variables to unexpectedly supersede the variables computed by the server for CGI programs.
Mattias Åsander discovered that the Apache HTTP Server incorrectly handled AllowOverride FileInfo configurations when using mod_userdir with suexec. An attacker able to use the RequestHeader directive in an .htaccess file could cause some CGI scripts to run under an unexpected user id.
It was discovered that the libpng simplified API incorrectly processed palette PNG images with partial transparency and gamma correction. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.
Petr Simecek, Stanislav Fort and Pavel Kohout discovered that the libpng simplified API incorrectly processed interlaced 16-bit PNGs with 8-bit output format and non-minimal row strides. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.
Cosmin Truta discovered that the libpng simplified API incorrectly handled invalid row strides. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service.
It was discovered that Libtasn1 incorrectly handled decoding ASN.1 content. An attacker could possibly use this issue to cause Libtasn1 to crash, resulting in a denial of service.
It was discovered that Python’s http.client did not properly handle the Content-Length header in HTTP responses. A malicious server could exploit this to cause Python to allocate excessive memory, leading to a denial of service.
It was discovered that PHP incorrectly handled memory when an element count exceeded the 32-bit limit. An attacker could possibly use this issue to cause a denial of service.
It was discovered that PHP incorrectly handled memory when using the PDO PostgreSQL driver. An attacker could possibly use this issue to cause a denial of service.
It was discovered that Sodium incorrectly handled the elliptic curve point validity check in certain atypical use cases. This could result in invalid points being used, contrary to expectations.
It was discovered that GnuPG incorrectly handled crafted input. A remote attacker could possibly use this issue to crash the program, or execute arbitrary code.
It was discovered that GLib incorrectly handled escaping URI strings. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that GLib incorrectly parsed certain GVariants. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that GLib incorrectly parsed certain long invalid ISO 8601 timestamps. An attacker could possibly use this issue to cause GLib to crash, resulting in a denial of service.
It was discovered that GLib incorrectly handled GString memory operations. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Qlustar 14.
It was discovered that GLib incorrectly handled creating temporary files. An attacker could possibly use this issue to access unauthorized data.
Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from December 12th until February 16th).
The problem can be corrected by updating your system to the following or more recent package versions:
qlustar-module-core-noble-amd64-14.0 14.1.0-b589f1616
qlustar-module-core-centos8-amd64-14.0 14.1.0-b589f1616
qlustar-module-core-jammy-amd64-13.3 13.4.0-b588f1617
qlustar-module-core-centos8-amd64-13.3 13.4.0-b588f1617
In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:
# spack reindex
Note that after this, older Spack versions will no longer be able to read the database. However, a backup is created in case a revert is needed.
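To confirm that the update actually landed on every node, the following Python check compares the package versions a node reports against the fixed versions listed above. This is an added example, not Qlustar's own tooling: the version-ordering rule it applies (numeric dotted release first, then the b<N> build counter, with f<N> as a tiebreaker) is an assumption about the Qlustar version scheme, and the dpkg-query sample lines are constructed for the demonstration.

```python
"""Audit installed Qlustar core module packages against the fixed versions
in this advisory. Added example; not part of Qlustar's tooling."""
import re

# Minimum fixed versions taken from the advisory (package -> version).
FIXED_VERSIONS = {
    "qlustar-module-core-noble-amd64-14.0": "14.1.0-b589f1616",
    "qlustar-module-core-centos8-amd64-14.0": "14.1.0-b589f1616",
    "qlustar-module-core-jammy-amd64-13.3": "13.4.0-b588f1617",
    "qlustar-module-core-centos8-amd64-13.3": "13.4.0-b588f1617",
}

# Shape of a Qlustar module version string, e.g. 14.1.0-b589f1616.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-b(\d+)f(\d+)$")


def parse_version(version):
    """Turn '14.1.0-b589f1616' into a tuple that compares in release order.

    Assumption (not stated in the advisory): the dotted release orders
    numerically and the b<N> build counter grows with newer builds; the
    f<N> suffix is only used as a final tiebreaker.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised Qlustar version: {version!r}")
    return tuple(int(group) for group in match.groups())


def is_fixed(package, installed):
    """True if the installed version meets the advisory's minimum,
    False if it is older, None if the package is not covered here."""
    if package not in FIXED_VERSIONS:
        return None
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[package])


def audit(dpkg_lines):
    """Classify each covered package from lines of the form
    'package<TAB>version', as printed by
    dpkg-query -W -f '${Package}\\t${Version}\\n'."""
    results = {}
    for line in dpkg_lines:
        line = line.strip()
        if not line:
            continue
        package, _, version = line.partition("\t")
        status = is_fixed(package, version)
        if status is None:
            continue  # not a package this advisory lists
        results[package] = "ok" if status else "outdated"
    return results


# Constructed sample: one module already at the fixed build, one behind,
# plus an unrelated package that the audit should ignore.
SAMPLE = """\
qlustar-module-core-noble-amd64-14.0\t14.1.0-b589f1616
qlustar-module-core-jammy-amd64-13.3\t13.3.2-b571f1590
libc6\t2.39-0ubuntu8
"""

if __name__ == "__main__":
    for package, status in audit(SAMPLE.splitlines()).items():
        print(f"{status:8} {package}")
```

On a real node, pipe the output of the dpkg-query command named in the docstring into audit() instead of SAMPLE; any package reported as outdated has not yet received this bundle.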