May 2nd, 2026
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or AlmaLinux.
Package(s) : see upstream description of individual package
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security-related package updates from Debian/Ubuntu and AlmaLinux. The following list summarizes the upstream security reports for the corresponding packages; consult the original upstream advisory of each package for full details and CVE identifiers.
If an advisory applies only to Qlustar 13 or 14, it is noted in its description.
Christos Papakonstantinou discovered that the OpenSSH scp tool incorrectly handled the legacy scp protocol (-O) option. This could result in certain files being installed setuid or setgid, contrary to expectations.
Florian Kohnhäuser discovered that OpenSSH incorrectly handled shell metacharacters in usernames that are expanded into a command line. If untrusted usernames are used together with a non-default ssh_config that expands % tokens (for example %r in a ProxyCommand), an attacker could possibly use this issue to execute arbitrary code.
Christos Papakonstantinou discovered that OpenSSH incorrectly handled parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms options. This could result in unintended ECDSA algorithms being used, contrary to expectations.
Michalis Vasileiadis discovered that OpenSSH incorrectly handled proxy-mode multiplexing sessions. This could result in the expected confirmation prompt not being shown before a session is opened, contrary to expectations.
Vladimir Tokarev discovered that OpenSSH incorrectly handled certificates whose principal name contains a comma character when user-trusted CA keys are configured in authorized_keys with a principals="" option that lists more than one principal. This could result in inappropriate principal matching, contrary to expectations.
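The two OpenSSH items above share a root cause: identifiers coming from outside (a remote username, a certificate principal) are later interpreted in a context with its own syntax (a shell command line built from a ProxyCommand template, a comma-separated principals= list). The following Python block is an added example, not Qlustar or OpenSSH code, showing the pre-validation a cluster operator can apply before such names ever reach ssh or a CA: it rejects usernames with shell metacharacters or control characters, expands %r/%h/%p the way ssh does so the danger is visible, and refuses certificate principals that contain commas because they cannot be represented unambiguously in a principals= list. The function names, the username pattern and the sample ProxyCommand are assumptions chosen for illustration.

```python
"""Pre-validate identifiers before they reach OpenSSH (added example).

Covers two situations from the advisory above:
  1. a username that a ProxyCommand expands via %r, and
  2. a certificate principal matched against authorized_keys principals="...".
Function names, the username regex and the sample ProxyCommand are
assumptions for this example, not Qlustar or OpenSSH code.
"""
import re

# Conservative POSIX-style username: no shell metacharacters, whitespace
# or control characters. Tighten or relax to local account policy.
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def username_is_safe(user: str) -> bool:
    """True only if the entire string matches the conservative pattern
    (fullmatch, so a trailing newline is rejected as well)."""
    return _SAFE_USERNAME.fullmatch(user) is not None


def expand_tokens(template: str, user: str, host: str, port: int) -> str:
    """Expand %r, %h, %p and %% in a ProxyCommand template like ssh does.

    ssh hands the expanded string to the user's shell, which is why an
    unvalidated username is dangerous in this position.
    """
    subst = {"r": user, "h": host, "p": str(port), "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            out.append(subst.get(template[i + 1], "%" + template[i + 1]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def build_ssh_argv(user: str, host: str, port: int = 22,
                   proxy_command: str = "ssh -W %h:%p %r@jumphost") -> list:
    """argv for ssh (no shell on our side); refuses unsafe usernames
    before ssh can expand them into the ProxyCommand."""
    if not username_is_safe(user):
        raise ValueError(f"refusing unsafe username {user!r}")
    return ["ssh", "-p", str(port), "-o", f"ProxyCommand={proxy_command}",
            f"{user}@{host}"]


def parse_principals_option(value: str) -> list:
    """principals="a,b,c" is documented as a comma-separated list."""
    return [p for p in value.split(",") if p]


def principal_is_safe(name: str) -> bool:
    """A principal a CA should be willing to issue: non-empty, no comma
    (unrepresentable in a principals= list), no whitespace or control
    characters."""
    return bool(name) and "," not in name and all(
        not ch.isspace() and ord(ch) >= 0x20 for ch in name)


def match_cert_principals(cert_principals: list, option_value: str):
    """Return the first certificate principal that exactly equals an entry
    of the principals= list, or None. Unsafe names never match, so a
    certificate principal "alice,bob" cannot satisfy principals="alice,bob"."""
    allowed = set(parse_principals_option(option_value))
    for p in cert_principals:
        if principal_is_safe(p) and p in allowed:
            return p
    return None


if __name__ == "__main__":
    # Constructed inputs: what the shell would see for a hostile username,
    # and how the validator stops it before ssh is invoked.
    print(expand_tokens("ssh -W %h:%p %r@jumphost", "alice;id", "node01", 22))
    try:
        build_ssh_argv("alice;id", "node01")
    except ValueError as e:
        print(e)
    print(match_cert_principals(["alice,bob"], "alice,bob"))
    print(match_cert_principals(["bob"], "alice,bob"))
```

The validation belongs in whatever component receives the name from an untrusted source (a job submission portal, an account provisioning hook, the CA issuance script), not only in the ssh client, so that older clients and hand-written configurations are covered too.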
Michał Majchrowicz discovered that Vim’s zip plugin could overwrite arbitrary files. An attacker could possibly use this issue to delete sensitive data or execute arbitrary code. This issue only affected Qlustar 14.
It was discovered that Vim’s netbeans interface did not properly sanitize certain strings. An attacker could possibly use this issue to execute arbitrary commands.
Ali Raza discovered that libcap incorrectly handled file capability updates. A local attacker could possibly use this issue to inject or strip capabilities into arbitrary executables and escalate privileges.
It was discovered that polkit incorrectly handled nested elements in XML policy files. If an administrator were tricked into installing a malicious policy file, a remote attacker could possibly use this issue to cause polkit to crash, resulting in a denial of service.
Pavel Kohout discovered that the polkit polkit-agent-helper-1 utility incorrectly handled long input. A local attacker could possibly use this issue to cause polkit to crash, resulting in a denial of service.
Nathan Mills discovered that Vim could crash when parsing certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue only affected Qlustar 14.
It was discovered that Vim did not properly sanitize user input. An attacker could possibly use this issue to execute arbitrary commands.
Avishay Matayev discovered that Vim’s modeline sandbox could be bypassed when opening a maliciously-crafted file. An attacker could possibly use this issue to execute arbitrary commands.
It was discovered that the LSI53C895A SCSI Host Bus Adapter implementation of QEMU incorrectly handled memory. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that QEMU could be made to read out of bounds when reading VMDK images. If a user or an automated system were tricked into opening a specially crafted VMDK image, an attacker could possibly use this issue to leak sensitive information or cause QEMU to crash, resulting in a denial of service.
It was discovered that the virtio-snd device implementation of QEMU could be made to write out of bounds. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Qlustar 14.
It was discovered that the virtio-snd device implementation of QEMU contained an arithmetic overflow. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Qlustar 14.
It was discovered that the Hyper-V Synthetic Debugging device implementation of QEMU could be made to write out of bounds. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Qlustar 14.
Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from April 6th until May 1st).
The problem can be corrected by updating your system to the following or more recent package versions:
qlustar-module-core-noble-amd64-14.1 14.1.2-b589f1622
qlustar-module-core-centos8-amd64-14.1 14.1.2-b589f1622
qlustar-module-core-jammy-amd64-13.4 13.4.2-b588f1623
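To confirm that a head node actually carries the fixed module versions listed above, the following Python block is an added example (not Qlustar tooling) that parses `dpkg-query -W -f '${Package} ${Version}\n'` output and compares each installed version against the fixed one. It assumes the module packages are installed as Debian packages on the head node, and that the version string is a dotted numeric part followed by a build tag whose `b<number>` increases with every build; both are assumptions, and the older version strings in the constructed sample output are made up for the demonstration.

```python
"""Check installed Qlustar core module versions against the fixed ones.

Added example, not Qlustar code. Assumptions: the modules are Debian
packages on the head node, and a version "14.1.2-b589f1622" compares by
its dotted numeric part first and its b<number> build counter second.
"""
import re
import subprocess

# Fixed versions exactly as listed in this advisory.
FIXED = {
    "qlustar-module-core-noble-amd64-14.1": "14.1.2-b589f1622",
    "qlustar-module-core-centos8-amd64-14.1": "14.1.2-b589f1622",
    "qlustar-module-core-jammy-amd64-13.4": "13.4.2-b588f1623",
}

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)-b(\d+)")


def version_key(version: str) -> tuple:
    """Sortable key: (numeric tuple, build counter). Raises on unknown format."""
    m = _VERSION.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string {version!r}")
    numeric = tuple(int(x) for x in m.group(1).split("."))
    return numeric, int(m.group(2))


def is_fixed(installed: str, required: str) -> bool:
    """True if the installed version is the required one or newer."""
    return version_key(installed) >= version_key(required)


def parse_dpkg_query(text: str) -> dict:
    """Parse '<package> <version>' lines as printed by
    dpkg-query -W -f '${Package} ${Version}\\n'."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def check_modules(installed: dict, fixed: dict = FIXED) -> dict:
    """Map each module to 'ok', 'outdated' or 'not installed'."""
    status = {}
    for pkg, required in fixed.items():
        if pkg not in installed:
            status[pkg] = "not installed"
        elif is_fixed(installed[pkg], required):
            status[pkg] = "ok"
        else:
            status[pkg] = "outdated"
    return status


def query_installed(packages=tuple(FIXED)) -> dict:
    """Run dpkg-query on the real system (only used from the command line)."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f", "${Package} ${Version}\n", *packages],
        capture_output=True, text=True, check=False).stdout
    return parse_dpkg_query(out)


# Constructed sample output for an offline run: one module up to date,
# one older (version invented for the example), one missing.
SAMPLE_DPKG_OUTPUT = """\
qlustar-module-core-noble-amd64-14.1 14.1.2-b589f1622
qlustar-module-core-jammy-amd64-13.4 13.4.1-b570f1500
"""

if __name__ == "__main__":
    for pkg, state in check_modules(parse_dpkg_query(SAMPLE_DPKG_OUTPUT)).items():
        print(f"{pkg}: {state}")
```

Replace `parse_dpkg_query(SAMPLE_DPKG_OUTPUT)` with `query_installed()` to check a live head node; a module reported as `not installed` is simply one that is not part of that installation.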
In addition to the steps described in the general Qlustar Update Instructions these updates require the following:
# spack reindex
Note that after this, older Spack versions will no longer be able to read the database. However, a backup is created in case a revert is needed.