Qlustar

Contact Info

Legal Information

Qlustar

Contact Info

Legal Information

[QSA-0704262]
Security Update Bundle

Qlustar Security Advisory 0704262

July 4th, 2026


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13 and/or 14 – Ubuntu

If an advisory applies only to Qlustar 13 or 14, it is noted in its description.

Vim vulnerabilities

It was discovered that Vim incorrectly handled path traversal in the zip.vim plugin. An attacker could possibly use this issue to overwrite arbitrary files.

It was discovered that Vim incorrectly handled depth tracking when processing spell files. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim incorrectly handled filename escaping in the netrw plugin. An attacker could possibly use this issue to execute arbitrary code.

It was discovered that Vim incorrectly handled length calculations when opening encrypted files. An attacker could possibly use this issue to cause a denial of service.

Dhruv Vishesh Gupta discovered that Vim incorrectly handled quoting of archive entry names. An attacker could possibly use this issue to execute arbitrary code.

It was discovered that Vim incorrectly handled bounds checking when translating words through a byte map. An attacker could possibly use this issue to cause a denial of service.

Chenyuan Mi discovered that Vim incorrectly handled docstring escaping during Python omni-completion. An attacker could possibly use this issue to execute arbitrary code.

curl vulnerabilities

Andrew Nesbitt discovered that curl could reuse an existing live connection during STARTTLS-based connection upgrades even when the TLS configuration did not match. A remote attacker could possibly use this issue to cause curl to use an unintended TLS configuration.

Muhamad Arga Reksapati discovered that curl incorrectly reused connections for Negotiate-authenticated requests when different services were involved. A remote attacker could possibly use this issue to access resources authenticated for another service.

It was discovered that curl incorrectly handled cookie parsing in certain circumstances. A remote attacker could possibly use this issue to set cookies that would be transmitted to unrelated third-party domains.

Joshua Rogers discovered that curl could double-free a GSASL context when handling SASL authentication. A remote attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.

Ady Elouej discovered that curl did not clear proxy authentication state between requests when reusing a handle with environment-variable proxy configuration. A remote attacker could possibly use this issue to obtain sensitive credentials.

Joshua Rogers discovered that curl did not properly reject host key type mismatches when using the SSH key callback for SCP and SFTP transfers. A machine-in-the-middle attacker could possibly use this issue to impersonate a trusted server.

libssh2 vulnerabilities

It was discovered that libssh2 incorrectly handled the sftp_symlink() function. A malicious SSH server or machine-in-the-middle attacker could possibly use this issue to obtain sensitive information or cause a denial of service.

It was discovered that libssh2 had a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler. A malicious SSH server could possibly use this issue to cause a client CPU exhaustion loop, resulting in a denial of service.

NSS vulnerability

Haruto Kimura discovered that NSS had incorrecty handled parsing PKCS#11 URI escape sequences. An attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service, or obtain sensitive information.

tar vulnerability

It was discovered that tar incorrectly handled certain crafted archive files. An attacker could possibly use this to inject hidden files with attacker-controlled content, bypassing pre-extraction inspection mechanisms.

libxml2 vulnerability

Geoffrey Humphreys discovered that libxml2 had a use after free when parsing the internal subset of a DTD. A remote attacker could possibly use this issue to cause a denial of service or possibly execute arbitrary code.

Vim vulnerabilities

Srinivas Piskala Ganesh Babu discovered that Vim incorrectly handled directory names when serializing browsed paths to the netrw history file. An attacker could possibly use this issue to execute arbitrary code.

It was discovered that Vim incorrectly handled step-definition patterns in the cucumber filetype plugin. An attacker could possibly use this issue to execute arbitrary code.

It was discovered that Vim incorrectly handled import statements during Python omni-completion. An attacker could possibly use this issue to execute arbitrary code.

Andrej Tomči discovered that Vim incorrectly handled certain terminal screen cells when taking a snapshot, leading to an out-of-bounds read. An attacker could possibly use this issue to cause Vim to crash, resulting in a denial of service.

David Carliez discovered that Vim incorrectly handled reconstructed function and class definitions during Python omni-completion. An attacker could possibly use this issue to execute arbitrary code.

tmux vulnerability

It was discovered that tmux incorrectly handled image cleanup, leading to a use-after-free vulnerability. A local attacker could possibly use this issue to cause tmux to crash, resulting in a denial of service.

Vim vulnerabilities

It was discovered that Vim incorrectly handled marked filenames in the netrw plugin. An attacker could possibly use this issue to execute arbitrary code.

It was discovered that Vim incorrectly handled filenames when decompressing certain archives. An attacker could possibly use this issue to execute arbitrary code.

OpenSSL vulnerabilities

Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1 content parsing. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or obtain sensitive information.

Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could accept forged CMS AuthEnvelopedData messages. An attacker could possibly use this issue to bypass message authentication checks.

Mayank Jangid, Kushal Khemka, Hari Priandana, Bhabani Sankar Das, and Qifan Zhang discovered that OpenSSL had a possible NULL dereference in password- based CMS decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

Zhanpeng Liu, Guannan Wang, and Guancheng Li discovered that OpenSSL had a NULL pointer dereference in CRMF EncryptedValue decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

Alex Gaynor discovered that OpenSSL used attacker-supplied parameters when validating FFC-DH peers. An attacker could possibly use this issue to weaken key validation and compromise security guarantees.

Alex Gaynor discovered that OpenSSL could ignore the IV in AES-OCB mode on the EVP_Cipher() path. An attacker could possibly use this issue to bypass cryptographic protections and obtain sensitive information.

Alex Gaynor discovered that OpenSSL had incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. An attacker could possibly use this issue to bypass cryptographic integrity checks.

Thai Duong discovered that OpenSSL had a heap use-after-free in PKCS7_verify(). An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code.

Zehua Qiao and Jinwen He discovered that OpenSSL had a possible heap buffer overflow in ASN.1 multibyte string conversion. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code.

Bhabani Sankar Das discovered that OpenSSL had an out-of-bounds read in CMS password-based decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

CUPS vulnerabilities

Ariel Silver discovered that CUPS incorrectly handled username comparisons during authorization checks. A local attacker could possibly use this issue to gain unauthorized access to restricted operations.

Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled notify-recipient-uri values in the RSS notifier. A remote attacker could possibly use this issue to overwrite lp-writable files and cause a denial of service.

Jacob Newman discovered that CUPS incorrectly handled filter option strings when processing job attributes. An attacker could use this issue to cause CUPS to crash, resulting in a denial of service, or possibly execute arbitrary code.

Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled page-border values in shared PostScript queues. A remote attacker could possibly use this issue to execute arbitrary code.

Asim Viladi Oglu Manizada discovered that CUPS incorrectly handled localhost authentication to attacker-controlled IPP services. A local attacker could possibly use this issue to overwrite arbitrary files and execute arbitrary code.

Tomer Fichman discovered that CUPS incorrectly handled negative job-password-supported values. A local attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service.

Tomer Fichman discovered that CUPS incorrectly handled temporary printer deletion. An attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service, or to execute arbitrary code.

Tomer Fichman discovered that CUPS incorrectly handled certain malformed SNMP responses. An attacker could possibly use this issue to obtain sensitive information.

systemd vulnerabilities

It was discovered that systemd-nspawn incorrectly handled certain optional configuration files. A local attacker could possibly use this issue to escape to the host system and execute arbitrary code.

It was discovered that systemd-resolved incorrectly validated DNSSEC records for signed domains. An attacker could possibly use this issue to manipulate DNS records. This issue only affected Qlustar 13.

AlmaLinux 8.10 security updates

Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from June 7th until July 3rd).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 14

qlustar-module-core-noble-amd64-14.1       14.1.5-b589f1631
qlustar-module-core-centos8-amd64-14.1     14.1.5-b589f1631

For Qlustar 13

qlustar-module-core-jammy-amd64-13.4       13.4.5-b588f1632

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • Spack migration With the release of the HPC Core Stack 02/26, spack was also updated to version 1.1.1. If you haven’t yet migrated your spack database to version 8, login on a cluster node as a user with Spack admin rights (usually user softadm or anybody in the group softadm) and execute
    # spack reindex
    

    Note that after this, older Spack versions will no longer be able to read the database. However, a backup is created in case a revert is needed.

  • Please note that we no longer provide 13.x AlmaLinux 8 modules for Qlustar 13. If you want to use AlmaLinux 8 under Qlustar 13, please switch to the 14.x image modules and create a corresponding chroot for it.