[QSA-1024192] Security Update Bundle

Qlustar Security Advisory 1024192

Oct 24th, 2019

Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.

    Package(s)       : see upstream description of individual package
    Qlustar releases : 10.1, 11.0
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 11.0 and 10.1

sudo vulnerability

Joe Vennix discovered that Sudo incorrectly handled certain user IDs. An attacker could potentially exploit this to execute arbitrary commands as the root user.

Python vulnerabilities

It was discovered that Python incorrectly parsed certain email addresses. A remote attacker could possibly use this issue to trick Python applications into accepting email addresses that should be denied.

It was discovered that the Python documentation XML-RPC server incorrectly handled certain fields. A remote attacker could use this issue to execute a cross-site scripting (XSS) attack.

e2fsprogs vulnerability

It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code.

CentOS 7.7 security updates

Please check the CentOS mailing list for details about CentOS 7 updates that entered this release (everything from Sept. 17th to Oct 23rd, 2019).

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions and for this update also perform the manual step '10. Adjust root bash shell initialization' as described in the Release Notes):

For Qlustar 11.0

    qlustar-module-core-bionic-amd64-11.0.0    11.0.0.4-b515f1270
    qlustar-module-core-centos7-amd64-11.0.0   11.0.0.4-b515f1270
  

For Qlustar 10.1

    qlustar-module-core-xenial-amd64-10.1.1    10.1.1.8-b509f1268