April 8th, 2026
A Qlustar security update bundle is a cumulative update of packages that are taken unmodified from upstream Debian/Ubuntu and AlmaLinux. Only packages used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other, non-HPC-related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track those updates, subscribe to the general security mailing lists of Debian/Ubuntu and/or AlmaLinux.
Package(s) : see upstream description of individual package
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security-related package updates from Debian/Ubuntu and AlmaLinux. The following list summarizes the upstream security report for each affected package; the original upstream advisory is linked from its title.
If an advisory applies only to Qlustar 13 or 14, it is noted in its description.
Igor Morgenstern discovered that OpenSSL incorrectly handled certain memory operations when used as a DANE client. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.
Igor Morgenstern discovered that OpenSSL incorrectly handled certain memory operations when processing a delta CRL. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Nathan Sportsman, Daniel Rhea, and Jaeho Nam discovered that OpenSSL incorrectly handled certain memory operations when processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Muhammad Daffa, Joshua Rogers, and Chanho Kim discovered that OpenSSL incorrectly handled processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Quoc Tran discovered that OpenSSL incorrectly handled hexadecimal conversion on 32-bit platforms. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.
Simo Sorce discovered that OpenSSL incorrectly handled failures in RSA KEM RSASVE Encapsulation. A remote attacker could possibly use this issue to obtain sensitive information.
It was discovered that libarchive could read past the end of file streams when processing input to bsdtar. An attacker could possibly use this issue to cause memory corruption or a denial of service.
HyungJung Joo discovered that libarchive did not properly limit memory allocation when processing substitution rules in bsdtar. An attacker could possibly use this issue to cause excessive memory consumption, leading to a denial of service.
Elhanan Haenel discovered that libarchive could enter an infinite loop when processing crafted RAR5 archives. An attacker could possibly use this issue to cause excessive CPU consumption, leading to a denial of service.
It was discovered that systemd incorrectly handled certain cgroup paths. A local attacker could possibly use this issue to cause systemd to crash, resulting in a denial of service.
It was discovered that the systemd udev component incorrectly handled certain fields received from the kernel. An attacker with a malicious device could possibly use this issue to execute arbitrary code as an administrator (root).
Rahul Hoysala discovered that Vim did not correctly handle certain tag resolutions. An attacker could possibly use this issue to cause a denial of service.
It was discovered that Vim did not correctly handle processing certain specialKey commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Kim Dong Han discovered that Vim did not correctly handle opening certain URLs. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to execute arbitrary code.
Kim Dong Han discovered that Vim did not correctly handle parsing Emacs-style tag files. An attacker could possibly use this issue to cause a denial of service.
Kim Dong Han discovered that Vim did not correctly handle processing maximum combining characters from Unicode supplementary planes. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Kim Dong Han discovered that Vim did not correctly handle swap file recovery. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Kim Dong Han discovered that Vim did not correctly handle rendering status lines. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
It was discovered that the util-linux su utility did not drop capabilities when being used with the --pty option. While not a security issue by itself, a local attacker could possibly use the su tool to exploit vulnerabilities in other applications.
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the GSSAPIKeyExchange setting is enabled, a remote attacker could use this issue to cause OpenSSH to crash, resulting in a denial of service, or possibly execute arbitrary code.
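The OpenSSH issue above only matters on hosts where the non-default GSSAPIKeyExchange option is switched on, so the first thing to establish is whether a node is in that configuration at all. The following script is an added example, not part of the Qlustar or upstream advisory. It applies the sshd_config rules that the first occurrence of a keyword wins, that keywords are case-insensitive, and that anything after a Match line is conditional; it does not follow Include directives, so pass the included files in the order sshd would read them, and it does not handle the rarely used "Keyword=value" spelling. The two sample configurations are constructed for the demonstration and are not taken from any real host.

```sh
#!/bin/sh
# Added example, not part of the Qlustar or Ubuntu advisory: find out whether a
# host is in the non-default configuration the OpenSSH GSSAPI KEX issue needs.
# sshd_config rules applied here: the first occurrence of a keyword wins,
# keywords are case-insensitive, and options after a Match line are conditional.
# Assumption/caveat: only the files passed on the command line are read; an
# Include directive is not followed, so pass included files in the order sshd
# would read them (the "Keyword=value" spelling is also not handled).

# sshd_global_value KEYWORD FILE... -> prints the first global value, lowercased
sshd_global_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    cat "$@" 2>/dev/null | awk -v key="$key" '
        NF == 0 || $1 ~ /^#/   { next }          # skip blank lines and comments
        tolower($1) == "match" { exit }          # everything after Match is conditional
        tolower($1) == key     { print tolower($2); exit }'
}

# gssapi_kex_enabled FILE... -> 0 if GSSAPIKeyExchange is effectively "yes"
gssapi_kex_enabled() {
    [ "$(sshd_global_value GSSAPIKeyExchange "$@")" = yes ]
}

# Constructed sample configs (not a real host's files) to exercise the check.
write_exposed_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# exposed: GSSAPI key exchange turned on globally (keyword case does not matter)
GSSAPIAuthentication yes
gssapikeyexchange YES
Match User backup
    GSSAPIKeyExchange no
EOF
    echo "$f"
}

write_hardened_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# hardened: an explicit "no" comes first; a later "yes" cannot override it
GSSAPIKeyExchange no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
EOF
    echo "$f"
}

# report FILE... -> prints a verdict for the given configuration files
report() {
    if gssapi_kex_enabled "$@"; then
        echo "GSSAPIKeyExchange is enabled: affected until OpenSSH is updated"
    else
        echo "GSSAPIKeyExchange is not enabled: not exposed to this issue"
    fi
}

# usage: ./check.sh /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    report "$@"
fi
```

Because the first occurrence wins, the hardened form is an explicit "GSSAPIKeyExchange no" placed before any other mention of the option; a later "yes" in a drop-in file is then ignored, which is also why the order in which the files are passed matters.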
David Leadbeater discovered that OpenSSH incorrectly handled certain control characters in usernames. When untrusted usernames and the ProxyCommand are being used, an attacker could possibly use this issue to execute arbitrary code.
David Leadbeater discovered that OpenSSH incorrectly handled NULL characters in ssh:// URIs. When the ProxyCommand is being used, an attacker could possibly use this issue to execute arbitrary code.
It was discovered that Sudo incorrectly checked return codes when dropping privileges to run the mailer. A local attacker could possibly use this issue to escalate privileges.
It was discovered that libpng did not properly handle memory when processing certain PNG files. An attacker could possibly use this issue to cause libpng to crash, resulting in a denial of service, or disclose sensitive information.
Joshua Inscoe discovered that libpng did not properly handle memory when processing certain PNG files. An attacker could possibly use this issue to cause libpng to crash, resulting in a denial of service, disclose sensitive information, or execute arbitrary code.
Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations.
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when following a redirect. This could result in tokens being sent to the wrong host, contrary to expectations.
Muhamad Arga Reksapati discovered that curl incorrectly reused existing HTTP proxy connections even if the request used different credentials. This could result in the use of incorrect credentials, contrary to expectations.
Yihang Zhou discovered that curl incorrectly reused .netrc file credentials when following redirects. This could result in the use of credentials for a different host, contrary to expectations.
It was discovered that less incorrectly handled certain file names. An attacker could possibly use this issue to cause a denial of service or execute arbitrary commands.
It was discovered that Qt did not correctly handle certain integer arithmetic. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Qlustar 13.
It was discovered that Qt did not correctly handle certain encrypted connections. An attacker could possibly use this issue to leak sensitive information. This issue was only addressed in Qlustar 14.
It was discovered that the UHCI controller implementation of QEMU could be brought into an invalid state. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.
It was discovered that QEMU incorrectly handled memory during certain VNC operations. A remote attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that the e1000 network device implementation of QEMU could be made to write out of bounds. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Qlustar 14.
It was discovered that the virtio-crypto device implementation of QEMU did not limit the length of a certain path input. An attacker inside the guest could possibly use this issue to cause QEMU to consume a large amount of memory, resulting in a denial of service. This issue only affected Qlustar 14.
It was discovered that the KVM Xen guest support of QEMU could be made to read out of bounds. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Qlustar 14.
It was discovered that NSS incorrectly handled memory when performing certain GHASH operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that ImageMagick did not properly decode certain SUN image files. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that ImageMagick did not properly validate pixel index values when writing UIL and XPM image files. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly obtain sensitive information.
It was discovered that ImageMagick’s MSL decoder did not properly handle certain attribute values. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that ImageMagick’s MSL decoder did not properly handle memory when processing certain script elements. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that ImageMagick did not properly handle certain YUV image files. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that ImageMagick did not properly handle certain MAP image files. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly obtain sensitive information.
It was discovered that ImageMagick’s PCD decoder did not properly process Huffman-coded data. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly obtain sensitive information.
It was discovered that Protocol Buffers incorrectly handled recursion when the Python google.protobuf.json_format.ParseDict() function is being used. An attacker could possibly use this issue to cause Protocol Buffers to consume resources, resulting in a denial of service.
Calvin Ruocco discovered that curl did not properly handle WebSocket communications under certain circumstances. A malicious server could possibly use this issue to poison proxy caches with malicious content. This issue only affected Qlustar 14.
Stanislav Fort discovered that curl did not properly manage TLS options when performing LDAP over TLS transfers in multi-threaded environments. Under certain circumstances, certificate verification could be unintentionally and unknowingly disabled.
It was discovered that curl incorrectly handled OAuth2 bearer tokens when following redirects. A remote attacker could possibly use this issue to obtain authentication credentials.
Stanislav Fort discovered that curl did not properly validate TLS certificates when reusing connections. A remote attacker could possibly use this issue to bypass expected certificate verification. This issue only affected Qlustar 14.
Harry Sintonen discovered that curl did not properly validate SSH host keys when performing SSH-based file transfers. This issue could lead to unintended bypass of custom known_hosts file.
Harry Sintonen discovered that curl built with libssh did not properly handle authentication when performing SSH-based file transfers. This could result in unintended authentication operations.
Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from February 16th until April 6th).
The problem can be corrected by updating your system to the following or more recent package versions:
qlustar-module-core-noble-amd64-14.0 14.1.1-b589f1620
qlustar-module-core-centos8-amd64-14.0 14.1.1-b589f1620
qlustar-module-core-jammy-amd64-13.3 13.4.1-b588f1619
In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:
# spack reindex
Note that after this, older Spack versions will no longer be able to read the database. However, a backup is created in case a revert is needed.
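A practitioner applying this bundle will want to confirm that every installed module listed above is at or beyond its fixed version before running the Spack step, since spack reindex rewrites the Spack database and should follow, not precede, the package update. The script below is an added example, not Qlustar's own tooling. It assumes the modules are installed as dpkg packages on the host it runs on, and it decides "at least" with sort -V (natural version order), which is close to but not identical to dpkg --compare-versions.

```sh
#!/bin/sh
# Added example, not Qlustar's own tooling: verify that the installed
# qlustar-module-core packages are at least the fixed versions listed above,
# then run the post-update step from the advisory.
# Assumptions: the modules are installed as dpkg packages on the host running
# this script, and "at least" is decided with sort -V (natural version order),
# which is close to but not identical to dpkg --compare-versions.

# fixed_version PKG -> prints the fixed version from this advisory, or fails
fixed_version() {
    case $1 in
        qlustar-module-core-noble-amd64-14.0)   echo 14.1.1-b589f1620 ;;
        qlustar-module-core-centos8-amd64-14.0) echo 14.1.1-b589f1620 ;;
        qlustar-module-core-jammy-amd64-13.3)   echo 13.4.1-b588f1619 ;;
        *) return 1 ;;
    esac
}

# version_at_least HAVE NEED -> 0 if HAVE sorts at or after NEED
version_at_least() {
    have=$1; need=$2
    [ "$have" = "$need" ] && return 0
    lowest=$(printf '%s\n%s\n' "$have" "$need" | sort -V | head -n 1)
    [ "$lowest" = "$need" ]
}

# check_pkg PKG [INSTALLED] -> 0 if installed >= fixed, 1 if older or missing,
# 2 if PKG is not one of the packages in this advisory. INSTALLED defaults to
# what dpkg-query reports; passing it explicitly allows offline use and tests.
check_pkg() {
    pkg=$1
    need=$(fixed_version "$pkg") || { echo "$pkg: not covered by this advisory" >&2; return 2; }
    installed=$2
    if [ -z "$installed" ]; then
        installed=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || installed=""
    fi
    if [ -z "$installed" ]; then
        echo "$pkg: not installed"; return 1
    elif version_at_least "$installed" "$need"; then
        echo "$pkg: $installed >= $need: ok"; return 0
    else
        echo "$pkg: $installed < $need: update needed"; return 1
    fi
}

# Check every module from the advisory that is present on this host; only when
# all of them are current is the Spack step from the instructions above run.
main() {
    status=0
    for pkg in qlustar-module-core-noble-amd64-14.0 \
               qlustar-module-core-centos8-amd64-14.0 \
               qlustar-module-core-jammy-amd64-13.3; do
        dpkg-query -W "$pkg" >/dev/null 2>&1 || continue   # module not installed here
        check_pkg "$pkg" || status=1
    done
    if [ "$status" -eq 0 ]; then
        spack reindex
    else
        echo "update the packages first, then rerun to reindex" >&2
    fi
    return "$status"
}

# usage: ./post-update-check.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it once after the package update has been applied; if any module is still below its fixed version the Spack database is left untouched, so the backup that spack reindex creates is only needed once the reindex has actually happened.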