May 15th, 2026
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates, subscribe to the general security mailing lists of Debian/Ubuntu and/or AlmaLinux.
Package(s) : see upstream description of individual package
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
If an advisory applies only to Qlustar 13 or 14, it is noted in its description.
It was discovered that Avahi incorrectly handled crafted input. A remote attacker could possibly use this issue to crash the program, resulting in a denial of service.
Guillaume Meunier discovered that Avahi incorrectly handled crafted input. An attacker could possibly use this issue to crash the program, resulting in a denial of service.
Andrew S. Fasano, Royce M, and Hugo Martinez Ray discovered that Dnsmasq did not allocate the necessary space to store domain names in some contexts. An attacker could possibly use this issue to write out-of-bounds, and could cause a denial of service or execute arbitrary code.
Royce M discovered that Dnsmasq could loop infinitely due to an erroneously missing window header. An attacker could possibly use this issue to cause a denial of service.
Royce M discovered that a maliciously crafted packet could cause Dnsmasq to report a negative length. An attacker could possibly use this issue to cause a denial of service.
Royce M and Asim Viladi Oglu Manizada discovered that certain configurations of Dnsmasq could write over the DHCPv6 CLID buffer within a privileged helper. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Royce M discovered that certain configurations of Dnsmasq could bypass internal bounds checks. An attacker could possibly use this issue to permit malformed packets, and could cause a denial of service.
Hugo Martinez discovered that Dnsmasq did not check the rdlen element of a record. An attacker could possibly use this issue to cause a denial of service.
It was discovered that the Lua parser incorrectly handled garbage collection when processing specially crafted Lua scripts. A remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
It was discovered that Vim did not properly handle backticks in tag filenames. An attacker could possibly use this issue to execute arbitrary commands.
Kamil Frankowicz discovered that Postfix incorrectly handled certain enhanced status codes. A remote attacker could possibly use this issue to cause Postfix to crash, resulting in a denial of service.
It was discovered that libpng incorrectly handled memory when processing certain PNG files. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that libpng incorrectly handled expanding 8-bit paletted rows to RGB or RGBA on ARM processors. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that libpng incorrectly handled certain setter APIs. An attacker could possibly use this issue to obtain sensitive information.
Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding, resulting in a denial of service.
It was discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain privileges. A local attacker could possibly use this issue to obtain sensitive information.
Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly handled certain AJP server messages. An attacker in control of a backend AJP server could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly execute arbitrary code.
Pavel Kohout discovered that Apache HTTP Server did not properly limit resource allocation in mod_md when processing OCSP response data. A remote attacker could possibly use this issue to cause a denial of service.
Pavel Kohout discovered that the Apache HTTP Server incorrectly handled certain memory operations in mod_dav_lock. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service.
Nitescu Lucian discovered that Apache HTTP Server had a timing attack vulnerability in mod_auth_digest. A remote attacker could possibly use this issue to bypass Digest authentication.
Pavel Kohout and Arkadi Vainbrand discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_authn_socache. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service.
Haruki Oyama, Merih Mengisteab, and Dawit Jeong discovered that Apache HTTP Server had an HTTP response splitting vulnerability in multiple modules when used with untrusted or compromised backend servers. An attacker could possibly use this issue to inject arbitrary HTTP headers.
Elhanan Haenel discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_proxy_ajp. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service.
Tianshuo Han and Jérôme Djouder discovered that Apache HTTP Server incorrectly handled certain string operations in mod_proxy_ajp. A remote attacker could possibly use this issue to obtain sensitive information.
Elhanan Haenel discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_proxy_ajp. A remote attacker could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly obtain sensitive information.
Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from May 1st until May 15th).
The problem can be corrected by updating your system to the following or more recent package versions:
qlustar-module-core-noble-amd64-14.1 14.1.3-b589f1626
qlustar-module-core-centos8-amd64-14.1 14.1.3-b589f1626
qlustar-module-core-jammy-amd64-13.4 13.4.3-b588f1625
In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:
# spack reindex
Note that after this, older Spack versions will no longer be able to read the database. However, a backup is created in case a revert is needed.
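To confirm that a node actually carries at least the minimum package versions listed above, before or after running the update, the following Python check is added here; it is not part of the Qlustar advisory or of Qlustar's tooling. It parses output in the form produced by `dpkg-query -W -f '${Package} ${Version}\n'` (a constructed sample is embedded in place of a live query) and orders versions with a re-implementation of Debian's version-comparison rules (epoch, upstream version, revision; tilde sorts before everything, digit runs compare numerically), so it also handles versions beyond the three listed here. The package names and minimum versions are the ones from this advisory; the installed versions in the sample are constructed.

```python
import re
from itertools import zip_longest

# Minimum package versions from the advisory above (package name -> version).
REQUIRED = {
    "qlustar-module-core-noble-amd64-14.1": "14.1.3-b589f1626",
    "qlustar-module-core-centos8-amd64-14.1": "14.1.3-b589f1626",
    "qlustar-module-core-jammy-amd64-13.4": "13.4.3-b588f1625",
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output.
# A real node normally carries only one of the core modules; the spack line
# and all version values here are made up for the demonstration.
SAMPLE_DPKG_OUTPUT = """\
qlustar-module-core-noble-amd64-14.1 14.1.3-b589f1626
qlustar-module-core-jammy-amd64-13.4 13.4.2-b570f1590
spack 0.22.1-qlustar1
"""


def _char_order(c):
    """Debian ordering for characters in non-digit runs: '~' sorts before
    everything (even the end of the run), letters before non-letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b, fillvalue=""):
        oa, ob = _char_order(ca), _char_order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream version or a revision: alternating non-digit runs
    (lexical, Debian order) and digit runs (numeric)."""
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, ordering a and b as `dpkg --compare-versions` does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def check_installed(dpkg_output, required=REQUIRED):
    """Map each required package to 'ok', 'outdated' or 'not installed'."""
    installed = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    result = {}
    for name, minimum in required.items():
        have = installed.get(name)
        if have is None:
            result[name] = "not installed"
        elif compare_versions(have, minimum) >= 0:
            result[name] = "ok"
        else:
            result[name] = "outdated"
    return result


if __name__ == "__main__":
    for name, status in check_installed(SAMPLE_DPKG_OUTPUT).items():
        print(f"{status:<14} {name}")
```

On a live node, replace `SAMPLE_DPKG_OUTPUT` with the output of the `dpkg-query` command named in the comment; a package reported as "outdated" means the fixed module has not been installed yet, and "not installed" for the modules belonging to other Qlustar releases is the expected result.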