June 8th, 2026
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other, non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates, subscribe to the general security mailing lists of Debian/Ubuntu and/or AlmaLinux.
Package(s) : see upstream description of individual package
Qlustar releases : 13, 14
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
If an advisory applies only to Qlustar 13 or 14, it is noted in its description.
It was discovered that Apache HTTP Server incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause Apache HTTP Server to consume excessive resources, resulting in a denial of service.
It was discovered that XZ Utils did not properly manage memory when attempting to append data to a decoded index that contained no records. An attacker could possibly use this issue to cause XZ Utils to crash, resulting in a denial of service, or execute arbitrary code.
It was discovered that GNU SASL did not properly handle certain DIGEST-MD5 tokens. An attacker could possibly use this issue to cause GNU SASL to crash, resulting in a denial of service.
It was discovered that SSSD did not properly handle raw bytes in the PAM passkey responder. A local attacker could possibly use this issue to cause the SSSD PAM responder to crash, resulting in a denial of service.
Anthony Parfenov discovered that Apache HTTP Server with SSI enabled and mod_cgid passed shell-escaped query strings to #exec cmd directives. A remote attacker could possibly use this issue to perform command injection.
Mattias Åsander discovered that Apache HTTP Server incorrectly gave precedence to environment variables from HTTP headers over server-calculated CGI variables. A remote attacker could possibly use this issue to influence the environment of CGI programs.
Mattias Åsander discovered that Apache HTTP Server mod_userdir with suexec could be caused to run CGI scripts under an unexpected user ID via RequestHeader directives in .htaccess files. An attacker with .htaccess write access could possibly use this issue to bypass suexec user restrictions.
Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the PDO Firebird driver. An attacker could possibly use this issue to perform SQL injection attacks.
It was discovered that PHP incorrectly handled certain encoding names in mbstring. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service.
It was discovered that PHP incorrectly handled object references while parsing crafted SOAP requests. A remote attacker could possibly use this issue to execute arbitrary code.
It was discovered that PHP incorrectly sanitized certain data in the PHP-FPM status page. A remote attacker could possibly use this issue to inject arbitrary JavaScript code.
It was discovered that PHP had an encoding mismatch in mbstring. An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.
It was discovered that PHP incorrectly handled SOAP session persistence after errors. A remote attacker could possibly use this issue to obtain sensitive information or cause PHP to crash, resulting in a denial of service.
It was discovered that PHP incorrectly handled missing values in SOAP typemap decoding. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.
It was discovered that PHP incorrectly handled very long input in metaphone(). An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.
Pavel Kohout discovered that Samba’s vfs_worm module did not properly block file overwrites. An attacker could possibly use this issue to overwrite files that should have remained immutable.
Arad Inbar, Nir Somech, and Ben Grinberg discovered that Samba incorrectly handled certificate auto-enrolment group policies over HTTP without verification. A machine-in-the-middle attacker could possibly use this issue to install a malicious CA certificate.
Arad Inbar, Erez Cohen, Nir Somech, and Ben Grinberg discovered that Samba’s Active Directory Domain Controller WINS server could be made to crash under certain circumstances. A remote attacker could possibly use this issue to cause a denial of service.
Ron Ben Yizhak discovered that Samba’s DCE/RPC SAMR server incorrectly handled a non-default password check script configuration. A remote attacker could possibly use this issue to execute arbitrary code.
Ron Ben Yizhak discovered that Samba’s printing subsystem incorrectly handled a non-default print command configuration. A remote attacker could possibly use this issue to execute arbitrary code.
Joshua Rogers discovered that Vim incorrectly handled certain URL schemes in the netrw plugin. An attacker could possibly use this issue to execute arbitrary commands.
It was discovered that Vim incorrectly handled command-line completion for the :find command. An attacker could possibly use this issue to execute arbitrary commands.
Daniel Cervera discovered that Vim incorrectly handled loading spell files. An attacker could possibly use this issue to cause a denial of service, or to execute arbitrary code.
It was discovered that Evince did not properly sanitize command-line arguments in PDF /GoToR actions. If a user opened a specially crafted PDF file, an attacker could possibly use this issue to execute arbitrary code.
It was discovered that libarchive incorrectly handled certain RAR archives. An attacker could possibly use this issue to cause an out-of-bounds read via a crafted RAR archive, leading to sensitive memory disclosure.
It was discovered that libarchive incorrectly handled certain ISO files. An attacker could possibly use this issue to cause incorrect memory allocation via a crafted ISO file, leading to a denial of service.
It was discovered that libarchive incorrectly handled block pointer allocation in zisofs on 32-bit systems. An attacker could possibly use this issue to cause a heap buffer overflow via a crafted ISO9660 image, possibly leading to arbitrary code execution.
Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers. A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of service.
Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that rsync daemons configured without chroot protection were exposed to a race condition on parent path components. A local attacker with write access to a module could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges.
It was discovered that rsync did not properly validate a length value while sorting extended attributes. An attacker could possibly use this issue to cause a denial of service.
It was discovered that rsync performed reverse-DNS lookups after chrooting in some daemon configurations. A remote attacker could possibly use this issue to bypass hostname-based access controls and access network services.
Omar Elsayed discovered that rsync did not properly check for integer overflows while decoding compressed tokens. A remote attacker could possibly use this issue to obtain sensitive information.
Andrew Tridgell discovered that rsync did not fully fix a symlink race condition in path-based system calls for daemons configured without chroot protection. A local attacker could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges.
Pratham Gupta discovered that rsync did not properly validate an index while processing file lists. A remote attacker could possibly use this issue to cause rsync to crash, resulting in a denial of service.
Michal Ruprich discovered that rsync contained an off-by-one error while handling HTTP proxy responses. An attacker able to intercept network communications or a malicious proxy server could possibly use this issue to cause a denial of service.
Joshua Rogers discovered that GnuTLS did not properly handle malformed DTLS handshake fragments in certain cases. A remote attacker could possibly use this issue to obtain sensitive information, or cause a denial of service.
Haruto Kimura, Oscar Reparaz, and Zou Dikai discovered that GnuTLS did not properly validate DTLS handshake fragment lengths in certain cases. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service, or execute arbitrary code.
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly validate OCSP responses in certain cases. A remote attacker could possibly use this issue to bypass certificate revocation checks, leading to a machine-in-the-middle attack.
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly handle case-insensitive name constraints in certain cases. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack.
Joshua Rogers discovered that GnuTLS did not properly order DTLS packets with duplicate sequence numbers in certain cases. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service.
Joshua Rogers discovered that GnuTLS did not properly handle usernames containing NUL characters in certain RSA-PSK configurations. A remote attacker could possibly use this issue to bypass authentication and gain unintended access to services.
Haruto Kimura discovered that GnuTLS did not properly apply permitted name constraints in certain certificate validation paths. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack.
Oleh Konko discovered that GnuTLS incorrectly fell back to Common Name checks for certain URI and SRV subject alternative names. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack.
Haruto Kimura and Joshua Rogers discovered that GnuTLS incorrectly fell back to Common Name checks when subject alternative names were oversized. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack.
Luigino Camastra and Joshua Rogers discovered that GnuTLS had a use-after-free issue when changing PKCS#11 token security officer PINs in certain cases. An attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service, or execute arbitrary code.
Zou Dikai discovered that GnuTLS did not properly validate PKCS#12 bag sizes in certain cases. An attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service, or execute arbitrary code.
Joshua Rogers discovered that GnuTLS did not properly handle very short premaster secrets in certain RSA key exchange cases with PKCS#11-backed server keys. A remote attacker could possibly use this issue to obtain sensitive information.
Doria Tang discovered that GnuTLS did not perform PKCS#7 padding checks in constant time in certain cases. A remote attacker could possibly use this issue to obtain sensitive information.
Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from May 15th until June 7th).
The problem can be corrected by updating your system to the following or more recent package versions:
qlustar-module-core-noble-amd64-14.1 14.1.4-b589f1628
qlustar-module-core-centos8-amd64-14.1 14.1.4-b589f1628
qlustar-module-core-jammy-amd64-13.4 13.4.4-b588f1627
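The following script is an added example and not part of the Qlustar advisory or the Qlustar tooling: it checks whether the qlustar-module-core package installed on a node is at or above the minimum version listed above. It assumes Debian/Ubuntu version-string semantics (it uses dpkg --compare-versions where available and falls back to GNU sort -V) and dpkg-query style "package version" lines as input; the sample installed version it runs against is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Qlustar advisory): verify that the installed
# qlustar-module-core package meets the minimum fixed version.

# version_lt A B: exit 0 if version A is strictly lower than version B.
# Uses dpkg's comparison when available; otherwise GNU sort -V (assumption:
# both order Debian-style "upstream-revision" strings the same way here).
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
    fi
}

# Minimum versions from the advisory ("package version", one per line).
REQUIRED="qlustar-module-core-noble-amd64-14.1 14.1.4-b589f1628
qlustar-module-core-centos8-amd64-14.1 14.1.4-b589f1628
qlustar-module-core-jammy-amd64-13.4 13.4.4-b588f1627"

# check_installed "<pkg> <ver>\n..." : compare each installed module package
# against REQUIRED. Packages not present in the input are skipped (a node
# carries only one of the module variants). Prints one line per package
# and returns 1 if any package is below the fixed version, 0 otherwise.
check_installed() {
    installed="$1"
    rc=0
    while read -r pkg req; do
        have=$(printf '%s\n' "$installed" | awk -v p="$pkg" '$1 == p { print $2 }')
        [ -z "$have" ] && continue
        if version_lt "$have" "$req"; then
            echo "UPDATE NEEDED: $pkg $have < $req"
            rc=1
        else
            echo "ok: $pkg $have"
        fi
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# Constructed sample input (invented values): what
#   dpkg-query -W -f='${Package} ${Version}\n' 'qlustar-module-core-*'
# might print on a Qlustar 13 node that has not yet received this update.
SAMPLE="qlustar-module-core-jammy-amd64-13.4 13.4.3-b580f1600"

if check_installed "$SAMPLE"; then
    echo "all module packages are at the fixed version or newer"
else
    echo "at least one module package needs this update"
fi
```

On a live node, replace SAMPLE with the real dpkg-query output shown in the comment and run the script after the update to confirm the fix landed on every node, not only on the head node.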
In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:
# spack reindex
Note that after reindexing, older Spack versions will no longer be able to read the database. However, a backup of the database is created in case a revert is needed.