Qlustar General May 2026

qlustar-general@qlustar.org

3 participants
4 discussions

Security/Bug fix releases 14.1.3, 13.4.3
by no-reply-list＠qlustar.org 16 May '26

16 May '26

The Qlustar releases 14.1.3 and 13.4.3 are ready including a number of security/bug fixes. Please check the following web pages for details about security fixes and special update instructions: https://qlustar.com/qsa/2026/0515261 https://qlustar.com/qsa/2026/0515262

3 2

Mitigation for the Dirty Frag vulnerability
by no-reply-list＠qlustar.org 09 May '26

09 May '26

It was discovered [1] that the Linux kernel modules esp4, esp6 and rxrpc contain a logic flaw allowing a local attacker to escalate privileges to root. All Qlustar 13 and 14 Ubuntu releases are vulnerable to this bug. On Qlustar 13 Ubuntu releases the public exploit does not work though. To mitigate the issue until kernel updates are made available please proceed as follows: On the head-node execute: $ cat > /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules << EOF #!/bin/bash modules_to_be_removed="esp4 esp6 rxrpc" for mod in \$modules_to_be_removed; do mod_paths=\$(find /usr/lib/modules/\$(uname -r) -name "\$mod.*") if [ -n "\$mod_paths" ]; then echo "Found vulnerable kernel module \$mod ==> Removing it" echo \$mod_paths | xargs rm -f fi rmmod \$mod > /dev/null 2>&1 done EOF $ chmod 755 /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules Then on all running cluster nodes including the head-node execute: $ /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules These changes will prevent loading the faulty kernel modules, which are not needed on any standard Qlustar HPC/AI/Storage cluster setup. [1] https://dirtyfrag.io

1 0

Security/Bug fix releases 14.1.2, 13.4.2
by no-reply-list＠qlustar.org 02 May '26

02 May '26

The Qlustar releases 14.1.2 and 13.4.2 are ready including a number of security/bug fixes. Please check the following web pages for details about security fixes and special update instructions: https://qlustar.com/qsa/2026/0502261 https://qlustar.com/qsa/2026/0502262 The following non-security related updates/enhancements/bug fixes are included: For Qlustar 14 only: - QluMan 14.1.4 * Alerts - Fixes/Improvements of the expression editor + Parse metric values as float and use QDoubleSpinBox for larger range of values. + Convert value to int when it's a whole number (e.g. use 16 instead of 16.0 in the expression). + Catch and show exception when opening expression editor. - Fixes/Improvements of the alert silencing dialog + Add ErrorDialog when fetching silences fails. + Reset input mask on save. + Reset color for Starts label when selection changes. + Fix exception about c++ object deleted on update. * Slurm ManageAssociations - Convert value to str before setting text in QOSLineEdit.undo(). * Command editor - Remove duplicate save of command when the name is changed. - Don't trigger a save when setting the argument filters while selecting a command. * Switch support - Remove host_id from SwitchData entries when deleting hosts. - Add the rights for SwitchData and query_switch to the 'Can configure hosts.' right. - Delete switch data if a switch is being deleted. * Misc - Fix local variable collision preventing qlustar module files getting copied to netboot nodes for lustre nodes. - nvidia-570 module * nvidia-persistenced: Enforce persistence-mode at startup. - lustre-2.17 + lustre-client module * Make ko2iblnd work with mlnx-ofed (doca).

1 0

Mitigation for the Copy Fail vulnerability - actions refined
by no-reply-list＠qlustar.org 01 May '26

01 May '26

It was discovered that the Linux kernel algif_aead module contained a logic flaw allowing a local attacker to escalate privileges to root. All Qlustar 14 Ubuntu releases are vulnerable to this bug. Qlustar 13 Ubuntu releases are not vulnerable and Qlustar 13/14 AlmaLinux releases are vulnerable but the public exploit does not work there. To mitigate the issue until kernel updates are made available please proceed as follows: On all running Qlustar 14 Ubuntu nodes including the head-node execute $ rmmod algif_aead $ rm -f /usr/lib/modules/*/kernel/crypto/algif_aead.ko Then for each Qlustar 14 image do $ qlustar-image-edit -s <img-name> $ rm -f usr/lib/modules/*/kernel/crypto/algif_aead.ko $ exit Please note the missing / at the beginning of the path here. These changes will prevent loading the faulty algif_aead kernel module, which is not needed on any standard Qlustar HPC/AI cluster setup. To check whether a node was already exploited execute $ diff /union/image/usr/bin/su /usr/bin/su If they differ, someone definitely has exploited the bug and became root. In that case reboot the node immediately after you have changed the image like explained above.

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

Qlustar General May 2026