Please bump if needed
security bug
From the Secunia security advisory at $URL:

Description: The vulnerability is caused due to an unspecified error when using munge authentication and can be exploited to impersonate other users. The vulnerability is reported in versions prior to 2.5.9.

Solution: Update to version 2.5.9.
+ 03 Jan 2012; Kacper Kowalik <xarthisius@gentoo.org> +torque-2.5.9.ebuild, + -torque-2.5.8.ebuild: + Version bump wrt #390167, drop old
Thanks. Arches, please test and mark stable:
=sys-cluster/torque-2.5.9
Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
I may have jumped the gun; apologies for that. @cluster and Alexey, should we move forward and stabilize =sys-cluster/torque-2.5.9?
There shouldn't be any need to stabilize as torque-2.5.x has never been stable (and most likely never will if 3.0 continues progressing well).
(In reply to comment #6)
> There shouldn't be any need to stabilize as torque-2.5.x has never been stable
> (and most likely never will if 3.0 continues progressing well).

As I understand it, only the 2.5.x branch was affected. The bug was in munge authentication, which was introduced in 2.5.3. I can't find information on whether it's relevant for 3.0.x, but I suppose it is, since it was a backport.
Ok, thanks. It looks like CVE-2011-2907/bug 378805 affects 2.4 or 2.5; would you agree?

http://www.clusterresources.com/pipermail/torqueusers/2011-August/013194.html
(In reply to comment #8)
> Ok, thanks. It looks like CVE-2011-2907/bug 378805 affect 2.4 or 2.5; would you
> agree?
>
> http://www.clusterresources.com/pipermail/torqueusers/2011-August/013194.html

Correct. For 2.5.x the workaround is to use munge. For 2.4.x, use acl_hosts. As noted in the linked thread, it's always been the assumption that the cluster is behind a firewall.
Thanks, Jason. Can we move forward then and stabilize 2.5.9 (via bug 378805)?
CVE-2011-4925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4925): Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) before 2.5.9, when munge authentication is used, allows remote authenticated users to impersonate arbitrary user accounts via unspecified vectors.
We do realize this bug is quite old, but is there any target version for stabilization?
Arches, please test and stabilize:
=sys-cluster/torque-2.5.12
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
(In reply to Chris Reffett from comment #13)
> Arches, please test and stabilize:
> =sys-cluster/torque-2.5.12
> Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86

It makes no sense to do two stabilizations within a few days; let's wait for bug 484320.
Added to an existing GLSA request
All vulnerable gone, GLSA issued?
This issue was resolved and addressed in GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml by GLSA coordinator Yury German (BlueKnight).