942684 – (CVE-2024-48936) sys-cluster/slurm: Incorrect Authorization

Bug 942684 (CVE-2024-48936) - sys-cluster/slurm: Incorrect Authorization

Summary: sys-cluster/slurm: Incorrect Authorization

Status:	CONFIRMED

Alias:	CVE-2024-48936

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://security-tracker.debian.org/t...
Whiteboard:	B1 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2024-11-01 20:27 UTC by foufou33
Modified:	2025-03-23 08:43 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description foufou33 2024-11-01 20:27:59 UTC

from debian's security tracker :
Description:	SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration.

upstream's release anouncment is here :
https://www.schedmd.com/slurm-version-24-05-4-is-now-available/

Reproducible: Always

Comment 1 Hans de Graaff gentoo-dev

2024-11-11 10:32:44 UTC

I have removed the version number from the summary because we use that to refer to fixed versions in Gentoo, and there is no such version right now.

Comment 2 John Helmert III archtester

2025-03-23 08:41:15 UTC

Ping, Benda?

Comment 3 John Helmert III archtester

2025-03-23 08:43:26 UTC

(In reply to John Helmert III from comment #2)
> Ping, Benda?

Please also add yourself as a maintainer (and perhaps remove the other maintainers) if you're going to take responsibility for this package.