pmix just released a bunch of new versions for all supported (and officially unsupported) branches: https://github.com/openpmix/openpmix/releases All of them address CVE-2023-41915.
CVE-2023-41915: OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0. Fixes indeed appear to be in 4.2.6 and 5.0.1: https://github.com/openpmix/openpmix/releases/tag/v4.2.6 https://github.com/openpmix/openpmix/releases/tag/v5.0.1
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd296783cab97c794a2afb16c2049890ad357880 commit cd296783cab97c794a2afb16c2049890ad357880 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-12-20 10:03:19 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-12-20 10:03:29 +0000 sys-cluster/pmix: add 4.2.8 Bug: https://bugs.gentoo.org/914381 Signed-off-by: Sam James <sam@gentoo.org> sys-cluster/pmix/Manifest | 1 + sys-cluster/pmix/pmix-4.2.8.ebuild | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+)
