https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address a number of recently-discovered security issues. They've been assigned CVE-2023-49933 through CVE-2023-49938. 1) CVE-2023-49935 Slurmd Message Integrity Bypass. (Slurm 23.02 and 23.11.) Permits an attacker to reuse root-level authentication tokens when interacting with the slurmd process, bypassing the RPC message hashes which protect against malicious MUNGE credential reuse. 2) CVE-2023-49938 Slurm Arbitrary File Overwrite. (Slurm 22.05 and 23.02.) Permits an attacker to modified their extended group list used with the sbcast subsystem, and open files with an incorrect set of extended groups. 3) CVE-2023-49936 Slurm NULL Pointer Dereference. (Slurm 22.05, 23.02, 23.11.) Denial of service. 4) CVE-2023-49937 Slurm Protocol Double Free. (Slurm 22.05, 23.02, 23.11.) Denial of service, potential for arbitrary code execution. 5) CVE-2023-49933 Slurm Protocol Message Extension. (Slurm 22.05, 23.02, 23.11.) Allows for malicious modification of RPC traffic that bypasses the message hash checks. 6) CVE-2023-49934 SQL Injection. (Slurm 23.11.)
Thanks! Already masked for bug 631552.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=878ee04160ad05c9a40beeac3ba2c973dbf436d6 commit 878ee04160ad05c9a40beeac3ba2c973dbf436d6 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2024-01-14 22:20:09 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-01-14 22:20:19 +0000 sys-cluster/slurm: treeclean Bug: https://bugs.gentoo.org/631552 Bug: https://bugs.gentoo.org/920104 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/package.mask | 4 - sys-cluster/slurm/Manifest | 1 - sys-cluster/slurm/files/logrotate | 20 -- .../slurm/files/slurm-22.05.3_autoconf-lua.patch | 49 ---- sys-cluster/slurm/files/slurm.confd | 6 - sys-cluster/slurm/files/slurm.tmpfiles | 1 - sys-cluster/slurm/files/slurmctld.initd | 76 ------ sys-cluster/slurm/files/slurmd.initd | 79 ------ sys-cluster/slurm/files/slurmdbd.initd | 74 ------ sys-cluster/slurm/metadata.xml | 28 -- sys-cluster/slurm/slurm-22.05.3.ebuild | 287 --------------------- 11 files changed, 625 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=d6957c8ab178c1284b5407f185196f3aa146ffb4 commit d6957c8ab178c1284b5407f185196f3aa146ffb4 Author: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in> AuthorDate: 2024-01-15 03:29:52 +0000 Commit: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in> CommitDate: 2024-01-15 03:29:52 +0000 profiles: mask a bunch of sys-cluster/* pkgs Bug: https://bugs.gentoo.org/631552 Bug: https://bugs.gentoo.org/920104 Signed-off-by: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in> profiles/package.mask | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+)
Hi John, I don't understand why sys-cluster/slurm deserves a treeclean. Newer versions addressing the CVE are available. Version bumps will solve the bugs.
