http://lists.suse.com/archive/suse-security-announce/2006-Oct/0007.html

Version is unspecified, but since 2.3.x has been around for a while, I'm assuming our current stable is vulnerable.

From SuSE:

- OpenPBS potential security problems
  An audit of OpenPBS found some potential security vulnerabilities that may allow the compromising of a system remotely and/or locally. An update was released to fix these issues.
attaching patch from duplicate bug #154315, altering title to be more descriptive, adding CVE reference.
Created attachment 101596: OpenPBS_2_3_16-security.diff
Untested patch from Thomas Biege via bug #154315.
*** Bug 154315 has been marked as a duplicate of this bug. ***
Pulling in herd for advice. Does openpbs run with root privileges?
(In reply to comment #4)
> Pulling in herd for advice. Does openpbs run with root privileges?

Yeah. And the patch applies clean, although I was unable to find a fixed SRPM on SuSE's servers -- e.g. http://ftp.opensuse.org/pub/opensuse/distribution/SL-10.1/inst-source/suse/src/ does not appear to have any recent OpenPBS patch.
Is something possible here? Otherwise, if no upgrade is possible, we should begin to think about p.masking it :(
I wouldn't mind just telling people to switch over to Torque. It's based off OpenPBS and is actually maintained.
Does anyone mind if I p.mask it, advising sys-cluster/torque as a replacement?
Fine by me.
p.masked, GLSA request filed
Donnie, an old sys-cluster/mpiexec-0.75 still depends on the vulnerable openpbs. Hi, x86 team, please could you test and mark stable sys-cluster/mpiexec-0.82 if appropriate. If it fails, you can try mpiexec-0.76-r2, thanks.
Of course, x86 can...x86 can do a lot...x86 is making you happy, everyday.
(In reply to comment #10)
> p.masked, GLSA request filed

You need to p.mask <=sys-cluster/mpiexec-0.76-r1 as well.
I commented out the mask due to the dep breakage:

    sys-cluster/mpiexec-0.75: nonsolvable depset(depends) keyword(x86) profile (default-linux/x86/2006.1/desktop): solutions: [ sys-cluster/openpbs ]

Remask it without dep breakage, please.
Now with <=sys-cluster/mpiexec-0.75 that should be OK. Ping me if there is still something wrong, but now repoman is happy. Sorry for the mess.
GLSA 200704-04, thanks everybody
(In reply to comment #16)
> GLSA 200704-04, thanks everybody

This ready to close?
sys-cluster/openpbs seems nuked.