Version is unspecified, but since 2.3.x has been around for a while, I'm assuming our current stable is vulnerable. From SuSE:
- OpenPBS potential security problems
An audit of OpenPBS found some potential security vulnerabilities that
may allow the compromising of a system remotely and/or locally. An update was
released to fix these issues.
attaching patch from duplicate bug #154315, altering title to be more descriptive, adding CVE reference.
Created attachment 101596
Untested patch from Thomas Biege via bug #154315.
*** Bug 154315 has been marked as a duplicate of this bug. ***
Pulling in herd for advice. Does openpbs run with root privileges?
(In reply to comment #4)
> Pulling in herd for advice. Does openpbs run with root privileges?
Yeah. And the patch applies clean, although I was unable to find a fixed SRPM on SuSE's servers -- e.g. http://ftp.opensuse.org/pub/opensuse/distribution/SL-10.1/inst-source/suse/src/ does not appear to have any recent OpenPBS patch.
Is something possible here? Otherwise, if no upgrade is possible, we should begin to think about p.masking it :(
I wouldn't mind just telling people to switch over to Torque. It's based off OpenPBS and is actually maintained.
Does anyone mind if I p.mask it, advising sys-cluster/torque as a replacement?
Fine by me.
p.masked, GLSA request filed
Donnie, an old sys-cluster/mpiexec-0.75 still depends on the vulnerable openpbs.
Hi, x86 team, please could you test and mark stable sys-cluster/mpiexec-0.82 if appropriate. If it fails, you can try mpiexec-0.76-r2, thanks.
Of course, x86 can... x86 can do a lot... x86 is making you happy, every day.
(In reply to comment #10)
> p.masked, GLSA request filed
You need to p.mask <=sys-cluster/mpiexec-0.76-r1 as well.
I commented out the mask due to the dep breakage:
sys-cluster/mpiexec-0.75: nonsolvable depset(depends) keyword(x86) profile (default-linux/x86/2006.1/desktop): solutions: [ sys-cluster/openpbs ]
Remask it without dep breakage, please.
Now with <=sys-cluster/mpiexec-0.75 that should be OK. Ping me if there is still something wrong, but now repoman is happy. Sorry for the mess.
GLSA 200704-04, thanks everybody
(In reply to comment #16)
> GLSA 200704-04, thanks everybody
This ready to close?
sys-cluster/openpbs seems nuked.