From ${URL} :

Chad Vizino reported a flaw in the TORQUE Resource Manager that would allow non-root users to kill any process, including root-owned ones on any node in a job:

http://seclists.org/oss-sec/2014/q4/75

The fixes in the 4.2 branch appear applicable to the version of TORQUE in Fedora and EPEL:

https://github.com/adaptivecomputing/torque/commit/f2f4c950f3d461a249111c8826da3beaafccace9
https://github.com/adaptivecomputing/torque/commit/967cdc80150690459a47a35a658abeee0ca6e5cb

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The prior 4.2 ebuild was unstable, probably no need for stabilization. +*torque-4.2.9-r1 (17 Oct 2014) + + 17 Oct 2014; Justin Bronder <jsbronder@gentoo.org> -torque-4.2.9.ebuild, + +torque-4.2.9-r1.ebuild, + +files/TRQ-2885-limit-tm_adopt-to-only-adopt-a-session-id-t.patch: + Apply upstream fixes for TRQ-2885. #524362
Thanks for the bump, Justin. The 4.2 branch is not stable, so closing noglsa.