https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address a number of recently-discovered security issues. They've been assigned CVE-2023-49933 through CVE-2023-49938. 1) CVE-2023-49935 Slurmd Message Integrity Bypass. (Slurm 23.02 and 23.11.) Permits an attacker to reuse root-level authentication tokens when interacting with the slurmd process, bypassing the RPC message hashes which protect against malicious MUNGE credential reuse. 2) CVE-2023-49938 Slurm Arbitrary File Overwrite. (Slurm 22.05 and 23.02.) Permits an attacker to modified their extended group list used with the sbcast subsystem, and open files with an incorrect set of extended groups. 3) CVE-2023-49936 Slurm NULL Pointer Dereference. (Slurm 22.05, 23.02, 23.11.) Denial of service. 4) CVE-2023-49937 Slurm Protocol Double Free. (Slurm 22.05, 23.02, 23.11.) Denial of service, potential for arbitrary code execution. 5) CVE-2023-49933 Slurm Protocol Message Extension. (Slurm 22.05, 23.02, 23.11.) Allows for malicious modification of RPC traffic that bypasses the message hash checks. 6) CVE-2023-49934 SQL Injection. (Slurm 23.11.)
Thanks! Already masked for bug 631552.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=878ee04160ad05c9a40beeac3ba2c973dbf436d6 commit 878ee04160ad05c9a40beeac3ba2c973dbf436d6 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2024-01-14 22:20:09 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-01-14 22:20:19 +0000 sys-cluster/slurm: treeclean Bug: https://bugs.gentoo.org/631552 Bug: https://bugs.gentoo.org/920104 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/package.mask | 4 - sys-cluster/slurm/Manifest | 1 - sys-cluster/slurm/files/logrotate | 20 -- .../slurm/files/slurm-22.05.3_autoconf-lua.patch | 49 ---- sys-cluster/slurm/files/slurm.confd | 6 - sys-cluster/slurm/files/slurm.tmpfiles | 1 - sys-cluster/slurm/files/slurmctld.initd | 76 ------ sys-cluster/slurm/files/slurmd.initd | 79 ------ sys-cluster/slurm/files/slurmdbd.initd | 74 ------ sys-cluster/slurm/metadata.xml | 28 -- sys-cluster/slurm/slurm-22.05.3.ebuild | 287 --------------------- 11 files changed, 625 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=d6957c8ab178c1284b5407f185196f3aa146ffb4 commit d6957c8ab178c1284b5407f185196f3aa146ffb4 Author: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in> AuthorDate: 2024-01-15 03:29:52 +0000 Commit: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in> CommitDate: 2024-01-15 03:29:52 +0000 profiles: mask a bunch of sys-cluster/* pkgs Bug: https://bugs.gentoo.org/631552 Bug: https://bugs.gentoo.org/920104 Signed-off-by: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in> profiles/package.mask | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+)
Hi John, I don't understand why sys-cluster/slurm deserves a treeclean. Newer versions addressing the CVE are available. Version bumps will solve the bugs.
Hi, I just saw this left the tree and am pretty bummed about it. Its mission critical for me. I hope you would reconsider, given the CVEs have bug fixed. Thanks for you work on this and for considering the request.
This package was already removed in Januari. In any case I'm sure it could be added back when someone want to maintain it and address the CVEs. That wasn't being done and hence the package was listed for removal. I'm not sure if ajak has additional considerations here.
> I'm not sure if ajak has additional considerations here. Nope, someone just needs to maintain it.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=b2a8e7761946e4dd7bf5f993678482d2a80f8d73 commit b2a8e7761946e4dd7bf5f993678482d2a80f8d73 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-09-22 07:39:27 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-09-22 07:39:40 +0000 [ GLSA 202409-16 ] Slurm: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/631552 Bug: https://bugs.gentoo.org/920104 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202409-16.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)