From ${URL} :

Description
A vulnerability has been reported in TORQUE Resource Manager, which can be exploited by malicious users to compromise a vulnerable system. For more information: SA55622

Solution: Fixed in the source code repository. Further details available to Secunia VIM customers

Original Advisory: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729333

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2013-4495 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4495): The send_the_mail function in server/svr_mail.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) before 4.2.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the email (-M switch) to qsub.
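As an added illustration (not code from TORQUE, from the upstream commits, or from this bug thread): the defect class described above, a user-controlled qsub -M address reaching a shell, shown from the defensive side in C. It assumes a sendmail binary at /usr/sbin/sendmail; the function names and the allowlist are this example's own choices.

```c
/* Added example, not TORQUE's code. A user-controlled mail address must
 * never be spliced into a shell command line: here it is checked against
 * an allowlist and handed to the mailer as its own argv entry, so no shell
 * ever parses it. SENDMAIL_PATH is an assumption about the host. */
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SENDMAIL_PATH "/usr/sbin/sendmail"

/* Allowlist: letters, digits and "._+-", exactly one '@', at most 254 bytes,
 * and a leading alphanumeric so the value cannot be read as an option by
 * the mailer (argument injection). Returns 1 if acceptable, 0 otherwise. */
int mail_address_is_safe(const char *addr)
{
    size_t ats = 0;
    if (addr == NULL || !isalnum((unsigned char)addr[0]) || strlen(addr) > 254)
        return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '@') ats++;
        else if (!isalnum(c) && strchr("._+-", c) == NULL) return 0;
    }
    return ats == 1;
}

/* Hardened delivery: no system()/popen(). The address is a separate argv
 * element for sendmail and the message body goes to its stdin via a pipe.
 * Returns 0 on success, -1 on rejected input or delivery failure. */
int send_the_mail_safe(const char *addr, const char *body)
{
    int fds[2], status = 0;
    pid_t pid;
    if (!mail_address_is_safe(addr) || body == NULL) return -1;
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                               /* child: exec the mailer */
        char *const argv[] = { "sendmail", (char *)addr, NULL };
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execv(SENDMAIL_PATH, argv);
        _exit(127);                               /* exec failed */
    }
    close(fds[0]);
    ssize_t n = write(fds[1], body, strlen(body));
    close(fds[1]);
    waitpid(pid, &status, 0);
    return (n >= 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Rejected input never reaches fork(), so a malformed address from a job submission fails closed before any process is spawned.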
Upstream commits for 4.1 [1] and 2.5 [2] branches:

[1] https://github.com/adaptivecomputing/torque/commit/2aad72c3d2ac612ecbb66828ac6ed5ab51eff5f3
[2] https://github.com/adaptivecomputing/torque/commit/64da0af7ed27284f3397081313850bba270593db
Patch for 2.5 was superseded by this: https://github.com/adaptivecomputing/torque/commit/8246d967bbcf174482ef01b1bf4920a5944b1011
2.5.13 has been added to the tree with fixes for this issue and can be considered a stabilization target. I'm still working on 4.1.x

+*torque-2.5.13 (19 Jun 2014)
+
+  19 Jun 2014; Justin Bronder <jsbronder@gentoo.org> +torque-2.5.13.ebuild,
+  +files/CVE-2013-4495.patch, +files/CVE-2014-0749.patch:
+  Bump 2.5.13 with additional patches for CVE-2013-4495 (#491270) and
+  CVE-2014-0749 (#510726)
Alright, 4.1.7 is in the tree as well with the aforementioned patch applied. Please consider this to also be a stable target.
Thanks, Justin!

Arches, please test and mark stable:
=sys-cluster/torque-2.5.13
=sys-cluster/torque-4.1.7
Target KEYWORDS="alpha amd64 hppa ia64 ~mips ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
ppc stable
ppc64 stable
ia64 stable
sparc stable.

Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
+  26 Dec 2014; Kacper Kowalik <xarthisius@gentoo.org> -torque-2.5.12-r1.ebuild,
+  -torque-2.5.12.ebuild, -torque-4.1.5.1-r1.ebuild:
+  Drop old wrt #491270
There is a GLSA for it already.
This issue was resolved and addressed in GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml by GLSA coordinator Yury German (BlueKnight).