Bug 920104 (CVE-2023-49933, CVE-2023-49934, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938) - sys-cluster/slurm: multiple vulnerabilities
Summary: sys-cluster/slurm: multiple vulnerabilities
Alias: CVE-2023-49933, CVE-2023-49934, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa?]
Reported: 2023-12-16 10:08 UTC by Jarkko Suominen
Modified: 2024-06-17 13:42 UTC
Runtime testing required: ---
Description Jarkko Suominen 2023-12-16 10:08:03 UTC

Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address 
a number of recently-discovered security issues. They've been assigned 
CVE-2023-49933 through CVE-2023-49938.

1) CVE-2023-49935 Slurmd Message Integrity Bypass. (Slurm 23.02 and 23.11.)

Permits an attacker to reuse root-level authentication tokens when 
interacting with the slurmd process, bypassing the RPC message hashes 
which protect against malicious MUNGE credential reuse.

2) CVE-2023-49938 Slurm Arbitrary File Overwrite. (Slurm 22.05 and 23.02.)

Permits an attacker to modify their extended group list used with the 
sbcast subsystem, and open files with an incorrect set of extended groups.

3) CVE-2023-49936 Slurm NULL Pointer Dereference. (Slurm 22.05, 23.02, 23.11.)

Denial of service.

4) CVE-2023-49937 Slurm Protocol Double Free. (Slurm 22.05, 23.02, 23.11.)
Denial of service, potential for arbitrary code execution.

5) CVE-2023-49933 Slurm Protocol Message Extension. (Slurm 22.05, 23.02, 23.11.)
Allows for malicious modification of RPC traffic that bypasses the 
message hash checks.

6) CVE-2023-49934 SQL Injection. (Slurm 23.11.)
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 22:20:50 UTC
Thanks! Already masked for bug 631552.
Comment 2 Larry the Git Cow gentoo-dev 2024-01-14 22:27:22 UTC
The bug has been referenced in the following commit(s):

commit 878ee04160ad05c9a40beeac3ba2c973dbf436d6
Author:     John Helmert III <>
AuthorDate: 2024-01-14 22:20:09 +0000
Commit:     John Helmert III <>
CommitDate: 2024-01-14 22:20:19 +0000

    sys-cluster/slurm: treeclean
    Signed-off-by: John Helmert III <>

 profiles/package.mask                              |   4 -
 sys-cluster/slurm/Manifest                         |   1 -
 sys-cluster/slurm/files/logrotate                  |  20 --
 .../slurm/files/slurm-22.05.3_autoconf-lua.patch   |  49 ----
 sys-cluster/slurm/files/slurm.confd                |   6 -
 sys-cluster/slurm/files/slurm.tmpfiles             |   1 -
 sys-cluster/slurm/files/slurmctld.initd            |  76 ------
 sys-cluster/slurm/files/slurmd.initd               |  79 ------
 sys-cluster/slurm/files/slurmdbd.initd             |  74 ------
 sys-cluster/slurm/metadata.xml                     |  28 --
 sys-cluster/slurm/slurm-22.05.3.ebuild             | 287 ---------------------
 11 files changed, 625 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-01-15 15:46:50 UTC
The bug has been referenced in the following commit(s):

commit d6957c8ab178c1284b5407f185196f3aa146ffb4
Author:     Anna (cybertailor) Vyalkova <>
AuthorDate: 2024-01-15 03:29:52 +0000
Commit:     Anna (cybertailor) Vyalkova <>
CommitDate: 2024-01-15 03:29:52 +0000

    profiles: mask a bunch of sys-cluster/* pkgs
    Signed-off-by: Anna (cybertailor) Vyalkova <>

 profiles/package.mask | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
Comment 4 Benda Xu gentoo-dev 2024-04-24 06:27:15 UTC
Hi John, I don't understand why sys-cluster/slurm deserves a treeclean.  Newer versions addressing the CVE are available.  Version bumps will solve the bugs.
Comment 5 Peter Gustafson 2024-06-17 13:33:38 UTC
Hi, I just saw this left the tree and am pretty bummed about it.  It's mission critical for me.  I hope you would reconsider, given the CVEs have bug fixes.

Thanks for your work on this and for considering the request.
Comment 6 Hans de Graaff gentoo-dev Security 2024-06-17 13:42:35 UTC
This package was already removed in January. In any case I'm sure it could be added back when someone wants to maintain it and address the CVEs. That wasn't being done and hence the package was listed for removal.

I'm not sure if ajak has additional considerations here.