Описание
Security update for pdsh, slurm_18_08
This update for pdsh, slurm_18_08 fixes the following issues:
Slurm was included in the 18.08 release, as 'slurm_18_08' package. The version 18.08.9 contains all recent security fixes, including:
- CVE-2019-19728: Fixed a privilege escalation with srun, where --uid might have unintended side effects (bsc#1159692).
- CVE-2019-19727: Fixed permissions of slurmdbd.conf (bsc#1155784).
pdsh was updated to:
- Add support for an alternative SLURM version when building the slurm plugin.
Список пакетов
SUSE Linux Enterprise Module for HPC 12
Ссылки
- Link for SUSE-SU-2020:0434-1
- E-Mail link for SUSE-SU-2020:0434-1
- SUSE Security Ratings
- SUSE Bug 1018371
- SUSE Bug 1065697
- SUSE Bug 1085240
- SUSE Bug 1095508
- SUSE Bug 1123304
- SUSE Bug 1140709
- SUSE Bug 1155784
- SUSE Bug 1158709
- SUSE Bug 1158798
- SUSE Bug 1159692
- SUSE CVE CVE-2016-10030 page
- SUSE CVE CVE-2017-15566 page
- SUSE CVE CVE-2018-10995 page
- SUSE CVE CVE-2018-7033 page
- SUSE CVE CVE-2019-12838 page
- SUSE CVE CVE-2019-19727 page
- SUSE CVE CVE-2019-19728 page
Описание
The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. Any exploitation of this is dependent on the user being able to cause or anticipate the failure (non-zero return code) of a Prolog script that their job would run on. This issue affects all Slurm versions from 0.6.0 (September 2005) to present. Workarounds to prevent exploitation of this are to either disable your Prolog script, or modify it such that it always returns 0 ("success") and adjust it to set the node as down using scontrol instead of relying on the slurmd to handle that automatically. If you do not have a Prolog set you are unaffected by this issue.
Затронутые продукты
Ссылки
- CVE-2016-10030
- SUSE Bug 1018371
Описание
Insecure SPANK environment variable handling exists in SchedMD Slurm before 16.05.11, 17.x before 17.02.9, and 17.11.x before 17.11.0rc2, allowing privilege escalation to root during Prolog or Epilog execution.
Затронутые продукты
Ссылки
- CVE-2017-15566
- SUSE Bug 1065697
Описание
SchedMD Slurm before 17.02.11 and 17.1x.x before 17.11.7 mishandles user names (aka user_name fields) and group ids (aka gid fields).
Затронутые продукты
Ссылки
- CVE-2018-10995
- SUSE Bug 1095508
Описание
SchedMD Slurm before 17.02.10 and 17.11.x before 17.11.5 allows SQL Injection attacks against SlurmDBD.
Затронутые продукты
Ссылки
- CVE-2018-7033
- SUSE Bug 1085240
Описание
SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection.
Затронутые продукты
Ссылки
- CVE-2019-12838
- SUSE Bug 1140709
Описание
SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 has weak slurmdbd.conf permissions.
Затронутые продукты
Ссылки
- CVE-2019-19727
- SUSE Bug 1155784
Описание
SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes srun --uid with incorrect privileges.
Затронутые продукты
Ссылки
- CVE-2019-19728
- SUSE Bug 1155784
- SUSE Bug 1159692
Описание
SchedMD Slurm before 17.11.13 and 18.x before 18.08.5 mishandles 32-bit systems.
Затронутые продукты
Ссылки
- CVE-2019-6438
- SUSE Bug 1123304