Описание
Security update for slurm_23_02
This update for slurm_23_02 fixes the following issues:
Update to slurm 23.02.6:
Security fixes:
- CVE-2023-49933: Prevent message extension attacks that could bypass the message hash. (bsc#1218046)
- CVE-2023-49935: Prevent message hash bypass in slurmd which can allow an attacker to reuse root-level MUNGE tokens and escalate permissions. (bsc#1218049)
- CVE-2023-49936: Prevent NULL pointer dereference on
size_valpoverflow. (bsc#1218050) - CVE-2023-49937: Prevent double-xfree() on error in
_unpack_node_reg_resp(). (bsc#1218051) - CVE-2023-49938: Prevent modified
sbcastRPCs from opening a file with the wrong group permissions. (bsc#1218053)
Other fixes:
- Add missing service file for slurmrestd (bsc#1217711).
- Fix slurm upgrading to incompatible versions (bsc#1216869).
Список пакетов
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
Ссылки
- Link for SUSE-SU-2024:0289-1
- E-Mail link for SUSE-SU-2024:0289-1
- SUSE Security Ratings
- SUSE Bug 1216869
- SUSE Bug 1217711
- SUSE Bug 1218046
- SUSE Bug 1218049
- SUSE Bug 1218050
- SUSE Bug 1218051
- SUSE Bug 1218053
- SUSE CVE CVE-2023-49933 page
- SUSE CVE CVE-2023-49935 page
- SUSE CVE CVE-2023-49936 page
- SUSE CVE CVE-2023-49937 page
- SUSE CVE CVE-2023-49938 page
Описание
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. There is Improper Enforcement of Message Integrity During Transmission in a Communication Channel. This allows attackers to modify RPC traffic in a way that bypasses message hash checks. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.
Затронутые продукты
Ссылки
- CVE-2023-49933
- SUSE Bug 1218046
Описание
An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.
Затронутые продукты
Ссылки
- CVE-2023-49935
- SUSE Bug 1218049
Описание
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. A NULL pointer dereference leads to denial of service. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.
Затронутые продукты
Ссылки
- CVE-2023-49936
- SUSE Bug 1218050
Описание
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. Because of a double free, attackers can cause a denial of service or possibly execute arbitrary code. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.
Затронутые продукты
Ссылки
- CVE-2023-49937
- SUSE Bug 1218051
Описание
An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7.
Затронутые продукты
Ссылки
- CVE-2023-49938
- SUSE Bug 1218053