Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 448
Alerts This Week
Warning Icon 1 448

openSUSE: SUSE-SU-2024:0284-1 Important: Slurm Permissions Issue

opensuse
Calendar Grey January 31, 2024
Dist Opensuse Esm H88
Essential security patch for slurm addresses multiple vulnerabilities and enhances overall protection. Important for every affected user.
This update for slurm fixes the following issues: Update to slurm 23.02.6:

Description

This update for slurm fixes the following issues:

Update to slurm 23.02.6:

Security fixes:

* CVE-2023-49933: Prevent message extension attacks that could bypass the

message hash. (bsc#1218046)

* CVE-2023-49935: Prevent message hash bypass in slurmd which can allow an

attacker to reuse root-level MUNGE tokens and escalate permissions.

(bsc#1218049)

* CVE-2023-49936: Prevent NULL pointer dereference on `size_valp` overflow.

(bsc#1218050)

* CVE-2023-49937: Prevent double-xfree() on error in

`_unpack_node_reg_resp()`. (bsc#1218051)

* CVE-2023-49938: Prevent modified `sbcast` RPCs from opening a file with the

wrong group permissions. (bsc#1218053)

Other fixes:

* Add missing service file for slurmrestd (bsc#1217711).

* Fix slurm upgrading to incompatible versions (bsc#1216869).

Patch

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like

YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* HPC Module 15-SP5

zypper in -t patch SUSE-SLE-Module-HPC-15-SP5-2024-284=1

* SUSE Package Hub 15 15-SP5

zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-284=1

* openSUSE Leap 15.5

zypper in -t patch SUSE-2024-284=1 openSUSE-SLE-15.5-2024-284=1

Package List

* HPC Module 15-SP5 (aarch64 x86_64)

* slurm-sql-debuginfo-23.02.7-150500.5.15.1

* slurm-munge-23.02.7-150500.5.15.1

* slurm-cray-23.02.7-150500.5.15.1

* slurm-pam_slurm-debuginfo-23.02.7-150500.5.15.1

* slurm-slurmdbd-debuginfo-23.02.7-150500.5.15.1

* slurm-rest-23.02.7-150500.5.15.1

* slurm-torque-debuginfo-23.02.7-150500.5.15.1

* slurm-plugin-ext-sensors-rrd-23.02.7-150500.5.15.1

* perl-slurm-debuginfo-23.02.7-150500.5.15.1

* slurm-auth-none-23.02.7-150500.5.15.1

* slurm-plugin-ext-sensors-rrd-debuginfo-23.02.7-150500.5.15.1

* slurm-sview-23.02.7-150500.5.15.1

* slurm-debuginfo-23.02.7-150500.5.15.1

* slurm-23.02.7-150500.5.15.1

* slurm-node-23.02.7-150500.5.15.1

* slurm-devel-23.02.7-150500.5.15.1

* slurm-plugins-debuginfo-23.02.7-150500.5.15.1

* slurm-torque-23.02.7-150500.5.15.1

* libpmi0-23.02.7-150500.5.15.1

* libpmi0-debuginfo-23.02.7-150500.5.15.1

* slurm-auth-none-debuginfo-23.02.7-150500.5.15.1

* slurm-sql-23.02.7-150500.5.15.1

* libnss_slurm2-23.02.7-150500.5.15.1

*...

Read the Full Advisory

References

* bsc#1216869

* bsc#1217711

* bsc#1218046

* bsc#1218049

* bsc#1218050

* bsc#1218051

* bsc#1218053

## References:

* https://www.suse.com/security/cve/CVE-2023-49933.html

* https://www.suse.com/security/cve/CVE-2023-49935.html

* https://www.suse.com/security/cve/CVE-2023-49936.html

* https://www.suse.com/security/cve/CVE-2023-49937.html

* https://www.suse.com/security/cve/CVE-2023-49938.html

* https://bugzilla.suse.com/show_bug.cgi?id=1216869

* https://bugzilla.suse.com/show_bug.cgi?id=1217711

* https://bugzilla.suse.com/show_bug.cgi?id=1218046

* https://bugzilla.suse.com/show_bug.cgi?id=1218049

* https://bugzilla.suse.com/show_bug.cgi?id=1218050

* https://bugzilla.suse.com/show_bug.cgi?id=1218051

* https://bugzilla.suse.com/show_bug.cgi?id=1218053

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2024:0284-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.