Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -7 articles for you...
100
security advisoryDoSimportantSUSE: 2025:01751-1 important: slurm permission management issue
* bsc#1243666 Cross-References: * CVE-2025-43904 . # Security update for slurm Announcement ID: SUSE-SU-2025:01751-1 Release Date: 2025-05-29T12:53:41Z Rating: important References: * bsc#1243666 Cross-References: * CVE-2025-43904 CVSS scores: * CVE-2025-43904 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2025-43904 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * HPC Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Package Hub 15 15-SP7 An update that solves one vulnerability can now be installed. ## Description: This update for slurm fixes the following issues: Update to version 24.11.5. Security issues fixed: * CVE-2025-43904: an issue with permission handling for Coordinators within the accounting system allowed Coordinators to promote a user to Administrator (bsc#1243666). Other changes and issues fixed: * Changes from version 24.11.5 * Return error to `scontrol` reboot on bad nodelists. * `slurmrestd` \- Report an error when QOS resolution fails for v0.0.40 endpoints. * `slurmrestd` \- Report an error when QOS resolution fails for v0.0.41 endpoints. * `slurmrestd` \- Report an error when QOS resolution fails for v0.0.42 endpoints. * `data_parser/v0.0.42` \- Added `+inline_enums` flag which modifies the output when generating OpenAPI specification. It causes enum arrays to not be defined in their own schema with references (`$ref`) to them. Instead they will be dumped inline. * Fix binding error with `tres-bind map/mask` on partial node allocations. * Fix `stepmgr` enabled steps being able to request features. * Reject step creation if requested feature is not available in job. * `slurmd` \- Restrict listening for new incoming RPC requests further into startup. *`slurmd` \- Avoid `auth/slurm` related hangs of CLI commands during startup and shutdown. * `slurmctld` \- Restrict processing new incoming RPC requests further into startup. Stop processing requests sooner during shutdown. * `slurmcltd` \- Avoid auth/slurm related hangs of CLI commands during startup and shutdown. * `slurmctld` \- Avoid race condition during shutdown or ereconfigure that could result in a crash due delayed processing of a connection while plugins are unloaded. * Fix small memleak when getting the job list from the database. * Fix incorrect printing of `%` escape characters when printing stdio fields for jobs. * Fix padding parsing when printing stdio fields for jobs. * Fix printing `%A` array job id when expanding patterns. * Fix reservations causing jobs to be held for `Bad Constraints`. * `switch/hpe_slingshot` \- Prevent potential segfault on failed curl request to the fabric manager. * Fix printing incorrect array job id when expanding stdio file names. The `%A` will now be substituted by the correct value. * Fix printing incorrect array job id when expanding stdio file names. The `%A` will now be substituted by the correct value. * `switch/hpe_slingshot` \- Fix VNI range not updating on slurmctld restart or reconfigre. * Fix steps not being created when using certain combinations of `-c` and `-n` inferior to the jobs requested resources, when using stepmgr and nodes are configured with `CPUs == Sockets*CoresPerSocket`. * Permit configuring the number of retry attempts to destroy CXI service via the new destroy_retries `SwitchParameter`. * Do not reset `memory.high` and `memory.swap.max` in slurmd startup or reconfigure as we are never really touching this in `slurmd`. * Fix reconfigure failure of slurmd when it has been started manually and the `CoreSpecLimits` have been removed from `slurm.conf`. * Set or reset CoreSpec limits when slurmd is reconfigured and it was started with systemd. *`switch/hpe-slingshot` \- Make sure the slurmctld can free step VNIs after the controller restarts or reconfigures while the job is running. * Fix backup `slurmctld` failure on 2nd takeover. * Changes from version 24.11.4 * `slurmctld`,`slurmrestd` \- Avoid possible race condition that could have caused process to crash when listener socket was closed while accepting a new connection. * `slurmrestd` \- Avoid race condition that could have resulted in address logged for a UNIX socket to be incorrect. * `slurmrestd` \- Fix parameters in OpenAPI specification for the following endpoints to have `job_id` field: `GET /slurm/v0.0.40/jobs/state/ GET /slurm/v0.0.41/jobs/state/ GET /slurm/v0.0.42/jobs/state/ GET /slurm/v0.0.43/jobs/state/` * `slurmd` \- Fix tracking of thread counts that could cause incoming connections to be ignored after burst of simultaneous incoming connections that trigger delayed response logic. * Avoid unnecessary `SRUN_TIMEOUT` forwarding to `stepmgr`. * Fix jobs being scheduled on higher weighted powered down nodes. * Fix how backfill scheduler filters nodes from the available nodes based on exclusive user and `mcs_label` requirements. * `acct_gather_energy/{gpu,ipmi}` \- Fix potential energy consumption adjustment calculation underflow. * `acct_gather_energy/ipmi` \- Fix regression introduced in 24.05.5 (which introduced the new way of preserving energy measurements through slurmd restarts) when `EnergyIPMICalcAdjustment=yes`. * Prevent `slurmctld` deadlock in the assoc mgr. * Fix memory leak when `RestrictedCoresPerGPU` is enabled. * Fix preemptor jobs not entering execution due to wrong calculation of accounting policy limits. * Fix certain job requests that were incorrectly denied with node configuration unavailable error. * `slurmd` \- Avoid crash due when slurmd has a communications failure with `slurmstepd`. * Fix memory leak when parsing yaml input. * Prevent `slurmctld` from showingerror message about `PreemptMode=GANG` being a cluster-wide option for `scontrol update part` calls that don't attempt to modify partition PreemptMode. * Fix setting `GANG` preemption on partition when updating `PreemptMode` with `scontrol`. * Fix `CoreSpec` and `MemSpec` limits not being removed from previously configured slurmd. * Avoid race condition that could lead to a deadlock when `slurmd`, `slurmstepd`, `slurmctld`, `slurmrestd` or `sackd` have a fatal event. * Fix jobs using `--ntasks-per-node` and `--mem` keep pending forever when the requested mem divided by the number of CPUs will surpass the configured `MaxMemPerCPU`. * `slurmd` \- Fix address logged upon new incoming RPC connection from `INVALID` to IP address. * Fix memory leak when retrieving reservations. This affects `scontrol`, `sinfo`, `sview`, and the following `slurmrestd` endpoints: `GET /slurm/{any_data_parser}/reservation/{reservation_name}` `GET /slurm/{any_data_parser}/reservations` * Log warning instead of `debuflags=conmgr` gated log when deferring new incoming connections when number of active connections exceed `conmgr_max_connections`. * Avoid race condition that could result in worker thread pool not activating all threads at once after a reconfigure resulting in lower utilization of available CPU threads until enough internal activity wakes up all threads in the worker pool. * Avoid theoretical race condition that could result in new incoming RPC socket connections being ignored after reconfigure. * slurmd - Avoid race condition that could result in a state where new incoming RPC connections will always be ignored. * Add ReconfigFlags=KeepNodeStateFuture to restore saved `FUTURE` node state on restart and reconfig instead of reverting to `FUTURE` state. This will be made the default in 25.05. * Fix case where hetjob submit would cause `slurmctld` to crash. * Fix jobs using `--cpus-per-gpu` and `--mem` keep pending foreverwhen the requested mem divided by the number of CPUs will surpass the configured `MaxMemPerCPU`. * Enforce that jobs using `--mem` and several `--*-per-*` options do not violate the `MaxMemPerCPU` in place. * `slurmctld` \- Fix use-cases of jobs incorrectly pending held when `--prefer` features are not initially satisfied. * `slurmctld` \- Fix jobs incorrectly held when `--prefer` not satisfied in some use-cases. * Ensure `RestrictedCoresPerGPU` and `CoreSpecCount` don't overlap. * Changes from version 24.11.3 * Fix database cluster ID generation not being random. * Fix a regression in which `slurmd -G` gave no output. * Fix a long-standing crash in `slurmctld` after updating a reservation with an empty nodelist. The crash could occur after restarting slurmctld, or if downing/draining a node in the reservation with the `REPLACE` or `REPLACE_DOWN` flag. * Avoid changing process name to "`watch`" from original daemon name. This could potentially breaking some monitoring scripts. * Avoid `slurmctld` being killed by `SIGALRM` due to race condition at startup. * Fix race condition in slurmrestd that resulted in "`Requested data_parser plugin does not support OpenAPI plugin`" error being returned for valid endpoints. * Fix race between `task/cgroup` CPUset and `jobacctgather/cgroup`. The first was removing the pid from `task_X` cgroup directory causing memory limits to not being applied. * If multiple partitions are requested, set the `SLURM_JOB_PARTITION` output environment variable to the partition in which the job is running for `salloc` and `srun` in order to match the documentation and the behavior of `sbatch`. * `srun` \- Fixed wrongly constructed `SLURM_CPU_BIND` env variable that could get propagated to downward srun calls in certain mpi environments, causing launch failures. * Don't print misleading errors for stepmgr enabled steps. * `slurmrestd` \- Avoid connection to slurmdbd for the followingendpoints: `GET /slurm/v0.0.41/jobs GET /slurm/v0.0.41/job/{job_id}` * `slurmrestd` \- Avoid connection to slurmdbd for the following endpoints: `GET /slurm/v0.0.40/jobs GET /slurm/v0.0.40/job/{job_id}` * `slurmrestd` \- Fix possible memory leak when parsing arrays with `data_parser/v0.0.40`. * `slurmrestd` \- Fix possible memory leak when parsing arrays with `data_parser/v0.0.41`. * `slurmrestd` \- Fix possible memory leak when parsing arrays with `data_parser/v0.0.42`. * Changes from version 24.11.2 * Fix segfault when submitting `--test-only` jobs that can preempt. * Fix regression introduced in 23.11 that prevented the following flags from being added to a reservation on an update: `DAILY`, `HOURLY`, `WEEKLY`, `WEEKDAY`, and `WEEKEND`. * Fix crash and issues evaluating job's suitability for running in nodes with already suspended job(s) there. * `slurmctld` will ensure that healthy nodes are not reported as `UnavailableNodes` in job reason codes. * Fix handling of jobs submitted to a current reservation with flags `OVERLAP,FLEX` or `OVERLAP,ANY_NODES` when it overlaps nodes with a future maintenance reservation. When a job submission had a time limit that overlapped with the future maintenance reservation, it was rejected. Now the job is accepted but stays pending with the reason "`ReqNodeNotAvail, Reserved for maintenance`". * `pam_slurm_adopt` \- avoid errors when explicitly setting some arguments to the default value. * Fix QOS preemption with `PreemptMode=SUSPEND`. * `slurmdbd` \- When changing a user's name update lineage at the same time. * Fix regression in 24.11 in which `burst_buffer.lua` does not inherit the `SLURM_CONF` environment variable from `slurmctld` and fails to run if slurm.conf is in a non-standard location. * Fix memory leak in slurmctld if `select/linear` and the `PreemptParameters=reclaim_licenses` options are both set in `slurm.conf`. Regression in 24.11.1. * Fix runningjobs, that requested multiple partitions, from potentially being set to the wrong partition on restart. * `switch/hpe_slingshot` \- Fix compatibility with newer cxi drivers, specifically when specifying `disable_rdzv_get`. * Add `ABORT_ON_FATAL` environment variable to capture a backtrace from any `fatal()` message. * Fix printing invalid address in rate limiting log statement. * `sched/backfill` \- Fix node state `PLANNED` not being cleared from fully allocated nodes during a backfill cycle. * `select/cons_tres` \- Fix future planning of jobs with `bf_licenses`. * Prevent redundant "`on_data returned rc: Rate limit exceeded, please retry momentarily`" error message from being printed in slurmctld logs. * Fix loading non-default QOS on pending jobs from pre-24.11 state. * Fix pending jobs displaying `QOS=(null)` when not explicitly requesting a QOS. * Fix segfault issue from job record with no `job_resrcs`. * Fix failing `sacctmgr delete/modify/show` account operations with `where` clauses. * Fix regression in 24.11 in which Slurm daemons started catching several `SIGTSTP`, `SIGTTIN` and `SIGUSR1` signals and ignored them, while before they were not ignoring them. This also caused slurmctld to not being able to shutdown after a `SIGTSTP` because slurmscriptd caught the signal and stopped while slurmctld ignored it. Unify and fix these situations and get back to the previous behavior for these signals. * Document that `SIGQUIT` is no longer ignored by `slurmctld`, `slurmdbd`, and slurmd in 24.11. As of 24.11.0rc1, `SIGQUIT` is identical to `SIGINT` and `SIGTERM` for these daemons, but this change was not documented. * Fix not considering nodes marked for reboot without ASAP in the scheduler. * Remove the `boot^` state on unexpected node reboot after return to service. * Do not allow new jobs to start on a node which is being rebooted with the flag `nextstate=resume`. * Prevent lower priority job running after cancelling anASAP reboot. * Fix srun jobs starting on `nextstate=resume` rebooting nodes. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * HPC Module 15-SP7 zypper in -t patch SUSE-SLE-Module-HPC-15-SP7-2025-1751=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-1751=1 ## Package List: * HPC Module 15-SP7 (aarch64 x86_64) * slurm-sql-debuginfo-24.11.5-150700.3.3.1 * slurm-lua-debuginfo-24.11.5-150700.3.3.1 * slurm-rest-debuginfo-24.11.5-150700.3.3.1 * slurm-cray-24.11.5-150700.3.3.1 * slurm-auth-none-24.11.5-150700.3.3.1 * slurm-munge-24.11.5-150700.3.3.1 * slurm-slurmdbd-debuginfo-24.11.5-150700.3.3.1 * slurm-torque-debuginfo-24.11.5-150700.3.3.1 * slurm-lua-24.11.5-150700.3.3.1 * libnss_slurm2-24.11.5-150700.3.3.1 * slurm-node-24.11.5-150700.3.3.1 * slurm-slurmdbd-24.11.5-150700.3.3.1 * slurm-pam_slurm-debuginfo-24.11.5-150700.3.3.1 * slurm-debugsource-24.11.5-150700.3.3.1 * slurm-sview-24.11.5-150700.3.3.1 * libpmi0-debuginfo-24.11.5-150700.3.3.1 * slurm-node-debuginfo-24.11.5-150700.3.3.1 * perl-slurm-24.11.5-150700.3.3.1 * slurm-sql-24.11.5-150700.3.3.1 * slurm-torque-24.11.5-150700.3.3.1 * slurm-plugins-24.11.5-150700.3.3.1 * slurm-debuginfo-24.11.5-150700.3.3.1 * libpmi0-24.11.5-150700.3.3.1 * slurm-cray-debuginfo-24.11.5-150700.3.3.1 * libnss_slurm2-debuginfo-24.11.5-150700.3.3.1 * slurm-24.11.5-150700.3.3.1 * slurm-pam_slurm-24.11.5-150700.3.3.1 * slurm-munge-debuginfo-24.11.5-150700.3.3.1 * slurm-plugins-debuginfo-24.11.5-150700.3.3.1 * perl-slurm-debuginfo-24.11.5-150700.3.3.1 * libslurm42-24.11.5-150700.3.3.1 * libslurm42-debuginfo-24.11.5-150700.3.3.1 * slurm-devel-24.11.5-150700.3.3.1 * slurm-auth-none-debuginfo-24.11.5-150700.3.3.1 *slurm-rest-24.11.5-150700.3.3.1 * slurm-sview-debuginfo-24.11.5-150700.3.3.1 * HPC Module 15-SP7 (noarch) * slurm-doc-24.11.5-150700.3.3.1 * slurm-config-man-24.11.5-150700.3.3.1 * slurm-webdoc-24.11.5-150700.3.3.1 * slurm-config-24.11.5-150700.3.3.1 * SUSE Package Hub 15 15-SP7 (ppc64le s390x) * slurm-sql-debuginfo-24.11.5-150700.3.3.1 * slurm-lua-debuginfo-24.11.5-150700.3.3.1 * slurm-rest-debuginfo-24.11.5-150700.3.3.1 * slurm-cray-24.11.5-150700.3.3.1 * slurm-auth-none-24.11.5-150700.3.3.1 * slurm-munge-24.11.5-150700.3.3.1 * slurm-slurmdbd-debuginfo-24.11.5-150700.3.3.1 * slurm-torque-debuginfo-24.11.5-150700.3.3.1 * slurm-lua-24.11.5-150700.3.3.1 * libnss_slurm2-24.11.5-150700.3.3.1 * slurm-node-24.11.5-150700.3.3.1 * slurm-slurmdbd-24.11.5-150700.3.3.1 * slurm-pam_slurm-debuginfo-24.11.5-150700.3.3.1 * slurm-debugsource-24.11.5-150700.3.3.1 * slurm-sview-24.11.5-150700.3.3.1 * libpmi0-debuginfo-24.11.5-150700.3.3.1 * slurm-node-debuginfo-24.11.5-150700.3.3.1 * perl-slurm-24.11.5-150700.3.3.1 * slurm-sql-24.11.5-150700.3.3.1 * slurm-torque-24.11.5-150700.3.3.1 * slurm-plugins-24.11.5-150700.3.3.1 * slurm-debuginfo-24.11.5-150700.3.3.1 * libpmi0-24.11.5-150700.3.3.1 * slurm-cray-debuginfo-24.11.5-150700.3.3.1 * libnss_slurm2-debuginfo-24.11.5-150700.3.3.1 * slurm-24.11.5-150700.3.3.1 * slurm-pam_slurm-24.11.5-150700.3.3.1 * slurm-munge-debuginfo-24.11.5-150700.3.3.1 * slurm-plugins-debuginfo-24.11.5-150700.3.3.1 * perl-slurm-debuginfo-24.11.5-150700.3.3.1 * slurm-hdf5-24.11.5-150700.3.3.1 * slurm-devel-24.11.5-150700.3.3.1 * slurm-auth-none-debuginfo-24.11.5-150700.3.3.1 * slurm-hdf5-debuginfo-24.11.5-150700.3.3.1 * slurm-rest-24.11.5-150700.3.3.1 * slurm-sview-debuginfo-24.11.5-150700.3.3.1 * SUSE Package Hub 15 15-SP7 (noarch) * slurm-doc-24.11.5-150700.3.3.1 * slurm-config-man-24.11.5-150700.3.3.1 *slurm-config-24.11.5-150700.3.3.1 * slurm-sjstat-24.11.5-150700.3.3.1 * slurm-openlava-24.11.5-150700.3.3.1 * slurm-seff-24.11.5-150700.3.3.1 * slurm-webdoc-24.11.5-150700.3.3.1 ## References: * https://www.suse.com/security/cve/CVE-2025-43904.html * https://bugzilla.suse.com/show_bug.cgi?id=1243666 . The recent security update from SUSE for slurm takes action on CVE-2025-43905, enhancing the management of permissions related to user roles.. SUSE Slurm Security Update Permission Management CVE-2025-43904. . Severity: Important. LinuxSecurity.com Team
May 29, 2025
•Important
SuSE
172
security advisorysudolocal attackUbuntu 2146-1 Critical Advisory: Sudo Local Attack Risks
Several security issues were fixed in Sudo.. =========================================================================Ubuntu Security Notice USN-2146-1 March 13, 2014 sudo vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: Several security issues were fixed in Sudo. Software Description: - sudo: Provide limited super user privileges to specific users Details: Sebastien Macke discovered that Sudo incorrectly handled blacklisted environment variables when the env_reset option was disabled. A local attacker could use this issue to possibly run unintended commands by using blacklisted environment variables. In a default Ubuntu installation, the env_reset option is enabled by default. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2014-0106) It was discovered that the Sudo init script set a date in the past on existing timestamp files instead of using epoch to invalidate them completely. A local attacker could possibly modify the system time to attempt to reuse timestamp files. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10. (LP: #1223297) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: sudo 1.8.6p3-0ubuntu3.1 sudo-ldap 1.8.6p3-0ubuntu3.1 Ubuntu 12.10: sudo 1.8.5p2-1ubuntu1.2 sudo-ldap 1.8.5p2-1ubuntu1.2 Ubuntu 12.04 LTS: sudo 1.8.3p1-1ubuntu3.6 sudo-ldap 1.8.3p1-1ubuntu3.6 Ubuntu 10.04 LTS: sudo 1.7.2p1-1ubuntu5.7 sudo-ldap 1.7.2p1-1ubuntu5.7 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-2146-1 CVE-2014-0106, https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1223297 Package Information: https://launchpad.net/ubuntu/+source/sudo/1.8.6p3-0ubuntu3.1 https://launchpad.net/ubuntu/+source/sudo/1.8.5p2-1ubuntu1.2 https://launchpad.net/ubuntu/+source/sudo/1.8.3p1-1ubuntu3.6 https://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.7 . Multiple vulnerabilities in Sudo have been resolved across various Ubuntu versions. It's vital to update your system right away to ensure security and fend off potential risks. Sudo Issues, Ubuntu Security, Privilege Management. . Severity: Critical. LinuxSecurity.com Team
Mar 13, 2014
•Critical
Ubuntu
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!