Security update for slurm_20_02 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:0278-1 Final 1 1 2024-01-31T06:15:30Z current 2024-01-31T06:15:30Z 2024-01-31T06:15:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for slurm_20_02 This update for slurm_20_02 fixes the following issues: Security fixes: - CVE-2023-49933: Prevent message extension attacks that could bypass the message hash. (bsc#1218046) - CVE-2023-49936: Prevent NULL pointer dereference on `size_valp` overflow. (bsc#1218050) - CVE-2023-49937: Prevent double-xfree() on error in `_unpack_node_reg_resp()`. (bsc#1218051) - CVE-2023-49938: Prevent modified `sbcast` RPCs from opening a file with the wrong group permissions. (bsc#1218053) Other fixes: - Fix slurm upgrading to incompatible versions (bsc#1216869). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-278,openSUSE-SLE-15.5-2024-278 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20240278-1/ Link for SUSE-SU-2024:0278-1 https://lists.suse.com/pipermail/sle-security-updates/2024-January/017819.html E-Mail link for SUSE-SU-2024:0278-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216869 SUSE Bug 1216869 https://bugzilla.suse.com/1218046 SUSE Bug 1218046 https://bugzilla.suse.com/1218050 SUSE Bug 1218050 https://bugzilla.suse.com/1218051 SUSE Bug 1218051 https://bugzilla.suse.com/1218053 SUSE Bug 1218053 https://www.suse.com/security/cve/CVE-2023-49933/ SUSE CVE CVE-2023-49933 page https://www.suse.com/security/cve/CVE-2023-49936/ SUSE CVE CVE-2023-49936 page https://www.suse.com/security/cve/CVE-2023-49937/ SUSE CVE CVE-2023-49937 page https://www.suse.com/security/cve/CVE-2023-49938/ SUSE CVE CVE-2023-49938 page openSUSE Leap 15.5 libnss_slurm2_20_02-20.02.7-150100.3.30.1 libpmi0_20_02-20.02.7-150100.3.30.1 libslurm35-20.02.7-150100.3.30.1 perl-slurm_20_02-20.02.7-150100.3.30.1 slurm_20_02-20.02.7-150100.3.30.1 slurm_20_02-auth-none-20.02.7-150100.3.30.1 slurm_20_02-config-20.02.7-150100.3.30.1 slurm_20_02-config-man-20.02.7-150100.3.30.1 slurm_20_02-cray-20.02.7-150100.3.30.1 slurm_20_02-devel-20.02.7-150100.3.30.1 slurm_20_02-doc-20.02.7-150100.3.30.1 slurm_20_02-hdf5-20.02.7-150100.3.30.1 slurm_20_02-lua-20.02.7-150100.3.30.1 slurm_20_02-munge-20.02.7-150100.3.30.1 slurm_20_02-node-20.02.7-150100.3.30.1 slurm_20_02-openlava-20.02.7-150100.3.30.1 slurm_20_02-pam_slurm-20.02.7-150100.3.30.1 slurm_20_02-plugins-20.02.7-150100.3.30.1 slurm_20_02-rest-20.02.7-150100.3.30.1 slurm_20_02-seff-20.02.7-150100.3.30.1 slurm_20_02-sjstat-20.02.7-150100.3.30.1 slurm_20_02-slurmdbd-20.02.7-150100.3.30.1 slurm_20_02-sql-20.02.7-150100.3.30.1 slurm_20_02-sview-20.02.7-150100.3.30.1 slurm_20_02-testsuite-20.02.7-150100.3.30.1 slurm_20_02-torque-20.02.7-150100.3.30.1 slurm_20_02-webdoc-20.02.7-150100.3.30.1 libnss_slurm2_20_02-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 libpmi0_20_02-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 perl-slurm_20_02-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-auth-none-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-config-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-config-man-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-cray-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-devel-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-doc-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-hdf5-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-lua-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-munge-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-node-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-openlava-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-pam_slurm-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-plugins-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-rest-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-seff-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-sjstat-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-slurmdbd-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-sql-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-sview-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-testsuite-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-torque-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 slurm_20_02-webdoc-20.02.7-150100.3.30.1 as a component of openSUSE Leap 15.5 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. There is Improper Enforcement of Message Integrity During Transmission in a Communication Channel. This allows attackers to modify RPC traffic in a way that bypasses message hash checks. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49933 openSUSE Leap 15.5:libnss_slurm2_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:libpmi0_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:perl-slurm_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-auth-none-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-config-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-config-man-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-cray-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-devel-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-doc-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-hdf5-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-lua-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-munge-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-node-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-openlava-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-pam_slurm-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-plugins-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-rest-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-seff-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sjstat-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-slurmdbd-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sql-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sview-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-testsuite-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-torque-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-webdoc-20.02.7-150100.3.30.1 moderate 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240278-1/ https://www.suse.com/security/cve/CVE-2023-49933.html CVE-2023-49933 https://bugzilla.suse.com/1218046 SUSE Bug 1218046 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. A NULL pointer dereference leads to denial of service. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49936 openSUSE Leap 15.5:libnss_slurm2_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:libpmi0_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:perl-slurm_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-auth-none-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-config-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-config-man-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-cray-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-devel-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-doc-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-hdf5-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-lua-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-munge-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-node-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-openlava-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-pam_slurm-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-plugins-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-rest-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-seff-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sjstat-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-slurmdbd-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sql-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sview-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-testsuite-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-torque-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-webdoc-20.02.7-150100.3.30.1 important 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240278-1/ https://www.suse.com/security/cve/CVE-2023-49936.html CVE-2023-49936 https://bugzilla.suse.com/1218050 SUSE Bug 1218050 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. Because of a double free, attackers can cause a denial of service or possibly execute arbitrary code. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49937 openSUSE Leap 15.5:libnss_slurm2_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:libpmi0_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:perl-slurm_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-auth-none-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-config-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-config-man-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-cray-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-devel-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-doc-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-hdf5-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-lua-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-munge-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-node-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-openlava-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-pam_slurm-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-plugins-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-rest-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-seff-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sjstat-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-slurmdbd-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sql-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sview-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-testsuite-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-torque-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-webdoc-20.02.7-150100.3.30.1 important 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240278-1/ https://www.suse.com/security/cve/CVE-2023-49937.html CVE-2023-49937 https://bugzilla.suse.com/1218051 SUSE Bug 1218051 An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7. CVE-2023-49938 openSUSE Leap 15.5:libnss_slurm2_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:libpmi0_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:perl-slurm_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-auth-none-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-config-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-config-man-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-cray-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-devel-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-doc-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-hdf5-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-lua-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-munge-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-node-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-openlava-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-pam_slurm-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-plugins-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-rest-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-seff-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sjstat-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-slurmdbd-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sql-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-sview-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-testsuite-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-torque-20.02.7-150100.3.30.1 openSUSE Leap 15.5:slurm_20_02-webdoc-20.02.7-150100.3.30.1 moderate 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240278-1/ https://www.suse.com/security/cve/CVE-2023-49938.html CVE-2023-49938 https://bugzilla.suse.com/1218053 SUSE Bug 1218053