Security update for slurm_22_05 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:0311-1 Final 1 1 2024-02-02T05:03:38Z current 2024-02-02T05:03:38Z 2024-02-02T05:03:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for slurm_22_05 This update for slurm_22_05 fixes the following issues: Update to slurm 22.05.11: Security fixes: - CVE-2023-49933: Prevent message extension attacks that could bypass the message hash. (bsc#1218046) - CVE-2023-49936: Prevent NULL pointer dereference on `size_valp` overflow. (bsc#1218050) - CVE-2023-49937: Prevent double-xfree() on error in `_unpack_node_reg_resp()`. (bsc#1218051) - CVE-2023-49938: Prevent modified `sbcast` RPCs from opening a file with the wrong group permissions. (bsc#1218053) Other fixes: - Add missing service file for slurmrestd (bsc#1217711). - Fix slurm upgrading to incompatible versions (bsc#1216869). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-311,SUSE-SLE-Module-HPC-12-2024-311 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20240311-1/ Link for SUSE-SU-2024:0311-1 https://lists.suse.com/pipermail/sle-security-updates/2024-February/017845.html E-Mail link for SUSE-SU-2024:0311-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216869 SUSE Bug 1216869 https://bugzilla.suse.com/1217711 SUSE Bug 1217711 https://bugzilla.suse.com/1218046 SUSE Bug 1218046 https://bugzilla.suse.com/1218050 SUSE Bug 1218050 https://bugzilla.suse.com/1218051 SUSE Bug 1218051 https://bugzilla.suse.com/1218053 SUSE Bug 1218053 https://www.suse.com/security/cve/CVE-2023-49933/ SUSE CVE CVE-2023-49933 page https://www.suse.com/security/cve/CVE-2023-49936/ SUSE CVE CVE-2023-49936 page https://www.suse.com/security/cve/CVE-2023-49937/ SUSE CVE CVE-2023-49937 page https://www.suse.com/security/cve/CVE-2023-49938/ SUSE CVE CVE-2023-49938 page SUSE Linux Enterprise Module for HPC 12 libnss_slurm2_22_05-22.05.11-3.9.1 libpmi0_22_05-22.05.11-3.9.1 libslurm38-22.05.11-3.9.1 perl-slurm_22_05-22.05.11-3.9.1 slurm_22_05-22.05.11-3.9.1 slurm_22_05-auth-none-22.05.11-3.9.1 slurm_22_05-config-22.05.11-3.9.1 slurm_22_05-config-man-22.05.11-3.9.1 slurm_22_05-cray-22.05.11-3.9.1 slurm_22_05-devel-22.05.11-3.9.1 slurm_22_05-doc-22.05.11-3.9.1 slurm_22_05-lua-22.05.11-3.9.1 slurm_22_05-munge-22.05.11-3.9.1 slurm_22_05-node-22.05.11-3.9.1 slurm_22_05-openlava-22.05.11-3.9.1 slurm_22_05-pam_slurm-22.05.11-3.9.1 slurm_22_05-plugins-22.05.11-3.9.1 slurm_22_05-seff-22.05.11-3.9.1 slurm_22_05-sjstat-22.05.11-3.9.1 slurm_22_05-slurmdbd-22.05.11-3.9.1 slurm_22_05-sql-22.05.11-3.9.1 slurm_22_05-sview-22.05.11-3.9.1 slurm_22_05-testsuite-22.05.11-3.9.1 slurm_22_05-torque-22.05.11-3.9.1 slurm_22_05-webdoc-22.05.11-3.9.1 libnss_slurm2_22_05-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 libpmi0_22_05-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 libslurm38-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 perl-slurm_22_05-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-auth-none-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-config-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-config-man-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-devel-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-doc-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-lua-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-munge-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-node-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-pam_slurm-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-plugins-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-slurmdbd-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-sql-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-sview-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-torque-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm_22_05-webdoc-22.05.11-3.9.1 as a component of SUSE Linux Enterprise Module for HPC 12 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. There is Improper Enforcement of Message Integrity During Transmission in a Communication Channel. This allows attackers to modify RPC traffic in a way that bypasses message hash checks. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49933 SUSE Linux Enterprise Module for HPC 12:libnss_slurm2_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:libpmi0_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:libslurm38-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:perl-slurm_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-auth-none-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-config-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-config-man-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-devel-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-doc-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-lua-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-munge-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-node-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-pam_slurm-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-plugins-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-slurmdbd-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-sql-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-sview-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-torque-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-webdoc-22.05.11-3.9.1 moderate 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240311-1/ https://www.suse.com/security/cve/CVE-2023-49933.html CVE-2023-49933 https://bugzilla.suse.com/1218046 SUSE Bug 1218046 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. A NULL pointer dereference leads to denial of service. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49936 SUSE Linux Enterprise Module for HPC 12:libnss_slurm2_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:libpmi0_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:libslurm38-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:perl-slurm_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-auth-none-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-config-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-config-man-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-devel-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-doc-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-lua-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-munge-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-node-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-pam_slurm-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-plugins-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-slurmdbd-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-sql-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-sview-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-torque-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-webdoc-22.05.11-3.9.1 important 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240311-1/ https://www.suse.com/security/cve/CVE-2023-49936.html CVE-2023-49936 https://bugzilla.suse.com/1218050 SUSE Bug 1218050 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. Because of a double free, attackers can cause a denial of service or possibly execute arbitrary code. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49937 SUSE Linux Enterprise Module for HPC 12:libnss_slurm2_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:libpmi0_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:libslurm38-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:perl-slurm_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-auth-none-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-config-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-config-man-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-devel-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-doc-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-lua-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-munge-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-node-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-pam_slurm-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-plugins-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-slurmdbd-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-sql-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-sview-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-torque-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-webdoc-22.05.11-3.9.1 important 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240311-1/ https://www.suse.com/security/cve/CVE-2023-49937.html CVE-2023-49937 https://bugzilla.suse.com/1218051 SUSE Bug 1218051 An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7. CVE-2023-49938 SUSE Linux Enterprise Module for HPC 12:libnss_slurm2_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:libpmi0_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:libslurm38-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:perl-slurm_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-auth-none-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-config-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-config-man-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-devel-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-doc-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-lua-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-munge-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-node-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-pam_slurm-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-plugins-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-slurmdbd-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-sql-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-sview-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-torque-22.05.11-3.9.1 SUSE Linux Enterprise Module for HPC 12:slurm_22_05-webdoc-22.05.11-3.9.1 moderate 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240311-1/ https://www.suse.com/security/cve/CVE-2023-49938.html CVE-2023-49938 https://bugzilla.suse.com/1218053 SUSE Bug 1218053