Debian Security Advisory
DLA-2886-1 slurm-llnl -- LTS security update
- Date Reported: 17 Jan 2022
- Affected Packages:
- Security database references:
  - In the Debian bugtracking system: Bug 931880, Bug 961406, Bug 974721, Bug 988439.
  - In Mitre's CVE dictionary: CVE-2019-12838, CVE-2020-12693, CVE-2020-27745, CVE-2021-31215.
- More information:
Multiple security issues were discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, which could result in denial of service, information disclosure or privilege escalation.
- CVE-2019-12838: SchedMD Slurm allows SQL Injection.
- CVE-2020-12693: In the rare case where Message Aggregation is enabled, Slurm allows Authentication Bypass via an Alternate Path or Channel. A race condition allows a user to launch a process as an arbitrary user.
- CVE-2020-27745: RPC Buffer Overflow in the PMIx MPI plugin.
- CVE-2021-31215: SchedMD Slurm allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling.
For Debian 9 stretch, these problems have been fixed in version 16.05.9-1+deb9u5.
We recommend that you upgrade your slurm-llnl packages.
For the detailed security status of slurm-llnl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/slurm-llnl
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
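To help prioritise the upgrade, the following added example (not part of the advisory or of Slurm) scans a slurm.conf for the optional features the issues above depend on. It assumes that `MsgAggregationParams` and `MpiDefault` are the settings behind Message Aggregation and the PMIx plugin, and that `WindowMsgs=1` leaves aggregation off; the sample configuration is constructed.

```python
import re

# Constructed sample slurm.conf for illustration; not from a real cluster.
SAMPLE_CONF = """\
ClusterName=demo
MpiDefault=pmix
MsgAggregationParams=WindowMsgs=10,WindowTime=100
#EpilogSlurmctld=/etc/slurm-llnl/epilog_ctld.sh
PrologSlurmctld=/etc/slurm-llnl/prolog_ctld.sh
"""

# slurm.conf setting (lower-cased) -> advisory issue it relates to.
# Assumption: MsgAggregationParams and MpiDefault are the settings behind
# "Message Aggregation" and the PMIx plugin; the advisory names neither.
CHECKS = {
    "msgaggregationparams": "authentication bypass with Message Aggregation",
    "mpidefault": "RPC buffer overflow in the PMIx MPI plugin",
    "prologslurmctld": "environment mishandling in PrologSlurmctld",
    "epilogslurmctld": "environment mishandling in EpilogSlurmctld",
}

def parse_conf(text):
    """Return {lower-cased key: value} for Key=Value lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z_]+)\s*=\s*(\S.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(text):
    """List (setting, value, issue) for enabled features the advisory mentions."""
    findings = []
    conf = parse_conf(text)
    for key, issue in CHECKS.items():
        value = conf.get(key)
        if value is None:
            continue
        if key == "mpidefault" and not value.lower().startswith("pmix"):
            continue  # another MPI plugin is the default
        win = re.search(r"windowmsgs=(\d+)", value, re.I)
        if key == "msgaggregationparams" and win and int(win.group(1)) <= 1:
            continue  # assumed: a window of one message means aggregation is off
        findings.append((key, value, issue))
    return findings

if __name__ == "__main__":
    for key, value, issue in audit(SAMPLE_CONF):
        print(f"{key}={value}: exposed to {issue}")
```

An empty result does not show that a host is unaffected: the SQL injection issue has no corresponding setting here, so the installed package version remains the deciding check.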