Debian Security Advisory

DLA-3643-1 pmix -- LTS security update

Date Reported: 31 Oct 2023
Affected Packages: pmix
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2023-41915.
More information:

It was discovered that there was an arbitrary file overwrite vulnerability in pmix, a library used in parallel/cluster computing. Attackers could have obtained ownership of arbitrary files via a symlink-related race condition during execution of library code with UID 0.

  • CVE-2023-41915

    OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.

For Debian 10 Buster, this problem has been fixed in version 3.1.2-3+deb10u1.

We recommend that you upgrade your pmix packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
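
Added example, not code from PMIx or from Debian's patch: a C illustration of how code running as root can change a file's ownership without following a symlink, which is the class of race CVE-2023-41915 describes. The helper name `chown_nofollow`, the `demo` scenario and the policy of accepting only regular, singly linked files are assumptions made for the illustration; it targets Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a PMIx API: chown `name` inside the open directory
 * `dirfd` without following symlinks. Returns 0, or -1 with errno set. */
int chown_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1, saved;
    /* The racy form is chown(path, ...): the path is resolved again at call
     * time, so a link swapped in after an earlier check gets followed. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* ELOOP if `name` is a symlink */
    /* The checks and the chown below all act on the inode behind fd. */
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) && st.st_nlink == 1)
            rc = fchown(fd, uid, gid);
        else
            errno = EPERM;               /* not a plain, singly linked file */
    }
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scenario: a regular file and a symlink to it in a temp dir.
 * Returns 0 when the file is accepted and the symlink is refused (ELOOP). */
int demo(void)
{
    char dir[] = "/tmp/chown_demo_XXXXXX";
    if (!mkdtemp(dir)) return -1;
    int d = open(dir, O_RDONLY | O_DIRECTORY);
    int f = openat(d, "data", O_CREAT | O_WRONLY, 0600);
    if (d < 0 || f < 0 || symlinkat("data", d, "link") != 0) return -1;
    close(f);
    int ok = chown_nofollow(d, "data", getuid(), getgid()) == 0;
    int refused = chown_nofollow(d, "link", getuid(), getgid()) == -1 && errno == ELOOP;
    unlinkat(d, "link", 0);
    unlinkat(d, "data", 0);
    close(d);
    rmdir(dir);
    return (ok && refused) ? 0 : 1;
}

int main(void) { return demo(); }
```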