Debian Security Advisory
DLA-3643-1 pmix -- LTS security update
- Date Reported: 31 Oct 2023
- Affected Packages: pmix
- Security database references: In Mitre's CVE dictionary: CVE-2023-41915.
- More information:
It was discovered that there was an arbitrary file overwrite vulnerability in pmix, a library used in parallel/cluster computing. Attackers could have obtained ownership of arbitrary files via a symlink-related race condition during execution of library code with UID 0.
OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.
For Debian 10 Buster, this problem has been fixed in version 3.1.2-3+deb10u1.
We recommend that you upgrade your pmix packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
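The bug class described above (a privileged process changing ownership of a path that an unprivileged user can swap for a symlink) is shown below as an added example with the racy call beside a hardened one. This is not PMIx code or the Debian patch; the function names and the temporary demo paths are hypothetical, and `O_NOFOLLOW` guards only the final path component.

```c
/* Added example: symlink-safe ownership change for code running as UID 0.
   Function names and demo paths are hypothetical, not taken from PMIx. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: chown() resolves symlinks, so if another user can replace
   the path with a link before this call, root re-owns the link's target. */
int chown_following_links(const char *p, uid_t u, gid_t g) { return chown(p, u, g); }

/* Hardened pattern: open without following a final symlink, check the type
   of the object actually opened, then change ownership via the descriptor. */
int chown_no_follow(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) return -1;               /* errno is ELOOP for a symlink */
    if (fstat(fd, &st) != 0 || !(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))) {
        close(fd);
        errno = EINVAL;                  /* unexpected object type */
        return -1;
    }
    int rc = fchown(fd, uid, gid);       /* acts on the inode we opened */
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed demo: a file and a symlink to it in a fresh temp directory.
   Returns 1 if the hardened call accepts the file and refuses the link. */
int demo(void)
{
    char dir[] = "/tmp/chown-demo-XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(file, lnk) != 0) return -1;
    int ok_file = chown_no_follow(file, getuid(), getgid()) == 0;
    int refused = chown_no_follow(lnk, getuid(), getgid()) == -1 && errno == ELOOP;
    unlink(lnk); unlink(file); rmdir(dir);
    return ok_file && refused;
}
```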