[SECURITY] [DSA 5547-1] pmix security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 5547-1] pmix security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 04 Nov 2023 10:12:09 +0000
Message-id: <[🔎] E1qzDdR-00BnDd-Q0@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5547-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 04, 2023                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pmix
CVE ID         : CVE-2023-41915
Debian Bug     : 1051729

Francois Diakhate reported that a race condition in pmix, a library
implementing Process Management Interface (PMI) Exascale API, could
allow a malicious user to obtain ownership of an arbitrary file on the
filesystem when parts of the PMIx library are called by a process with
elevated privileges, resulting in privilege escalation. This may
happen under the default configuration of certain workload managers,
including Slurm.

For the oldstable distribution (bullseye), this problem has been fixed
in version 4.0.0-4.1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 4.2.2-1+deb12u1.

We recommend that you upgrade your pmix packages.

For the detailed security status of pmix please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pmix

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVGGG5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QdMQ/7B+6JnojbADILfhhKuVY0hFentvOj1ShNb9+m3xLCE/ZQGBtlddCmCdr1
DqOFYZ+VoxzpOSYP+uobZjo0qvisCdiig/+Pyp6zfYiYxUXoRSCU+2G9MWbxeCwS
am/xKmOVAN7h4sN7slu+hpuZf/Xr7fHJ3mmBVkq3a5Q3easj12TMmgtG0zKbQAgx
Is6HjfPkOmy3VCmMvZNlGdyVhKgaNsZt3EB8cvG70tOZtNzODKM38HVWGmKUmiSC
9Wm5tP12S0Ms/sZY5A3Cmehgojhdibd8AV4ef7OB3ibB2sK6ix1ddJN8De9pQRvS
77yJ8B5nztaiEr9vXsj/OK1IJBT5zru7KbeQvxhNZZ9F5mjYL24hTlBOO4ZnsdAV
XoO3l0yk3bq4asvECywleu+XVWgtOYpMvuJfheKGulzYH/z496yuU4DUKl7qrMki
kfUjDhXJEnJ8AdtqLlVfW80Nx5mUaunO0O2Bn7inhHqjc6qZ2QJCIME5A0EvXS42
VYczBwPBhUv3rvFfQ/zTjaIXmrnjwsHNzPkSWupOUeOAHdurC25IWFbIGwbsQRQd
Y89m6jMM8z6RazZ/5HKagxfRDxws5VBRKCnTs2npMQlh/E+EV/k6BMDnPVm+wNVy
qWY8gh1t6nEwMvMm8lBb3xHeQaM8ZcxjKoQTOL1zmLmZMn61ZpA=
=GhRh
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 5546-1] chromium security update
Next by Date: [SECURITY] [DSA 5548-1] openjdk-17 security update
Previous by thread: [SECURITY] [DSA 5546-1] chromium security update
Next by thread: [SECURITY] [DSA 5548-1] openjdk-17 security update
Index(es):
- Date
- Thread