Debian Security Advisory

DSA-5547-1 pmix -- security update

Date Reported:
04 Nov 2023
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 1051729.
In Mitre's CVE dictionary: CVE-2023-41915.
More information:

Francois Diakhate reported that a race condition in pmix, a library implementing Process Management Interface (PMI) Exascale API, could allow a malicious user to obtain ownership of an arbitrary file on the filesystem when parts of the PMIx library are called by a process with elevated privileges, resulting in privilege escalation. This may happen under the default configuration of certain workload managers, including Slurm.

For the oldstable distribution (bullseye), this problem has been fixed in version 4.0.0-4.1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 4.2.2-1+deb12u1.

We recommend that you upgrade your pmix packages.

For the detailed security status of pmix please refer to its security tracker page at: