Security update for slurm SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:0315-1 Final 1 1 2024-02-02T08:55:34Z current 2024-02-02T08:55:34Z 2024-02-02T08:55:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for slurm This update for slurm fixes the following issues: - CVE-2023-49933: Fixed a message extension attack that could bypass the message hash (bsc#1218046). - CVE-2023-49936: Fixed a NULL pointer dereference (bsc#1218050). - CVE-2023-49937: Fixed a double free that could lead to denial of service or code execution (bsc#1218051). - CVE-2023-49938: Fixed an incorrect access control issue that could allow an attacker to modify their extended group list (bsc#1218053). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-315,SUSE-SLE-Module-HPC-12-2024-315 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20240315-1/ Link for SUSE-SU-2024:0315-1 https://lists.suse.com/pipermail/sle-security-updates/2024-February/017850.html E-Mail link for SUSE-SU-2024:0315-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1218046 SUSE Bug 1218046 https://bugzilla.suse.com/1218050 SUSE Bug 1218050 https://bugzilla.suse.com/1218051 SUSE Bug 1218051 https://bugzilla.suse.com/1218053 SUSE Bug 1218053 https://www.suse.com/security/cve/CVE-2023-49933/ SUSE CVE CVE-2023-49933 page https://www.suse.com/security/cve/CVE-2023-49936/ SUSE CVE CVE-2023-49936 page https://www.suse.com/security/cve/CVE-2023-49937/ SUSE CVE CVE-2023-49937 page https://www.suse.com/security/cve/CVE-2023-49938/ SUSE CVE CVE-2023-49938 page SUSE Linux Enterprise Module for HPC 12 libpmi0-17.02.11-6.59.1 libslurm31-17.02.11-6.59.1 perl-slurm-17.02.11-6.59.1 slurm-17.02.11-6.59.1 slurm-auth-none-17.02.11-6.59.1 slurm-config-17.02.11-6.59.1 slurm-devel-17.02.11-6.59.1 slurm-doc-17.02.11-6.59.1 slurm-lua-17.02.11-6.59.1 slurm-munge-17.02.11-6.59.1 slurm-openlava-17.02.11-6.59.1 slurm-pam_slurm-17.02.11-6.59.1 slurm-plugins-17.02.11-6.59.1 slurm-sched-wiki-17.02.11-6.59.1 slurm-seff-17.02.11-6.59.1 slurm-sjstat-17.02.11-6.59.1 slurm-slurmdb-direct-17.02.11-6.59.1 slurm-slurmdbd-17.02.11-6.59.1 slurm-sql-17.02.11-6.59.1 slurm-sview-17.02.11-6.59.1 slurm-testsuite-17.02.11-6.59.1 slurm-torque-17.02.11-6.59.1 slurm-torque-openqa-tests-17.02.11-6.59.1 libpmi0-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 libslurm31-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 perl-slurm-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-auth-none-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-config-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-devel-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-doc-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-lua-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-munge-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-pam_slurm-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-plugins-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-sched-wiki-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-slurmdb-direct-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-slurmdbd-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-sql-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 slurm-torque-17.02.11-6.59.1 as a component of SUSE Linux Enterprise Module for HPC 12 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. There is Improper Enforcement of Message Integrity During Transmission in a Communication Channel. This allows attackers to modify RPC traffic in a way that bypasses message hash checks. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49933 SUSE Linux Enterprise Module for HPC 12:libpmi0-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:libslurm31-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:perl-slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-auth-none-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-config-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-devel-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-doc-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-lua-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-munge-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-pam_slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-plugins-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-sched-wiki-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-slurmdb-direct-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-slurmdbd-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-sql-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-torque-17.02.11-6.59.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240315-1/ https://www.suse.com/security/cve/CVE-2023-49933.html CVE-2023-49933 https://bugzilla.suse.com/1218046 SUSE Bug 1218046 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. A NULL pointer dereference leads to denial of service. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49936 SUSE Linux Enterprise Module for HPC 12:libpmi0-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:libslurm31-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:perl-slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-auth-none-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-config-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-devel-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-doc-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-lua-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-munge-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-pam_slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-plugins-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-sched-wiki-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-slurmdb-direct-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-slurmdbd-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-sql-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-torque-17.02.11-6.59.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240315-1/ https://www.suse.com/security/cve/CVE-2023-49936.html CVE-2023-49936 https://bugzilla.suse.com/1218050 SUSE Bug 1218050 An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. Because of a double free, attackers can cause a denial of service or possibly execute arbitrary code. The fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49937 SUSE Linux Enterprise Module for HPC 12:libpmi0-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:libslurm31-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:perl-slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-auth-none-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-config-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-devel-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-doc-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-lua-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-munge-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-pam_slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-plugins-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-sched-wiki-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-slurmdb-direct-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-slurmdbd-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-sql-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-torque-17.02.11-6.59.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240315-1/ https://www.suse.com/security/cve/CVE-2023-49937.html CVE-2023-49937 https://bugzilla.suse.com/1218051 SUSE Bug 1218051 An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7. CVE-2023-49938 SUSE Linux Enterprise Module for HPC 12:libpmi0-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:libslurm31-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:perl-slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-auth-none-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-config-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-devel-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-doc-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-lua-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-munge-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-pam_slurm-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-plugins-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-sched-wiki-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-slurmdb-direct-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-slurmdbd-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-sql-17.02.11-6.59.1 SUSE Linux Enterprise Module for HPC 12:slurm-torque-17.02.11-6.59.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240315-1/ https://www.suse.com/security/cve/CVE-2023-49938.html CVE-2023-49938 https://bugzilla.suse.com/1218053 SUSE Bug 1218053