ESB-2017.2845 - [UNIX/Linux][Debian] slurm-llnl: Root compromise - Existing account 2017-11-08

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2845
                        slurm-llnl security update
                              8 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           slurm-llnl
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15566  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4023

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running slurm-llnl check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4023-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 07, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : slurm-llnl
CVE ID         : CVE-2017-15566
Debian Bug     : 880530

Ryan Day discovered that the Simple Linux Utility for Resource
Management (SLURM), a cluster resource management and job scheduling
system, does not properly handle SPANK environment variables, allowing a
user permitted to submit jobs to execute code as root during the Prolog
or Epilog. All systems using a Prolog or Epilog script are vulnerable,
regardless of whether SPANK plugins are in use.

For the stable distribution (stretch), this problem has been fixed in
version 16.05.9-1+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 17.02.9-1.

We recommend that you upgrade your slurm-llnl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
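Added here as a worked illustration, not part of the Debian advisory above nor of Slurm itself: a POSIX shell script that turns the DSA's exposure condition into a check an administrator can run on a Debian 9 node. The advisory makes the point that exposure does not depend on SPANK plugins being loaded; it depends on a Prolog or Epilog script being configured, and on slurm-llnl being older than 16.05.9-1+deb9u1. The script assumes Debian's slurm-llnl reads /etc/slurm-llnl/slurm.conf (an assumed default path), that dpkg's version comparison is available, and that the parameters of interest are exactly Prolog and Epilog as the advisory names them. Any configuration it is run against in the usage below is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of DSA-4023-1 or of Slurm: assess whether a Debian 9
# node is exposed to CVE-2017-15566. Per the advisory, exposure does not depend
# on SPANK plugins; it depends on (1) a Prolog or Epilog being configured and
# (2) slurm-llnl being older than the fixed version.

FIXED_VERSION="16.05.9-1+deb9u1"
# Debian's slurm-llnl is assumed to read its configuration from this path.
DEFAULT_CONF="/etc/slurm-llnl/slurm.conf"

# Print the effective Prolog/Epilog lines of a slurm.conf. Comments are
# stripped first; slurm.conf keys are case-insensitive, hence grep -i. The
# pattern requires '=' (after optional blanks) right after the key, so
# PrologSlurmctld=, EpilogSlurmctld= and similar are not counted: the advisory
# names Prolog and Epilog only.
slurm_prolog_epilog() {
    sed -e 's/#.*//' "$1" | grep -iE '^[[:space:]]*(Prolog|Epilog)[[:space:]]*='
}

# Exit 0 if the config runs a Prolog or Epilog (node exposed), 1 otherwise.
slurm_conf_exposed() {
    slurm_prolog_epilog "$1" >/dev/null
}

# Exit 0 if $1 is a Debian package version older than the fixed one, 1 if it
# is at or above it, 2 if dpkg is unavailable (not a Debian system).
slurm_version_vulnerable() {
    command -v dpkg >/dev/null 2>&1 || return 2
    dpkg --compare-versions "$1" lt "$FIXED_VERSION"
}

# Combine both checks for the local node: the installed version comes from
# dpkg-query, the configuration from the given file (default: DEFAULT_CONF).
# Exits non-zero when the node is both exposed and unpatched.
check_node() {
    conf="${1:-$DEFAULT_CONF}"
    exposed=0
    if slurm_conf_exposed "$conf"; then
        exposed=1
        echo "Prolog/Epilog configured in $conf:"
        slurm_prolog_epilog "$conf" | sed 's/^/  /'
    else
        echo "No Prolog/Epilog in $conf: not exposed per DSA-4023-1"
    fi
    installed=$(dpkg-query -W -f '${Version}' slurm-llnl 2>/dev/null || true)
    if [ -z "$installed" ]; then
        echo "slurm-llnl not installed or dpkg unavailable"
        return 0
    fi
    if slurm_version_vulnerable "$installed"; then
        echo "slurm-llnl $installed is older than $FIXED_VERSION: upgrade required"
        [ "$exposed" -eq 0 ]
        return
    fi
    echo "slurm-llnl $installed is at or above $FIXED_VERSION"
}

# Run the check against the default configuration when invoked on a node.
if [ -r "$DEFAULT_CONF" ]; then
    check_node "$DEFAULT_CONF"
fi
```

Two details are deliberate. The grep pattern anchors on the key followed directly by `=` so that unrelated parameters beginning with the same word are not mistaken for a Prolog or Epilog script, and the version test is delegated to `dpkg --compare-versions` because a naive string comparison mishandles Debian suffixes such as `+deb9u1`. An empty result from `dpkg-query` is reported rather than treated as "fixed", since absence of evidence is not a patched package.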

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----