Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2022-29501: slurm_20_02,slurmlibs,slurm_20_11,slurm,slurm_18_08: Unprivileged user can send data to arbitrary unix socket as root | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Hu <cathy.hu> |
| Component: | Incidents | Assignee: | HPC Issue Tracker <hpc-bugs> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | hpc-bugs, meissner, smash_bz, thomas.leroy |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/330836/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2022-29501:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Hu
2022-05-06 12:23:53 UTC
Affected:
- SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs 16.05.8.1
- SUSE:SLE-12-SP2:GA:Products:Update/slurm 17.02.11
- SUSE:SLE-15:Update/slurm 17.11.13
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08 18.08.9
- SUSE:SLE-15-SP1:Update/slurm 18.08.9
- SUSE:SLE-15:Update/slurm_18_08 18.08.9
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02 20.02.7
- SUSE:SLE-15-SP1:Update/slurm_20_02 20.02.7
- SUSE:SLE-15-SP2:Update/slurm 20.02.7
- openSUSE:Backports:SLE-15-SP3/slurm 20.11.5
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_11 20.11.7
- SUSE:SLE-15-SP2:Update/slurm_20_11 20.11.7
- SUSE:SLE-15-SP1:Update/slurm_20_11 20.11.7
- SUSE:SLE-15-SP3:Update/slurm 20.11.7
- openSUSE:Factory/slurm 21.08.7

This is an autogenerated message for OBS integration:
This bug (1199279) was mentioned in
https://build.opensuse.org/request/show/976280 Factory / slurm

SUSE-SU-2022:1666-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): slurm-20.11.9-150300.4.6.1
openSUSE Leap 15.3 (src): slurm-20.11.9-150300.4.6.1
SUSE Linux Enterprise Module for HPC 15-SP4 (src): slurm-20.11.9-150300.4.6.1
SUSE Linux Enterprise Module for HPC 15-SP3 (src): slurm-20.11.9-150300.4.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:1726-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References:
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src): slurm_20_11-20.11.9-3.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:1815-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References:
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm_20_11-20.11.9-150100.3.14.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm_20_11-20.11.9-150100.3.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:1831-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): slurm_20_11-20.11.9-150200.6.10.1
openSUSE Leap 15.3 (src): slurm_20_11-20.11.9-150200.6.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): slurm_20_11-20.11.9-150200.6.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): slurm_20_11-20.11.9-150200.6.10.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Hi, we're still missing submissions for the following codestreams:
> Affected:
> - SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs 16.05.8.1
> - SUSE:SLE-12-SP2:GA:Products:Update/slurm 17.02.11
> - SUSE:SLE-15:Update/slurm 17.11.13
> - SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08 18.08.9
> - SUSE:SLE-15-SP1:Update/slurm 18.08.9
> - SUSE:SLE-15:Update/slurm_18_08 18.08.9
> - SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02 20.02.7
> - SUSE:SLE-15-SP1:Update/slurm_20_02 20.02.7
> - SUSE:SLE-15-SP2:Update/slurm 20.02.7
The fix has been back-ported; however, it still requires testing. This testing is stalled at the moment as all of our infrastructure is down due to heat problems.

The changes were extensive, not localized, and touched large parts of the code; thus, breakages in the back-ports are to be expected.

Therefore we are not comfortable shipping any updates untested. However, without appropriate test hardware we are unable to proceed.

Please advise!

(In reply to Egbert Eich from comment #11)
> The fix has been back-ported; however, it still requires testing. This testing
> is stalled at the moment as all of our infrastructure is down due to heat
> problems.
>
> The changes were extensive, not localized, and touched large parts of the
> code; thus, breakages in the back-ports are to be expected.
>
> Therefore we are not comfortable shipping any updates untested. However,
> without appropriate test hardware we are unable to proceed.
>
> Please advise!

If you think you can rigorously test the backports once the infra is working, we can go with it; otherwise we can proceed with a version update, approved by an ECO. But if you think properly testing will take too much time/complexity, the version update could be the easiest solution.

Technically speaking, could we update the affected codestreams to a version fixing this (and possibly other) CVE?

We provide upgrades - an upgrade is different from an update in that it will constitute a new code stream.
Slurm is nothing that you update simply by typing 'zypper patch' - it is a client-server infrastructure with at least one server and a multitude of clients. There are strict version dependencies between the components, so to upgrade you will have to follow a strict order when updating individual components.
A version upgrade may provide a fix for the CVEs; however, this comes at a cost: you need to follow a specific routine to migrate and you may lose features that have been deprecated in the new version.
Therefore, it has been our goal to keep the old versions alive.
I believe we have updated the 20.11 code stream across all SPs already, thus the solution you propose exists already.

(In reply to Egbert Eich from comment #13)
> We provide upgrades - an upgrade is different from an update in that it
> will constitute a new code stream.
> Slurm is nothing that you update simply by typing 'zypper patch' - it is a
> client-server infrastructure with at least one server and a multitude of
> clients. There are strict version dependencies between the components, so to
> upgrade you will have to follow a strict order when updating individual
> components.
> A version upgrade may provide a fix for the CVEs; however, this comes at a
> cost: you need to follow a specific routine to migrate and you may lose
> features that have been deprecated in the new version.
> Therefore, it has been our goal to keep the old versions alive.
> I believe we have updated the 20.11 code stream across all SPs already, thus
> the solution you propose exists already.

Thanks for the clarification Egbert. I can see that slurm_20_11 has been fixed in every codestream (from 12-SP2 to 15-SP2), so creating a new slurm package with the last version shipped in the same codestream would be pretty useless, right?
And since we can't do a version upgrade for the older packages (like slurm_18_08), I guess we have no other choice than backporting. In this case, I think we have to wait for the test infra to be ready...

Well, if the user wanted to have the security update now, she could upgrade. This is what we would recommend if the backport was impossible. However, since I've done the backport already, it doesn't seem to be impossible - unless testing turns up something that I hadn't thought of. We already found one issue in our testing - which I then fixed. There may be more.
Version upgrades from really old versions would be a bit more complicated as the database can only be migrated from two versions back. The user would have to do a multi-step upgrade - at least for the database.

Updates for Slurm 17.11 (SUSE:SLE-15:Update) and 17.02 (SUSE:SLE-12-SP2:GA:Products:Update) have just been pushed:
17.11 - SR#280673
17.02 - SR#280683
This concludes the series of updates.

We will not publish an update for libslurm 16.05 as this doesn't really make sense: libslurm doesn't provide a library API only, it also provides a wire protocol. The latter has only limited backward compatibility and thus applications built against libslurm for Slurm 16.05 may not work. We have succeeded Slurm 16.05 by 17.02, thus anyone installing Slurm on SLE-12 service packs (or updating it) will get 17.02. We do not ship any package linking against libslurm from Slurm 16.08.
It should be release noted that users who use self-built software linking against this version (libslurm29) should rebuild their software.

SUSE-SU-2022:3454-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src): slurm_18_08-18.08.9-3.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3468-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): slurm-18.08.9-150100.3.22.1
openSUSE Leap 15.3 (src): slurm-18.08.9-150100.3.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm-18.08.9-150100.3.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm-18.08.9-150100.3.22.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3462-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): slurm_18_08-18.08.9-150000.1.17.1
openSUSE Leap 15.3 (src): slurm_18_08-18.08.9-150000.1.17.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): slurm_18_08-18.08.9-150000.1.17.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): slurm_18_08-18.08.9-150000.1.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3477-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1186646,1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src): slurm_20_02-20.02.7-3.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3490-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): slurm-20.02.7-150200.3.14.2
openSUSE Leap 15.3 (src): slurm-20.02.7-150200.3.14.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): slurm-20.02.7-150200.3.14.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): slurm-20.02.7-150200.3.14.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3491-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1186646,1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): slurm_20_02-20.02.7-150100.3.24.1
openSUSE Leap 15.3 (src): slurm_20_02-20.02.7-150100.3.24.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm_20_02-20.02.7-150100.3.24.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm_20_02-20.02.7-150100.3.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3497-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src): slurm-17.02.11-6.53.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3535-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): slurm-17.11.13-150000.6.40.1
openSUSE Leap 15.3 (src): slurm-17.11.13-150000.6.40.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): slurm-17.11.13-150000.6.40.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): slurm-17.11.13-150000.6.40.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
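The advisories in this bug identify a fix only by source package and version-release, and because the same Slurm version was shipped as different source packages (slurm, slurm_18_08, slurm_20_02, slurm_20_11) with product-specific release numbers, checking a node means comparing its version-release against the entry for its own product, using rpm's version ordering rather than a string compare (release 150300.4.10.1 is newer than 150300.4.6.1 but sorts before it lexically). The following is an added example and not code from this bug, from SUSE or from the Slurm project: an rpmvercmp-style comparison in Python with a lookup table copied from a subset of the advisories quoted above. The function names, the (product, package) keys and the installed version strings used for illustration are assumptions; caret ('^') ordering from newer rpm versions is not handled.

```python
"""Check an installed Slurm package against the fixed builds named in the
SUSE advisories quoted in bsc#1199279 (CVE-2022-29500 / CVE-2022-29501)."""
from __future__ import annotations

import re

# Fixed source builds, copied from the SUSE-SU-2022 advisories in this bug.
# Keys are (product string as printed in the advisory, source package name).
# Only a subset is listed here for illustration; extend from the advisories.
FIXED_BUILDS: dict[tuple[str, str], str] = {
    ("SUSE Linux Enterprise Module for HPC 12", "slurm_20_11"): "20.11.9-3.11.1",
    ("SUSE Linux Enterprise Module for HPC 12", "slurm_20_02"): "20.02.7-3.14.1",
    ("SUSE Linux Enterprise Module for HPC 12", "slurm_18_08"): "18.08.9-3.17.1",
    ("SUSE Linux Enterprise Module for HPC 12", "slurm"): "17.02.11-6.53.1",
    ("SUSE Linux Enterprise Module for HPC 15-SP3", "slurm"): "20.11.9-150300.4.6.1",
    ("SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS", "slurm"): "20.02.7-150200.3.14.2",
    ("SUSE Linux Enterprise High Performance Computing 15-LTSS", "slurm"): "17.11.13-150000.6.40.1",
}

# A version string is tokenised into runs of digits, runs of letters and
# the '~' pre-release marker; every other character is a separator.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the ordering rpm's rpmvercmp() uses:
    numeric segments compare as integers (4.10 > 4.6), alphabetic ones
    lexically, a numeric segment beats an alphabetic one, '~' sorts
    before anything (1.0~rc1 < 1.0), and separators are ignored."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)  # int() drops leading zeros, as rpm does
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    # All shared segments are equal: the string with segments left over is
    # newer, unless that remainder is a '~' pre-release suffix.
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    remainder = (sa if a_longer else sb)[min(len(sa), len(sb))]
    if remainder == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def split_vr(vr: str) -> tuple[str, str]:
    """Split 'VERSION-RELEASE' at the last '-', as rpm itself does."""
    version, sep, release = vr.rpartition("-")
    if not sep or not version:
        raise ValueError(f"expected VERSION-RELEASE, got {vr!r}")
    return version, release


def compare_vr(installed: str, fixed: str) -> int:
    """Compare two VERSION-RELEASE strings: version first, then release."""
    iv, ir = split_vr(installed)
    fv, fr = split_vr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def is_fixed(product: str, package: str, installed_vr: str) -> bool:
    """True when installed_vr is at or above the fixed build for this
    product. Release numbers are only comparable within one product, so
    the lookup is keyed by product as well as by source package."""
    fixed = FIXED_BUILDS[(product, package)]
    return compare_vr(installed_vr, fixed) >= 0
```

On a SUSE node the inputs come from `rpm -q --qf '%{SOURCERPM} %{VERSION}-%{RELEASE}\n' slurm`: the source rpm name tells you which of slurm, slurm_18_08, slurm_20_02 or slurm_20_11 the binary package was built from, and the product string is the one printed in the advisory for your codestream. Comparing, say, a 15-SP1 build against the SLE 12 entry is meaningless, which is why the table refuses to answer without a product.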