Bugzilla – Bug 1155784
VUL-0: CVE-2019-19727: slurm: slurmdbd: slurmdbd.conf has an insecure Permission by default
Last modified: 2023-09-11 12:11:17 UTC
slurmdbd.conf may hold the database access password for the slurm user. Therefore it is recommended to not give other users read access to this file. It should have permission 0600 when installed.
So this is about the subpackage slurm-slurmdbd. Basically it's a packaging error then, right? If so then security team will need to assign a SUSE CNA CVE for this issue.
(In reply to Matthias Gerstner from comment #1)
> So this is about the subpackage slurm-slurmdbd. Basically it's a packaging
> error then, right? If so then security team will need to assign a SUSE CNA
> CVE for this issue.

This situation can be mitigated by improving the package, yes. To mitigate the issue retrospectively on update, some code is required which would be similar to bsc#1155075, on which I'm still waiting for an answer by the security team on my proposal, to be sure I handle this correctly.
A similar issue is in the upstream spec file. They only install slurmdbd.conf.example, but it's also world readable. So it's not a SUSE only issue and we can't assign a CVE. I'll talk to upstream about how they want to handle this.
The example file should not matter here. We install as well with the 'insecure' permissions. Of course I can change this if you think this is an issue.
This is CVE-2019-19727. Upstream confirmed CRD: 2019-12-20
Announced on Dec 20, 2019: https://www.schedmd.com/news.php
Is public, see above URL.

Slurm versions 19.05.5 and 18.08.9 are now available (CVE-2019-19727 and CVE-2019-19728)

SchedMD News Release: Dec 20, 2019

Slurm versions 19.05.5 and 18.08.9 are now available, and include a series of recent bug fixes, as well as a fix for two moderate security vulnerabilities discussed below. SchedMD customers were informed on December 11th and provided a patch on request; this process is documented in our security policy.

CVE-2019-19727: Johannes Segitz from SUSE reported that slurmdbd.conf may be installed with insecure permissions by certain Slurm packaging systems. Slurm itself, as shipped by SchedMD, does not manage slurmdbd.conf directly, but the slurmdbd.conf.example sets a poor example by installing itself with 0644 permissions instead of 0600 in both the slurm.spec and slurm.spec-legacy packaging scripts. Sites are encouraged to verify that the slurmdbd.conf file, which usually will contain your MySQL user and password, is secure on their clusters. Note that this configuration file is only needed by the slurmdbd primary (and optional backup) servers, and does not need to be accessible throughout the cluster.

CVE-2019-19728: Harald Barth from the KTH Royal Institute of Technology reported that "srun --uid" may not always drop into the correct user account, and instead will print a warning message but launch the tasks as root. Note that "srun --uid" is only available to the root user, and that this issue is only shown by a race condition between successive lookup calls within the srun client command. SchedMD does not recommend use of the "srun --uid" option (e.g., it does not load the target user's environment but will export the root user's) and may remove this option in a future release.

Downloads are available here.
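The advisory asks sites to verify that slurmdbd.conf is secure. The script below is an added example, not code from this bug report, SUSE or SchedMD: it checks a file's permission bits the way a site audit would, flags anything readable by group or others (so 0640 or 0666 are caught as well as the 0644 from the report), and can tighten the file to 0600. It assumes GNU coreutils `stat` (Linux); the path /etc/slurm/slurmdbd.conf is an assumed default, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the bug report, SUSE or SchedMD): verify that
# slurmdbd.conf is not readable by group or others, as the advisory asks
# sites to do, and optionally tighten it. Assumes GNU coreutils `stat`.
# The default path below is an assumption, not a value from the report.

CONF_DEFAULT=/etc/slurm/slurmdbd.conf

# Octal permission bits of a file as printed by stat, e.g. 600 or 644.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 when no group/other bit (r, w or x) is set, 1 when any is set,
# 2 when the file cannot be stat'ed. Works on the numeric mode, so 0640,
# 0604 or 0666 are rejected too, not only the 0644 from the report.
mode_is_private() {
    mode=$(file_mode "$1") || return 2
    # 077 masks the group and other bits; the leading 0 makes the shell
    # parse the stat output as octal.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print a one-line verdict and return the status of mode_is_private.
check_slurmdbd_conf() {
    conf=${1:-$CONF_DEFAULT}
    if mode_is_private "$conf"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "OK: $conf mode $(file_mode "$conf")" ;;
        2) echo "ERROR: cannot stat $conf" >&2 ;;
        *) echo "INSECURE: $conf mode $(file_mode "$conf"), expected 0600" >&2 ;;
    esac
    return $rc
}

# Tighten the file to 0600 and re-verify. Ownership is left alone: the
# slurmdbd service user must keep read access, and which user that is
# depends on the site.
harden_slurmdbd_conf() {
    conf=${1:-$CONF_DEFAULT}
    chmod 0600 "$conf" && mode_is_private "$conf"
}

# When run directly with a path argument, check that file.
if [ -n "${1:-}" ]; then
    check_slurmdbd_conf "$1"
fi
```

Run it on the slurmdbd host only (the advisory notes the file is needed nowhere else) as `sh check_slurmdbd_conf.sh /etc/slurm/slurmdbd.conf`; a non-zero exit makes it usable from a compliance job. On the packaging side the corresponding fix is to install the file with an explicit mode in the spec, e.g. `%attr(0600, slurm, slurm)` in the `%files` section, which is standard RPM syntax rather than the exact change SUSE or SchedMD made.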
SUSE-SU-2019:3385-1: An update that solves one vulnerability and has three fixes is now available. Category: security (important) Bug References: 1123304,1153259,1155784,1158696 CVE References: CVE-2019-6438 Sources used: SUSE Linux Enterprise Module for HPC 12 (src): slurm-17.02.11-6.36.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Backport has been released for SLE-12 (HPC Module) as well.
This is an autogenerated message for OBS integration: This bug (1155784) was mentioned in https://build.opensuse.org/request/show/761961 Factory / slurm
SUSE-SU-2020:0110-1: An update that solves three vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1140709,1153095,1153259,1155784,1158696,1159692 CVE References: CVE-2019-12838,CVE-2019-19727,CVE-2019-19728 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): slurm-18.08.9-3.10.1 SUSE Linux Enterprise Module for HPC 15-SP1 (src): slurm-18.08.9-3.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0085-1: An update that solves three vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1140709,1153095,1153259,1155784,1158696,1159692 CVE References: CVE-2019-12838,CVE-2019-19727,CVE-2019-19728 Sources used: openSUSE Leap 15.1 (src): slurm-18.08.9-lp151.2.6.1
SUSE-SU-2020:0228-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1153259,1155784,1158696 CVE References: CVE-2019-19727 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): slurm-17.11.13-6.23.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): slurm-17.11.13-6.23.1 SUSE Linux Enterprise Module for HPC 15-SP1 (src): slurm-17.11.13-6.23.1 SUSE Linux Enterprise Module for HPC 15 (src): slurm-17.11.13-6.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0443-1: An update that solves 8 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1018371,1065697,1085240,1095508,1123304,1140709,1155784,1158709,1158798,1159692 CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): pdsh-2.33-7.6.1 SUSE Linux Enterprise Module for HPC 15-SP1 (src): pdsh-2.33-7.6.1 SUSE Linux Enterprise Module for HPC 15 (src): pdsh-2.33-7.6.1, slurm_18_08-18.08.9-1.5.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2607-1: An update that solves 9 vulnerabilities, contains four features and has 22 fixes is now available. Category: security (moderate) Bug References: 1007053,1018371,1031872,1041706,1065697,1084125,1084917,1085240,1085606,1086859,1088693,1090292,1095508,1100850,1103561,1108671,1109373,1116758,1123304,1140709,1153095,1153259,1155784,1158696,1159692,1161716,1162377,1164326,1164386,1172004,1173805 CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438,CVE-2020-12693 JIRA References: SLE-10800,SLE-7341,SLE-7342,SLE-8491 Sources used: SUSE Linux Enterprise Module for HPC 12 (src): pdsh_slurm_18_08-2.34-7.26.2, pdsh_slurm_20_02-2.34-7.26.2, slurm_20_02-20.02.3-3.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3878-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1153259,1155784,1178890,1178891 CVE References: CVE-2020-27745,CVE-2020-27746 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 15-SP1 (src): slurm-17.11.13-6.34.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): slurm-17.11.13-6.34.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): slurm-17.11.13-6.34.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0773-1: An update that fixes 11 vulnerabilities, contains one feature is now available. Category: security (important) Bug References: 1018371,1065697,1085240,1095508,1123304,1140709,1155784,1159692,1172004,1178890,1178891 CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438,CVE-2020-12693,CVE-2020-27745,CVE-2020-27746 JIRA References: ECO-2412 Sources used: SUSE Linux Enterprise Module for HPC 12 (src): pdsh-2.34-7.32.1, pdsh_slurm_18_08-2.34-7.32.1, pdsh_slurm_20_02-2.34-7.32.1, pdsh_slurm_20_11-2.34-7.32.1, slurm_20_11-20.11.4-3.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.