Bugzilla – Bug 1215190
VUL-0: CVE-2023-41915: pmix: symlink ownership change via race condition during execution of library code with UID 0
Last modified: 2024-06-05 07:48:35 UTC
CVE-2023-41915 OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0. Upstream commit: https://github.com/openpmix/openpmix/pull/3150/commits/383d48d63452d0523319dab20922cb1fb2cb8175 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41915 https://www.cve.org/CVERecord?id=CVE-2023-41915 https://docs.openpmix.org/en/latest/security.html https://github.com/openpmix/openpmix/releases/tag/v4.2.6 https://github.com/openpmix/openpmix/releases/tag/v5.0.1
This is an autogenerated message for OBS integration: This bug (1215190) was mentioned in https://build.opensuse.org/request/show/1110642 Factory / pmix
SUSE-SU-2023:3859-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1215190 CVE References: CVE-2023-41915 Sources used: openSUSE Leap 15.4 (src): pmix-3.2.3-150300.3.8.1 openSUSE Leap 15.5 (src): pmix-3.2.3-150300.3.8.1 HPC Module 15-SP4 (src): pmix-3.2.3-150300.3.8.1 HPC Module 15-SP5 (src): pmix-3.2.3-150300.3.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing