Bugzilla – Bug 1216207
VUL-0: CVE-2023-41914: slurm,slurm_18_08,slurm_20_02,slurm_20_11,slurm_22_05,slurm_23_02,slurmlibs: race conditions causing file overwrites
Last modified: 2024-06-07 15:02:46 UTC
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41914
https://groups.google.com/g/slurm-users/c/N9WHFVefSHA

Slurm versions 23.02.6 and 22.05.10 are now available to address a number of filesystem race conditions that could let an attacker take control of an arbitrary file, or remove entire directories' contents (CVE-2023-41914).

SchedMD customers were informed on September 27th and provided a patch on request; this process is documented in our security policy [1].

--------

CVE-2023-41914: A number of race conditions have been identified within the slurmd/slurmstepd processes that can lead to the user taking ownership of an arbitrary file on the system. A related issue can lead to the user overwriting an arbitrary file on the compute node (although with data that is not directly under their control). A related issue can also lead to the user deleting all files and sub-directories of an arbitrary target directory on the compute node.

Thank you to François Diakhate (CEA) for reporting the original issue to us. A number of related issues were found during an extensive audit of Slurm's filesystem handling code in reaction to that report, and are included here in this same disclosure.

--------

SchedMD only issues security fixes for the supported releases (currently 23.02 and 22.05). Due to the complexity of these fixes, we do not recommend attempting to backport the fixes to older releases, and strongly encourage sites to upgrade to fixed versions immediately.

Downloads are available at https://www.schedmd.com/downloads.php .
Submissions predated this ticket:

Slurm v23.03:
310340: SUSE:SLE-15-SP5:Update
310341 SUSE:SLE-12-SP2:GA:Products:Update
310342 SUSE:SLE-15-SP1:Update
310343 SUSE:SLE-15-SP3:Update
310344 SUSE:SLE-15-SP3:Update

Slurm v22.05:
310348: SUSE:SLE-12-SP2:GA:Products:Update
310349: SUSE:SLE-15-SP1:Update
310350: SUSE:SLE-15-SP2:Update
310351: SUSE:SLE-15-SP3:Update
Submissions:

Slurm v20.11:
310525 SUSE:SLE-15-SP3:Update
310526 SUSE:SLE-12-SP2:GA:Products:Update
310527 SUSE:SLE-15-SP1:Update
310528 SUSE:SLE-15-SP2:Update

Slurm v20.02:
310613 SUSE:SLE-15-SP2:Update
310614 SUSE:SLE-12-SP2:GA:Products:Update
310615 SUSE:SLE-15-SP1:Update

Slurm v18.08:
310638 SUSE:SLE-15-SP1:Update
310639 SUSE:SLE-12-SP2:GA:Products:Update

Slurm v17.02:
310640 SUSE:SLE-12-SP2:GA:Products:Update
This is an autogenerated message for OBS integration: This bug (1216207) was mentioned in https://build.opensuse.org/request/show/1118220 Factory / slurm
SUSE-SU-2023:4114-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): slurm-20.11.9-150300.4.9.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): slurm-20.11.9-150300.4.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4113-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): slurm_20_11-20.11.9-150100.3.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4121-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): slurm-18.08.9-150100.3.25.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4120-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: HPC Module 12 (src): slurm-17.02.11-6.56.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4119-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: HPC Module 12 (src): slurm_20_02-20.02.7-3.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4118-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): slurm_20_02-20.02.7-150100.3.27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4117-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: HPC Module 12 (src): slurm_18_08-18.08.9-3.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4116-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm-20.02.7-150200.3.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4115-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: HPC Module 12 (src): slurm_20_11-20.11.9-3.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4329-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1208810, 1216207 CVE References: CVE-2023-41914 Sources used: openSUSE Leap 15.4 (src): slurm_20_11-20.11.9-150200.6.13.1 openSUSE Leap 15.5 (src): slurm_20_11-20.11.9-150200.6.13.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm_20_11-20.11.9-150200.6.13.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4566-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: openSUSE Leap 15.3 (src): slurm_23_02-23.02.6-150300.7.14.1 openSUSE Leap 15.4 (src): slurm_23_02-23.02.6-150300.7.14.1 HPC Module 15-SP4 (src): slurm_23_02-23.02.6-150300.7.14.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): slurm_23_02-23.02.6-150300.7.14.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): slurm_23_02-23.02.6-150300.7.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4565-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm_23_02-23.02.6-150200.5.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4564-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): slurm_23_02-23.02.6-150100.3.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4563-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: HPC Module 12 (src): slurm_23_02-23.02.6-3.13.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4582-1: An update that solves one vulnerability and has two security fixes can now be installed. Category: security (important) Bug References: 1208810, 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: HPC Module 12 (src): slurm_22_05-22.05.10-3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4581-1: An update that solves one vulnerability and has two security fixes can now be installed. Category: security (important) Bug References: 1208810, 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): slurm_22_05-22.05.10-150100.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4580-1: An update that solves one vulnerability and has two security fixes can now be installed. Category: security (important) Bug References: 1208810, 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm_22_05-22.05.10-150200.5.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4579-1: An update that solves one vulnerability and has two security fixes can now be installed. Category: security (important) Bug References: 1208810, 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: openSUSE Leap 15.3 (src): slurm_22_05-22.05.10-150300.7.6.1 openSUSE Leap 15.4 (src): slurm_22_05-22.05.10-150300.7.6.1 openSUSE Leap 15.5 (src): slurm_22_05-22.05.10-150300.7.6.1 HPC Module 15-SP4 (src): slurm_22_05-22.05.10-150300.7.6.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): slurm_22_05-22.05.10-150300.7.6.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): slurm_22_05-22.05.10-150300.7.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4578-1: An update that solves one vulnerability and has one security fix can now be installed. Category: security (important) Bug References: 1216207, 1216869 CVE References: CVE-2023-41914 Sources used: SUSE Package Hub 15 15-SP5 (src): slurm-23.02.6-150500.5.12.1 openSUSE Leap 15.5 (src): slurm-23.02.6-150500.5.12.1 HPC Module 15-SP5 (src): slurm-23.02.6-150500.5.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Can you check why https://smelt.suse.de/incident/31080/ has not been released for SLE-15-SP4? While this package appeared in SLE-15-SP3, SLE-15-SP4 still contains the same code stream.
slurm is forked into the SP4 codestream: SUSE:SLE-15-SP4:Update/slurm. We will also need a submit there.
SUSE-SU-2024:0279-1: An update that solves five vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1216207, 1216869, 1217711, 1218046, 1218050, 1218051, 1218053 CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938 Sources used: openSUSE Leap 15.3 (src): slurm-20.11.9-150300.4.12.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): slurm-20.11.9-150300.4.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0288-1: An update that solves five vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1216207, 1216869, 1217711, 1218046, 1218050, 1218051, 1218053 CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938 Sources used: openSUSE Leap 15.5 (src): slurm_20_11-20.11.9-150200.6.16.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm_20_11-20.11.9-150200.6.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0313-1: An update that solves five vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1216207, 1216869, 1218046, 1218050, 1218051, 1218053 CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938 Sources used: HPC Module 12 (src): slurm_18_08-18.08.9-3.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0314-1: An update that solves five vulnerabilities and has three security fixes can now be installed. Category: security (important) Bug References: 1208810, 1216207, 1216869, 1217711, 1218046, 1218050, 1218051, 1218053 CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938 Sources used: openSUSE Leap 15.4 (src): slurm-20.11.9-150400.3.3.1 SUSE Package Hub 15 15-SP5 (src): slurm-20.11.9-150400.3.3.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): slurm-20.11.9-150400.3.3.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): slurm-20.11.9-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing