SUSE SLES12 Security Update : slurm (SUSE-SU-2017:3311-1)

high Nessus Plugin ID 120011

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for slurm fixes the following issues:

Slurm was updated to 17.02.9 to fix a security bug, bringing new features and bugfixes (fate#323998 bsc#1067580).

Security issue fixed:

- CVE-2017-15566: Fix security issue in Prolog and Epilog by always prepending SPANK_ to all user-set environment variables. (bsc#1065697)

Changes in 17.02.9:

- When resuming powered down nodes, mark DOWN nodes right after ResumeTimeout has been reached (previous logic would wait about one minute longer).

- Fix sreport not showing full column name for TRES Count.

- Fix slurmdb_reservations_get() giving wrong usage data when job's spanned reservation that was modified.

- Fix sreport reservation utilization report showing bad data.

- Show all TRES' on a reservation in sreport reservation utilization report by default.

- Fix sacctmgr show reservation handling 'end' parameter.

- Work around issue with sysmacros.h and gcc7 / glibc 2.25.

- Fix layouts code to only allow setting a boolean.

- Fix sbatch --wait to keep waiting even if a message timeout occurs.

- CRAY - If configured with NodeFeatures=knl_cray and there are non-KNL nodes which include no features the slurmctld will abort without this patch when attempting strtok_r(NULL).

- Fix regression in 17.02.7 which would run the spank_task_privileged as part of the slurmstepd instead of its child process.

Changes in 17.02.8:

- Add 'slurmdbd:' to the accounting plugin to notify message is from dbd instead of local.

- mpi/mvapich - Buffer being only partially cleared. No failures observed.

- Fix for job --switch option on dragonfly network.

- In salloc with --uid option, drop supplementary groups before changing UID.

- jobcomp/elasticsearch - strip any trailing slashes from JobCompLoc.

- jobcomp/elasticsearch - fix memory leak when transferring generated buffer.

- Prevent slurmstepd ABRT when parsing gres.conf CPUs.

- Fix sbatch --signal to signal all MPI ranks in a step instead of just those on node 0.

- Check multiple partition limits when scheduling a job that were previously only checked on submit.

- Cray: Avoid running application/step Node Health Check on the external job step.

- Optimization enhancements for partition based job preemption.

- Address some build warnings from GCC 7.1, and one possible memory leak if /proc is inaccessible.

- If creating/altering a core based reservation with scontrol/sview on a remote cluster correctly determine the select type.

- Fix autoconf test for libcurl when clang is used.

- Fix default location for cgroup_allowed_devices_file.conf to use correct default path.

- Document NewName option to sacctmgr.

- Reject a second PMI2_Init call within a single step to prevent slurmstepd from hanging.

- Handle old 32bit values stored in the database for requested memory correctly in sacct.

- Fix memory leaks in the task/cgroup plugin when constraining devices.

- Make extremely verbose info messages debug2 messages in the task/cgroup plugin when constraining devices.

- Fix issue that would deny the stepd access to /dev/null where GRES has a 'type' but no file defined.

- Fix issue where the slurmstepd would fatal on job launch if you have no gres listed in your slurm.conf but some in gres.conf.

- Fix validating time spec to correctly validate various time formats.

- Make scontrol work correctly with job update timelimit [+|-]=.

- Reduce the visibility of a number of warnings in _part_access_check.

- Prevent segfault in sacctmgr if no association name is specified for an update command.

- burst_buffer/cray plugin modified to work with changes in Cray UP05 software release.

- Fix job reasons for jobs that are violating assoc MaxTRESPerNode limits.

- Fix segfault when unpacking a 16.05 slurm_cred in a 17.02 daemon.

- Fix setting TRES limits with case insensitive TRES names.

- Add alias for xstrncmp() -- slurm_xstrncmp().

- Fix sorting of case insensitive strings when using xstrcasecmp().

- Gracefully handle race condition when reading /proc as process exits.

- Avoid error on Cray duplicate setup of core specialization.

- Skip over undefined (hidden in Slurm) nodes in pbsnodes.

- Add empty hashes in perl api's slurm_load_node() for hidden nodes.

- CRAY - Add rpath logic to work for the alpscomm libs.

- Fixes for administrator extended TimeLimit (job reason & time limit reset).

- Fix gres selection on systems running select/linear.

- sview: Added window decorator for maximize,minimize,close buttons for all systems.

- squeue: interpret negative length format specifiers as a request to delimit values with spaces.

- Fix the torque pbsnodes wrapper script to parse a gres field with a type set correctly.

This update also contains pdsh rebuilt against the new libslurm version.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Module for HPC 12: zypper in -t patch SUSE-SLE-Module-HPC-12-2017-2072=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1007053

https://bugzilla.suse.com/show_bug.cgi?id=1031872

https://bugzilla.suse.com/show_bug.cgi?id=1041706

https://bugzilla.suse.com/show_bug.cgi?id=1065697

https://bugzilla.suse.com/show_bug.cgi?id=1067580

https://www.suse.com/security/cve/CVE-2017-15566/

http://www.nessus.org/u?94496308

Plugin Details

Severity: High

ID: 120011

File Name: suse_SU-2017-3311-1.nasl

Version: 1.4

Type: local

Agent: unix

Published: 1/2/2019

Updated: 1/6/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:libpmi0, p-cpe:/a:novell:suse_linux:libpmi0-debuginfo, p-cpe:/a:novell:suse_linux:libslurm29, p-cpe:/a:novell:suse_linux:libslurm29-debuginfo, p-cpe:/a:novell:suse_linux:libslurm31, p-cpe:/a:novell:suse_linux:libslurm31-debuginfo, p-cpe:/a:novell:suse_linux:pdsh, p-cpe:/a:novell:suse_linux:pdsh-debuginfo, p-cpe:/a:novell:suse_linux:pdsh-debugsource, p-cpe:/a:novell:suse_linux:perl-slurm, p-cpe:/a:novell:suse_linux:perl-slurm-debuginfo, p-cpe:/a:novell:suse_linux:slurm, p-cpe:/a:novell:suse_linux:slurm-auth-none, p-cpe:/a:novell:suse_linux:slurm-auth-none-debuginfo, p-cpe:/a:novell:suse_linux:slurm-debuginfo, p-cpe:/a:novell:suse_linux:slurm-debugsource, p-cpe:/a:novell:suse_linux:slurm-devel, p-cpe:/a:novell:suse_linux:slurm-doc, p-cpe:/a:novell:suse_linux:slurm-lua, p-cpe:/a:novell:suse_linux:slurm-lua-debuginfo, p-cpe:/a:novell:suse_linux:slurm-munge, p-cpe:/a:novell:suse_linux:slurm-munge-debuginfo, p-cpe:/a:novell:suse_linux:slurm-pam_slurm, p-cpe:/a:novell:suse_linux:slurm-pam_slurm-debuginfo, p-cpe:/a:novell:suse_linux:slurm-plugins, p-cpe:/a:novell:suse_linux:slurm-plugins-debuginfo, p-cpe:/a:novell:suse_linux:slurm-sched-wiki, p-cpe:/a:novell:suse_linux:slurm-slurmdb-direct, p-cpe:/a:novell:suse_linux:slurm-slurmdbd, p-cpe:/a:novell:suse_linux:slurm-slurmdbd-debuginfo, p-cpe:/a:novell:suse_linux:slurm-sql, p-cpe:/a:novell:suse_linux:slurm-sql-debuginfo, p-cpe:/a:novell:suse_linux:slurm-torque, p-cpe:/a:novell:suse_linux:slurm-torque-debuginfo, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/14/2017

Vulnerability Publication Date: 11/1/2017

Reference Information

CVE: CVE-2017-15566