[SECURITY] [DSA 4254-1] slurm-llnl security update

2018-07-2419:33:09

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Debian Security Advisory DSA-4254-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
July 24, 2018 https://www.debian.org/security/faq

Package : slurm-llnl
CVE ID : CVE-2018-7033 CVE-2018-10995
Debian Bug : 893044 900548

Several vulnerabilities were discovered in the Simple Linux Utility for
Resource Management (SLURM), a cluster resource management and job
scheduling system. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2018-7033

Incomplete sanitization of user-provided text strings could lead to
SQL injection attacks against slurmdbd.

CVE-2018-10995

Insecure handling of user_name and gid fields leading to improper
authentication handling.

For the stable distribution (stretch), these problems have been fixed in
version 16.05.9-1+deb9u2.

We recommend that you upgrade your slurm-llnl packages.

For the detailed security status of slurm-llnl please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/slurm-llnl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8i386libslurm27< 14.03.9-5+deb8u3libslurm27_14.03.9-5+deb8u3_i386.deb
Debian9mipsslurm-client< 16.05.9-1+deb9u2slurm-client_16.05.9-1+deb9u2_mips.deb
Debian9arm64libpam-slurm-dbgsym< 16.05.9-1+deb9u2libpam-slurm-dbgsym_16.05.9-1+deb9u2_arm64.deb
Debian8i386libslurmdb-perl< 14.03.9-5+deb8u3libslurmdb-perl_14.03.9-5+deb8u3_i386.deb
Debian9amd64libpmi2-0-dev< 16.05.9-1+deb9u2libpmi2-0-dev_16.05.9-1+deb9u2_amd64.deb
Debian7armelslurm-llnl-basic-plugins-dev< 2.3.4-2+deb7u2slurm-llnl-basic-plugins-dev_2.3.4-2+deb7u2_armel.deb
Debian9s390xlibslurm-perl< 16.05.9-1+deb9u2libslurm-perl_16.05.9-1+deb9u2_s390x.deb
Debian9mipslibpam-slurm-dbgsym< 16.05.9-1+deb9u2libpam-slurm-dbgsym_16.05.9-1+deb9u2_mips.deb
Debian7i386slurm-llnl< 2.3.4-2+deb7u2slurm-llnl_2.3.4-2+deb7u2_i386.deb
Debian9mips64ellibslurm30< 16.05.9-1+deb9u2libslurm30_16.05.9-1+deb9u2_mips64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	i386	libslurm27	< 14.03.9-5+deb8u3	libslurm27_14.03.9-5+deb8u3_i386.deb
Debian	9	mips	slurm-client	< 16.05.9-1+deb9u2	slurm-client_16.05.9-1+deb9u2_mips.deb
Debian	9	arm64	libpam-slurm-dbgsym	< 16.05.9-1+deb9u2	libpam-slurm-dbgsym_16.05.9-1+deb9u2_arm64.deb
Debian	8	i386	libslurmdb-perl	< 14.03.9-5+deb8u3	libslurmdb-perl_14.03.9-5+deb8u3_i386.deb
Debian	9	amd64	libpmi2-0-dev	< 16.05.9-1+deb9u2	libpmi2-0-dev_16.05.9-1+deb9u2_amd64.deb
Debian	7	armel	slurm-llnl-basic-plugins-dev	< 2.3.4-2+deb7u2	slurm-llnl-basic-plugins-dev_2.3.4-2+deb7u2_armel.deb
Debian	9	s390x	libslurm-perl	< 16.05.9-1+deb9u2	libslurm-perl_16.05.9-1+deb9u2_s390x.deb
Debian	9	mips	libpam-slurm-dbgsym	< 16.05.9-1+deb9u2	libpam-slurm-dbgsym_16.05.9-1+deb9u2_mips.deb
Debian	7	i386	slurm-llnl	< 2.3.4-2+deb7u2	slurm-llnl_2.3.4-2+deb7u2_i386.deb
Debian	9	mips64el	libslurm30	< 16.05.9-1+deb9u2	libslurm30_16.05.9-1+deb9u2_mips64el.deb