-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1628
                          torque security update
                             14 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           torque
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4495  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2796

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running torque check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2796-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
November 13, 2013                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : torque
Vulnerability  : arbitrary code execution
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4495
Debian Bug     : 729333

Matt Ezell from Oak Ridge National Labs reported a vulnerability in
torque, a PBS-derived batch processing queueing system.

A user could submit executable shell commands on the tail of what is
passed with the -M switch for qsub. This was later passed to a pipe,
making it possible for these commands to be executed as root on the
pbs_server.
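
The defensive pattern for this class of flaw, as an added example (not TORQUE's code and not part of the Debian advisory): the mail list is checked against qsub's documented user[@host][,user[@host],...] form and handed to the mailer as an argv vector, so no shell ever interprets it. The function names, the MAX_RCPT limit and the mailer path parameter are assumptions made for illustration.

```c
/* Added example: names and limits are assumptions, not TORQUE source. */
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_RCPT 16   /* assumed cap on recipients per job */

/* One recipient, user[@host]: allowlisted characters, no leading '-'. */
static int rcpt_is_safe(const char *s, size_t n) {
    int at = 0;
    if (n == 0 || n > 254 || s[0] == '-' || s[0] == '@' || s[n - 1] == '@')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') { if (++at > 1) return 0; }
        else if (!isalnum(c) && !strchr("._+-", c)) return 0;
    }
    return 1;
}

/* Split "a@x,b" in place into out[]; returns the count, or -1 to reject. */
int split_mail_list(char *list, char **out, int max) {
    int n = 0;
    for (char *p = list;;) {
        size_t len = strcspn(p, ",");
        int last = (p[len] == '\0');
        if (n == max || !rcpt_is_safe(p, len)) return -1;
        p[len] = '\0';
        out[n++] = p;
        if (last) return n;
        p += len + 1;
    }
}

/* Run the mailer from an argv vector, so no shell ever parses the list.
   The child inherits stdin, where the caller supplies the message. */
int send_mail(const char *mailer, char *list) {
    char *argv[MAX_RCPT + 2] = { (char *)mailer };
    int st, n = split_mail_list(list, argv + 1, MAX_RCPT);
    if (n < 0) return -1;                 /* refuse the whole list */
    argv[1 + n] = NULL;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(mailer, argv); _exit(127); }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}
```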

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.4.8+dfsg-9squeeze3.

For the stable distribution (wheezy), this problem has been fixed in
version 2.4.16+dfsg-1+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.16+dfsg-1.3.

We recommend that you upgrade your torque packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----