===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2845
                        slurm-llnl security update
                              8 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           slurm-llnl
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15566

Original Bulletin:
   http://www.debian.org/security/2017/dsa-4023

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running slurm-llnl check for an updated version of the software
         for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4023-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 07, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : slurm-llnl
CVE ID         : CVE-2017-15566
Debian Bug     : 880530

Ryan Day discovered that the Simple Linux Utility for Resource
Management (SLURM), a cluster resource management and job scheduling
system, does not properly handle SPANK environment variables, allowing a
user permitted to submit jobs to execute code as root during the Prolog
or Epilog. All systems using a Prolog or Epilog script are vulnerable,
regardless of whether SPANK plugins are in use.

For the stable distribution (stretch), this problem has been fixed in
version 16.05.9-1+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 17.02.9-1.

We recommend that you upgrade your slurm-llnl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
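Added example, not part of the AusCERT bulletin or the Debian advisory: a triage check that compares an installed slurm-llnl package version against the fixed versions quoted in DSA-4023-1 and reports whether slurm.conf sets a Prolog or Epilog, the condition the advisory names as vulnerable. The function names, result labels and sample configuration are assumptions made for illustration; the comparison follows dpkg's version ordering rules.

```python
import re

# Fixed versions as stated in DSA-4023-1.
FIXED = {"stretch": "16.05.9-1+deb9u1", "sid": "17.02.9-1"}
# Constructed sample slurm.conf text (not taken from a real cluster).
SAMPLE_CONF = "ClusterName=demo\n#Prolog=/old/prolog.sh\nEpilog = /etc/slurm-llnl/epilog.sh\n"

def _order(ch):
    # '~' sorts before end-of-string (0); letters sort before other symbols.
    return -1 if ch == "~" else ord(ch) + (0 if ch.isalpha() else 256)

def _cmp_fragment(a, b):
    # Alternate non-digit and digit runs, as dpkg does for each version field.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = _order(na[i]) if i < len(na) else 0
            cb = _order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def deb_version_cmp(v1, v2):
    # Split [epoch:]upstream[-revision]; return -1, 0 or 1.
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if sep else (0, v)
        upstream, sep, rev = rest.rpartition("-")
        return epoch, (upstream if sep else rest), (rev if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def prolog_epilog_settings(conf_text):
    # slurm.conf parameter names are case-insensitive; '#' starts a comment.
    pat = r"(?im)^\s*(prolog|epilog)\s*=\s*([^\s#]+)"
    return {k.lower(): v for k, v in re.findall(pat, conf_text)}

def assess(installed, suite, conf_text):
    # Labels are this example's own: patched / exposed / upgrade-pending.
    if deb_version_cmp(installed, FIXED[suite]) >= 0:
        return "patched"
    return "exposed" if prolog_epilog_settings(conf_text) else "upgrade-pending"
```

On a Debian host the installed version string can be read with `dpkg-query -W -f='${Version}' slurm-llnl` and passed to `assess` together with the contents of slurm.conf.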