Source: slurm-wlm Version: 23.02.6-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi Gennaro, The following vulnerabilities were published for slurm-wlm. CVE-2023-49933[0]: | An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and | 23.11.x. There is Improper Enforcement of Message Integrity During | Transmission in a Communication Channel. This allows attackers to | modify RPC traffic in a way that bypasses message hash checks. The | fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49935[1]: | An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There | is Incorrect Access Control because of a slurmd Message Integrity | Bypass. An attacker can reuse root-level authentication tokens | during interaction with the slurmd process. This bypasses the RPC | message hashes that protect against undesired MUNGE credential | reuse. The fixed versions are 23.02.7 and 23.11.1. CVE-2023-49936[2]: | An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and | 23.11.x. A NULL pointer dereference leads to denial of service. The | fixed versions are 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49937[3]: | An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and | 23.11.x. Because of a double free, attackers can cause a denial of | service or possibly execute arbitrary code. The fixed versions are | 22.05.11, 23.02.7, and 23.11.1. CVE-2023-49938[4]: | An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There | is Incorrect Access Control: an attacker can modified their extended | group list that is used with the sbcast subsystem, and open files | with an unauthorized set of extended groups. The fixed versions are | 22.05.11 and 23.02.7. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-49933 https://www.cve.org/CVERecord?id=CVE-2023-49933 [1] https://security-tracker.debian.org/tracker/CVE-2023-49935 https://www.cve.org/CVERecord?id=CVE-2023-49935 [2] https://security-tracker.debian.org/tracker/CVE-2023-49936 https://www.cve.org/CVERecord?id=CVE-2023-49936 [3] https://security-tracker.debian.org/tracker/CVE-2023-49937 https://www.cve.org/CVERecord?id=CVE-2023-49937 [4] https://security-tracker.debian.org/tracker/CVE-2023-49938 https://www.cve.org/CVERecord?id=CVE-2023-49938 Regards, Salvatore