Your message dated Thu, 28 Nov 2013 22:17:34 +0000
with message-id <e1vm9tu-0001h1...@franck.debian.org>
and subject line Bug#729333: fixed in torque 2.4.16+dfsg-1+deb7u2
has caused the Debian Bug report #729333,
regarding torque: CVE-2013-4495
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
729333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729333
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: torque
Version: 2.4.8+dfsg-9
Severity: grave
Tags: security upstream patch fixed-upstream pending
Justification: user security hole

Hi

Torque upstream has released 4.2.6 fixing CVE-2013-4495[1]: "pbs_user
used popen to send mail using the email addresses specified on the
command line, which posed a security risk. TORQUE no longer allows you
to run root commands in the email portion of qsub (TRQ-2310). CVE
2013-4495".

 [1] https://www.adaptivecomputing.com/wp-content/uploads/releasenotes/releaseNotes-4.2.6.html

In upstream git there are the relevant commits for older branches as
well:

 [2] https://github.com/adaptivecomputing/torque/commit/2aad72c3d2ac612ecbb66828ac6ed5ab51eff5f3
 [3] https://github.com/adaptivecomputing/torque/commit/64da0af7ed27284f3397081313850bba270593db

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: torque
Source-Version: 2.4.16+dfsg-1+deb7u2

We believe that the bug you reported is fixed in the latest version of
torque, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated torque package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Nov 2013 22:44:32 +0100
Source: torque
Binary: torque-common torque-server torque-pam torque-scheduler torque-client torque-mom torque-client-x11 libtorque2 libtorque2-dev
Architecture: source amd64
Version: 2.4.16+dfsg-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Morten Kjeldgaard <m...@bioxray.au.dk>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description: 
 libtorque2 - shared library for Torque client and server
 libtorque2-dev - header files for libtorque2
 torque-client - command line interface to Torque server
 torque-client-x11 - GUI for torque clients
 torque-common - Torque Queueing System shared files
 torque-mom - job execution engine for Torque batch system
 torque-pam - PAM module for PBS MOM nodes
 torque-scheduler - scheduler part of Torque
 torque-server - PBS-derived batch processing server
Closes: 725870 729333
Changes: 
 torque (2.4.16+dfsg-1+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add fix-FTBFS-on-kfreebsd.patch patch.
     Fix FTBFS on kfreebsd-{amd64,i386} due to use of deprecated header
     <nlist.h>. Switch to use <bsd/nlist.h>. (Closes: #725870)
   * Add CVE-2013-4495.patch patch.
     CVE-2013-4495: the pbs_server daemon would pass some user-input data to
     popen() in order to send an email allowing remote privilege escalation.
     (Closes: #729333)


--- End Message ---
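
The changelog above attributes CVE-2013-4495 to user-supplied data reaching popen() when pbs_server sends mail. The following C example is added here for illustration and is not the Debian or upstream patch: it shows the general mitigation of validating each recipient against an allowlist and starting the mailer with an argument vector instead of a shell command string. The names `addr_is_safe` and `send_mail_noshell`, the mailer path parameter and the `mailer -- recipient` argument layout are assumptions.

```c
#include <ctype.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for one recipient: alphanumerics plus "@._+-", bounded length,
 * and no leading '-' so it can never be parsed as a mailer option. */
int addr_is_safe(const char *a)
{
    size_t n = strlen(a);
    if (n == 0 || n > 254 || a[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)a[i]) && !strchr("@._+-", a[i]))
            return 0;
    return 1;
}

/* Pipe `body` to `mailer -- to` with no shell involved. `mailer` is an
 * assumed absolute path (for example a sendmail binary). Returns the mailer's
 * exit status, or -1 if the address is rejected or the child cannot be run. */
int send_mail_noshell(const char *mailer, const char *to, const char *body)
{
    int fds[2], status = 0;
    if (!addr_is_safe(to) || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: stdin <- pipe, then exec */
        char *argv[] = { (char *)mailer, "--", (char *)to, NULL };
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(mailer, argv);              /* argv vector: nothing is re-parsed */
        _exit(127);                       /* exec failed */
    }
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);             /* mailer may exit before reading */
    ssize_t w = write(fds[1], body, strlen(body));
    (void)w;
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the recipient is a single argv element and never passes through `/bin/sh`, shell metacharacters in it have no special meaning; the allowlist is a second layer that also blocks option-style values.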