Bug#1010632: slurm-wlm: CVE-2022-29502

2022-05-09 Thread Jörg Behrmann
Package: slurm-wlm
Version: 20.11.7+really20.11.4-2
Followup-For: Bug #1010632

This bug is also present in the package version released in bullseye and
fixed in upstream version 20.11.9.

bullseye should definitely receive this update.


-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-13-amd64 (SMP w/6 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages slurm-wlm depends on:
ii  slurm-client  20.11.7+really20.11.4-2
ii  slurmctld     20.11.7+really20.11.4-2
ii  slurmd        20.11.7+really20.11.4-2

slurm-wlm recommends no packages.

slurm-wlm suggests no packages.

-- no debconf information



Bug#1010632: slurm-wlm: CVE-2022-29502

2022-05-05 Thread Salvatore Bonaccorso
Source: slurm-wlm
Version: 21.08.7-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for slurm-wlm.

CVE-2022-29502[0]:
| SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control
| that leads to Escalation of Privileges.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29502
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29502
[1] https://lists.schedmd.com/pipermail/slurm-announce/2022/72.html
[2] https://github.com/SchedMD/slurm/commit/351669e7db3b5bc84b5791dc3626d683b8abe18e

Regards,
Salvatore