Bug 29040

Summary: slurm new security issue CVE-2021-31215
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, eatdirt, ouaurelien, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: slurm-20.11.2-1.mga8.src.rpm
CVE: CVE-2021-31215
Status comment:

Description David Walser 2021-05-30 04:07:25 CEST
Fedora has issued an advisory on May 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3ODMJQNY4FAV7G3DSKVIO5KY7Q7DKBPU/

The issue is fixed upstream in 20.11.7.

Mageia 8 is also affected.
David Walser 2021-05-30 04:07:40 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 20.11.7

Comment 1 Chris Denice 2021-05-31 11:22:23 CEST
New version 20.11.7 landing in updates_testing and Cauldron.


Updated slurm packages to fix security issue CVE-2021-31215.


Updated packages in core/updates_testing:
========================
slurm-20.11.7-1.mga8
lib(64)slurm36-20.11.7-1.mga8
lib(64)slurm-devel-20.11.7-1.mga8
lib(64)slurm-static-devel-20.11.7-1.mga8

Source RPMs: 
slurm-20.11.7-1.mga8.src.rpm

CC: (none) => eatdirt
Assignee: eatdirt => qa-bugs

Thomas Backlund 2021-05-31 12:10:49 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 2 Thomas Andrews 2021-06-09 02:10:42 CEST
A look back in Bugzilla reveals that slurm is a recent addition to Mageia, and there are no earlier updates with test suggestions.

According to https://slurm.schedmd.com/overview.html slurm is "an open source, fault-tolerant, and highly scalable cluster management and job scheduling system for large and small Linux clusters." Reading the rest of that page, it becomes obvious that testing even the most basic of operations of slurm is much too complicated for most of QA - or maybe at least for me.

I can test for a clean install over the original, and I did do that in VirtualBox. So, I am going to give this an OK and validate, with the advisory in Comment 1. If there is something else I should do, please let me know.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-06-13 21:52:28 CEST

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-31215

Comment 3 Aurelien Oudelet 2021-06-13 21:56:04 CEST
Advisory:
========================

Updated slurm packages fix a security vulnerability:

SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling (CVE-2021-31215).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29040
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31215
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3ODMJQNY4FAV7G3DSKVIO5KY7Q7DKBPU/
========================

Updated packages in 8/core/updates_testing:
========================
slurm-20.11.7-1.mga8
lib(64)slurm36-20.11.7-1.mga8
lib(64)slurm-devel-20.11.7-1.mga8
lib(64)slurm-static-devel-20.11.7-1.mga8

Source RPMs: 
slurm-20.11.7-1.mga8.src.rpm

Status comment: Fixed upstream in 20.11.7 => (none)
Source RPM: slurm-20.11.2-2.mga9.src.rpm => slurm-20.11.2-1.mga8.src.rpm
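A defender-side exposure check built from the affected ranges and the trigger named in the advisory above, added here as an example (not Mageia's or SchedMD's code): it assumes the version ranges exactly as stated (fixed in 20.02.7 and 20.11.7), and the slurm.conf fragment is constructed.

```python
import re

# Fixed versions named in the advisory for CVE-2021-31215 (assumption: ranges as stated).
FIXED_20_02 = (20, 2, 7)
FIXED_20_11 = (20, 11, 7)

# Constructed sample slurm.conf fragment (not taken from the page).
SAMPLE_SLURM_CONF = """\
# slurm.conf - constructed sample
ClusterName=lab
SlurmUser=slurm
PrologSlurmctld=/etc/slurm/prolog_ctld.sh
#EpilogSlurmctld=/etc/slurm/epilog_ctld.sh
"""

def parse_version(text):
    """Turn '20.11.2-1.mga8' or '20.11.7' into the tuple (20, 11, 2)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised slurm version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version):
    """Apply the advisory's affected ranges to a package version string."""
    v = parse_version(version)
    if v < (20, 3, 0):           # 20.02 branch and older: fixed in 20.02.7
        return v < FIXED_20_02
    if v < (20, 12, 0):          # 20.03.x .. 20.11.x: fixed in 20.11.7
        return v < FIXED_20_11
    return False                 # newer branches are outside this advisory

def ctld_scripts(conf):
    """Return the active (uncommented) PrologSlurmctld/EpilogSlurmctld settings."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, _, value = line.partition("=")
        if key.strip() in ("PrologSlurmctld", "EpilogSlurmctld"):
            found[key.strip()] = value.strip()
    return found

def assess(version, conf):
    """Combine the version check and the config check into one verdict."""
    scripts = ctld_scripts(conf)
    if not is_vulnerable_version(version):
        return "patched"
    if scripts:
        return "exposed"        # vulnerable version and the trigger is configured
    return "vulnerable-version-only"
```

Run it against the installed package version (for example the output of `rpm -q slurm`) and the live slurm.conf; "exposed" means the update in this bug should be applied before the next job runs through those scripts.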

Comment 4 Mageia Robot 2021-06-13 23:34:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0253.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED