Debian has issued an advisory today (October 9):
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.
Updated torque package fixes security vulnerability:
A non-privileged user who was able to run jobs or log in to a node which ran
pbs_server or pbs_mom, could submit arbitrary jobs to a pbs_mom daemon to queue
and run the job, which would run as root (CVE-2013-4319).
Updated packages in core/updates_testing:
Steps to Reproduce:
To test the torque mom daemon, please start from a clean install and then:
1) Install torque-server, torque-sched, torque-mom.
2) Execute as root
service pbs_server start
service pbs_sched start
verify that the daemons are running
service pbs_server status
service pbs_sched status
3) Edit /etc/torque/nodes by appending the line
4) start mom daemon
service pbs_mom start
5) check that it works
service pbs_mom status
Thanks for the procedure Chris.
Testing complete mga3 64
MGA2TOO has_procedure =>
MGA2TOO has_procedure mga3-64-ok
Sorry that was mga2 64, testing others shortly
MGA2TOO has_procedure mga3-64-ok =>
MGA2TOO has_procedure mga2-64-ok
Testing complete mga2 32 and mga3 32 & 64
Found that any with a hostname set had to have the hostname in /etc/torque/nodes rather than 'localhost', or restarting pbs_server shows an error in the status.
LOG_ERROR::get_node_from_str, Node localhost is reporting on node <hostname>, which pbs_server doesn't know about
Once set though and restarted, the error cleared.
MGA2TOO has_procedure mga2-64-ok =>
MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Suffers from the same harmless warnings during removal as quagga and dropbear (see bug 11458) due to the redundant SysV init scripts.
Validating. Advisory uploaded.
Could sysadmin please push from 2&3 core/updates_testing to updates?
"LOG_ERROR::get_node_from_str, Node localhost is reporting on node <hostname>, which pbs_server doesn't know about"
Yes, I fought with this for a while: if "localhost" is not your hostname, pbs_server fails, and the way you solved it is what is in the Torque manual.
(I'll add a README to the torque package for mga4 to make various of these annoying "features" clearer)
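A pre-flight check for the hostname/nodes mismatch discussed above, as an added example that is not part of this thread or of the torque package. The function names are hypothetical, and it assumes the node name is the first whitespace-separated field of each non-comment line in the nodes file.

```shell
#!/bin/sh
# Added example: check a Torque nodes file against the machine's hostname
# before (re)starting pbs_server. Function names are illustrative only.
# Assumption: the node name is the first field of each non-blank,
# non-comment line in the nodes file.

# nodes_has_host FILE HOST -> exit status 0 if HOST is listed as a node name
nodes_has_host() {
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        $1 == h        { found = 1 }
        END            { exit (found ? 0 : 1) }
    ' "$1"
}

# unknown_node_from_log: read pbs_server status/log text on stdin and print
# each node name that pbs_server reports it does not know about.
unknown_node_from_log() {
    sed -n 's/.*get_node_from_str, Node .* is reporting on node \(.*\), which pbs_server doesn.t know about.*/\1/p'
}

# check_nodes FILE HOST -> prints a verdict; returns 0 only when HOST is listed
check_nodes() {
    if nodes_has_host "$1" "$2"; then
        echo "ok: $2 is listed in $1"
    elif nodes_has_host "$1" localhost; then
        # The case hit during testing: file says localhost, host has a name
        echo "mismatch: $1 lists localhost but the hostname is $2"
        return 1
    else
        echo "missing: $2 is not listed in $1"
        return 2
    fi
}

# When run directly: sh check_nodes.sh /etc/torque/nodes [hostname]
if [ "$#" -ge 1 ]; then
    check_nodes "$1" "${2:-$(hostname)}"
fi
```

Piping the `service pbs_server status` output through `unknown_node_from_log` prints the name that has to be added to the nodes file.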