Mageia Bugzilla – Bug 11421
torque new security issue CVE-2013-4319
Last modified: 2013-10-17 22:04:47 CEST
Debian has issued an advisory today (October 9):
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.
Updated torque package fixes security vulnerability:
A non-priviledged user who was able to run jobs or login to a node which ran
pbs_server or pbs_mom, could submit arbitrary jobs to a pbs_mom daemon to queue
and run the job, which would run as root (CVE-2013-4319).
Updated packages in core/updates_testing:
Steps to Reproduce:
To test the torque mom daemon, please start from a clean install and then.
1) Install torque-server, torque-sched, torque-mom.
2) Execute as root
service pbs_server start
service pbs_sched start
verifies that the daemon runs
service pbs_server status
service pbs_sched status
3) Edit /etc/torque/nodes by appending the line
4) start mom daemon
service pbs_mom start
5) check that it works
service pbs_mom status
Thanks for the procedure Chris.
Testing complete mga3 64
Sorry that was mga2 64, testing others shortly
Testing complete mga2 32 and mga3 32 & 64
Found that any with a hostname set had to have hostname in /etc/torque/nodes rather than 'localhost' or restarting pbs_server shows an error in the status.
LOG_ERROR::get_node_from_str, Node localhost is reporting on node <hostname>, which pbs_server doesn't know about
Once set though and restarted, the error cleared.
Suffers from the same harmless warnings during removal as quagga and dropbear (see bug 11458) due to the redundant SysV init scripts.
Validating. Advisory uploaded.
Could sysadmin please push from 2&3 core/updates_testing to updates
"LOG_ERROR::get_node_from_str, Node localhost is reporting on node <hostname>, which pbs_server doesn't know about"
yes, I fought for a while with this, if "localhost" is not your hostname pbs_server fails and the way you solved is what is in the Torque manual.
(I'll add a README to the torque package for mga4 to make various of these annoying "features" clearer)