Debian has issued an advisory today (October 9):
http://lists.debian.org/debian-security-announce/2013/msg00181.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated torque package fixes security vulnerability:

A non-privileged user who was able to run jobs or login to a node which ran pbs_server or pbs_mom, could submit arbitrary jobs to a pbs_mom daemon to queue and run the job, which would run as root (CVE-2013-4319).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4319
http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html
http://www.debian.org/security/2013/dsa-2770
========================

Updated packages in core/updates_testing:
========================
torque-2.5.12-1.1.mga2
libtorque2-2.5.12-1.1.mga2
libtorque-devel-2.5.12-1.1.mga2
torque-client-2.5.12-1.1.mga2
torque-server-2.5.12-1.1.mga2
torque-sched-2.5.12-1.1.mga2
torque-mom-2.5.12-1.1.mga2
torque-gui-2.5.12-1.1.mga2
torque-4.1.5.1-1.1.mga3
libtorque2-4.1.5.1-1.1.mga3
libtorque-devel-4.1.5.1-1.1.mga3
torque-client-4.1.5.1-1.1.mga3
torque-server-4.1.5.1-1.1.mga3
torque-sched-4.1.5.1-1.1.mga3
torque-mom-4.1.5.1-1.1.mga3
torque-gui-4.1.5.1-1.1.mga3

from SRPMS:
torque-2.5.12-1.1.mga2.src.rpm
torque-4.1.5.1-1.1.mga3.src.rpm
CC: (none) => dirteat
Whiteboard: (none) => MGA2TOO
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6082#c5
Whiteboard: MGA2TOO => MGA2TOO has_procedure
To test the torque mom daemon, please start from a clean install and then:

1) Install torque-server, torque-sched, torque-mom.

2) Execute as root
   service pbs_server start
   service pbs_sched start
   and verify that the daemon runs
   service pbs_server status
   service pbs_sched status

3) Edit /etc/torque/nodes by appending the line
   localhost np=1

4) Start mom daemon
   service pbs_mom start

5) Check that it works
   service pbs_mom status

You're done!

Cheers, chris.
Thanks for the procedure Chris. Testing complete mga3 64
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-64-ok
Sorry that was mga2 64, testing others shortly
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-64-ok
Testing complete mga2 32 and mga3 32 & 64.

Found that any with a hostname set had to have hostname in /etc/torque/nodes rather than 'localhost', or restarting pbs_server shows an error in the status.

LOG_ERROR::get_node_from_str, Node localhost is reporting on node <hostname>, which pbs_server doesn't know about

Once set though and restarted, the error cleared.
Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Suffers from the same harmless warnings during removal as quagga and dropbear (see bug 11458) due to the redundant SysV init scripts.
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates?

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
"LOG_ERROR::get_node_from_str, Node localhost is reporting on node <hostname>, which pbs_server doesn't know about"

Yes, I fought for a while with this. If "localhost" is not your hostname, pbs_server fails, and the way you solved it is what is in the Torque manual. (I'll add a README to the torque package for mga4 to make various of these annoying "features" clearer.)

Thanks Claire.
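A pre-flight check for the hostname issue discussed in the comments above, as an added example that is not part of the thread or of the Torque project. The function name `check_nodes` and the hostname `node01.example` are hypothetical; it assumes the node name is the first whitespace-separated field of each entry and that lines starting with `#` are comments.

```shell
#!/bin/sh
# Added example: check a Torque nodes file before (re)starting pbs_server.
# check_nodes FILE HOST
#   returns 0 if HOST is listed as a node name
#   returns 1 if HOST is missing (the case behind the get_node_from_str error)
#   returns 2 if FILE cannot be read
check_nodes() {
    file=$1
    host=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # First field of each entry is the node name.
    # Assumption: blank lines and lines starting with '#' carry no entry.
    names=$(awk 'NF && $1 !~ /^#/ { print $1 }' "$file")
    if printf '%s\n' "$names" | grep -Fxq -- "$host"; then
        return 0
    fi
    if printf '%s\n' "$names" | grep -Fxq -- "localhost"; then
        echo "$file lists 'localhost' but this host is '$host'" >&2
    else
        echo "$file has no entry for '$host'" >&2
    fi
    return 1
}

# Constructed sample: the procedure's 'localhost np=1' entry on a machine
# whose hostname is (hypothetically) node01.example.
sample=$(mktemp)
printf '# constructed sample\nlocalhost np=1\n' > "$sample"
if check_nodes "$sample" "node01.example"; then
    echo "nodes file ok"
else
    echo "nodes file needs the real hostname"
fi

# After replacing the entry with the hostname, the check passes.
printf 'node01.example np=1\n' > "$sample"
check_nodes "$sample" "node01.example" && echo "nodes file ok after edit"
rm -f "$sample"
```

On a test machine the equivalent call would be `check_nodes /etc/torque/nodes "$(hostname)"`, run after step 3 of the procedure.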
Update pushed: http://advisories.mageia.org/MGASA-2013-0308.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED