Debian has issued an advisory on November 13:
The issue was fixed upstream in 4.2.6, as well as in patches for the 4.1.x and 2.5.x branches, links to which are in the Debian bug:
The upstream announcement is here:
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.
Updated torque packages fix security vulnerability:
A user could submit executable shell commands on the tail of what is passed
with the -M switch for qsub. This was later passed to a pipe, making it
possible for these commands to be executed as root on the pbs_server.
Updated packages in core/updates_testing:
Steps to Reproduce:
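The advisory above describes a `qsub -M` value being handed to a pipe on pbs_server. As an added example (not part of this report and not the upstream Torque patch), the following C code refuses any recipient list containing characters outside an allowlist and splits it into an argument vector suitable for `execv()`, so no shell ever parses it. The function names, the limits, the allowlist and the argv layout are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_RCPT 16    /* assumed limits, not Torque constants */
#define MAX_LIST 1024

/* One recipient: user[@host], allowlisted characters only, and no leading
 * '-' so the mailer can never read it as an option. */
static int rcpt_is_safe(const char *s, size_t n)
{
    size_t i, at = 0;
    if (n == 0 || s[0] == '-' || s[0] == '@' || s[n - 1] == '@')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') { if (++at > 1) return 0; continue; }
        if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != '+')
            return 0;  /* rejects ; | & ` $ quotes, spaces, newlines, ... */
    }
    return 1;
}

/* Validate a comma-separated -M value and split it in place into
 * argv = { mailer, rcpt..., NULL } for execv() (no popen(), no /bin/sh).
 * Returns the recipient count, or -1 if the list must be refused; on
 * failure buf may be partially split and should be discarded. */
int mail_list_to_argv(char *buf, const char *mailer,
                      const char *argv[], size_t argv_len)
{
    size_t len = strlen(buf), start = 0, argc = 0, i;
    int count = 0;

    if (len == 0 || len > MAX_LIST || argv_len < 3)
        return -1;
    argv[argc++] = mailer;
    for (i = 0; i <= len; i++) {
        if (buf[i] != ',' && buf[i] != '\0')
            continue;                      /* still inside a recipient */
        if (!rcpt_is_safe(buf + start, i - start) ||
            count == MAX_RCPT || argc + 1 >= argv_len)
            return -1;
        buf[i] = '\0';                     /* terminate this recipient */
        argv[argc++] = buf + start;
        count++;
        start = i + 1;
    }
    argv[argc] = NULL;
    return count;
}
```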
Testing procedure is here:
Tested and OK on mga2-64 and mga3-64 using the testing procedure:
Testing complete mga3 32
As before, on a system with a hostname set it showed errors. Using the hostname in /etc/torque/nodes instead of localhost cured one, but pbs_mom shows connection errors unless the hostname is also set in /etc/torque/server_name.
After this is done and the services restarted the errors clear.
Also, after starting the trqauthd service, ran qmgr as below, which displays some settings.
# qmgr -c 'p s'
Testing complete mga2 32
In the mga2 version there is no separate trqauthd, but qmgr works without it.
Validating. Advisory uploaded.
Could sysadmin please push from 2&3 core/updates_testing to updates?