Debian has issued an advisory on November 13:
http://lists.debian.org/debian-security-announce/2013/msg00208.html

The issue was fixed upstream in 4.2.6, as well as in patches for the 4.1.x and 2.5.x branches, links to which are in the Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729333

The upstream announcement is here:
http://www.supercluster.org/pipermail/torqueusers/2013-November/016425.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated torque packages fix security vulnerability:

A user could submit executable shell commands on the tail of what is passed with the -M switch for qsub. This was later passed to a pipe, making it possible for these commands to be executed as root on the pbs_server (CVE-2013-4495).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4495
http://www.supercluster.org/pipermail/torqueusers/2013-November/016425.html
http://www.debian.org/security/2013/dsa-2796
========================

Updated packages in core/updates_testing:
========================
torque-2.5.12-1.2.mga2
libtorque2-2.5.12-1.2.mga2
libtorque-devel-2.5.12-1.2.mga2
torque-client-2.5.12-1.2.mga2
torque-server-2.5.12-1.2.mga2
torque-sched-2.5.12-1.2.mga2
torque-mom-2.5.12-1.2.mga2
torque-gui-2.5.12-1.2.mga2
torque-4.1.5.1-1.2.mga3
libtorque2-4.1.5.1-1.2.mga3
libtorque-devel-4.1.5.1-1.2.mga3
torque-client-4.1.5.1-1.2.mga3
torque-server-4.1.5.1-1.2.mga3
torque-sched-4.1.5.1-1.2.mga3
torque-mom-4.1.5.1-1.2.mga3
torque-gui-4.1.5.1-1.2.mga3

from SRPMS:
torque-2.5.12-1.2.mga2.src.rpm
torque-4.1.5.1-1.2.mga3.src.rpm
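The advisory above describes shell commands on the tail of the qsub -M value reaching a pipe. The following is an added illustration, not Torque's code or the upstream patch: it checks a recipient list against an allow-list and builds an argument vector for execv(), so no shell ever parses the value. The function names, the allowed character set and the mailer path are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAILER_PATH "/usr/sbin/sendmail"   /* assumed mailer location */

/* Characters accepted in a recipient: alphanumerics plus "@._+-" (assumed set). */
static int is_addr_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || (c != '\0' && strchr("@._+-", c) != NULL);
}

/* Returns 1 if list is a comma-separated set of user[@host] entries built only
 * from shell-inert characters, 0 otherwise. */
int mail_list_is_safe(const char *list)
{
    size_t entry_len = 0;

    if (list == NULL)
        return 0;
    for (; *list != '\0'; list++) {
        unsigned char c = (unsigned char)*list;
        if (c == ',') {
            if (entry_len == 0)
                return 0;               /* empty entry */
            entry_len = 0;
        } else if (!is_addr_char(c) || (entry_len == 0 && c == '-')) {
            return 0;                   /* metacharacter, or option-like entry */
        } else {
            entry_len++;
        }
    }
    return entry_len > 0;               /* rejects "" and a trailing comma */
}

/* Splits a validated list in place into argv[] for execv(): each recipient
 * becomes its own argument. Returns argc, or -1 on rejection or overflow. */
int build_mailer_argv(char *list, char *argv[], size_t max)
{
    size_t n = 0;

    if (max < 3 || !mail_list_is_safe(list))
        return -1;
    argv[n++] = (char *)MAILER_PATH;
    for (char *tok = strtok(list, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (n + 1 >= max)
            return -1;                  /* keep room for the NULL terminator */
        argv[n++] = tok;
    }
    argv[n] = NULL;
    return (int)n;
}
```

A caller would fork() and pass the resulting vector to execv(MAILER_PATH, argv) instead of formatting the value into a command string for popen().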
CC: (none) => dirteat
Whiteboard: (none) => MGA2TOO
Testing procedure is here: https://bugs.mageia.org/show_bug.cgi?id=11421#c2
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Tested and OK on mga2-64 and mga3-64 using testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11421#c2
CC: (none) => makowski.mageia
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-64-ok mga3-64-ok
Testing complete mga3 32

As before, on a system with a hostname set it showed errors. Using the hostname in /etc/torque/nodes instead of localhost cured one, but pbs_mom shows connection errors unless the hostname is also set in /etc/torque/server_name. After this is done and the services restarted the errors clear.

Also, after starting the trqauthd service, ran qmgr as below, which displays some settings.

# qmgr -c 'p s'
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok
Testing complete mga2 32

In mga2 version there is no separate trqauthd but qmgr works without it.
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates?

Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0327.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED