Bug 29040 - slurm new security issue CVE-2021-31215
Summary: slurm new security issue CVE-2021-31215
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-30 04:07 CEST by David Walser
Modified: 2021-06-13 23:34 CEST (History)
4 users

See Also:
Source RPM: slurm-20.11.2-1.mga8.src.rpm
CVE: CVE-2021-31215
Status comment:


Description David Walser 2021-05-30 04:07:25 CEST
Fedora has issued an advisory on May 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3ODMJQNY4FAV7G3DSKVIO5KY7Q7DKBPU/

The issue is fixed upstream in 20.11.7.

Mageia 8 is also affected.
David Walser 2021-05-30 04:07:40 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 20.11.7

Comment 1 Chris Denice 2021-05-31 11:22:23 CEST
New version 20.11.7 landing in updates_testing and Cauldron.


Updated slurm packages to fix security issue CVE-2021-31215.


Updated packages in core/updates_testing:
========================
slurm-20.11.7-1.mga8
lib(64)slurm36-20.11.7-1.mga8
lib(64)slurm-devel-20.11.7-1.mga8
lib(64)slurm-static-devel-20.11.7-1.mga8

Source RPMs: 
slurm-20.11.7-1.mga8.src.rpm

CC: (none) => eatdirt
Assignee: eatdirt => qa-bugs

Thomas Backlund 2021-05-31 12:10:49 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 2 Thomas Andrews 2021-06-09 02:10:42 CEST
A look back in Bugzilla reveals that slurm is a recent addition to Mageia, and there are no earlier updates with test suggestions.

According to https://slurm.schedmd.com/overview.html slurm is "an open source, fault-tolerant, and highly scalable cluster management and job scheduling system for large and small Linux clusters." Reading the rest of that page, it becomes obvious that testing even the most basic of operations of slurm is much too complicated for most of QA - or maybe at least for me.

I can test for a clean install over the original, and I did do that in VirtualBox. So, I am going to give this an OK and validate, with the advisory in Comment 1. If there is something else I should do, please let me know.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-06-13 21:52:28 CEST

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-31215

Comment 3 Aurelien Oudelet 2021-06-13 21:56:04 CEST
Advisory:
========================

Updated slurm packages fix a security vulnerability:

SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling (CVE-2021-31215).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29040
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31215
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3ODMJQNY4FAV7G3DSKVIO5KY7Q7DKBPU/
========================

Updated packages in 8/core/updates_testing:
========================
slurm-20.11.7-1.mga8
lib(64)slurm36-20.11.7-1.mga8
lib(64)slurm-devel-20.11.7-1.mga8
lib(64)slurm-static-devel-20.11.7-1.mga8

Source RPMs: 
slurm-20.11.7-1.mga8.src.rpm

Status comment: Fixed upstream in 20.11.7 => (none)
Source RPM: slurm-20.11.2-2.mga9.src.rpm => slurm-20.11.2-1.mga8.src.rpm
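A defender reading the advisory above usually wants two quick answers: is the installed slurm version inside the affected ranges the advisory states, and does the local slurm.conf actually enable the PrologSlurmctld/EpilogSlurmctld scripts that the advisory names as the trigger. The following POSIX shell is an added example, not part of this bug report or of the Slurm or Mageia projects; the slurm.conf fragment and the package names it checks are constructed for the demonstration, and the version ranges are taken verbatim from the advisory text (before 20.02.7, and 20.03.x through 20.11.x before 20.11.7).

```shell
#!/bin/sh
# Added example (not from the bug report): classify a Slurm version against the
# affected ranges stated in the CVE-2021-31215 advisory and check whether a
# slurm.conf enables the PrologSlurmctld/EpilogSlurmctld scripts it names.

# version_ge A B -> success when A >= B in dotted-version order.
# sort -V is used so that 20.11.10 ranks above 20.11.7 (a plain string
# comparison would get this wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# rpm_version NAME-VERSION-RELEASE -> VERSION
# e.g. slurm-20.11.7-1.mga8 -> 20.11.7
rpm_version() {
    nv="${1%-*}"        # drop the release: slurm-20.11.7
    echo "${nv##*-}"    # keep the version: 20.11.7
}

# slurm_affected VERSION -> prints "affected" or "fixed" per the advisory:
#   anything before 20.02.7                  -> affected
#   20.03.x through 20.11.x before 20.11.7   -> affected
#   20.02.7 and later within 20.02, 20.11.7+ -> fixed
slurm_affected() {
    v="$1"
    case "$v" in
        20.02.*)
            if version_ge "$v" 20.02.7; then echo fixed; else echo affected; fi ;;
        *)
            if version_ge "$v" 20.11.7; then echo fixed; else echo affected; fi ;;
    esac
}

# uses_slurmctld_scripts CONF -> success when an uncommented PrologSlurmctld
# or EpilogSlurmctld setting is present in the given slurm.conf.
uses_slurmctld_scripts() {
    grep -Eiq '^[[:space:]]*(Prolog|Epilog)Slurmctld[[:space:]]*=' "$1"
}

# Constructed sample slurm.conf fragment (hypothetical paths) for the demo.
sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
ClusterName=demo
SlurmUser=slurm
PrologSlurmctld=/etc/slurm/prolog_ctld.sh
#EpilogSlurmctld=/etc/slurm/epilog_ctld.sh
EOF

# Constructed package names: the vulnerable and fixed Mageia 8 builds named
# in this bug, plus two 20.02 builds either side of the 20.02.7 boundary.
for pkg in slurm-20.11.2-1.mga8 slurm-20.11.7-1.mga8 slurm-20.02.6-1 slurm-20.02.7-1; do
    ver="$(rpm_version "$pkg")"
    echo "$pkg: version $ver is $(slurm_affected "$ver")"
done

if uses_slurmctld_scripts "$sample_conf"; then
    echo "slurm.conf enables PrologSlurmctld/EpilogSlurmctld: the advisory's trigger is configured"
else
    echo "slurm.conf does not enable PrologSlurmctld/EpilogSlurmctld"
fi
rm -f "$sample_conf"
```

On a real host, replace the constructed package list with the output of `rpm -q slurm` and point `uses_slurmctld_scripts` at the live slurm.conf; a version reported as "affected" together with a configured PrologSlurmctld or EpilogSlurmctld is the combination the advisory describes, and updating to the 20.11.7 packages listed above resolves it.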

Comment 4 Mageia Robot 2021-06-13 23:34:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0253.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
