Upstream issued an advisory on May 4:
https://lists.schedmd.com/pipermail/slurm-announce/2022/000072.html

The issues are fixed upstream in 20.11.9 and 21.08.8. Mageia 8 is also affected by the first two issues. The first issue is very serious.
Status comment: (none) => Fixed upstream in 20.11.9 and 21.08.8
Whiteboard: (none) => MGA8TOO
Thanks, I'll update all that!
All right, new versions pushed for both Mageia 8 and Cauldron.

Suggested advisory:
========================

Updated slurm packages to fix security issues CVE-2022-29500, 29501, 29502. All users are requested to update their package as these issues allow privilege escalation by unauthenticated users.

========================

Updated packages in core/updates_testing:
========================
lib(64)slurm-devel-20.11.9-1.mga8
lib(64)slurm36-20.11.9-1.mga8
slurm-20.11.9-1.mga8
lib(64)slurm-static-devel-20.11.9-1.mga8

Source RPMs:
slurm-20.11.9-1.mga8.src.rpm
Assignee: eatdirt => qa-bugs
CC: (none) => eatdirt
Thanks. Advisory should have CVE descriptions, not just vague references to them. Also remember that 29502 does not affect Mageia 8, so it wouldn't be in the advisory.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 20.11.9 and 21.08.8 => (none)
Yes, feel free to fix the advisory.
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.

Googling for info found
https://support.ceci-hpc.be/doc/_contents/QuickStart/SubmittingJobs/SlurmTutorial.html
and
https://slurm.schedmd.com/quickstart.html

That inspired me to:

    # sinfo -N -l
    Wed May 11 14:14:59 2022
    slurm_load_partitions: Unable to contact slurm controller (connect failure)
    # systemctl -l status slurmctld
    * slurmctld.service - Slurm controller daemon
         Loaded: loaded (/usr/lib/systemd/system/slurmctld.service; disabled; vendor preset: disabled)
         Active: inactive (dead)
    # systemctl start slurmctld
    # systemctl -l status slurmctld
    * slurmctld.service - Slurm controller daemon
         Loaded: loaded (/usr/lib/systemd/system/slurmctld.service; disabled; vendor preset: disabled)
         Active: active (running) since Wed 2022-05-11 14:19:24 CEST; 4s ago
        Process: 171402 ExecStart=/usr/sbin/slurmctld $SLURMCTLD_OPTIONS (code=exited, status=0/SUCCESS)
       Main PID: 171404 (slurmctld)
          Tasks: 11
         Memory: 1.4M
            CPU: 43ms
         CGroup: /system.slice/slurmctld.service
                 `-171404 /usr/sbin/slurmctld

    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: error: Could not open trigger state file /var/spool/slurmctld/trigger_state: No such file or directory
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: error: NOTE: Trying backup state save file. Triggers may be lost!
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: No trigger state file (/var/spool/slurmctld/trigger_state.old) to recover
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: read_slurm_conf: backup_controller not specified
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: Reinitializing job accounting state
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: select/cons_tres: select_p_reconfigure: select/cons_tres: reconfigure
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: select/cons_tres: part_data_create_array: select/cons_tres: preparing for 1 partitions
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: Running as primary controller
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: No parameter for mcs plugin, default values set
    mei 11 14:19:24 mach5.hviaene.thuis slurmctld[171404]: mcs: MCSParameters = (null). ondemand set.
    # sinfo -N -l
    Wed May 11 14:19:34 2022
    NODELIST   NODES PARTITION STATE   CPUS S:C:T MEMORY TMP_DISK WEIGHT AVAIL_FE REASON
    localhost  1     debug*    unknown 1    1:1:1 1      0        1      (null)   none

That's not much, but at least it shows the central part of slurm running and responding.
OK for me, unless someone else has a better idea.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2, but needs corrections described in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory committed to svn as ...

    type: security
    subject: Updated slurm packages fix security vulnerability
    CVE:
     - CVE-2022-29500
     - CVE-2022-29501
    src:
      8:
       core:
         - slurm-20.11.9-1.mga8
    description: |
      Incorrect Access Control that leads to Information Disclosure. (CVE-2022-29500)

      Incorrect Access Control that leads to Escalation of Privileges and code execution. (CVE-2022-29501)
    references:
     - https://bugs.mageia.org/show_bug.cgi?id=30382
     - https://lists.schedmd.com/pipermail/slurm-announce/2022/000072.html
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0174.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED