<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Are the older versions affected as well?</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Best regards,</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Taras</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> slurm-users <slurm-users-bounces@lists.schedmd.com> on behalf of Tim Wickberg <tim@schedmd.com><br>
<b>Sent:</b> Thursday, October 12, 2023 00:01<br>
<b>To:</b> slurm-announce@schedmd.com <slurm-announce@schedmd.com>; slurm-users@schedmd.com <slurm-users@schedmd.com><br>
<b>Subject:</b> [slurm-users] Slurm versions 23.02.6 and 22.05.10 are now available (CVE-2023-41914)</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">External email: Use caution opening links or attachments<br>
<br>
<br>
Slurm versions 23.02.6 and 22.05.10 are now available to address a<br>
number of filesystem race conditions that could let an attacker take<br>
control of an arbitrary file, or remove entire directories' contents<br>
(CVE-2023-41914).<br>
<br>
SchedMD customers were informed on September 27th and provided a patch<br>
on request; this process is documented in our security policy [1].<br>
<br>
--------<br>
CVE-2023-41914:<br>
<br>
A number of race conditions have been identified within the<br>
slurmd/slurmstepd processes that can lead to the user taking ownership<br>
of an arbitrary file on the system. A related issue can lead to the user<br>
overwriting an arbitrary file on the compute node (although with data<br>
that is not directly under their control). A related issue can also lead<br>
to the user deleting all files and sub-directories of an arbitrary<br>
target directory on the compute node.<br>
<br>
Thank you to François Diakhate (CEA) for reporting the original issue to<br>
us. A number of related issues were found during an extensive audit of<br>
Slurm's filesystem handling code in reaction to that report, and are<br>
included here in this same disclosure.<br>
--------<br>
<br>
SchedMD only issues security fixes for the supported releases (currently<br>
23.02 and 22.05). Due to the complexity of these fixes, we do not<br>
recommend attempting to backport the fixes to older releases, and<br>
strongly encourage sites to upgrade to fixed versions immediately.<br>
<br>
Downloads are available at <a href="https://www.schedmd.com/downloads.php">https://www.schedmd.com/downloads.php</a> .<br>
<br>
Release notes follow below.<br>
<br>
- Tim<br>
<br>
[1] <a href="https://www.schedmd.com/security.php">https://www.schedmd.com/security.php</a><br>
<br>
--<br>
Tim Wickberg<br>
Chief Technology Officer, SchedMD LLC<br>
Commercial Slurm Development and Support<br>
<br>
> * Changes in Slurm 23.02.6<br>
> ==========================<br>
> -- Fix CpusPerTres= not upgreadable with scontrol update<br>
> -- Fix unintentional gres removal when validating the gres job state.<br>
> -- Fix --without-hpe-slingshot configure option.<br>
> -- Fix cgroup v2 memory calculations when transparent huge pages are used.<br>
> -- Fix parsing of sgather --timeout option.<br>
> -- Fix regression from 22.05.0 that caused srun --cpu-bind "=verbose" and "=v"<br>
> options give different CPU bind masks.<br>
> -- Fix "_find_node_record: lookup failure for node" error message appearing<br>
> for all dynamic nodes during reconfigure.<br>
> -- Avoid segfault if loading serializer plugin fails.<br>
> -- slurmrestd - Correct OpenAPI format for 'GET /slurm/v0.0.39/licenses'.<br>
> -- slurmrestd - Correct OpenAPI format for 'GET /slurm/v0.0.39/job/{job_id}'.<br>
> -- slurmrestd - Change format to multiple fields in 'GET<br>
> /slurmdb/v0.0.39/assocations' and 'GET /slurmdb/v0.0.39/qos' to handle<br>
> infinite and unset states.<br>
> -- When a node fails in a job with --no-kill, preserve the extern step on the<br>
> remaining nodes to avoid breaking features that rely on the extern step<br>
> such as pam_slurm_adopt, x11, and job_container/tmpfs.<br>
> -- auth/jwt - Ignore 'x5c' field in JWKS files.<br>
> -- auth/jwt - Treat 'alg' field as optional in JWKS files.<br>
> -- Allow job_desc.selinux_context to be read from the job_submit.lua script.<br>
> -- Skip check in slurmstepd that causes a large number of errors in the munge<br>
> log: "Unauthorized credential for client UID=0 GID=0". This error will<br>
> still appear on slurmd/slurmctld/slurmdbd start up and is not a cause for<br>
> concern.<br>
> -- slurmctld - Allow startup with zero partitions.<br>
> -- Fix some mig profile names in slurm not matching nvidia mig profiles.<br>
> -- Prevent slurmscriptd processing delays from blocking other threads in<br>
> slurmctld while trying to launch {Prolog|Epilog}Slurmctld.<br>
> -- Fix sacct printing ReqMem field when memory doesn't exist in requested TRES.<br>
> -- Fix how heterogenous steps in an allocation with CR_PACK_NODE or -mpack are<br>
> created.<br>
> -- Fix slurmctld crash from race condition within job_submit_throttle plugin.<br>
> -- Fix --with-systemdsystemunitdir when requesting a default location.<br>
> -- Fix not being able to cancel an array task by the jobid (i.e. not<br>
> <jobid>_<taskid>) through scancel, job launch failure or prolog failure.<br>
> -- Fix cancelling the whole array job when the array task is the meta job and<br>
> it fails job or prolog launch and is not requeable. Cancel only the<br>
> specific task instead.<br>
> -- Fix regression in 21.08.2 where MailProg did not run for mail-type=end for<br>
> jobs with non-zero exit codes.<br>
> -- Fix incorrect setting of memory.swap.max in cgroup/v2.<br>
> -- Fix jobacctgather/cgroup collection of disk/io, gpumem, gpuutil TRES values.<br>
> -- Fix -d singleton for heterogeneous jobs.<br>
> -- Downgrade info logs about a job meeting a "maximum node limit" in the<br>
> select plugin to DebugFlags=SelectType. These info logs could spam the<br>
> slurmctld log file under certain circumstances.<br>
> -- prep/script - Fix [Srun|Task]<Prolog|Epilog> missing SLURM_JOB_NODELIST.<br>
> -- gres - Rebuild GRES core bitmap for nodes at startup. This fixes error:<br>
> "Core bitmaps size mismatch on node [HOSTNAME]", which causes jobs to enter<br>
> state "Requested node configuration is not available".<br>
> -- slurmctd - Allow startup with zero nodes.<br>
> -- Fix filesystem handling race conditions that could lead to an attacker<br>
> taking control of an arbitrary file, or removing entire directories'<br>
> contents. CVE-2023-41914.<br>
<br>
> * Changes in Slurm 22.05.10<br>
> ===========================<br>
> -- Fix filesystem handling race conditions that could lead to an attacker<br>
> taking control of an arbitrary file, or removing entire directories'<br>
> contents. CVE-2023-41914.<br>
<br>
</div>
</span></font></div>
</body>
</html>