[slurm-announce] Slurm versions 17.02.11 and 17.11.7 are now available (CVE-2018-10995)
tim at schedmd.com
Wed May 30 13:09:05 MDT 2018
Slurm versions 17.02.11 and 17.11.7 are now available, and include a
series of recent bug fixes, as well as a fix for a security
vulnerability (CVE-2018-10995) related to mishandling of user names and
Downloads are available at https://www.schedmd.com/downloads.php .
While fixes are only available for the supported 17.02 and 17.11
releases, we believe similar vulnerabilities do affect past versions as
well. The only resolution is to upgrade Slurm to a fixed release.
SchedMD customers were informed on May 16th and provided a patch on
request. This is in keeping with our responsible disclosure process.
Release notes follow below.
Director of Support, SchedMD LLC
Commercial Slurm Development and Support
> * Changes in Slurm 17.11.7
> -- Fix for possible slurmctld daemon abort with NULL pointer.
> -- Fix different issues when requesting memory per cpu/node.
> -- PMIx - override default paths at configure time if --with-pmix is used.
> -- Have sprio display jobs before eligible time when
> PriorityFlags=ACCRUE_ALWAYS is set.
> -- Make sure locks are always in place when calling _post_qos_list().
> -- Notify srun and ctld when unkillable stepd exits.
> -- Fix slurmstepd deadlock in stepd cleanup caused by race condition in
> the jobacct_gather fini() interfaces introduced in 17.11.6.
> -- Fix slurmstepd deadlock in PMIx startup.
> -- task/cgroup - fix invalid free() if the hwloc library does not return a
> string as expected.
> -- Fix insecure handling of job requested gid field. CVE-2018-10995.
> * Changes in Slurm 17.02.11
> -- Fix insecure handling of user_name and gid fields. CVE-2018-10995