[slurm-announce] Slurm versions 20.11.7 and 20.02.7 are now available (CVE-2021-31215)

Tim Wickberg tim at schedmd.com
Wed May 12 20:42:30 UTC 2021


Slurm versions 20.11.7 and 20.02.7 are now available, and include a 
series of recent bug fixes, as well as a critical security fix.

SchedMD customers were informed of this issue on April 28th and provided 
a fix on request; this process is documented in our security policy. [1]

CVE-2021-31215:
An issue was identified with environment handling within Slurm that can 
allow any user to run arbitrary commands as SlurmUser if the 
installation uses a PrologSlurmctld and/or EpilogSlurmctld script.
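The release notes below describe the fix as always prepending SPANK_ to every user-set environment variable before the controller's PrologSlurmctld/EpilogSlurmctld script inherits the environment. The following Python models that mitigation; it is an added example, not Slurm's own C code, and the function names, the validity check on variable names, and the rule that a controller-set variable wins on a name collision are assumptions of this example:

```python
import re
import subprocess

# Added example, not Slurm's own code: models the CVE-2021-31215 mitigation of
# namespacing every user-set environment variable under SPANK_ before a
# privileged PrologSlurmctld/EpilogSlurmctld script inherits the environment.
SPANK_PREFIX = "SPANK_"
_VALID_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def namespace_user_env(user_env):
    """Return a copy of user_env with SPANK_ unconditionally prepended to every
    key. Prefixing even names that already start with SPANK_ means a user can
    never choose a name that lands outside the SPANK_ namespace. Keys that are
    not valid environment variable names are dropped rather than forwarded."""
    namespaced = {}
    for key, value in user_env.items():
        if not _VALID_NAME.fullmatch(key):
            continue  # e.g. a key containing '=' would corrupt the environment block
        namespaced[SPANK_PREFIX + key] = str(value)
    return namespaced


def build_prolog_env(controller_env, user_env):
    """Environment handed to the prolog/epilog script: the controller's own
    variables first, then the namespaced user variables. Assumption made here:
    a controller-set variable always wins when names collide."""
    env = dict(controller_env)
    for key, value in namespace_user_env(user_env).items():
        env.setdefault(key, value)
    return env


def run_prolog(argv, controller_env, user_env):
    """Run the script with the sanitised environment and return its stdout."""
    env = build_prolog_env(controller_env, user_env)
    result = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample: the controller's minimal environment and a job whose
    # submitter exported PATH and a variable of their own. The script sees the
    # controller's PATH untouched and the user's values only under SPANK_.
    controller = {"PATH": "/usr/bin:/bin", "SLURM_JOB_ID": "1234"}
    submitted = {"PATH": "/home/alice/bin", "MY_SETTING": "debug"}
    script = 'echo "PATH=$PATH SPANK_PATH=$SPANK_PATH SPANK_MY_SETTING=$SPANK_MY_SETTING"'
    print(run_prolog(["sh", "-c", script], controller, submitted))
```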

Downloads are available at https://www.schedmd.com/downloads.php .

Release notes follow below.

- Tim

[1] https://www.schedmd.com/security.php

-- 
Tim Wickberg
Chief Technology Officer, SchedMD LLC
Commercial Slurm Development and Support

> * Changes in Slurm 20.11.7
> ==========================
>  -- slurmd - handle configless failures gracefully instead of hanging
>     indefinitely.
>  -- select/cons_tres - fix Dragonfly topology not selecting nodes in the same
>     leaf switch when it should as well as requests with --switches option.
>  -- Fix issue where certain step requests wouldn't run if the first node in the
>     job allocation was full and there were idle resources on other nodes in
>     the job allocation.
>  -- Fix deadlock issue with <Prolog|Epilog>Slurmctld.
>  -- torque/qstat - fix printf error message in output.
>  -- When adding associations or wckeys avoid checking a user or cluster name
>     multiple times.
>  -- Fix wrong jobacctgather information on a step on multiple nodes
>     due to timeouts sending the information gathered on its node.
>  -- Fix missing xstrdup which could result in slurmctld segfault on array jobs.
>  -- Fix security issue in PrologSlurmctld and EpilogSlurmctld by always
>     prepending SPANK_ to all user-set environment variables. CVE-2021-31215.

> * Changes in Slurm 20.02.7
> ==========================
>  -- cons_tres - Fix DefCpuPerGPU
>  -- select/cray_aries - Correctly remove jobs/steps from blades using NPC.
>  -- Fix false positive oom-kill events on extern step termination when
>     jobacct_gather/cgroup configured.
>  -- Ensure SPANK prolog and epilog run without an explicit PlugStackConfig.
>  -- Fix missing xstrdup which could result in slurmctld segfault on array jobs.
>  -- Fix security issue in PrologSlurmctld and EpilogSlurmctld by always
>     prepending SPANK_ to all user-set environment variables. CVE-2021-31215.


