[slurm-announce] Slurm version 21.08.4 is now available (CVE-2021-43337)

Tim Wickberg tim at schedmd.com
Tue Nov 16 22:06:22 UTC 2021 

Slurm version 21.08.4 is now available, and includes a series of recent 
bug fixes, as well as a moderate security fix.

Note that this security issue is only present in the 21.08 release 
series. Slurm 20.11 and older releases are unaffected.

SchedMD customers were informed of this issue on November 2nd and 
provided a fix on request; this process is documented in our security 
policy. [1]

CVE-2021-43337:
For sites using the new AccountingStoreFlags=job_script and/or job_env
options, an issue was reported with the access control rules in SlurmDBD
that will permit users to request job scripts and environment files that
they should not have access to.

(Scripts/environments are meant to only be accessible by user accounts
with administrator privileges, by account coordinators for jobs
submitted under their account, and by the user themselves.)

Downloads are available at https://www.schedmd.com/downloads.php .

Release notes follow below.

- Tim

[1] https://www.schedmd.com/security.php

-- 
Tim Wickberg
Chief Technology Officer, SchedMD LLC
Commercial Slurm Development and Support

> * Changes in Slurm 21.08.4
> ==========================
>  -- Fix potential deadlock when using PMI v1.
>  -- Fix tight loop sending DBD_SEND_MULT_JOB_START when the slurmctld has an
>     issue talking correctly to the DBD.
>  -- Fix memory leak in step creation.
>  -- Fix potential deadlock when shutting down slurmctld.
>  -- Fix regression in 21.08 where multi-node steps that requested MemPerCPU
>     were not counted against the job's memory allocation on some nodes.
>  -- Fix issue with select/cons_tres and the partition limit MaxCpusPerNode where
>     the limit was enforced for one less CPU than the configured value.
>  -- jobacct_gather/common - compare Pss to Rss after scaling Pss to Rss units.
>  -- Fix SLURM_NODE_ALIASES in RPC Prolog for batch jobs.
>  -- Fix regression in 21.08 where slurmd and slurmstepd were not constrained
>     with CpuSpecList or CoreSpecCount.
>  -- Fix cloud jobs running without powering up nodes after a reconfig/restart.
>  -- CVE-2021-43337 - Fix security issue with new AccountingStoreFlags=job_script
>     and job_env options where users could request scripts and environments they
>     should not have been permitted to access.

More information about the slurm-announce mailing list