[slurm-users] Slurm versions 17.02.11 and 17.11.7 are now available (CVE-2018-10995)

[Tim Wickberg]

Slurm versions 17.02.11 and 17.11.7 are now available, and include a 
series of recent bug fixes, as well as a fix for a security 
vulnerability (CVE-2018-10995) related to mishandling of user names and 
group ids.

Downloads are available at https://www.schedmd.com/downloads.php .

While fixes are only available for the supported 17.02 and 17.11 
releases, we believe similar vulnerabilities do affect past versions as 
well. The only resolution is to upgrade Slurm to a fixed release.

SchedMD customers were informed on May 16th and provided a patch on 
request. This is in keeping with our responsible disclosure process [1].

Release notes follow below.

- Tim

[1] https://www.schedmd.com/security.php

-- 
Tim Wickberg
Director of Support, SchedMD LLC
Commercial Slurm Development and Support

> * Changes in Slurm 17.11.7
> ==========================
>  -- Fix for possible slurmctld daemon abort with NULL pointer.
>  -- Fix different issues when requesting memory per cpu/node.
>  -- PMIx - override default paths at configure time if --with-pmix is used.
>  -- Have sprio display jobs before eligible time when
>     PriorityFlags=ACCRUE_ALWAYS is set.
>  -- Make sure locks are always in place when calling _post_qos_list().
>  -- Notify srun and ctld when unkillable stepd exits.
>  -- Fix slurmstepd deadlock in stepd cleanup caused by race condition in
>     the jobacct_gather fini() interfaces introduced in 17.11.6.
>  -- Fix slurmstepd deadlock in PMIx startup.
>  -- task/cgroup - fix invalid free() if the hwloc library does not return a
>     string as expected.
>  -- Fix insecure handling of job requested gid field. CVE-2018-10995.

> * Changes in Slurm 17.02.11
> ==========================
>  -- Fix insecure handling of user_name and gid fields. CVE-2018-10995