[slurm-users] Slurm versions 19.05.5 and 18.08.9 are now available (CVE-2019-19727 and CVE-2019-19728)

[Tim Wickberg]

Slurm versions 19.05.5 and 18.08.9 are now available, and include a 
series of recent bug fixes, as well as a fix for two moderate security 
vulnerabilities discussed below.

SchedMD customers were informed on December 11th and provided a patch on 
request; this process is documented in our security policy [1].

CVE-2019-19727:
Johannes Segitz from SUSE reported that slurmdbd.conf may be installed 
with insecure permissions by certain Slurm packaging systems.

Slurm itself - as shipped by SchedMD - does not manage slurmdbd.conf 
directly, but the slurmdbd.conf.example sets a poor example by 
installing itself with 0644 permissions instead of 0600 in both the 
slurm.spec and slurm.spec-legacy packaging scripts.

Sites are encourage to verify that the slurmdbd.conf file - which 
usually will contain your MySQL user and password - is secure on their 
clusters. Note that this configuration file is only needed by the 
slurmdbd primary (and optional backup) servers, and does not need to be 
accessible throughout the cluster.

CVE-2019-19728:

Harald Barth from the KTH Royal Institute of Technology reported that 
"srun --uid" may not always drop into the correct user account, and 
instead will print a warning message but launch the tasks as root.

Note that "srun --uid" is only available to the root user, and that this 
issue is only shown by a race condition between successive lookup calls 
within the srun client command. SchedMD does not recommend use of the 
"srun --uid" option (e.g., it does not load the target user's 
environment but will export the root users) and may remove this option 
in a future release.

Downloads are available at https://www.schedmd.com/downloads.php .

Release notes follow below.

- Tim

[1] https://www.schedmd.com/security.php

-- 
Tim Wickberg
Chief Technology Officer, SchedMD LLC
Commercial Slurm Development and Support

> * Changes in Slurm 19.05.5
> ==========================
>  -- Fix both socket-[un]constrained GRES issues that would lead to incorrect
>     GRES allocations and GRES underflow errors at deallocation time.
>  -- Reject unrunnable jobs submitted to reservations.
>  -- Fix misleading error returned for immediate allocation requests when defer
>     in SchedulerParameters by decoupling defer from too fragmented logic.
>  -- Fix printf format string error on FreeBSD.
>  -- Fix parsing of delay_boot in controller when additional arguments follow it.
>  -- Fix --ntasks-per-node in cons_tres.
>  -- Fix array tasks getting same reject reason.
>  -- Ignore DOWN/DRAIN partitions in reduce_completing_frag logic.
>  -- Fix alloc_node validation when updating a job.
>  -- Fix for requesting specific nodes when using cons_tres topology.
>  -- Ensure x11 is setup before launching a job step.
>  -- Fix incorrect SLURM_CLUSTER_NAME env var in batch step.
>  -- Perl API - Fix undefined symbol for slurmdbd_pack_fini_msg.
>  -- Install slurmdbd.conf.example with 0600 permissions to encourage secure
>     use. CVE-2019-19727.
>  -- srun - do not continue with job launch if --uid fails. CVE-2019-19728.

> * Changes in Slurm 18.08.9
> ==========================
>  -- Wrap END_TIMER{,2,3} macro definition in "do {} while (0)" block.
>  -- Make sview work with glib2 v2.62.
>  -- Make Slurm compile on linux after sys/sysctl.h was deprecated.
>  -- Install slurmdbd.conf.example with 0600 permissions to encourage secure
>     use. CVE-2019-19727.
>  -- srun - do not continue with job launch if --uid fails. CVE-2019-19728