[slurm-users] Slurm versions 23.02.6 and 22.05.10 are now available (CVE-2023-41914)
    Kilian Cavalotti 
    kilian.cavalotti.work at gmail.com
       
    Mon Oct 16 23:53:12 UTC 2023
    
    
  
Those CVEs are indeed for different software (one for PMIx, one for
Slurm), even though they're ultimately for the same kind of underlying
problem (chown() being used instead of lchown(), which could lead to
taking over privileged files).
The Slurm patches include more fixes related to permissions and race
conditions, but both vulnerabilities have been discovered and reported
by the same person (Hi François! ;).
Cheers,
--
Kilian
On Mon, Oct 16, 2023 at 9:48 AM Christopher Samuel <chris at csamuel.org> wrote:
>
> On 10/16/23 08:22, Groner, Rob wrote:
>
> > It is my understanding that it is a different issue than pmix.
>
> That's my understanding too. The PMIx issue wasn't in Slurm, it was in
> the PMIx code that Slurm was linked to. This CVE is for Slurm itself.
>
> --
> Chris Samuel  :  http://www.csamuel.org/  :  Berkeley, CA, USA
>
>
-- 
Kilian