SUSE-SU-2017:3311-1: moderate: Security update for slurm

sle-security-updates at lists.suse.com
Thu Dec 14 13:08:51 MST 2017


   SUSE Security Update: Security update for slurm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:3311-1
Rating:             moderate
References:         #1007053 #1031872 #1041706 #1065697 #1067580

Cross-References:   CVE-2017-15566
Affected Products:
                    SUSE Linux Enterprise Module for HPC 12
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes
   is now available.

Description:

   This update for slurm fixes the following issues:

   Slurm was updated to 17.02.9 to fix a security bug, bringing new features
   and bugfixes (fate#323998 bsc#1067580).

   Security issue fixed:

   * CVE-2017-15566: Fix a security issue in the Prolog and Epilog scripts by
     always prepending SPANK_ to all user-set environment variables, so that
     variables supplied by a user land in their own namespace and cannot
     shadow the environment of these root-run scripts. (bsc#1065697)
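
   The following is an added example, not Slurm's or SUSE's code. It models
   the rule the fix applies: before slurmd launches the Prolog or Epilog, every
   user-set KEY=VALUE is renamed SPANK_KEY=VALUE, so a user cannot plant PATH
   or LD_PRELOAD into a script that runs as root. The names BASE_ENV,
   USER_VARS, namespace_user_env, build_prolog_env and run_prolog, and all
   sample values, are constructed for this illustration; Slurm's real logic
   lives in slurmd (C) and is not reproduced here.

```python
"""Model of the CVE-2017-15566 fix: namespace user-supplied environment
variables before they reach the root-run Prolog/Epilog scripts.

Added example, not Slurm's own code. Function names, the base environment
and the user-supplied entries are constructed for illustration.
"""
import subprocess

SPANK_PREFIX = "SPANK_"

# Constructed stand-in for the environment slurmd builds for a prolog.
BASE_ENV = {
    "PATH": "/usr/sbin:/usr/bin:/sbin:/bin",
    "SLURM_JOB_ID": "4242",
    "SLURM_JOB_USER": "alice",
}

# Constructed KEY=VALUE entries as a user (or a modified client) might submit.
USER_VARS = [
    "LD_PRELOAD=/tmp/evil.so",       # would be honoured by every child process
    "PATH=/tmp/evil/bin:/usr/bin",   # would redirect commands the script runs
    "SPANK_MYPLUGIN_OPT=1",          # already namespaced: left as is
    "garbage",                       # malformed (no '='): dropped
    "=novalue",                      # empty key: dropped
]


def namespace_user_env(user_vars):
    """Rename every user-supplied KEY=VALUE to SPANK_KEY=VALUE.

    Entries that already carry the prefix are kept as they are, so a plugin's
    SPANK_FOO does not become SPANK_SPANK_FOO. Malformed entries (no '=' or an
    empty key) are dropped rather than forwarded.
    """
    out = {}
    for entry in user_vars:
        key, sep, value = entry.partition("=")
        if not sep or not key:
            continue
        if not key.startswith(SPANK_PREFIX):
            key = SPANK_PREFIX + key
        out[key] = value
    return out


def build_prolog_env(base_env, user_vars, namespaced=True):
    """Return the environment handed to the Prolog/Epilog.

    namespaced=False models the pre-17.02.9 behaviour, where user entries were
    merged verbatim and could overwrite anything in base_env; namespaced=True
    is the fixed behaviour the advisory describes.
    """
    env = dict(base_env)
    if namespaced:
        env.update(namespace_user_env(user_vars))
        return env
    for entry in user_vars:
        key, sep, value = entry.partition("=")
        if sep and key:
            env[key] = value
    return env


def run_prolog(env):
    """Run a stand-in prolog under the given environment and return the PATH
    and LD_PRELOAD it sees. A real prolog is a site script that slurmd runs
    as root; this one only reports the two variables."""
    script = 'echo "$PATH"; echo "${LD_PRELOAD-unset}"'
    proc = subprocess.run(["/bin/sh", "-c", script], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    vulnerable = build_prolog_env(BASE_ENV, USER_VARS, namespaced=False)
    fixed = build_prolog_env(BASE_ENV, USER_VARS)
    print("vulnerable:", run_prolog(vulnerable))   # attacker's PATH and LD_PRELOAD
    print("fixed:     ", run_prolog(fixed))        # base PATH, LD_PRELOAD unset
```

   With namespaced=False the stand-in prolog reports the attacker's PATH and
   LD_PRELOAD; with the fixed behaviour it reports the base PATH and no
   LD_PRELOAD, while SPANK_LD_PRELOAD and SPANK_PATH are still available to a
   script that deliberately wants to read user-set values.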

   Changes in 17.02.9:

      * When resuming powered down nodes, mark DOWN nodes right after
        ResumeTimeout has been reached (previous logic would wait about one
        minute longer).
      * Fix sreport not showing full column name for TRES Count.
      * Fix slurmdb_reservations_get() giving wrong usage data when jobs
        spanned a reservation that was modified.
      * Fix sreport reservation utilization report showing bad data.
      * Show all TRES' on a reservation in sreport reservation utilization
        report by default.
      * Fix sacctmgr show reservation handling "end" parameter.
      * Work around issue with sysmacros.h and gcc7 / glibc 2.25.
      * Fix layouts code to only allow setting a boolean.
      * Fix sbatch --wait to keep waiting even if a message timeout occurs.
      * CRAY - If configured with NodeFeatures=knl_cray and there are non-KNL
        nodes with no features defined, slurmctld would abort when attempting
        strtok_r(NULL); this patch fixes that.
      * Fix regression in 17.02.7 which would run the spank_task_privileged
        as part of the slurmstepd instead of its child process.

   Changes in 17.02.8:

      * Add 'slurmdbd:' to the accounting plugin to notify message is from
        dbd instead of local.
      * mpi/mvapich - Buffer being only partially cleared. No failures
        observed.
      * Fix for job --switch option on dragonfly network.
      * In salloc with --uid option, drop supplementary groups before
        changing UID.
      * jobcomp/elasticsearch - strip any trailing slashes from JobCompLoc.
      * jobcomp/elasticsearch - fix memory leak when transferring generated
        buffer.
      * Prevent slurmstepd ABRT when parsing gres.conf CPUs.
      * Fix sbatch --signal to signal all MPI ranks in a step instead of just
        those on node 0.
      * Check multiple partition limits when scheduling a job that were
        previously only checked on submit.
      * Cray: Avoid running application/step Node Health Check on the
        external job step.
      * Optimization enhancements for partition based job preemption.
      * Address some build warnings from GCC 7.1, and one possible memory
        leak if /proc is inaccessible.
      * If creating/altering a core based reservation with scontrol/sview on
        a remote cluster correctly determine the select type.
      * Fix autoconf test for libcurl when clang is used.
      * Fix default location for cgroup_allowed_devices_file.conf to use
        correct default path.
      * Document NewName option to sacctmgr.
      * Reject a second PMI2_Init call within a single step to prevent
        slurmstepd from hanging.
      * Handle old 32bit values stored in the database for requested memory
        correctly in sacct.
      * Fix memory leaks in the task/cgroup plugin when constraining devices.
      * Make extremely verbose info messages debug2 messages in the
        task/cgroup plugin when constraining devices.
      * Fix issue that would deny the stepd access to /dev/null where GRES
        has a 'type' but no file defined.
      * Fix issue where the slurmstepd would fatal on job launch if you have
        no gres listed in your slurm.conf but some in gres.conf.
      * Fix validating time spec to correctly validate various time formats.
      * Make scontrol work correctly with job update timelimit [+|-]=.
      * Reduce the visibility of a number of warnings in _part_access_check.
      * Prevent segfault in sacctmgr if no association name is specified for
        an update command.
      * burst_buffer/cray plugin modified to work with changes in Cray UP05
        software release.
      * Fix job reasons for jobs that are violating assoc MaxTRESPerNode
        limits.
      * Fix segfault when unpacking a 16.05 slurm_cred in a 17.02 daemon.
      * Fix setting TRES limits with case insensitive TRES names.
      * Add alias for xstrncmp() -- slurm_xstrncmp().
      * Fix sorting of case insensitive strings when using xstrcasecmp().
      * Gracefully handle race condition when reading /proc as process exits.
      * Avoid error on Cray duplicate setup of core specialization.
      * Skip over undefined (hidden in Slurm) nodes in pbsnodes.
      * Add empty hashes in perl api's slurm_load_node() for hidden nodes.
      * CRAY - Add rpath logic to work for the alpscomm libs.
      * Fixes for administrator extended TimeLimit (job reason & time limit
        reset).
      * Fix gres selection on systems running select/linear.
      * sview: Added window decorator for maximize,minimize,close buttons for
        all systems.
      * squeue: interpret negative length format specifiers as a request to
        delimit values with spaces.
      * Fix the torque pbsnodes wrapper script to parse a gres field with a
        type set correctly.

   This update also contains pdsh rebuilt against the new libslurm version.


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for HPC 12:

      zypper in -t patch SUSE-SLE-Module-HPC-12-2017-2072=1

   To bring your system up-to-date, use "zypper patch". The update replaces
   libslurm and the Slurm daemons, and a running slurmd or slurmctld keeps the
   old code until it is restarted; use "zypper ps" to list processes still
   using the replaced files and restart them so the fix is actually in effect.


Package List:

   - SUSE Linux Enterprise Module for HPC 12 (aarch64 x86_64):

      libpmi0-17.02.9-6.10.1
      libpmi0-debuginfo-17.02.9-6.10.1
      libslurm29-16.05.8.1-6.1
      libslurm29-debuginfo-16.05.8.1-6.1
      libslurm31-17.02.9-6.10.1
      libslurm31-debuginfo-17.02.9-6.10.1
      pdsh-2.33-7.5.17
      pdsh-debuginfo-2.33-7.5.17
      pdsh-debugsource-2.33-7.5.17
      perl-slurm-17.02.9-6.10.1
      perl-slurm-debuginfo-17.02.9-6.10.1
      slurm-17.02.9-6.10.1
      slurm-auth-none-17.02.9-6.10.1
      slurm-auth-none-debuginfo-17.02.9-6.10.1
      slurm-debuginfo-17.02.9-6.10.1
      slurm-debugsource-17.02.9-6.10.1
      slurm-devel-17.02.9-6.10.1
      slurm-doc-17.02.9-6.10.1
      slurm-lua-17.02.9-6.10.1
      slurm-lua-debuginfo-17.02.9-6.10.1
      slurm-munge-17.02.9-6.10.1
      slurm-munge-debuginfo-17.02.9-6.10.1
      slurm-pam_slurm-17.02.9-6.10.1
      slurm-pam_slurm-debuginfo-17.02.9-6.10.1
      slurm-plugins-17.02.9-6.10.1
      slurm-plugins-debuginfo-17.02.9-6.10.1
      slurm-sched-wiki-17.02.9-6.10.1
      slurm-slurmdb-direct-17.02.9-6.10.1
      slurm-slurmdbd-17.02.9-6.10.1
      slurm-slurmdbd-debuginfo-17.02.9-6.10.1
      slurm-sql-17.02.9-6.10.1
      slurm-sql-debuginfo-17.02.9-6.10.1
      slurm-torque-17.02.9-6.10.1
      slurm-torque-debuginfo-17.02.9-6.10.1


References:

   https://www.suse.com/security/cve/CVE-2017-15566.html
   https://bugzilla.suse.com/1007053
   https://bugzilla.suse.com/1031872
   https://bugzilla.suse.com/1041706
   https://bugzilla.suse.com/1065697
   https://bugzilla.suse.com/1067580


