SUSE-SU-2017:3311-1: moderate: Security update for slurm
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Thu Dec 14 13:08:51 MST 2017
SUSE Security Update: Security update for slurm
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:3311-1
Rating: moderate
References: #1007053 #1031872 #1041706 #1065697 #1067580
Cross-References: CVE-2017-15566
Affected Products:
SUSE Linux Enterprise Module for HPC 12
______________________________________________________________________________
An update that solves one vulnerability and has four fixes
is now available.
Description:
This update for slurm fixes the following issues:
Slurm was updated to 17.02.9 to fix a security bug, bringing new features
and bugfixes (fate#323998 bsc#1067580).
Security issue fixed:
* CVE-2017-15566: Fix security issue in Prolog and Epilog by always
prepending SPANK_ to all user-set environment variables. (bsc#1065697)
Changes in 17.02.9:
* When resuming powered down nodes, mark DOWN nodes right after
ResumeTimeout has been reached (previous logic would wait about one
minute longer).
* Fix sreport not showing full column name for TRES Count.
* Fix slurmdb_reservations_get() giving wrong usage data when job's
spanned reservation that was modified.
* Fix sreport reservation utilization report showing bad data.
* Show all TRES' on a reservation in sreport reservation utilization
report by default.
* Fix sacctmgr show reservation handling "end" parameter.
* Work around issue with sysmacros.h and gcc7 / glibc 2.25.
* Fix layouts code to only allow setting a boolean.
* Fix sbatch --wait to keep waiting even if a message timeout occurs.
* CRAY - If configured with NodeFeatures=knl_cray and there are non-KNL
nodes which include no features the slurmctld will abort without this
patch when attemping strtok_r(NULL).
* Fix regression in 17.02.7 which would run the spank_task_privileged
as part of the slurmstepd instead of it's child process.
Changes in 17.02.8:
* Add 'slurmdbd:' to the accounting plugin to notify message is from
dbd instead of local.
* mpi/mvapich - Buffer being only partially cleared. No failures
observed.
* Fix for job --switch option on dragonfly network.
* In salloc with --uid option, drop supplementary groups before
changing UID.
* jobcomp/elasticsearch - strip any trailing slashes from JobCompLoc.
* jobcomp/elasticsearch - fix memory leak when transferring generated
buffer.
* Prevent slurmstepd ABRT when parsing gres.conf CPUs.
* Fix sbatch --signal to signal all MPI ranks in a step instead of just
those
on node 0.
* Check multiple partition limits when scheduling a job that were
previously
only checked on submit.
* Cray: Avoid running application/step Node Health Check on the
external job step.
* Optimization enhancements for partition based job preemption.
* Address some build warnings from GCC 7.1, and one possible memory
leak if /proc is inaccessible.
* If creating/altering a core based reservation with scontrol/sview on
a remote cluster correctly determine the select type.
* Fix autoconf test for libcurl when clang is used.
* Fix default location for cgroup_allowed_devices_file.conf to use
correct default path.
* Document NewName option to sacctmgr.
* Reject a second PMI2_Init call within a single step to prevent
slurmstepd from hanging.
* Handle old 32bit values stored in the database for requested memory
correctly in sacct.
* Fix memory leaks in the task/cgroup plugin when constraining devices.
* Make extremely verbose info messages debug2 messages in the
task/cgroup plugin when constraining devices.
* Fix issue that would deny the stepd access to /dev/null where GRES
has a 'type' but no file defined.
* Fix issue where the slurmstepd would fatal on job launch if you have
no gres listed in your slurm.conf but some in gres.conf.
* Fix validating time spec to correctly validate various time formats.
* Make scontrol work correctly with job update timelimit [+|-]=.
* Reduce the visibily of a number of warnings in _part_access_check.
* Prevent segfault in sacctmgr if no association name is specified for
an update command.
* burst_buffer/cray plugin modified to work with changes in Cray UP05
software release.
* Fix job reasons for jobs that are violating assoc MaxTRESPerNode
limits.
* Fix segfault when unpacking a 16.05 slurm_cred in a 17.02 daemon.
* Fix setting TRES limits with case insensitive TRES names.
* Add alias for xstrncmp() -- slurm_xstrncmp().
* Fix sorting of case insensitive strings when using xstrcasecmp().
* Gracefully handle race condition when reading /proc as process exits.
* Avoid error on Cray duplicate setup of core specialization.
* Skip over undefined (hidden in Slurm) nodes in pbsnodes.
* Add empty hashes in perl api's slurm_load_node() for hidden nodes.
* CRAY - Add rpath logic to work for the alpscomm libs.
* Fixes for administrator extended TimeLimit (job reason & time limit
reset).
* Fix gres selection on systems running select/linear.
* sview: Added window decorator for maximize,minimize,close buttons for
all systems.
* squeue: interpret negative length format specifiers as a request to
delimit values with spaces.
* Fix the torque pbsnodes wrapper script to parse a gres field with a
type set correctly.
This update also contains pdsh rebuilt against the new libslurm version.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for HPC 12:
zypper in -t patch SUSE-SLE-Module-HPC-12-2017-2072=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Module for HPC 12 (aarch64 x86_64):
libpmi0-17.02.9-6.10.1
libpmi0-debuginfo-17.02.9-6.10.1
libslurm29-16.05.8.1-6.1
libslurm29-debuginfo-16.05.8.1-6.1
libslurm31-17.02.9-6.10.1
libslurm31-debuginfo-17.02.9-6.10.1
pdsh-2.33-7.5.17
pdsh-debuginfo-2.33-7.5.17
pdsh-debugsource-2.33-7.5.17
perl-slurm-17.02.9-6.10.1
perl-slurm-debuginfo-17.02.9-6.10.1
slurm-17.02.9-6.10.1
slurm-auth-none-17.02.9-6.10.1
slurm-auth-none-debuginfo-17.02.9-6.10.1
slurm-debuginfo-17.02.9-6.10.1
slurm-debugsource-17.02.9-6.10.1
slurm-devel-17.02.9-6.10.1
slurm-doc-17.02.9-6.10.1
slurm-lua-17.02.9-6.10.1
slurm-lua-debuginfo-17.02.9-6.10.1
slurm-munge-17.02.9-6.10.1
slurm-munge-debuginfo-17.02.9-6.10.1
slurm-pam_slurm-17.02.9-6.10.1
slurm-pam_slurm-debuginfo-17.02.9-6.10.1
slurm-plugins-17.02.9-6.10.1
slurm-plugins-debuginfo-17.02.9-6.10.1
slurm-sched-wiki-17.02.9-6.10.1
slurm-slurmdb-direct-17.02.9-6.10.1
slurm-slurmdbd-17.02.9-6.10.1
slurm-slurmdbd-debuginfo-17.02.9-6.10.1
slurm-sql-17.02.9-6.10.1
slurm-sql-debuginfo-17.02.9-6.10.1
slurm-torque-17.02.9-6.10.1
slurm-torque-debuginfo-17.02.9-6.10.1
References:
https://www.suse.com/security/cve/CVE-2017-15566.html
https://bugzilla.suse.com/1007053
https://bugzilla.suse.com/1031872
https://bugzilla.suse.com/1041706
https://bugzilla.suse.com/1065697
https://bugzilla.suse.com/1067580
More information about the sle-updates
mailing list