SUSE-SU-2021:2295-1: important: Security update for slurm_20_11

sle-updates at lists.suse.com sle-updates at lists.suse.com
Mon Jul 12 10:18:18 UTC 2021 

   SUSE Security Update: Security update for slurm_20_11
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2295-1
Rating:             important
References:         #1180700 #1185603 #1186024 
Cross-References:   CVE-2021-31215
CVSS scores:
                    CVE-2021-31215 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-31215 (SUSE): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Affected Products:
                    SUSE Linux Enterprise Module for HPC 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   This update for slurm_20_11 fixes the following issues:

   Updated to 20.11.7

   Summary of new features:

   * CVE-2021-31215: Fixed a remote code execution as SlurmUser (bsc#1186024).
   * slurmd - handle configless failures gracefully instead of hanging
     indefinitely.
   * select/cons_tres - fix Dragonfly topology not selecting nodes in the
     same leaf switch when it should as well as requests with *-switches
     option.
   * Fix issue where certain step requests wouldn't run if the first node in
     the job allocation was full and there were idle resources on other nodes
     in the job allocation.
   * Fix deadlock issue with <Prolog|Epilog>Slurmctld.
   * torque/qstat - fix printf error message in output.
   * When adding associations or wckeys avoid checking multiple times a user
     or cluster name.
   * Fix wrong jobacctgather information on a step on multiple nodes due to
     timeouts sending its the information gathered on its node.
   * Fix missing xstrdup which could result in slurmctld segfault on array
     jobs.
   * Fix security issue in PrologSlurmctld and EpilogSlurmctld by always
     prepending SPANK_ to all user-set environment variables. CVE-2021-31215.
   * Fix sacct assert with the --qos option.
   * Use pkg-config --atleast-version instead of --modversion for systemd.
   * common/fd - fix getsockopt() call in fd_get_socket_error().
   * Properly handle the return from fd_get_socket_error() in
     _conn_readable().
   * cons_res - Fix issue where running jobs were not taken into
     consideration when creating a reservation.
   * Avoid a deadlock between job_list for_each and assoc QOS_LOCK.
   * Fix TRESRunMins usage for partition qos on restart/reconfig.
   * Fix printing of number of tasks on a completed job that didn't request
     tasks.
   * Fix updating GrpTRESRunMins when decrementing job time is bigger than it.
   * Make it so we handle multithreaded allocations correctly when doing
     --exclusive or --core-spec allocations.
   * Fix incorrect round-up division in _pick_step_cores
   * Use appropriate math to adjust cpu counts when --ntasks-per-core=1.
   * cons_tres - Fix consideration of power downed nodes.
   * cons_tres - Fix DefCpuPerGPU, increase cpus-per-task to match with
     gpus-per-task * cpus-per-gpu.
   * Fix under-cpu memory auto-adjustment when MaxMemPerCPU is set.
   * Make it possible to override CR_CORE_DEFAULT_DIST_BLOCK.
   * Perl API - fix retrieving/storing of slurm_step_id_t in job_step_info_t.
   * Recover state of burst buffers when slurmctld is restarted to avoid
     skipping burst buffer stages.
   * Fix race condition in burst buffer plugin which caused a burst buffer in
     stage-in to not get state saved if slurmctld stopped.
   * auth/jwt - print an error if jwt_file= has not been set in slurmdbd.
   * Fix RESV_DEL_HOLD not being a valid state when using squeue --states.
   * Add missing squeue selectable states in valid states error message.
   * Fix scheduling last array task multiple times on error, causing segfault.
   * Fix issue where a step could be allocated more memory than the job when
     dealing with --mem-per-cpu and --threads-per-core.
   * Fix removing qos from assoc with -= can lead to assoc with no qos
   * auth/jwt - fix segfault on invalid credential in slurmdbd due to missing
     validate_slurm_user() function in context.
   * Fix single Port= not being applied to range of nodes in slurm.conf
   * Fix Jobs not requesting a tres are not starting because of that tres
     limit.
   * acct_gather_energy/rapl - fix AveWatts calculation.
   * job_container/tmpfs - Fix issues with cleanup and slurmd restarting on
     running jobs.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for HPC 15-SP2:

      zypper in -t patch SUSE-SLE-Module-HPC-15-SP2-2021-2295=1

   - SUSE Linux Enterprise High Performance Computing 15-SP2:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-2021-2295=1



Package List:

   - SUSE Linux Enterprise Module for HPC 15-SP2 (aarch64 x86_64):

      libnss_slurm2_20_11-20.11.7-6.5.1
      libpmi0_20_11-20.11.7-6.5.1
      libslurm36-20.11.7-6.5.1
      perl-slurm_20_11-20.11.7-6.5.1
      slurm_20_11-20.11.7-6.5.1
      slurm_20_11-auth-none-20.11.7-6.5.1
      slurm_20_11-config-20.11.7-6.5.1
      slurm_20_11-config-man-20.11.7-6.5.1
      slurm_20_11-devel-20.11.7-6.5.1
      slurm_20_11-doc-20.11.7-6.5.1
      slurm_20_11-lua-20.11.7-6.5.1
      slurm_20_11-munge-20.11.7-6.5.1
      slurm_20_11-node-20.11.7-6.5.1
      slurm_20_11-pam_slurm-20.11.7-6.5.1
      slurm_20_11-plugins-20.11.7-6.5.1
      slurm_20_11-slurmdbd-20.11.7-6.5.1
      slurm_20_11-sql-20.11.7-6.5.1
      slurm_20_11-sview-20.11.7-6.5.1
      slurm_20_11-torque-20.11.7-6.5.1
      slurm_20_11-webdoc-20.11.7-6.5.1

   - SUSE Linux Enterprise High Performance Computing 15-SP2 (aarch64 x86_64):

      libnss_slurm2_20_11-20.11.7-6.5.1
      libpmi0_20_11-20.11.7-6.5.1
      libslurm36-20.11.7-6.5.1
      perl-slurm_20_11-20.11.7-6.5.1
      slurm_20_11-20.11.7-6.5.1
      slurm_20_11-auth-none-20.11.7-6.5.1
      slurm_20_11-config-20.11.7-6.5.1
      slurm_20_11-config-man-20.11.7-6.5.1
      slurm_20_11-devel-20.11.7-6.5.1
      slurm_20_11-doc-20.11.7-6.5.1
      slurm_20_11-lua-20.11.7-6.5.1
      slurm_20_11-munge-20.11.7-6.5.1
      slurm_20_11-node-20.11.7-6.5.1
      slurm_20_11-pam_slurm-20.11.7-6.5.1
      slurm_20_11-plugins-20.11.7-6.5.1
      slurm_20_11-slurmdbd-20.11.7-6.5.1
      slurm_20_11-sql-20.11.7-6.5.1
      slurm_20_11-sview-20.11.7-6.5.1
      slurm_20_11-torque-20.11.7-6.5.1
      slurm_20_11-webdoc-20.11.7-6.5.1


References:

   https://www.suse.com/security/cve/CVE-2021-31215.html
   https://bugzilla.suse.com/1180700
   https://bugzilla.suse.com/1185603
   https://bugzilla.suse.com/1186024

More information about the sle-updates mailing list