Security update for slurm

Announcement ID:	SUSE-SU-2020:0110-1
Rating:	important
References:	bsc#1140709 bsc#1153095 bsc#1153259 bsc#1155784 bsc#1158696 bsc#1159692 jsc#SLE-10800 jsc#SLE-7341 jsc#SLE-7342
Cross-References:	CVE-2019-12838 CVE-2019-19727 CVE-2019-19728
CVSS scores:	CVE-2019-12838 ( SUSE ): 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-12838 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-12838 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-19727 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2019-19727 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2019-19728 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2019-19728 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	HPC Module 15-SP1 SUSE Linux Enterprise High Performance Computing 15 SP1

An update that solves three vulnerabilities, contains three features and has three security fixes can now be installed.

Description:

This update for slurm to version 18.08.9 fixes the following issues:

Security issues fixed:

• CVE-2019-19728: Fixed a privilege escalation with srun, where --uid might have unintended side effects (bsc#1159692).
• CVE-2019-12838: Fixed SchedMD Slurm SQL Injection issue (bnc#1140709).
• CVE-2019-19727: Fixed permissions of slurmdbd.conf (bsc#1155784).

Bug fixes:

• Fix ownership of /var/spool/slurm on new installations and upgrade (bsc#1158696).
• Fix %posttrans macro _res_update to cope with added newline (bsc#1153259).
• Move srun from 'slurm' to 'slurm-node': srun is required on the nodes as well so sbatch will work. 'slurm-node' is a requirement when 'slurm' is installed (bsc#1153095).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• HPC Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-110=1

Package List:

• HPC Module 15-SP1 (aarch64 x86_64)
  • slurm-doc-18.08.9-3.10.1
  • slurm-devel-18.08.9-3.10.1
  • slurm-18.08.9-3.10.1
  • slurm-munge-debuginfo-18.08.9-3.10.1
  • slurm-node-debuginfo-18.08.9-3.10.1
  • slurm-torque-debuginfo-18.08.9-3.10.1
  • slurm-plugins-18.08.9-3.10.1
  • slurm-config-18.08.9-3.10.1
  • slurm-munge-18.08.9-3.10.1
  • slurm-torque-18.08.9-3.10.1
  • libslurm33-18.08.9-3.10.1
  • slurm-lua-debuginfo-18.08.9-3.10.1
  • perl-slurm-18.08.9-3.10.1
  • libslurm33-debuginfo-18.08.9-3.10.1
  • slurm-pam_slurm-debuginfo-18.08.9-3.10.1
  • slurm-plugins-debuginfo-18.08.9-3.10.1
  • slurm-config-man-18.08.9-3.10.1
  • slurm-sql-debuginfo-18.08.9-3.10.1
  • slurm-sview-debuginfo-18.08.9-3.10.1
  • slurm-slurmdbd-debuginfo-18.08.9-3.10.1
  • libpmi0-debuginfo-18.08.9-3.10.1
  • perl-slurm-debuginfo-18.08.9-3.10.1
  • slurm-auth-none-debuginfo-18.08.9-3.10.1
  • slurm-sql-18.08.9-3.10.1
  • slurm-sview-18.08.9-3.10.1
  • slurm-pam_slurm-18.08.9-3.10.1
  • slurm-slurmdbd-18.08.9-3.10.1
  • slurm-debuginfo-18.08.9-3.10.1
  • libpmi0-18.08.9-3.10.1
  • slurm-lua-18.08.9-3.10.1
  • slurm-node-18.08.9-3.10.1
  • slurm-auth-none-18.08.9-3.10.1
  • slurm-debugsource-18.08.9-3.10.1

References:

• https://www.suse.com/security/cve/CVE-2019-12838.html
• https://www.suse.com/security/cve/CVE-2019-19727.html
• https://www.suse.com/security/cve/CVE-2019-19728.html
• https://bugzilla.suse.com/show_bug.cgi?id=1140709
• https://bugzilla.suse.com/show_bug.cgi?id=1153095
• https://bugzilla.suse.com/show_bug.cgi?id=1153259
• https://bugzilla.suse.com/show_bug.cgi?id=1155784
• https://bugzilla.suse.com/show_bug.cgi?id=1158696
• https://bugzilla.suse.com/show_bug.cgi?id=1159692
• https://jira.suse.com/browse/SLE-10800
• https://jira.suse.com/browse/SLE-7341
• https://jira.suse.com/browse/SLE-7342