Security update for slurm

Announcement ID:	SUSE-SU-2021:2473-1
Rating:	important
References:	bsc#1180700 bsc#1186024
Cross-References:	CVE-2021-31215
CVSS scores:	CVE-2021-31215 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2021-31215 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	HPC Module 15-SP3 openSUSE Leap 15.3 SUSE Linux Enterprise High Performance Computing 15 SP3

An update that solves one vulnerability and has one security fix can now be installed.

Description:

This update for slurm fixes the following issues:

Updated to 20.11.7

Summary of new features:

• CVE-2021-31215: Fixed a remote code execution as SlurmUser (bsc#1186024).
• slurmd - handle configless failures gracefully instead of hanging indefinitely.
• select/cons_tres - fix Dragonfly topology not selecting nodes in the same leaf switch when it should as well as requests with *-switches option.
• Fix issue where certain step requests wouldn't run if the first node in the job allocation was full and there were idle resources on other nodes in the job allocation.
• Fix deadlock issue with <Prolog|Epilog>Slurmctld.
• torque/qstat - fix printf error message in output.
• When adding associations or wckeys avoid checking multiple times a user or cluster name.
• Fix wrong jobacctgather information on a step on multiple nodes due to timeouts sending its the information gathered on its node.
• Fix missing xstrdup which could result in slurmctld segfault on array jobs.
• Fix security issue in PrologSlurmctld and EpilogSlurmctld by always prepending SPANK_ to all user-set environment variables. CVE-2021-31215.
• Fix sacct assert with the --qos option.
• Use pkg-config --atleast-version instead of --modversion for systemd.
• common/fd - fix getsockopt() call in fd_get_socket_error().
• Properly handle the return from fd_get_socket_error() in _conn_readable().
• cons_res - Fix issue where running jobs were not taken into consideration when creating a reservation.
• Avoid a deadlock between job_list for_each and assoc QOS_LOCK.
• Fix TRESRunMins usage for partition qos on restart/reconfig.
• Fix printing of number of tasks on a completed job that didn't request tasks.
• Fix updating GrpTRESRunMins when decrementing job time is bigger than it.
• Make it so we handle multithreaded allocations correctly when doing --exclusive or --core-spec allocations.
• Fix incorrect round-up division in _pick_step_cores
• Use appropriate math to adjust cpu counts when --ntasks-per-core=1.
• cons_tres - Fix consideration of power downed nodes.
• cons_tres - Fix DefCpuPerGPU, increase cpus-per-task to match with gpus-per-task * cpus-per-gpu.
• Fix under-cpu memory auto-adjustment when MaxMemPerCPU is set.
• Make it possible to override CR_CORE_DEFAULT_DIST_BLOCK.
• Perl API - fix retrieving/storing of slurm_step_id_t in job_step_info_t.
• Recover state of burst buffers when slurmctld is restarted to avoid skipping burst buffer stages.
• Fix race condition in burst buffer plugin which caused a burst buffer in stage-in to not get state saved if slurmctld stopped.
• auth/jwt - print an error if jwt_file= has not been set in slurmdbd.
• Fix RESV_DEL_HOLD not being a valid state when using squeue --states.
• Add missing squeue selectable states in valid states error message.
• Fix scheduling last array task multiple times on error, causing segfault.
• Fix issue where a step could be allocated more memory than the job when dealing with --mem-per-cpu and --threads-per-core.
• Fix removing qos from assoc with -= can lead to assoc with no qos
• auth/jwt - fix segfault on invalid credential in slurmdbd due to missing validate_slurm_user() function in context.
• Fix single Port= not being applied to range of nodes in slurm.conf
• Fix Jobs not requesting a tres are not starting because of that tres limit.
• acct_gather_energy/rapl - fix AveWatts calculation.
• job_container/tmpfs - Fix issues with cleanup and slurmd restarting on running jobs.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.3
  zypper in -t patch SUSE-2021-2473=1
• HPC Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-HPC-15-SP3-2021-2473=1

Package List:

• openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64)
  • slurm-rest-debuginfo-20.11.7-4.3.1
  • slurm-cray-debuginfo-20.11.7-4.3.1
  • libnss_slurm2-debuginfo-20.11.7-4.3.1
  • slurm-debugsource-20.11.7-4.3.1
  • slurm-slurmdbd-20.11.7-4.3.1
  • slurm-munge-debuginfo-20.11.7-4.3.1
  • slurm-openlava-20.11.7-4.3.1
  • libnss_slurm2-20.11.7-4.3.1
  • slurm-devel-20.11.7-4.3.1
  • slurm-debuginfo-20.11.7-4.3.1
  • slurm-plugins-20.11.7-4.3.1
  • slurm-sql-20.11.7-4.3.1
  • slurm-lua-20.11.7-4.3.1
  • slurm-torque-20.11.7-4.3.1
  • libpmi0-20.11.7-4.3.1
  • slurm-doc-20.11.7-4.3.1
  • slurm-torque-debuginfo-20.11.7-4.3.1
  • slurm-sview-20.11.7-4.3.1
  • slurm-pam_slurm-debuginfo-20.11.7-4.3.1
  • slurm-auth-none-debuginfo-20.11.7-4.3.1
  • slurm-pam_slurm-20.11.7-4.3.1
  • slurm-rest-20.11.7-4.3.1
  • libslurm36-debuginfo-20.11.7-4.3.1
  • slurm-config-man-20.11.7-4.3.1
  • slurm-hdf5-20.11.7-4.3.1
  • slurm-node-debuginfo-20.11.7-4.3.1
  • slurm-sql-debuginfo-20.11.7-4.3.1
  • slurm-config-20.11.7-4.3.1
  • slurm-cray-20.11.7-4.3.1
  • slurm-webdoc-20.11.7-4.3.1
  • slurm-munge-20.11.7-4.3.1
  • slurm-sjstat-20.11.7-4.3.1
  • slurm-20.11.7-4.3.1
  • perl-slurm-debuginfo-20.11.7-4.3.1
  • slurm-hdf5-debuginfo-20.11.7-4.3.1
  • slurm-seff-20.11.7-4.3.1
  • slurm-auth-none-20.11.7-4.3.1
  • libpmi0-debuginfo-20.11.7-4.3.1
  • slurm-plugins-debuginfo-20.11.7-4.3.1
  • slurm-slurmdbd-debuginfo-20.11.7-4.3.1
  • slurm-sview-debuginfo-20.11.7-4.3.1
  • slurm-lua-debuginfo-20.11.7-4.3.1
  • perl-slurm-20.11.7-4.3.1
  • libslurm36-20.11.7-4.3.1
  • slurm-node-20.11.7-4.3.1
• HPC Module 15-SP3 (aarch64 x86_64)
  • slurm-rest-debuginfo-20.11.7-4.3.1
  • libnss_slurm2-debuginfo-20.11.7-4.3.1
  • slurm-debugsource-20.11.7-4.3.1
  • slurm-slurmdbd-20.11.7-4.3.1
  • slurm-munge-debuginfo-20.11.7-4.3.1
  • slurm-plugins-20.11.7-4.3.1
  • libnss_slurm2-20.11.7-4.3.1
  • slurm-devel-20.11.7-4.3.1
  • slurm-debuginfo-20.11.7-4.3.1
  • slurm-sql-20.11.7-4.3.1
  • slurm-lua-20.11.7-4.3.1
  • slurm-torque-20.11.7-4.3.1
  • libpmi0-20.11.7-4.3.1
  • slurm-doc-20.11.7-4.3.1
  • slurm-torque-debuginfo-20.11.7-4.3.1
  • slurm-sview-20.11.7-4.3.1
  • slurm-pam_slurm-debuginfo-20.11.7-4.3.1
  • slurm-auth-none-debuginfo-20.11.7-4.3.1
  • slurm-pam_slurm-20.11.7-4.3.1
  • slurm-rest-20.11.7-4.3.1
  • libslurm36-debuginfo-20.11.7-4.3.1
  • slurm-config-man-20.11.7-4.3.1
  • slurm-node-debuginfo-20.11.7-4.3.1
  • slurm-sql-debuginfo-20.11.7-4.3.1
  • slurm-config-20.11.7-4.3.1
  • slurm-webdoc-20.11.7-4.3.1
  • slurm-munge-20.11.7-4.3.1
  • slurm-20.11.7-4.3.1
  • perl-slurm-debuginfo-20.11.7-4.3.1
  • slurm-auth-none-20.11.7-4.3.1
  • libpmi0-debuginfo-20.11.7-4.3.1
  • slurm-plugins-debuginfo-20.11.7-4.3.1
  • slurm-slurmdbd-debuginfo-20.11.7-4.3.1
  • slurm-sview-debuginfo-20.11.7-4.3.1
  • slurm-lua-debuginfo-20.11.7-4.3.1
  • perl-slurm-20.11.7-4.3.1
  • libslurm36-20.11.7-4.3.1
  • slurm-node-20.11.7-4.3.1

References:

• https://www.suse.com/security/cve/CVE-2021-31215.html
• https://bugzilla.suse.com/show_bug.cgi?id=1180700
• https://bugzilla.suse.com/show_bug.cgi?id=1186024