On Wed, Dec 28, 2011 at 07:30:10PM +0100, Moritz Mühlenhoff wrote:
> CVE-2011-2193 was fixed in DSA 2329.
>
> The second issue, CVE-2011-2907, is still unfixed in stable.
My read of the Bugzilla log was that Redhat didn't actually "fix" the issue, but provided a workaround, by enabling Munge support.

https://bugzilla.redhat.com/show_bug.cgi?id=713090#c6

As far as I can tell, our torque version doesn't support munge, and they did an upgrade to 2.5.7 to provide munge support. Even so, Munge appears to require distributing auth tokens, keys or whatever before a munge-enabled cluster is operational, so this is quite a change for a DSA, not to mention the version bump if we went that route.

As far as I can tell, there is no real fix, and upstream doesn't seem interested, as they seem to be promoting munge, or claiming you should have a firewall.

http://www.clusterresources.com/pipermail/torqueusers/2011-August/013195.html

The idea behind this is that a Torque cluster is assumed to be under control, including all submitting hosts. If someone gains root access to one of the hosts in the cluster, not only can they submit hosts to the torque server, but they can do other fun things as well, unrelated to torque.

Yes, I think this is a bit too much of an assumption, but it seems this is what settled the issue upstream.

Sorry, I actually had looked this up two months ago or so, but had dropped the ball before mailing the Security team.

Jordi
--
Jordi Mallach Pérez -- Debian developer
http://www.debian.org/
jo...@sindominio.net jo...@debian.org http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/