Slurm versions 17.02.11 and 17.11.7 are now available, and include a
series of recent bug fixes, as well as a fix for a security
vulnerability (CVE-2018-10995) related to mishandling of user names and
group ids.

Downloads are available at https://www.schedmd.com/downloads.php .

While fixes are only available for the supported 17.02 and 17.11
releases, we believe similar vulnerabilities do affect past versions as
well. The only resolution is to upgrade Slurm to a fixed release.

SchedMD customers were informed on May 16th and provided a patch on
request. This is in keeping with our responsible disclosure process [1].

Release notes follow below.

- Tim

[1] https://www.schedmd.com/security.php

--
Tim Wickberg
Director of Support, SchedMD LLC
Commercial Slurm Development and Support

* Changes in Slurm 17.11.7
==========================
-- Fix for possible slurmctld daemon abort with NULL pointer.
-- Fix different issues when requesting memory per cpu/node.
-- PMIx - override default paths at configure time if --with-pmix is used.
-- Have sprio display jobs before eligible time when
   PriorityFlags=ACCRUE_ALWAYS is set.
-- Make sure locks are always in place when calling _post_qos_list().
-- Notify srun and ctld when unkillable stepd exits.
-- Fix slurmstepd deadlock in stepd cleanup caused by race condition in
   the jobacct_gather fini() interfaces introduced in 17.11.6.
-- Fix slurmstepd deadlock in PMIx startup.
-- task/cgroup - fix invalid free() if the hwloc library does not return a
   string as expected.
-- Fix insecure handling of job requested gid field. CVE-2018-10995.

* Changes in Slurm 17.02.11
==========================
-- Fix insecure handling of user_name and gid fields. CVE-2018-10995