On Wed, Dec 28, 2011 at 08:21:50PM +0100, Jordi Mallach wrote:
> On Wed, Dec 28, 2011 at 07:30:10PM +0100, Moritz Mühlenhoff wrote:
> > CVE-2011-2193 was fixed in DSA 2329.
> >
> > The second issue, CVE-2011-2907, is still unfixed in stable.
>
> My read of the Bugzilla log was that Redhat didn't actually "fix" the
> issue, but provided a workaround, by enabling Munge support.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=713090#c6
>
> As far as I can tell, our torque version doesn't support munge, and they
> did an upgrade to 2.5.7 to provide munge support.
Coincidentally there's been an advisory on a security issue in Munge support,
which I'll mark as not affecting the Debian package:
http://article.gmane.org/gmane.comp.security.oss.general/6601

> Even so, Munge appears to require distributing auth tokens, keys or
> whatever before a munge-enabled cluster is operational, so this is quite a
> change for a DSA, not to mention the version bump if we went that route.

I agree, that's too much impact. I've marked it as no-dsa in the security
tracker.

This likely has no impact in reality anyway; anyone running a computation
cluster will keep it w/o untrusted users anyway.

Will you be updating to a MUNGE-enabled version of Torque before Wheezy?

Cheers,
        Moritz