Your message dated Sun, 26 Oct 2014 13:19:38 +0000
with message-id <e1xinjo-0002by...@franck.debian.org>
and subject line Bug#763922: fixed in torque 2.4.16+dfsg-1.5
has caused the Debian Bug report #763922,
regarding torque: CVE-2014-3684: non-root users able to kill any process on any node in a job
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
763922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763922
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: torque
Version: 2.4.8+dfsg-9
Severity: grave
Tags: security upstream fixed-upstream

Dear Torque maintainers,

the following vulnerability was published for torque.

CVE-2014-3684[0]:
non-root users able to kill any process on any node in a job

From a quick look it looked also applicable to the old (upstream
end-of-lifed) version we have in Debian, could you confirm that?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-3684
[1] https://github.com/adaptivecomputing/torque/commit/967cdc80150690459a47a35a658abeee0ca6e5cb
    https://github.com/adaptivecomputing/torque/commit/f2f4c950f3d461a249111c8826da3beaafccace9

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: torque
Source-Version: 2.4.16+dfsg-1.5

We believe that the bug you reported is fixed in the latest version of
torque, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 763...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated torque package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Oct 2014 13:18:37 +0200
Source: torque
Binary: torque-common torque-server torque-pam torque-scheduler torque-client torque-mom torque-client-x11 libtorque2 libtorque2-dev
Architecture: source amd64
Version: 2.4.16+dfsg-1.5
Distribution: unstable
Urgency: high
Maintainer: Morten Kjeldgaard <m...@bioxray.au.dk>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
 libtorque2 - shared library for Torque client and server
 libtorque2-dev - header files for libtorque2
 torque-client - command line interface to Torque server
 torque-client-x11 - GUI for torque clients
 torque-common - Torque Queueing System shared files
 torque-mom - job execution engine for Torque batch system
 torque-pam - PAM module for PBS MOM nodes
 torque-scheduler - scheduler part of Torque
 torque-server - PBS-derived batch processing server
Closes: 763922
Changes:
 torque (2.4.16+dfsg-1.5) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2014-3684.patch patch.
     CVE-2014-3684: Within a TORQUE Resource Manager job, the tm_adopt()
     TORQUE library call enables a user-built executable calling tm_adopt()
     to adopt any session id (and its child processes) regardless of the
     session id owner on any node within a job. When a job that includes the
     executable calling tm_adopt() exits, the adopted processes are killed
     along with the job processes during normal job cleanup. This can enable
     a non-root user to kill processes he doesn't own including root-owned
     ones on any node in a job. (Closes: #763922)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
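
The changelog entry above attributes CVE-2014-3684 to tm_adopt() accepting any session id regardless of its owner. The following C code is an added example, not code from TORQUE or from the Debian patch: it shows one way a daemon on Linux can refuse a session id that is not owned by the job's user. The names `may_adopt_session` and `demo_spawn_session` are hypothetical, and reading the owner from /proc is an assumption of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not TORQUE code): allow adoption only if sid is a live
 * session leader owned by job_uid. Any lookup failure denies the request. */
int may_adopt_session(pid_t sid, uid_t job_uid)
{
    char path[32];
    struct stat st;
    if (sid <= 1 || getsid(sid) != sid)      /* gone, or not a session leader */
        return 0;
    snprintf(path, sizeof path, "/proc/%ld", (long)sid);
    /* On Linux the owner of /proc/<pid> is the process's effective uid. */
    return stat(path, &st) == 0 && st.st_uid == job_uid;
}

/* Constructed fixture: fork a child that becomes leader of a new session. */
pid_t demo_spawn_session(void)
{
    int fds[2];
    char ready;
    pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                          /* child */
        if (setsid() < 0 || write(fds[1], "x", 1) != 1)
            _exit(1);
        for (;;) pause();                    /* stay alive until killed */
    }
    close(fds[1]);
    if (read(fds[0], &ready, 1) != 1)        /* wait until setsid() is done */
        pid = -1;
    close(fds[0]);
    return pid;
}

int main(void)
{
    pid_t sid = demo_spawn_session();
    if (sid <= 0)                            /* never pass -1 to kill() */
        return 1;
    printf("same uid: %d, other uid: %d\n", may_adopt_session(sid, geteuid()),
           may_adopt_session(sid, geteuid() + 1));
    kill(sid, SIGKILL);
    waitpid(sid, NULL, 0);
}
```

The check and the later adoption are separate steps, so a daemon using this pattern has to perform the check itself at adoption time rather than trust a result supplied by the caller.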