Your message dated Wed, 05 Nov 2014 23:48:57 +0000
with message-id <e1xmajt-0008ey...@franck.debian.org>
and subject line Bug#763922: fixed in torque 2.4.16+dfsg-1+deb7u4
has caused the Debian Bug report #763922,
regarding torque: CVE-2014-3684: non-root users able to kill any process on any
node in a job
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
763922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763922
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: torque
Version: 2.4.8+dfsg-9
Severity: grave
Tags: security upstream fixed-upstream
Dear Torque maintainers,
the following vulnerability was published for torque.
CVE-2014-3684[0]:
non-root users able to kill any process on any node in a job
From a quick look it looked also applicable to the old (upstream
end-of-lifed) version we have in Debian, could you confirm that?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-3684
[1]
https://github.com/adaptivecomputing/torque/commit/967cdc80150690459a47a35a658abeee0ca6e5cb
https://github.com/adaptivecomputing/torque/commit/f2f4c950f3d461a249111c8826da3beaafccace9
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: torque
Source-Version: 2.4.16+dfsg-1+deb7u4
We believe that the bug you reported is fixed in the latest version of
torque, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 763...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated torque package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 21 Oct 2014 17:41:56 +0200
Source: torque
Binary: torque-common torque-server torque-pam torque-scheduler torque-client
torque-mom torque-client-x11 libtorque2 libtorque2-dev
Architecture: source amd64
Version: 2.4.16+dfsg-1+deb7u4
Distribution: wheezy-security
Urgency: high
Maintainer: Morten Kjeldgaard <m...@bioxray.au.dk>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
libtorque2 - shared library for Torque client and server
libtorque2-dev - header files for libtorque2
torque-client - command line interface to Torque server
torque-client-x11 - GUI for torque clients
torque-common - Torque Queueing System shared files
torque-mom - job execution engine for Torque batch system
torque-pam - PAM module for PBS MOM nodes
torque-scheduler - scheduler part of Torque
torque-server - PBS-derived batch processing server
Closes: 763922
Changes:
torque (2.4.16+dfsg-1+deb7u4) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2014-3684.patch patch.
CVE-2014-3684: Within a TORQUE Resource Manager job, the tm_adopt()
TORQUE library call enables a user-built executable calling tm_adopt()
to adopt any session id (and its child processes) regardless of the
session id owner on any node within a job. When a job that includes the
executable calling tm_adopt() exits, the adopted processes are killed
along with the job processes during normal job cleanup. This can enable
a non-root user to kill processes he doesn't own including root-owned
ones on any node in a job. (Closes: #763922)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---