Your message dated Tue, 07 Nov 2023 21:18:01 +0000
with message-id <e1r0tst-000dhl...@fasolo.debian.org>
and subject line Bug#1051729: fixed in pmix 4.0.0-4.1+deb11u1
has caused the Debian Bug report #1051729,
regarding pmix: CVE-2023-41915
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1051729: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051729
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pmix
Version: 5.0.0~rc1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for pmix.
CVE-2023-41915[0]:
| OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers
| to obtain ownership of arbitrary files via a race condition during
| execution of library code with UID 0.
As mentioned in [2]:
| A filesystem race condition could permit a malicious user
| to obtain ownership of an arbitrary file on the filesystem
| when parts of the PMIx library are called by a process
| running as uid 0. This may happen under the default
| configuration of certain workload managers, including Slurm.
(fs.protected_symlinks not protecting in such a case)
Please downgrade the severity if you do not agree on the assessment,
but at the very least the unstable version should be fixed. We can have
a look at what needs to be done for bookworm and bullseye in the next step.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-41915
https://www.cve.org/CVERecord?id=CVE-2023-41915
[1] https://github.com/openpmix/openpmix/commit/0bf9801a3017eb6ca411e158da39570ccb998c17
[2] https://github.com/openpmix/openpmix/releases/tag/v5.0.1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
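The advisory quoted above describes the defect only at the level of "a filesystem race condition when parts of the library run as uid 0", and the bullseye changelog later names the fix as "Do not follow links when doing chown". The following is an added illustration of that class of bug and of one hardened pattern; it is not code from OpenPMIx or from the referenced commit, and the function names `chown_following_links`, `chown_nofollow`, `make_tmpdir` and `run_demo`, the temp-directory layout and the decision to accept only regular files and directories are all assumptions made for the example. `chown(2)` resolves its path argument at call time and follows symbolic links, so a link planted by an unprivileged user in a directory the privileged caller manages redirects the ownership change to any file on the system (`fs.protected_symlinks` only restricts following links in sticky world-writable directories, which is why the report notes it does not help here). The hardened form opens the path with `O_NOFOLLOW`, checks the inode it actually got, and calls `fchown(2)` on that descriptor, so the path is never resolved a second time.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the changelog entry moves away from: chown(2) resolves the path
 * at call time and follows a symlink, so whatever the link points to at
 * that moment gets its owner changed. Kept here only as the contrast. */
int chown_following_links(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid);
}

/* Hardened form (an assumption: one way to satisfy "do not follow links
 * when doing chown"; not the OpenPMIx code). Open with O_NOFOLLOW so a
 * symlink is refused, verify the opened inode is a plain file or directory,
 * and change ownership on the descriptor so the path is resolved only once. */
int chown_nofollow(const char *path, uid_t uid, gid_t gid)
{
    /* O_NOFOLLOW: fail with ELOOP if the final component is a symlink.
     * O_NONBLOCK: do not hang if a FIFO was planted at the path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    int saved;
    if (fstat(fd, &st) != 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* Only the object kinds the caller expects to manage. */
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    /* fchown(2) acts on the inode already open, not on a re-resolved path. */
    int rc = fchown(fd, uid, gid);
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Helper for the self-check: create a fresh scratch directory. */
static int make_tmpdir(char *out, size_t n)
{
    const char *bases[] = { getenv("TMPDIR"), "/tmp", "." };
    for (size_t i = 0; i < 3; i++) {
        if (bases[i] == NULL)
            continue;
        snprintf(out, n, "%s/chown-demo-XXXXXX", bases[i]);
        if (mkdtemp(out) != NULL)
            return 0;
    }
    return -1;
}

/* Self-check on a constructed layout: a regular file plus a symlink to it.
 * The hardened function must accept the file and reject the symlink with
 * ELOOP. Ownership is set to the caller's own uid/gid so this also runs
 * unprivileged; a root caller would pass the intended owner instead.
 * Returns 0 when both behaviours are observed. */
int run_demo(void)
{
    char dir[PATH_MAX], file[PATH_MAX], lnk[PATH_MAX];
    if (make_tmpdir(dir, sizeof dir) != 0)
        return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/planted-link", dir);

    int rc = -1;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    close(fd);
    if (symlink(file, lnk) != 0)
        goto out;

    int on_link = chown_nofollow(lnk, getuid(), getgid());
    int link_errno = errno;
    int on_file = chown_nofollow(file, getuid(), getgid());
    if (on_link == -1 && link_errno == ELOOP && on_file == 0)
        rc = 0;
out:
    unlink(lnk);
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("symlink refused, regular file accepted: %s\n", rc == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

The smallest change that matches the changelog wording is replacing `chown(path, ...)` with `lchown(path, ...)` or `fchownat(AT_FDCWD, path, uid, gid, AT_SYMLINK_NOFOLLOW)`; the descriptor-based version above goes one step further, because the ownership change is applied to the inode that was inspected rather than to a path that could be swapped between the check and the call.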
--- Begin Message ---
Source: pmix
Source-Version: 4.0.0-4.1+deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
pmix, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated pmix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 28 Oct 2023 20:49:38 +0200
Source: pmix
Architecture: source
Version: 4.0.0-4.1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Alastair McKinstry <mckins...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1051729
Changes:
pmix (4.0.0-4.1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Do not follow links when doing "chown" (CVE-2023-41915) (Closes: #1051729)
Checksums-Sha1:
590a10d899808466b45b7a5f8a4673b082b885a6 2417 pmix_4.0.0-4.1+deb11u1.dsc
2f0078824ea5ff508f14dfdf38f05e30385fffa9 806668 pmix_4.0.0.orig.tar.xz
28d47e4a41952d2b6e62a645b412162a7a1e1c46 10312 pmix_4.0.0-4.1+deb11u1.debian.tar.xz
15dd558c5dedf496b0d8c37df82181abf151ac03 7887 pmix_4.0.0-4.1+deb11u1_source.buildinfo
Checksums-Sha256:
abc0dc3e7ad659c22daa3b3ac70db41af99662326bf09ce5603cb3835b4838fa 2417 pmix_4.0.0-4.1+deb11u1.dsc
b11eb90a88cd387515b96b8ab8e2f035eeef24f51fa6f15a9ca5cc89778eb1f7 806668 pmix_4.0.0.orig.tar.xz
af67a0e52dc1f478a12def44e7e3a5cfc143ae4fcae26ea9f973d64a06cfd6aa 10312 pmix_4.0.0-4.1+deb11u1.debian.tar.xz
f9b62ee40473909280c573b677eb846fc6112947789d85b1adabe0df1fd71f0c 7887 pmix_4.0.0-4.1+deb11u1_source.buildinfo
Files:
37411e153475bd510ee7ecaa23143e83 2417 net optional pmix_4.0.0-4.1+deb11u1.dsc
efb717846526fc6cdd1e8f338ac4bebb 806668 net optional pmix_4.0.0.orig.tar.xz
df5580dc91f6cdfccf9190a2b1b549f7 10312 net optional pmix_4.0.0-4.1+deb11u1.debian.tar.xz
ef1db4107b85a534655a958b67ac56a0 7887 net optional pmix_4.0.0-4.1+deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---