Slurm version 21.08.4 is now available, and includes a series of recent bug fixes, as well as a moderate security fix.

Note that this security issue is only present in the 21.08 release series. Slurm 20.11 and older releases are unaffected.

SchedMD customers were informed of this issue on November 2nd and provided a fix on request; this process is documented in our security policy. [1]

CVE-2021-43337:
For sites using the new AccountingStoreFlags=job_script and/or job_env
options, an issue was reported with the access control rules in SlurmDBD
that will permit users to request job scripts and environment files that
they should not have access to.

(Scripts/environments are meant to only be accessible by user accounts
with administrator privileges, by account coordinators for jobs
submitted under their account, and by the user themselves.)

Downloads are available at https://www.schedmd.com/downloads.php.

Release notes follow below.

- Tim

[1] https://www.schedmd.com/security.php

--
Tim Wickberg
Chief Technology Officer, SchedMD LLC
Commercial Slurm Development and Support

* Changes in Slurm 21.08.4
==========================
 -- Fix potential deadlock when using PMI v1.
 -- Fix tight loop sending DBD_SEND_MULT_JOB_START when the slurmctld has an
    issue talking correctly to the DBD.
 -- Fix memory leak in step creation.
 -- Fix potential deadlock when shutting down slurmctld.
 -- Fix regression in 21.08 where multi-node steps that requested MemPerCPU
    were not counted against the job's memory allocation on some nodes.
 -- Fix issue with select/cons_tres and the partition limit MaxCpusPerNode where
    the limit was enforced for one less CPU than the configured value.
 -- jobacct_gather/common - compare Pss to Rss after scaling Pss to Rss units.
 -- Fix SLURM_NODE_ALIASES in RPC Prolog for batch jobs.
 -- Fix regression in 21.08 where slurmd and slurmstepd were not constrained
    with CpuSpecList or CoreSpecCount.
 -- Fix cloud jobs running without powering up nodes after a reconfig/restart.
 -- CVE-2021-43337 - Fix security issue with new AccountingStoreFlags=job_script
    and job_env options where users could request scripts and environments they
    should not have been permitted to access.
