CVE-2010-3380

Related Vulnerabilities: CVE-2010-3380  

Debian Bug report logs - #602340
CVE-2010-3380

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 3 Nov 2010 21:57:02 UTC

Severity: grave

Tags: security

Fixed in version slurm-llnl/2.1.15-2

Done: Gennaro Oliva <oliva.g@na.icar.cnr.it>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#602340; Package slurm-llnl. (Wed, 03 Nov 2010 21:57:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>. (Wed, 03 Nov 2010 21:57:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-3380
Date: Wed, 03 Nov 2010 22:52:30 +0100
Package: slurm-llnl
Severity: grave
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3380 

I'm attaching the extracted upstream fix. Please note that while upstream
has fixed this issue in 2.1.4, Debian is still affected since we ship
our own init scripts in debian/. As such, sid still needs a fix.

As for Squeeze, please prepare a targeted testing upload with the security
fix only. At this point of the release freeze release managers don't
accept new upstream releases any longer.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages slurm-llnl depends on:
ii  adduser                   3.112+nmu1     add and remove users and groups
ii  libc6                     2.11.2-6       Embedded GNU C Library: Shared lib
ii  libncurses5               5.7+20100313-4 shared libraries for terminal hand
ii  lsb-base                  3.2-26         Linux Standard Base 3.2 init scrip
pn  munge                     <none>         (no description available)
ii  openssl                   0.9.8o-2       Secure Socket Layer (SSL) binary a
pn  openssl-blacklist         <none>         (no description available)
pn  slurm-llnl-basic-plugins  <none>         (no description available)
ii  ucf                       3.0025+nmu1    Update Configuration File: preserv

slurm-llnl recommends no packages.

slurm-llnl suggests no packages.
[slurm.diff (text/x-diff, attachment)]

Reply sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>:
You have taken responsibility. (Sat, 06 Nov 2010 21:21:07 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 06 Nov 2010 21:21:07 GMT).


Message #10 received at 602340-close@bugs.debian.org:

From: Gennaro Oliva <oliva.g@na.icar.cnr.it>
To: 602340-close@bugs.debian.org
Subject: Bug#602340: fixed in slurm-llnl 2.1.15-2
Date: Sat, 06 Nov 2010 21:18:51 +0000
Source: slurm-llnl
Source-Version: 2.1.15-2

We believe that the bug you reported is fixed in the latest version of
slurm-llnl, which is due to be installed in the Debian FTP archive:

libpmi0-dev_2.1.15-2_i386.deb
  to main/s/slurm-llnl/libpmi0-dev_2.1.15-2_i386.deb
libpmi0_2.1.15-2_i386.deb
  to main/s/slurm-llnl/libpmi0_2.1.15-2_i386.deb
libslurm21-dev_2.1.15-2_i386.deb
  to main/s/slurm-llnl/libslurm21-dev_2.1.15-2_i386.deb
libslurm21_2.1.15-2_i386.deb
  to main/s/slurm-llnl/libslurm21_2.1.15-2_i386.deb
slurm-llnl-basic-plugins-dev_2.1.15-2_i386.deb
  to main/s/slurm-llnl/slurm-llnl-basic-plugins-dev_2.1.15-2_i386.deb
slurm-llnl-basic-plugins_2.1.15-2_i386.deb
  to main/s/slurm-llnl/slurm-llnl-basic-plugins_2.1.15-2_i386.deb
slurm-llnl-doc_2.1.15-2_all.deb
  to main/s/slurm-llnl/slurm-llnl-doc_2.1.15-2_all.deb
slurm-llnl-slurmdbd_2.1.15-2_i386.deb
  to main/s/slurm-llnl/slurm-llnl-slurmdbd_2.1.15-2_i386.deb
slurm-llnl-sview_2.1.15-2_i386.deb
  to main/s/slurm-llnl/slurm-llnl-sview_2.1.15-2_i386.deb
slurm-llnl_2.1.15-2.debian.tar.gz
  to main/s/slurm-llnl/slurm-llnl_2.1.15-2.debian.tar.gz
slurm-llnl_2.1.15-2.dsc
  to main/s/slurm-llnl/slurm-llnl_2.1.15-2.dsc
slurm-llnl_2.1.15-2_i386.deb
  to main/s/slurm-llnl/slurm-llnl_2.1.15-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 602340@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gennaro Oliva <oliva.g@na.icar.cnr.it> (supplier of updated slurm-llnl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 04 Nov 2010 12:36:33 +0100
Source: slurm-llnl
Binary: slurm-llnl libslurm21 libpmi0 libslurm21-dev libpmi0-dev slurm-llnl-doc slurm-llnl-basic-plugins slurm-llnl-basic-plugins-dev slurm-llnl-sview slurm-llnl-slurmdbd
Architecture: source i386 all
Version: 2.1.15-2
Distribution: unstable
Urgency: low
Maintainer: Gennaro Oliva <oliva.g@na.icar.cnr.it>
Changed-By: Gennaro Oliva <oliva.g@na.icar.cnr.it>
Description: 
 libpmi0    - SLURM PMI library implementation
 libpmi0-dev - SLURM PMI library implementation development files
 libslurm21 - Runtime library files for SLURM
 libslurm21-dev - SLURM development files
 slurm-llnl - Simple Linux Utility for Resource Management
 slurm-llnl-basic-plugins - SLURM basic plugins
 slurm-llnl-basic-plugins-dev - SLURM basic plugins development files
 slurm-llnl-doc - SLURM docmentation
 slurm-llnl-slurmdbd - Secure enterprise-wide interface to a database for SLURM
 slurm-llnl-sview - GUI to view and modify SLURM state
Closes: 602340
Changes: 
 slurm-llnl (2.1.15-2) unstable; urgency=low
 .
   * Properly set LD_LIBRARY_PATH in slurm and slurmdbd init scripts
     FIX CVE-2010-3380 (Closes: #602340)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFM1cJFCZSR95Gw07cRAnFjAJ9yM5qSP0UvMHpqmHQCOvaPS/S8zwCdGpyl
J22U6A5ZQh4punVbfNAe/G0=
=RY1n
-----END PGP SIGNATURE-----
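
The changelog entry above says only that the init scripts now set LD_LIBRARY_PATH properly; the CVE-2010-3380 entry describes the flaw as a zero-length directory name in LD_LIBRARY_PATH, which the dynamic loader resolves against the current working directory. The following is an added example, not the Debian or upstream patch (which is not reproduced on this page), showing a check for such entries and a prepend that cannot create one. The function names and the sample directory /usr/lib/slurm are assumptions.

```shell
#!/bin/sh
# Added example: audit and safely build an LD_LIBRARY_PATH value.
# Function names and /usr/lib/slurm are illustrative assumptions.

# Return 0 if the colon-separated list has an entry the loader resolves
# against the current working directory: an empty entry (leading,
# trailing or doubled colon) or a relative one such as ".".
has_cwd_entry() {
    case "$1" in
        "")         return 1 ;;  # empty value: the loader ignores it
        :*|*:|*::*) return 0 ;;  # zero-length entry
    esac
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing while splitting on ':'
    for entry in $1; do
        case "$entry" in
            /*) ;;               # absolute path: fine
            *)  IFS=$old_ifs; set +f; return 0 ;;  # relative path
        esac
    done
    IFS=$old_ifs
    set +f
    return 1
}

# Unconditional concatenation: leaves a trailing ':' (an empty entry)
# whenever the current value is unset or empty, as it usually is at boot.
naive_prepend() {
    printf '%s\n' "$1:$2"
}

# ${2:+:$2} expands to nothing when the current value is empty, so the
# separator is only written when there is something to separate.
prepend_libdir() {
    printf '%s\n' "$1${2:+:$2}"
}

# Constructed sample: an init script starting with an empty variable.
for value in "$(naive_prepend /usr/lib/slurm "")" \
             "$(prepend_libdir /usr/lib/slurm "")"; do
    if has_cwd_entry "$value"; then
        echo "UNSAFE: '$value' searches the current directory"
    else
        echo "ok:     '$value'"
    fi
done
```

The same check can be pointed at the LD_LIBRARY_PATH of a running daemon by reading the variable from /proc/PID/environ.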





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Dec 2010 07:32:22 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:21:54 2019; Machine Name: buxtehude
