Debian Bug report logs -
#900548
slurm-llnl: CVE-2018-10995: Insecure handling of username and gid fields
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 1 Jun 2018 07:54:01 UTC
Severity: grave
Tags: security, upstream
Found in version slurm-llnl/14.03.9-5
Fixed in versions slurm-llnl/17.11.7-1, slurm-llnl/16.05.9-1+deb9u2
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#900548; Package src:slurm-llnl.
(Fri, 01 Jun 2018 07:54:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>.
(Fri, 01 Jun 2018 07:54:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: slurm-llnl
Version: 14.03.9-5
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for slurm-llnl.
CVE-2018-10995[0]:
| SchedMD Slurm before 17.02.11 and 17.1x.x before 17.11.7 mishandles
| user names (aka user_name fields) and group ids (aka gid fields).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10995
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#900548; Package src:slurm-llnl.
(Thu, 07 Jun 2018 05:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>.
(Thu, 07 Jun 2018 05:21:04 GMT) (full text, mbox, link).
Message #10 received at 900548@bugs.debian.org (full text, mbox, reply):
Source: slurm-llnl
Source-Version: 17.11.7-1
On Fri, Jun 01, 2018 at 09:51:28AM +0200, Salvatore Bonaccorso wrote:
> Source: slurm-llnl
> Version: 14.03.9-5
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> The following vulnerability was published for slurm-llnl.
>
> CVE-2018-10995[0]:
> | SchedMD Slurm before 17.02.11 and 17.1x.x before 17.11.7 mishandles
> | user names (aka user_name fields) and group ids (aka gid fields).
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
This issue was adressed with the 17.11.7-1 upload to unstable, closing
the bug accordingly.
Regards,
Salvatore
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Thu, 07 Jun 2018 05:21:07 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 07 Jun 2018 05:21:07 GMT) (full text, mbox, link).
Marked as fixed in versions slurm-llnl/16.05.9-1+deb9u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 24 Jul 2018 18:39:06 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 25 Nov 2018 07:27:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:56:25 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon