From af603b8163c5e640582b599fd6688f2abe66b6e2f89423ca9d2d99d8322dcfb9 Mon Sep 17 00:00:00 2001 
From: Egbert Eich Date: Fri, 5 Jan 2024 12:29:13 +0000 Subject: [PATCH] Accepting request 1136624 from home:eeich:branches:network:cluster - Update to 23.02.6 to fix (CVE-2023-49933 - bsc#1218046, CVE-2023-49935 - bsc#1218049, CVE-2023-49936 - bsc#1218050, CVE-2023-49937 - bsc#1218051, CVE-2023-49938 - bsc#1218053) * Security Fixes: + Add `JobAcctGatherParams=DisableGPUAcct` to disable gpu accounting. + `acct_gather_energy/ipmi` - Improve logging of DCMI issues. + `gpu/oneapi` - Add support for new env vars `ZE_FLAT_DEVICE_HIERARCHY` and `ZE_ENABLE_PCI_ID_DEVICE_ORDER`. + `data_parser/v0.0.39` - skip empty string when parsing QOS ids. + Remove error message from `assoc_mgr_update_assocs` when purposefully resetting the default QOS. * Bug Fixes: + `libslurm_nss` - Avoid causing glibc to assert due to an unexpected return from slurm_nss due to an error during lookup. + Fix job requests with `--tres-per-task` sometimes resulting in bad allocations that cannot run subsequent job steps. + Fix issue with `slurmd` where `srun` fails to be warned when a node prolog script runs beyond `MsgTimeout` set in `slurm.conf`. + `gres/shard` - Fix plugin functions to have matching parameter orders. + `gpu/nvml` - Fix issue that resulted in the wrong MIG devices being constrained to a job + `gpu/nvml` - Fix linking issue with MIGs that prevented multiple MIGs being used in a single job for certain MIG configurations + Fix file descriptor leak in slurmd when using `acct_gather_energy/ipmi` with DCMI devices. + `sview` - avoid crash when job has a node list string > 49 characters. + Prevent `slurmctld` crash during reconfigure when packing job start messages. + Preserve reason uid on reconfig. 
+ Update node reason with updated `INVAL` state reason if different from OBS-URL: https://build.opensuse.org/request/show/1136624 OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=282
---
slurm-23.02.6.tar.bz2 | 3 --
slurm-23.02.7.tar.bz2 | 3 ++
slurm.changes | 69 +++++++++++++++++++++++++++++++++++++++++++
slurm.spec | 8 ++---
upgrades | 2 ++
5 files changed, 77 insertions(+), 8 deletions(-)
delete mode 100644 slurm-23.02.6.tar.bz2
create mode 100644 slurm-23.02.7.tar.bz2
diff --git a/slurm-23.02.6.tar.bz2 b/slurm-23.02.6.tar.bz2
deleted file mode 100644
index ab12454..0000000
--- a/slurm-23.02.6.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4a5cbc19228c324aea267266e49b034a12529f20052edb5cbd63599a431e3f23
-size 7444926
diff --git a/slurm-23.02.7.tar.bz2 b/slurm-23.02.7.tar.bz2
new file mode 100644
index 0000000..91f8f1d
--- /dev/null
+++ b/slurm-23.02.7.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eba6db8990abf40402d8e30d8706a7ddd0560e0e307c567f0fb72f1c8a522078
+size 7447239
diff --git a/slurm.changes b/slurm.changes
index d51419a..296f0ba 100644
--- a/slurm.changes
+++ b/slurm.changes
@@ -1,3 +1,72 @@ +------------------------------------------------------------------- +Wed Jan 3 10:45:48 UTC 2024 - Egbert Eich + +- Update to 23.02.6 to fix (CVE-2023-49933 - bsc#1218046, CVE-2023-49935 - + bsc#1218049, CVE-2023-49936 - bsc#1218050, CVE-2023-49937 - bsc#1218051, + CVE-2023-49938 - bsc#1218053) + * Security Fixes: + + Add `JobAcctGatherParams=DisableGPUAcct` to disable gpu accounting. + + `acct_gather_energy/ipmi` - Improve logging of DCMI issues. + + `gpu/oneapi` - Add support for new env vars `ZE_FLAT_DEVICE_HIERARCHY` + and `ZE_ENABLE_PCI_ID_DEVICE_ORDER`. + + `data_parser/v0.0.39` - skip empty string when parsing QOS ids. + + Remove error message from `assoc_mgr_update_assocs` when purposefully + resetting the default QOS. + * Bug Fixes: + + `libslurm_nss` - Avoid causing glibc to assert due to an unexpected + return from slurm_nss due to an error during lookup. + + Fix job requests with `--tres-per-task` sometimes resulting in bad + allocations that cannot run subsequent job steps. + + Fix issue with `slurmd` where `srun` fails to be warned when a node + prolog script runs beyond `MsgTimeout` set in `slurm.conf`. + + `gres/shard` - Fix plugin functions to have matching parameter orders. + + `gpu/nvml` - Fix issue that resulted in the wrong MIG devices being + constrained to a job + + `gpu/nvml` - Fix linking issue with MIGs that prevented multiple MIGs + being used in a single job for certain MIG configurations + + Fix file descriptor leak in slurmd when using `acct_gather_energy/ipmi` + with DCMI devices. + + `sview` - avoid crash when job has a node list string > 49 characters. + + Prevent `slurmctld` crash during reconfigure when packing job start + messages. + + Preserve reason uid on reconfig. + + Update node reason with updated `INVAL` state reason if different from + last registration. + + `conmgr` - Avoid NULL dereference when using `auth/none`. + + `data_parser/v0.0.39` - Fixed how deleted QOS and associations for jobs + are dumped. 
+ + `burst_buffer/lua` - fix stage in counter not decrementing when a job is + cancelled during stage in. This counter is used to enforce the limit of + 128 scripts per stage. + + `data_parser/v0.0.39` - Fix how the `INVALID` nodes state is dumped. + + `data_parser/v0.0.39` - Fix parsing of flag arrays to allow muliple + flags to be set. + + Avoid leaking sockets when an x11 application is closed in an allocation. + + Fix missing mutex unlock in group cache code which could cause slurmctld + to freeze. + + Fix scrontab monthly jobs possibly skipping a month if added near the + end of the month. + + Fix loading of the gpu account gather energy plugin. + + Fix `slurmctld` segfault when reconfiguring after a job resize. + + Fix crash in slurmstepd that can occur when launching tasks via mpi using + the `pmi2` plugin and using the `route/topology` plugin. + + Fix `qos doesn't exist` error message in `assoc_mgr_update_assocs` + to print the attempted new default qos, rather than the current default + qos. + + `data_parser/v0.0.39` - Fix segfault when POSTing data with association + usage. + * Other Changes and Improvements: + + Prevent message extension attacks that could bypass the message hash. + CVE-2023-49933. + + Prevent message hash bypass in slurmd which can allow an attacker to + reuse root-level MUNGE tokens and escalate permissions. CVE-2023-49935. + + Prevent NULL pointer dereference on `size_valp` overflow. CVE-2023-49936. + + Prevent double-xfree() on error in `_unpack_node_reg_resp()`. + CVE-2023-49937. + + Prevent modified `sbcast` RPCs from opening a file with the wrong group + permissions. CVE-2023-49938. +- Fix %do_obsoletes macro expansion to work with SLE-12. + ------------------------------------------------------------------- Thu Nov 30 18:52:44 UTC 2023 - Egbert Eich diff --git a/slurm.spec b/slurm.spec index 3c6de37..9ca78f0 100644 --- a/slurm.spec +++ b/slurm.spec 
@@ -1,7 +1,7 @@ # # spec file # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ # Check file META in sources: update so_version to (API_CURRENT - API_AGE) %define so_version 39 # Make sure to update `upgrades` as well! -%define ver 23.02.6 +%define ver 23.02.7 %define _ver _23_02 #%%define rc_v 0rc1 %define dl_ver %{ver} @@ -92,7 +92,7 @@ Conflicts: %{*} >= %{ver_m}.99 } %define upgrade_dep() %{?upgrade: # Provides: %{*} = %{version} -%{do_obsoletes %{*}} +%{expand:%%do_obsoletes %{*}} Conflicts: %{*} } %if 0%{?suse_version} >= 1500 @@ -405,8 +405,6 @@ Requires: libpmix%{pmix_so} Requires: pmix %endif Requires: %{name}-config = %{version} -# This may be removed once older versions have all been fixed. -%{base_conflicts %{pname}-sview} %description plugins This package contains the SLURM plugins (loadable shared objects) diff --git a/upgrades b/upgrades index 55ae78f..b03b0e1 100644 --- a/upgrades +++ b/upgrades @@ -1,6 +1,8 @@ +23.02.6 23.02.5 23.02.3 23.02.0 +22.05.11 22.05.10 22.05.5 22.05.2
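Review bot: The new `%define ver 23.02.7` and the added `slurm-23.02.7.tar.bz2` source disagree with the changelog entry and the patch subject, which both say "Update to 23.02.6"; 23.02.6 is the version this commit removes. Anyone reading slurm.changes to find which package version carries the fixes for CVE-2023-49933, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937 and CVE-2023-49938 would be pointed at the wrong release, so the entry should begin `- Update to 23.02.7 to fix (CVE-2023-49933 - bsc#1218046, ...`. In the same entry the five CVE items are listed under "Other Changes and Improvements" while feature and logging items sit under "Security Fixes"; the two headings look swapped and should be exchanged.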
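Review bot: The replacement of `%{do_obsoletes %{*}}` with `%{expand:%%do_obsoletes %{*}}` inside `upgrade_dep` carries no comment in the spec, so the only record of why the longer form is needed is the changelog line about SLE-12. A later cleanup could easily fold it back into the short form and break the Obsoletes generation on that target again. I would add a line above `%define upgrade_dep()`, outside the macro body, such as `# do_obsoletes is invoked via expand below; the plain invocation does not expand correctly on SLE-12`. The comment avoids macro syntax on purpose, since rpm expands macros in comment lines as well, which is why this file already writes `#%%define rc_v`. The exact rpm behaviour on SLE-12 is inferred from the changelog and should be confirmed.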