From 90bba6a8aa5042b52b8159960ab9882cc6d7a5f4fa21fe6b21a4ff9a9c62021e Mon Sep 17 00:00:00 2001
From: Egbert Eich
Date: Thu, 12 Oct 2023 08:49:44 +0000
Subject: [PATCH 1/3] Accepting request 1117137 from home:mslacken:branches:network:cluster - update to 23.02.6 to fix (CVE-2023-41914) * Removed Fix-test-32.8.patch as fixed upstream OBS-URL: https://build.opensuse.org/request/show/1117137 OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=267
---
 Fix-test-32.8.patch | 26 --------------------------
 slurm-23.02.5.tar.bz2 | 3 ---
 slurm-23.02.6.tar.bz2 | 3 +++
 slurm.changes | 6 ++++++
 slurm.spec | 4 +---
 5 files changed, 10 insertions(+), 32 deletions(-)
 delete mode 100644 Fix-test-32.8.patch
 delete mode 100644 slurm-23.02.5.tar.bz2
 create mode 100644 slurm-23.02.6.tar.bz2
diff --git a/Fix-test-32.8.patch b/Fix-test-32.8.patch
deleted file mode 100644
index 9927bbd..0000000
--- a/Fix-test-32.8.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Egbert Eich
-Date: Wed Jun 15 08:41:16 2022 +0200
-Subject: Fix test 32.8
-Patch-mainline: Not yet
-Git-repo: https://github.com/SchedMD/slurm
-Git-commit: 6641a03b1d1dfcb937617067f50c8069a04ec9b0
-References:
-
-Signed-off-by: Egbert Eich
-Signed-off-by: Egbert Eich
----
- testsuite/expect/test32.8 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/testsuite/expect/test32.8 b/testsuite/expect/test32.8
-index 76f65c3ccc..61dba8759b 100755
---- a/testsuite/expect/test32.8
-+++ b/testsuite/expect/test32.8
-@@ -86,7 +86,7 @@ if {$job_id == 0} {
- }
-
- wait_for_job -fail $job_id "DONE"
--wai_for_file -fail $file_out
-+wait_for_file -fail $file_out
-
- set number_1 -1
- set number_2 -1
diff --git a/slurm-23.02.5.tar.bz2 b/slurm-23.02.5.tar.bz2
deleted file mode 100644
index 1918068..0000000
--- a/slurm-23.02.5.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7620f1dd1134d14dff402a9127d5a36c340d7a2b69b55f67d8a44b3b8681a59d
-size 7274119
diff --git a/slurm-23.02.6.tar.bz2 b/slurm-23.02.6.tar.bz2
new file mode 100644
index 0000000..ab12454
--- /dev/null
+++ b/slurm-23.02.6.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4a5cbc19228c324aea267266e49b034a12529f20052edb5cbd63599a431e3f23
+size 7444926
diff --git a/slurm.changes b/slurm.changes
index 4676bba..d43b92a 100644
--- a/slurm.changes
+++ b/slurm.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Oct 12 08:23:20 UTC 2023 - Christian Goll
+
+- update to 23.02.6 to fix (CVE-2023-41914)
+ * Removed Fix-test-32.8.patch as fixed upstream
+
 -------------------------------------------------------------------
 Mon Sep 18 05:23:19 UTC 2023 - Egbert Eich
diff --git a/slurm.spec b/slurm.spec
index 15be0c0..6cc8771 100644
--- a/slurm.spec
+++ b/slurm.spec
@@ -18,7 +18,7 @@
 # Check file META in sources: update so_version to (API_CURRENT - API_AGE)
 %define so_version 39
-%define ver 23.02.5
+%define ver 23.02.6
 %define _ver _23_02
 #%%define rc_v 0rc1
 %define dl_ver %{ver}
@@ -146,7 +146,6 @@ Source21: README_Testsuite.md
 Patch0: Remove-rpath-from-build.patch
 Patch2: pam_slurm-Initialize-arrays-and-pass-sizes.patch
 Patch10: Fix-test-21.41.patch
-Patch12: Fix-test-32.8.patch
 Patch14: Keep-logs-of-skipped-test-when-running-test-cases-sequentially.patch
 Patch15: Fix-test7.2-to-find-libpmix-under-lib64-as-well.patch
@@ -597,7 +596,6 @@ Do not run test suite and file bug reports for each failed test!
 %patch0 -p1
 %patch2 -p1
 %patch10 -p1
-%patch12 -p1
 %patch14 -p1
 %patch15 -p1
From cd2c5bfc505828837a0442e9d544ea0a0b41a22fb4e9475984879de6b4a684f7 Mon Sep 17 00:00:00 2001
From: Christian Goll
Date: Thu, 12 Oct 2023 09:09:32 +0000
Subject: [PATCH 2/3] Accepting request 1117145 from home:mslacken:branches:network:cluster * Bug Fixes: + Fix CpusPerTres= not upgreadable with scontrol update + Fix unintentional gres removal when validating the gres job state. + Fix --without-hpe-slingshot configure option. + Fix cgroup v2 memory calculations when transparent huge pages are used. + Fix parsing of sgather --timeout option. + Fix regression from 22.05.0 that caused srun --cpu-bind "=verbose" and "=v" options give different CPU bind masks. + Fix "_find_node_record: lookup failure for node" error message appearing for all dynamic nodes during reconfigure. + Avoid segfault if loading serializer plugin fails. + slurmrestd - Correct OpenAPI format for 'GET /slurm/v0.0.39/licenses'. + slurmrestd - Correct OpenAPI format for 'GET /slurm/v0.0.39/job/{job_id}'. + slurmrestd - Change format to multiple fields in 'GET /slurmdb/v0.0.39/assocations' and 'GET /slurmdb/v0.0.39/qos' to handle infinite and unset states. + When a node fails in a job with --no-kill, preserve the extern step on the remaining nodes to avoid breaking features that rely on the extern step such as pam_slurm_adopt, x11, and job_container/tmpfs. + auth/jwt - Ignore 'x5c' field in JWKS files. + auth/jwt - Treat 'alg' field as optional in JWKS files. + Allow job_desc.selinux_context to be read from the job_submit.lua script. + Skip check in slurmstepd that causes a large number of errors in the munge log: "Unauthorized credential for client UID=0 GID=0". This error will still appear on slurmd/slurmctld/slurmdbd start up and is not a cause for concern. + slurmctld - Allow startup with zero partitions. + Fix some mig profile names in slurm not matching nvidia mig profiles. + Prevent slurmscriptd processing delays from blocking other threads in slurmctld while trying to launch {Prolog|Epilog}Slurmctld.
OBS-URL: https://build.opensuse.org/request/show/1117145 OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=268
---
 slurm.changes | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
diff --git a/slurm.changes b/slurm.changes
index d43b92a..3be27e8 100644
--- a/slurm.changes
+++ b/slurm.changes
@@ -3,6 +3,63 @@ Thu Oct 12 08:23:20 UTC 2023 - Christian Goll
 - update to 23.02.6 to fix (CVE-2023-41914)
 * Removed Fix-test-32.8.patch as fixed upstream
+ * Bug Fixes:
+ + Fix CpusPerTres= not upgreadable with scontrol update
+ + Fix unintentional gres removal when validating the gres job state.
+ + Fix --without-hpe-slingshot configure option.
+ + Fix cgroup v2 memory calculations when transparent huge pages are used.
+ + Fix parsing of sgather --timeout option.
+ + Fix regression from 22.05.0 that caused srun --cpu-bind "=verbose" and "=v"
+ options give different CPU bind masks.
+ + Fix "_find_node_record: lookup failure for node" error message appearing
+ for all dynamic nodes during reconfigure.
+ + Avoid segfault if loading serializer plugin fails.
+ + slurmrestd - Correct OpenAPI format for 'GET /slurm/v0.0.39/licenses'.
+ + slurmrestd - Correct OpenAPI format for 'GET /slurm/v0.0.39/job/{job_id}'.
+ + slurmrestd - Change format to multiple fields in 'GET
+ /slurmdb/v0.0.39/assocations' and 'GET /slurmdb/v0.0.39/qos' to handle
+ infinite and unset states.
+ + When a node fails in a job with --no-kill, preserve the extern step on the
+ remaining nodes to avoid breaking features that rely on the extern step
+ such as pam_slurm_adopt, x11, and job_container/tmpfs.
+ + auth/jwt - Ignore 'x5c' field in JWKS files.
+ + auth/jwt - Treat 'alg' field as optional in JWKS files.
+ + Allow job_desc.selinux_context to be read from the job_submit.lua script.
+ + Skip check in slurmstepd that causes a large number of errors in the munge
+ log: "Unauthorized credential for client UID=0 GID=0". This error will
+ still appear on slurmd/slurmctld/slurmdbd start up and is not a cause for
+ concern.
+ + slurmctld - Allow startup with zero partitions.
+ + Fix some mig profile names in slurm not matching nvidia mig profiles.
+ + Prevent slurmscriptd processing delays from blocking other threads in
+ slurmctld while trying to launch {Prolog|Epilog}Slurmctld.
+ + Fix sacct printing ReqMem field when memory doesn't exist in requested TRES.
+ + Fix how heterogenous steps in an allocation with CR_PACK_NODE or -mpack are
+ created.
+ + Fix slurmctld crash from race condition within job_submit_throttle plugin.
+ + Fix --with-systemdsystemunitdir when requesting a default location.
+ + Fix not being able to cancel an array task by the jobid (i.e. not
+ _) through scancel, job launch failure or prolog failure.
+ + Fix cancelling the whole array job when the array task is the meta job and
+ it fails job or prolog launch and is not requeable. Cancel only the
+ specific task instead.
+ + Fix regression in 21.08.2 where MailProg did not run for mail-type=end for
+ jobs with non+zero exit codes.
+ + Fix incorrect setting of memory.swap.max in cgroup/v2.
+ + Fix jobacctgather/cgroup collection of disk/io, gpumem, gpuutil TRES values.
+ + Fix -d singleton for heterogeneous jobs.
+ + Downgrade info logs about a job meeting a "maximum node limit" in the
+ select plugin to DebugFlags=SelectType. These info logs could spam the
+ slurmctld log file under certain circumstances.
+ + prep/script - Fix [Srun|Task] missing SLURM_JOB_NODELIST.
+ + gres - Rebuild GRES core bitmap for nodes at startup. This fixes error:
+ "Core bitmaps size mismatch on node [HOSTNAME]", which causes jobs to enter
+ state "Requested node configuration is not available".
+ + slurmctd - Allow startup with zero nodes.
+ + Fix filesystem handling race conditions that could lead to an attacker
+ taking control of an arbitrary file, or removing entire directories'
+ contents. CVE-2023-41914.
+
 -------------------------------------------------------------------
 Mon Sep 18 05:23:19 UTC 2023 - Egbert Eich
From 449ea49bf9115ecf5d3d6b859b1c9d93e97aebffec2e0ba24343d63782a6c269 Mon Sep 17 00:00:00 2001
From: Egbert Eich
Date: Thu, 12 Oct 2023 10:02:10 +0000
Subject: [PATCH 3/3] - Fix changes file formatting OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=269
---
 slurm.changes | 119 ++++++++++++++++++++++++++------------------------
 1 file changed, 62 insertions(+), 57 deletions(-)
diff --git a/slurm.changes b/slurm.changes
index 3be27e8..365f836 100644
--- a/slurm.changes
+++ b/slurm.changes
@@ -1,65 +1,70 @@
 -------------------------------------------------------------------
 Thu Oct 12 08:23:20 UTC 2023 - Christian Goll
-- update to 23.02.6 to fix (CVE-2023-41914)
+- update to 23.02.6 to fix (CVE-2023-41914)
 * Removed Fix-test-32.8.patch as fixed upstream
 * Bug Fixes:
- + Fix CpusPerTres= not upgreadable with scontrol update
- + Fix unintentional gres removal when validating the gres job state.
- + Fix --without-hpe-slingshot configure option.
- + Fix cgroup v2 memory calculations when transparent huge pages are used.
- + Fix parsing of sgather --timeout option.
- + Fix regression from 22.05.0 that caused srun --cpu-bind "=verbose" and "=v"
- options give different CPU bind masks.
- + Fix "_find_node_record: lookup failure for node" error message appearing
- for all dynamic nodes during reconfigure.
- + Avoid segfault if loading serializer plugin fails.
- + slurmrestd - Correct OpenAPI format for 'GET /slurm/v0.0.39/licenses'.
- + slurmrestd - Correct OpenAPI format for 'GET /slurm/v0.0.39/job/{job_id}'.
- + slurmrestd - Change format to multiple fields in 'GET
- /slurmdb/v0.0.39/assocations' and 'GET /slurmdb/v0.0.39/qos' to handle
- infinite and unset states.
- + When a node fails in a job with --no-kill, preserve the extern step on the
- remaining nodes to avoid breaking features that rely on the extern step
- such as pam_slurm_adopt, x11, and job_container/tmpfs.
- + auth/jwt - Ignore 'x5c' field in JWKS files.
- + auth/jwt - Treat 'alg' field as optional in JWKS files.
- + Allow job_desc.selinux_context to be read from the job_submit.lua script.
- + Skip check in slurmstepd that causes a large number of errors in the munge
- log: "Unauthorized credential for client UID=0 GID=0". This error will
- still appear on slurmd/slurmctld/slurmdbd start up and is not a cause for
- concern.
- + slurmctld - Allow startup with zero partitions.
- + Fix some mig profile names in slurm not matching nvidia mig profiles.
- + Prevent slurmscriptd processing delays from blocking other threads in
- slurmctld while trying to launch {Prolog|Epilog}Slurmctld.
- + Fix sacct printing ReqMem field when memory doesn't exist in requested TRES.
- + Fix how heterogenous steps in an allocation with CR_PACK_NODE or -mpack are
- created.
- + Fix slurmctld crash from race condition within job_submit_throttle plugin.
- + Fix --with-systemdsystemunitdir when requesting a default location.
- + Fix not being able to cancel an array task by the jobid (i.e. not
- _) through scancel, job launch failure or prolog failure.
- + Fix cancelling the whole array job when the array task is the meta job and
- it fails job or prolog launch and is not requeable. Cancel only the
- specific task instead.
- + Fix regression in 21.08.2 where MailProg did not run for mail-type=end for
- jobs with non+zero exit codes.
- + Fix incorrect setting of memory.swap.max in cgroup/v2.
- + Fix jobacctgather/cgroup collection of disk/io, gpumem, gpuutil TRES values.
- + Fix -d singleton for heterogeneous jobs.
- + Downgrade info logs about a job meeting a "maximum node limit" in the
- select plugin to DebugFlags=SelectType. These info logs could spam the
- slurmctld log file under certain circumstances.
- + prep/script - Fix [Srun|Task] missing SLURM_JOB_NODELIST.
- + gres - Rebuild GRES core bitmap for nodes at startup. This fixes error:
- "Core bitmaps size mismatch on node [HOSTNAME]", which causes jobs to enter
- state "Requested node configuration is not available".
- + slurmctd - Allow startup with zero nodes.
- + Fix filesystem handling race conditions that could lead to an attacker
- taking control of an arbitrary file, or removing entire directories'
- contents. CVE-2023-41914.
-
+ + Fix `CpusPerTres=` not upgreadable with scontrol update
+ + Fix unintentional gres removal when validating the gres job state.
+ + Fix `--without-hpe-slingshot` configure option.
+ + Fix cgroup v2 memory calculations when transparent huge pages are used.
+ + Fix parsing of `sgather --timeout` option.
+ + Fix regression from 22.05.0 that caused `srun --cpu-bind "=verbose"`
+ and `"=v"` options give different CPU bind masks.
+ + Fix "_find_node_record: lookup failure for node" error message appearing
+ for all dynamic nodes during reconfigure.
+ + Avoid segfault if loading serializer plugin fails.
+ + `slurmrestd` - Correct OpenAPI format for `GET /slurm/v0.0.39/licenses`.
+ + `slurmrestd` - Correct OpenAPI format for
+ `GET /slurm/v0.0.39/job/{job_id}`.
+ + `slurmrestd` - Change format to multiple fields in
+ 'GET /slurmdb/v0.0.39/assocations` and `GET /slurmdb/v0.0.39/qos` to
+ handle infinite and unset states.
+ + When a node fails in a job with `--no-kill`, preserve the extern step on the
+ remaining nodes to avoid breaking features that rely on the extern step
+ such as `pam_slurm_adopt`, `x11`, and `job_container/tmpfs`.
+ + `auth/jwt` - Ignore `x5c` field in JWKS files.
+ + `auth/jwt` - Treat 'alg' field as optional in JWKS files.
+ + Allow job_desc.selinux_context to be read from the job_submit.lua script.
+ + Skip check in slurmstepd that causes a large number of errors in the
+ munge log: "Unauthorized credential for client UID=0 GID=0".
+ This error will still appear on `slurmd`/`slurmctld`/`slurmdbd` start up
+ and is not a cause for concern.
+ + `slurmctld` - Allow startup with zero partitions.
+ + Fix some mig profile names in slurm not matching nvidia mig profiles.
+ + Prevent `slurmscriptd` processing delays from blocking other threads in
+ `slurmctld` while trying to launch `{Prolog|Epilog}Slurmctld`.
+ + Fix sacct printing ReqMem field when memory doesn't exist in requested
+ TRES.
+ + Fix how heterogenous steps in an allocation with `CR_PACK_NODE` or
+ `-mpack` are created.
+ + Fix `slurmctld` crash from race condition within `job_submit_throttle`
+ plugin.
+ + Fix `--with-systemdsystemunitdir` when requesting a default location.
+ + Fix not being able to cancel an array task by the jobid (i.e. not
+ `_`) through scancel, job launch failure or prolog
+ failure.
+ + Fix cancelling the whole array job when the array task is the meta job
+ and it fails job or prolog launch and is not requeable. Cancel only the
+ specific task instead.
+ + Fix regression in 21.08.2 where MailProg did not run for `mail-type=end`
+ for jobs with non+zero exit codes.
+ + Fix incorrect setting of memory.swap.max in cgroup/v2.
+ + Fix `jobacctgather/cgroup` collection of disk/io, gpumem, gpuutil TRES
+ values.
+ + Fix -d singleton for heterogeneous jobs.
+ + Downgrade info logs about a job meeting a "maximum node limit" in the
+ select plugin to `DebugFlags=SelectType`. These info logs could spam the
+ slurmctld log file under certain circumstances.
+ + `prep/script` - Fix `[Srun|Task]` missing
+ `SLURM_JOB_NODELIST`.
+ + gres - Rebuild GRES core bitmap for nodes at startup. This fixes error:
+ "Core bitmaps size mismatch on node [HOSTNAME]", which causes jobs to
+ enter state "Requested node configuration is not available".
+ + `slurmctd` - Allow startup with zero nodes.
+ + Fix filesystem handling race conditions that could lead to an attacker
+ taking control of an arbitrary file, or removing entire directories'
+ contents. CVE-2023-41914.
 -------------------------------------------------------------------
 Mon Sep 18 05:23:19 UTC 2023 - Egbert Eich