Security update for slurm

Announcement ID: SUSE-SU-2017:3311-1
Rating: moderate
CVSS scores:
  • CVE-2017-15566 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • HPC Module 12
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves one vulnerability and has four security fixes can now be installed.

Description:

This update for slurm fixes the following issues:

Slurm was updated to 17.02.9 to fix a security bug, bringing new features and bugfixes (fate#323998 bsc#1067580).

Security issue fixed:

  • CVE-2017-15566: Fix security issue in Prolog and Epilog by always prepending SPANK_ to all user-set environment variables. (bsc#1065697)
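The following is an added model of the fix described in the bullet above, written for this page and not taken from Slurm's source: it contrasts a merge that lets user-set variables land under their own names in the Prolog/Epilog environment with the fixed behaviour, where every user-set variable is renamed with a SPANK_ prefix and therefore can never replace a trusted variable. The trusted variable names and the user-supplied values are constructed sample data.

```python
# Added illustration of the CVE-2017-15566 fix (a model, not Slurm's code):
# user-set environment variables reaching Prolog/Epilog are namespaced with
# a SPANK_ prefix so they cannot shadow the trusted environment.

# Constructed sample of variables a site's Prolog/Epilog relies on.
TRUSTED_ENV = {"PATH": "/usr/sbin:/usr/bin:/bin", "SLURM_JOB_ID": "4711"}


def unsafe_merge(trusted, user_env):
    """Pre-fix behaviour (model): user values are merged under their own
    names, so a user-set variable replaces a trusted one of the same name."""
    env = dict(trusted)
    env.update(user_env)
    return env


def spank_merge(trusted, user_env):
    """Fixed behaviour (model): every user-set variable becomes
    SPANK_<name>, so a collision with a trusted name is impossible and a
    Prolog/Epilog script must opt in by reading the SPANK_ name."""
    env = dict(trusted)
    for name, value in user_env.items():
        env["SPANK_" + name] = value
    return env


def shadowed_names(trusted, merged):
    """Trusted variables whose value differs after the merge."""
    return sorted(n for n, v in trusted.items() if merged.get(n) != v)


if __name__ == "__main__":
    # Constructed user-controlled environment exported with a job.
    user = {"SLURM_JOB_ID": "1", "MYVAR": "x"}
    print(shadowed_names(TRUSTED_ENV, unsafe_merge(TRUSTED_ENV, user)))  # ['SLURM_JOB_ID']
    print(shadowed_names(TRUSTED_ENV, spank_merge(TRUSTED_ENV, user)))   # []
```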

Changes in 17.02.9:

  • When resuming powered down nodes, mark DOWN nodes right after ResumeTimeout has been reached (previous logic would wait about one minute longer).
  • Fix sreport not showing full column name for TRES Count.
  • Fix slurmdb_reservations_get() giving wrong usage data when jobs spanned a reservation that was modified.
  • Fix sreport reservation utilization report showing bad data.
  • Show all TRES on a reservation in the sreport reservation utilization report by default.
  • Fix sacctmgr show reservation handling "end" parameter.
  • Work around issue with sysmacros.h and gcc7 / glibc 2.25.
  • Fix layouts code to only allow setting a boolean.
  • Fix sbatch --wait to keep waiting even if a message timeout occurs.
  • CRAY - If configured with NodeFeatures=knl_cray and there are non-KNL nodes which include no features, the slurmctld will abort without this patch when attempting strtok_r(NULL).
  • Fix regression in 17.02.7 which would run spank_task_privileged as part of the slurmstepd instead of its child process.

Changes in 17.02.8:

  • Add 'slurmdbd:' to the accounting plugin to indicate that a message is from the dbd instead of local.
  • mpi/mvapich - Fix buffer being only partially cleared. No failures observed.
  • Fix for job --switch option on dragonfly network.
  • In salloc with --uid option, drop supplementary groups before changing UID.
  • jobcomp/elasticsearch - strip any trailing slashes from JobCompLoc.
  • jobcomp/elasticsearch - fix memory leak when transferring generated buffer.
  • Prevent slurmstepd ABRT when parsing gres.conf CPUs.
  • Fix sbatch --signal to signal all MPI ranks in a step instead of just those on node 0.
  • Check multiple partition limits when scheduling a job that were previously only checked on submit.
  • Cray: Avoid running application/step Node Health Check on the external job step.
  • Optimization enhancements for partition based job preemption.
  • Address some build warnings from GCC 7.1, and one possible memory leak if /proc is inaccessible.
  • When creating/altering a core-based reservation with scontrol/sview on a remote cluster, determine the select type correctly.
  • Fix autoconf test for libcurl when clang is used.
  • Fix default location for cgroup_allowed_devices_file.conf to use correct default path.
  • Document NewName option to sacctmgr.
  • Reject a second PMI2_Init call within a single step to prevent slurmstepd from hanging.
  • Handle old 32bit values stored in the database for requested memory correctly in sacct.
  • Fix memory leaks in the task/cgroup plugin when constraining devices.
  • Make extremely verbose info messages debug2 messages in the task/cgroup plugin when constraining devices.
  • Fix issue that would deny the stepd access to /dev/null where GRES has a 'type' but no file defined.
  • Fix issue where the slurmstepd would fatal on job launch if you have no gres listed in your slurm.conf but some in gres.conf.
  • Fix validating time spec to correctly validate various time formats.
  • Make scontrol work correctly with job update timelimit [+|-]=.
  • Reduce the visibility of a number of warnings in _part_access_check.
  • Prevent segfault in sacctmgr if no association name is specified for an update command.
  • burst_buffer/cray plugin modified to work with changes in Cray UP05 software release.
  • Fix job reasons for jobs that are violating assoc MaxTRESPerNode limits.
  • Fix segfault when unpacking a 16.05 slurm_cred in a 17.02 daemon.
  • Fix setting TRES limits with case insensitive TRES names.
  • Add alias for xstrncmp() -- slurm_xstrncmp().
  • Fix sorting of case insensitive strings when using xstrcasecmp().
  • Gracefully handle race condition when reading /proc as process exits.
  • Avoid error on Cray duplicate setup of core specialization.
  • Skip over undefined (hidden in Slurm) nodes in pbsnodes.
  • Add empty hashes in the Perl API's slurm_load_node() for hidden nodes.
  • CRAY - Add rpath logic to work for the alpscomm libs.
  • Fixes for administrator extended TimeLimit (job reason & time limit reset).
  • Fix gres selection on systems running select/linear.
  • sview: Added window decorator for maximize, minimize and close buttons for all systems.
  • squeue: interpret negative length format specifiers as a request to delimit values with spaces.
  • Fix the torque pbsnodes wrapper script to parse a gres field with a type set correctly.

This update also contains pdsh rebuilt against the new libslurm version.

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • HPC Module 12
    zypper in -t patch SUSE-SLE-Module-HPC-12-2017-2072=1

Package List:

  • HPC Module 12 (aarch64 x86_64)
    • slurm-debugsource-17.02.9-6.10.1
    • slurm-debuginfo-17.02.9-6.10.1
    • pdsh-debugsource-2.33-7.5.17
    • slurm-slurmdbd-17.02.9-6.10.1
    • slurm-torque-debuginfo-17.02.9-6.10.1
    • libslurm31-17.02.9-6.10.1
    • libpmi0-debuginfo-17.02.9-6.10.1
    • slurm-munge-debuginfo-17.02.9-6.10.1
    • slurm-pam_slurm-debuginfo-17.02.9-6.10.1
    • perl-slurm-17.02.9-6.10.1
    • slurm-auth-none-debuginfo-17.02.9-6.10.1
    • slurm-plugins-debuginfo-17.02.9-6.10.1
    • slurm-slurmdb-direct-17.02.9-6.10.1
    • pdsh-debuginfo-2.33-7.5.17
    • libslurm31-debuginfo-17.02.9-6.10.1
    • slurm-lua-17.02.9-6.10.1
    • libslurm29-16.05.8.1-6.1
    • slurm-sql-debuginfo-17.02.9-6.10.1
    • slurm-doc-17.02.9-6.10.1
    • slurm-pam_slurm-17.02.9-6.10.1
    • slurm-sched-wiki-17.02.9-6.10.1
    • slurm-17.02.9-6.10.1
    • slurm-munge-17.02.9-6.10.1
    • libslurm29-debuginfo-16.05.8.1-6.1
    • slurm-plugins-17.02.9-6.10.1
    • libpmi0-17.02.9-6.10.1
    • slurm-auth-none-17.02.9-6.10.1
    • perl-slurm-debuginfo-17.02.9-6.10.1
    • slurm-torque-17.02.9-6.10.1
    • slurm-devel-17.02.9-6.10.1
    • slurm-lua-debuginfo-17.02.9-6.10.1
    • slurm-sql-17.02.9-6.10.1
    • pdsh-2.33-7.5.17
    • slurm-slurmdbd-debuginfo-17.02.9-6.10.1
