CVE-2019-19728

Name: CVE-2019-19728
Description: SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes srun --uid with incorrect privileges.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-4841-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                                     Version              Status
slurm-llnl (PTS)  jessie, jessie (lts)                        14.03.9-5+deb8u5     vulnerable
                  stretch (security), stretch (lts), stretch  16.05.9-1+deb9u5     vulnerable
                  buster (security), buster, buster (lts)     18.08.5.2-1+deb10u2  fixed

The information below is based on the following data on fixed versions.

Package     Type    Release     Fixed Version        Urgency      Origin      Debian Bugs
slurm-llnl  source  wheezy      (unfixed)            end-of-life
slurm-llnl  source  buster      18.08.5.2-1+deb10u2               DSA-4841-1
slurm-llnl  source  (unstable)  19.05.5-1

Notes

[stretch] - slurm-llnl <ignored> (Minor issue, fix introduces regression, upstream refuses access to bug tracker)
[jessie] - slurm-llnl <ignored> (Minor issue, fix introduces regression, upstream refuses access to bug tracker)
https://github.com/SchedMD/slurm/commit/5ac031b2ef5462f6e8e47dad0247bd474614c118
https://bugzilla.suse.com/show_bug.cgi?id=1159692
https://bugs.schedmd.com/show_bug.cgi?id=8084
Fixed upstream in 18.08.9, 19.05.5
regression: running 'srun --uid ...' can lock the node in the 'alloc' state, requiring a manual reset (with 'nobody' in stretch, with all users in jessie)
