Description: SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 988439

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                    Version                   Status
slurm-llnl (PTS)  stretch                    16.05.9-1+deb9u4          fixed
                  stretch (security)         16.05.9-1+deb9u2          fixed
                  buster, buster (security)
slurm-wlm (PTS)   bookworm, bullseye         20.11.7+really20.11.4-2   fixed

The information below is based on the following data on fixed versions.

Package     Type    Release   Fixed Version    Urgency   Origin   Debian Bugs
slurm-llnl  source  stretch   (not affected)


[buster] - slurm-llnl <no-dsa> (Minor issue)
[stretch] - slurm-llnl <not-affected> (env is already SPANKed) (2.11.7)
Initially already fixed in 20.11.7-1 (the tracker would do the right thing)
but the unstable upload invalidated the changelog 20.11.7-1 so use 20.11.7+really20.11.4-2
for consistency with BTS.
