Security update for pdsh, slurm_20_02

Announcement ID: SUSE-SU-2020:2607-1
Rating: moderate
CVSS scores:
  • CVE-2016-10030 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-15566 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-10995 ( SUSE ): 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • CVE-2018-10995 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2018-7033 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • CVE-2018-7033 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-12838 ( SUSE ): 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-12838 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-12838 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-19727 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2019-19727 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2019-19728 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-19728 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-6438 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-6438 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-12693 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
  • CVE-2020-12693 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • HPC Module 12
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves nine vulnerabilities, contains four features and has 22 security fixes can now be installed.

Description:

This update for pdsh, slurm_20_02 fixes the following issues:

Changes in slurm_20_02:

  • Add support for openPMIx also for Leap/SLE 15.0/1 (bsc#1173805).
  • Do not run %check on SLE-12-SP2: Some incompatibility in tcl makes this fail.
  • Remove unneeded build dependency on postgresql-devel.
  • Disable build on s390 (requires 64-bit).

  • Bring QA to the package build: add %check stage.

  • Remove cruft that isn't needed any longer.
  • Add 'ghosted' run-file.
  • Add rpmlint filter to handle issues with library packages for Leap and enterprise upgrade versions.

  • Updated to 20.02.3 which fixes CVE-2020-12693 (bsc#1172004).

  • Other changes are:
  • Factor in ntasks-per-core=1 with cons_tres.
  • Fix formatting in error message in cons_tres.
  • Fix calling stat on a NULL variable.
  • Fix minor memory leak when using reservations with flags=first_cores.
  • Fix gpu bind issue when CPUs=Cores and ThreadsPerCore > 1 on a node.
  • Fix --mem-per-gpu for heterogeneous --gres requests.
  • Fix slurmctld load order in load_all_part_state().
  • Fix race condition not finding jobacct gather task cgroup entry.
  • Suppress error message when selecting nodes on disjoint topologies.
  • Improve performance of _pack_default_job_details() with large number of job arguments.
  • Fix archive loading previous to 17.11 jobs per-node req_mem.
  • Fix regression validating that --gpus-per-socket requires --sockets-per-node for steps. Should only validate allocation requests.
  • error() instead of fatal() when parsing an invalid hostlist.
  • nss_slurm - fix potential deadlock in slurmstepd on overloaded systems.
  • cons_tres - fix --gres-flags=enforce-binding and related --cpus-per-gres.
  • cons_tres - Allocate lowest numbered cores when filtering cores with gres.
  • Fix getting system counts for named GRES/TRES.
  • MySQL - Fix for handling typed GRES for association rollups.
  • Fix step allocations when tasks_per_core > 1.
  • Fix allocating more GRES than requested when asking for multiple GRES types.

  • Treat libnss_slurm like any other package: add version string to upgrade package.

  • Updated to 20.02.1 with the following changes:

  • Improve job state reason for jobs hitting partition_job_depth.
  • Speed up testing of singleton dependencies.
  • Fix negative loop bound in cons_tres.
  • srun - capture the MPI plugin return code from mpi_hook_client_fini() and use as final return code for step failure.
  • Fix segfault in cli_filter/lua.
  • Fix --gpu-bind=map_gpu reusability if tasks > elements.
  • Make sure config_flags on a gres are sent to the slurmctld on node registration.
  • Prolog/Epilog - Fix missing GPU information.
  • Fix segfault when using config parser for expanded lines.
  • Fix bit overlap test function.
  • Don't accrue time if job begin time is in the future.
  • Remove accrue time when updating a job start/eligible time to the future.
  • Fix regression in 20.02.0 that broke --depend=expand.
  • Reset begin time on job release if it's not in the future.
  • Fix for recovering burst buffers when using high-availability.
  • Fix invalid read due to freeing an incorrectly allocated env array.
  • Update slurmctld -i message to warn about losing data.
  • Fix scontrol cancel_reboot so it clears the DRAIN flag and node reason for a pending ASAP reboot.

Changes in pdsh:

  • Bring QA to the package build: add %check stage.

  • Since the build for the SLE-12 HPC Module got fixed, simplify spec file and remove legacy workarounds.
  • Remove _multibuild file where not needed.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • HPC Module 12
    zypper in -t patch SUSE-SLE-Module-HPC-12-2020-2607=1

Package List:

  • HPC Module 12 (aarch64 x86_64)
    • libnss_slurm2_20_02-20.02.3-3.5.1
    • libpmi0_20_02-20.02.3-3.5.1
    • slurm_20_02-plugins-debuginfo-20.02.3-3.5.1
    • perl-slurm_20_02-debuginfo-20.02.3-3.5.1
    • slurm_20_02-sview-debuginfo-20.02.3-3.5.1
    • slurm_20_02-pam_slurm-debuginfo-20.02.3-3.5.1
    • slurm_20_02-torque-20.02.3-3.5.1
    • slurm_20_02-pam_slurm-20.02.3-3.5.1
    • slurm_20_02-config-20.02.3-3.5.1
    • slurm_20_02-plugins-20.02.3-3.5.1
    • libpmi0_20_02-debuginfo-20.02.3-3.5.1
    • slurm_20_02-auth-none-debuginfo-20.02.3-3.5.1
    • slurm_20_02-debugsource-20.02.3-3.5.1
    • slurm_20_02-node-20.02.3-3.5.1
    • slurm_20_02-munge-debuginfo-20.02.3-3.5.1
    • perl-slurm_20_02-20.02.3-3.5.1
    • slurm_20_02-lua-debuginfo-20.02.3-3.5.1
    • slurm_20_02-auth-none-20.02.3-3.5.1
    • pdsh-slurm_18_08-2.34-7.26.2
    • libslurm35-debuginfo-20.02.3-3.5.1
    • slurm_20_02-sql-debuginfo-20.02.3-3.5.1
    • slurm_20_02-sview-20.02.3-3.5.1
    • slurm_20_02-devel-20.02.3-3.5.1
    • slurm_20_02-sql-20.02.3-3.5.1
    • slurm_20_02-node-debuginfo-20.02.3-3.5.1
    • slurm_20_02-munge-20.02.3-3.5.1
    • slurm_20_02-config-man-20.02.3-3.5.1
    • slurm_20_02-lua-20.02.3-3.5.1
    • slurm_20_02-20.02.3-3.5.1
    • slurm_20_02-debuginfo-20.02.3-3.5.1
    • pdsh-slurm_20_02-debuginfo-2.34-7.26.2
    • libslurm35-20.02.3-3.5.1
    • slurm_20_02-torque-debuginfo-20.02.3-3.5.1
    • slurm_20_02-slurmdbd-20.02.3-3.5.1
    • slurm_20_02-doc-20.02.3-3.5.1
    • libnss_slurm2_20_02-debuginfo-20.02.3-3.5.1
    • slurm_20_02-slurmdbd-debuginfo-20.02.3-3.5.1
    • pdsh-slurm_20_02-2.34-7.26.2
    • pdsh-slurm_18_08-debuginfo-2.34-7.26.2
