[gentoo-announce] [ GLSA 201412-47 ] TORQUE Resource Manager: Multiple vulnerabilities - gentoo-announce

From:	Yury German <blueknight@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201412-47 ] TORQUE Resource Manager: Multiple vulnerabilities
Date:	Fri, 26 Dec 2014 20:01:26
Message-Id:	`549DBE42.6020907@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201412-47

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: High

8

    Title: TORQUE Resource Manager: Multiple vulnerabilities

9

     Date: December 26, 2014

10

     Bugs: #372959, #378805, #390167, #484320, #491270, #510726

11

       ID: 201412-47

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in TORQUE Resource Manager,

19

possibly resulting in escalation of privileges or remote code

20

execution.

21

22

Background

23

==========

24

25

TORQUE is a resource manager and queuing system based on OpenPBS.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  sys-cluster/torque           < 4.1.7                  *>= 2.5.13

34

                                                             >= 4.1.7

35

36

Description

37

===========

38

39

Multiple vulnerabilities have been discovered in TORQUE Resource

40

Manager. Please review the CVE identifiers referenced below for

41

details.

42

43

Impact

44

======

45

46

A context-dependent attacker may be able to gain escalated privileges,

47

execute arbitrary code, or bypass security restrictions.

48

49

Workaround

50

==========

51

52

There is no known workaround at this time.

53

54

Resolution

55

==========

56

57

All TORQUE Resource Manager 4.x users should upgrade to the latest

58

version:

59

60

  # emerge --sync

61

  # emerge --ask --oneshot --verbose ">=sys-cluster/torque-4.1.7"

62

63

All TORQUE Resource Manager 2.x users should upgrade to the latest

64

version:

65

66

  # emerge --sync

67

  # emerge --ask --oneshot --verbose ">=sys-cluster/torque-2.5.13"

68

69

NOTE: One or more of the issues described in this advisory have been

70

fixed in previous updates. They are included in this advisory for the

71

sake of completeness. It is likely that your system is already no

72

longer affected by them.

73

74

References

75

==========

76

77

[ 1 ] CVE-2011-2193

78

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2193

79

[ 2 ] CVE-2011-2907

80

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2907

81

[ 3 ] CVE-2011-4925

82

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4925

83

[ 4 ] CVE-2013-4319

84

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319

85

[ 5 ] CVE-2013-4495

86

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4495

87

[ 6 ] CVE-2014-0749

88

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0749

89

90

Availability

91

============

92

93

This GLSA and any updates to it are available for viewing at

94

the Gentoo Security Website:

95

96

 http://security.gentoo.org/glsa/glsa-201412-47.xml

97

98

Concerns?

99

=========

100

101

Security is a primary focus of Gentoo Linux and ensuring the

102

confidentiality and security of our users' machines is of utmost

103

importance to us. Any security concerns should be addressed to

104

security@g.o or alternatively, you may file a bug at

105

https://bugs.gentoo.org.

106

107

License

108

=======

109

110

Copyright 2014 Gentoo Foundation, Inc; referenced text

111

belongs to its owner(s).

112

113

The contents of this document are licensed under the

114

Creative Commons - Attribution / Share Alike license.

115

116

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201412-47
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: TORQUE Resource Manager: Multiple vulnerabilities
9	Date: December 26, 2014
10	Bugs: #372959, #378805, #390167, #484320, #491270, #510726
11	ID: 201412-47
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in TORQUE Resource Manager,
19	possibly resulting in escalation of privileges or remote code
20	execution.
21
22	Background
23	==========
24
25	TORQUE is a resource manager and queuing system based on OpenPBS.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 sys-cluster/torque < 4.1.7 *>= 2.5.13
34	>= 4.1.7
35
36	Description
37	===========
38
39	Multiple vulnerabilities have been discovered in TORQUE Resource
40	Manager. Please review the CVE identifiers referenced below for
41	details.
42
43	Impact
44	======
45
46	A context-dependent attacker may be able to gain escalated privileges,
47	execute arbitrary code, or bypass security restrictions.
48
49	Workaround
50	==========
51
52	There is no known workaround at this time.
53
54	Resolution
55	==========
56
57	All TORQUE Resource Manager 4.x users should upgrade to the latest
58	version:
59
60	# emerge --sync
61	# emerge --ask --oneshot --verbose ">=sys-cluster/torque-4.1.7"
62
63	All TORQUE Resource Manager 2.x users should upgrade to the latest
64	version:
65
66	# emerge --sync
67	# emerge --ask --oneshot --verbose ">=sys-cluster/torque-2.5.13"
68
69	NOTE: One or more of the issues described in this advisory have been
70	fixed in previous updates. They are included in this advisory for the
71	sake of completeness. It is likely that your system is already no
72	longer affected by them.
73
74	References
75	==========
76
77	[ 1 ] CVE-2011-2193
78	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2193
79	[ 2 ] CVE-2011-2907
80	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2907
81	[ 3 ] CVE-2011-4925
82	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4925
83	[ 4 ] CVE-2013-4319
84	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319
85	[ 5 ] CVE-2013-4495
86	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4495
87	[ 6 ] CVE-2014-0749
88	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0749
89
90	Availability
91	============
92
93	This GLSA and any updates to it are available for viewing at
94	the Gentoo Security Website:
95
96	http://security.gentoo.org/glsa/glsa-201412-47.xml
97
98	Concerns?
99	=========
100
101	Security is a primary focus of Gentoo Linux and ensuring the
102	confidentiality and security of our users' machines is of utmost
103	importance to us. Any security concerns should be addressed to
104	security@g.o or alternatively, you may file a bug at
105	https://bugs.gentoo.org.
106
107	License
108	=======
109
110	Copyright 2014 Gentoo Foundation, Inc; referenced text
111	belongs to its owner(s).
112
113	The contents of this document are licensed under the
114	Creative Commons - Attribution / Share Alike license.
115
116	http://creativecommons.org/licenses/by-sa/2.5