Package: torque
Version: 2.4.8+dfsg-9
Severity: grave
Tags: security upstream patch fixed-upstream pending
Justification: user security hole

Hi,

Torque upstream has released 4.2.6 fixing CVE-2013-4495[1]:

"pbs_user used popen to send mail using the email addresses specified on the command line, which posed a security risk. TORQUE no longer allows you to run root commands in the email portion of qsub (TRQ-2310). CVE 2013-4495".

[1] https://www.adaptivecomputing.com/wp-content/uploads/releasenotes/releaseNotes-4.2.6.html

In upstream git there are the relevant commits for older branches as well:

[2] https://github.com/adaptivecomputing/torque/commit/2aad72c3d2ac612ecbb66828ac6ed5ab51eff5f3
[3] https://github.com/adaptivecomputing/torque/commit/64da0af7ed27284f3397081313850bba270593db

Regards,
Salvatore
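
The bug class named in the quoted release note (mail addresses from the command line reaching a shell through popen), shown from the mitigation side as an added example; this is not the upstream patch or Debian's code. The mailer path, the function names and the address allowlist are assumptions made for illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAILER "/usr/sbin/sendmail" /* assumed path, not taken from the report */

/* Allowlist check: reject NULL, empty, over-long and option-like ("-...")
 * values and any character outside a conservative address alphabet. */
int addr_is_safe(const char *a) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._+-@";
    size_t n = a ? strlen(a) : 0;
    return n > 0 && n <= 254 && a[0] != '-' && strspn(a, ok) == n;
}

/* Fill argv as: MAILER -f from -- rcpt... NULL. Returns argc, or -1 when an
 * address is rejected or argv is too small. No shell string is ever built. */
int build_mail_argv(const char *from, const char *const *rcpt, size_t n,
                    const char **argv, size_t cap) {
    size_t i, k = 0;
    if (n == 0 || cap < n + 5 || !addr_is_safe(from)) return -1;
    argv[k++] = MAILER; argv[k++] = "-f"; argv[k++] = from; argv[k++] = "--";
    for (i = 0; i < n; i++) {
        if (!addr_is_safe(rcpt[i])) return -1;
        argv[k++] = rcpt[i];
    }
    argv[k] = NULL;
    return (int)k;
}

/* Run the mailer with body on its stdin via fork/execv instead of popen, so
 * each address stays one argv element. Caller is assumed to ignore SIGPIPE. */
int send_mail(const char **argv, const char *body) {
    int fd[2], status;
    pid_t pid;
    ssize_t w;
    if (pipe(fd) != 0) return -1;
    if ((pid = fork()) < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                       /* child: pipe becomes stdin */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        execv(argv[0], (char *const *)argv);
        _exit(127);                       /* exec failed */
    }
    close(fd[0]);
    w = write(fd[1], body, strlen(body)); close(fd[1]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (w < 0 || !WIFEXITED(status)) ? -1 : WEXITSTATUS(status);
}
```
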