Your message dated Wed, 13 Nov 2013 18:49:11 +0000
with message-id <e1vgfv1-000331...@franck.debian.org>
and subject line Bug#729333: fixed in torque 2.4.16+dfsg-1.3
has caused the Debian Bug report #729333,
regarding torque: CVE-2013-4495
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
729333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729333
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: torque
Version: 2.4.8+dfsg-9
Severity: grave
Tags: security upstream patch fixed-upstream pending
Justification: user security hole

Hi

Torque upstream has released 4.2.6 fixing CVE-2013-4495[1]: "pbs_user
used popen to send mail using the email addresses specified on the
command line, which posed a security risk. TORQUE no longer allows you
to run root commands in the email portion of qsub (TRQ-2310). CVE
2013-4495".

 [1] https://www.adaptivecomputing.com/wp-content/uploads/releasenotes/releaseNotes-4.2.6.html

In upstream git there are the relevant commits for older branches as
well:

 [2] https://github.com/adaptivecomputing/torque/commit/2aad72c3d2ac612ecbb66828ac6ed5ab51eff5f3
 [3] https://github.com/adaptivecomputing/torque/commit/64da0af7ed27284f3397081313850bba270593db

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: torque
Source-Version: 2.4.16+dfsg-1.3

We believe that the bug you reported is fixed in the latest version of
torque, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated torque package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Nov 2013 23:00:35 +0100
Source: torque
Binary: torque-common torque-server torque-pam torque-scheduler torque-client 
torque-mom torque-client-x11 libtorque2 libtorque2-dev
Architecture: source amd64
Version: 2.4.16+dfsg-1.3
Distribution: unstable
Urgency: high
Maintainer: Morten Kjeldgaard <m...@bioxray.au.dk>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description: 
 libtorque2 - shared library for Torque client and server
 libtorque2-dev - header files for libtorque2
 torque-client - command line interface to Torque server
 torque-client-x11 - GUI for torque clients
 torque-common - Torque Queueing System shared files
 torque-mom - job execution engine for Torque batch system
 torque-pam - PAM module for PBS MOM nodes
 torque-scheduler - scheduler part of Torque
 torque-server - PBS-derived batch processing server
Closes: 729333
Changes: 
 torque (2.4.16+dfsg-1.3) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2013-4495.patch patch.
     CVE-2013-4495: the pbs_server daemon would pass some user-input data to
     popen() in order to send an email allowing remote privilege escalation.
     (Closes: #729333)


--- End Message ---
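
The report and the changelog entry above both describe user-supplied mail addresses reaching popen(), which runs its argument through a shell. The sketch below is an added example, not code from Torque or from the Debian patch: it shows the usual hardening pattern of validating each recipient and handing it to the mailer as its own argv entry via execv(). The function names, the MAX_RCPT limit and the accepted character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_RCPT 8   /* assumed limit for this example */

/* Accept only a conservative address alphabet; a leading '-' would be
 * read by the mailer as an option, so it is rejected as well. */
int rcpt_is_safe(const char *a)
{
    if (a == NULL || *a == '\0' || *a == '-' || strlen(a) > 254)
        return 0;
    for (const char *p = a; *p; p++)
        if (!isalnum((unsigned char)*p) && strchr("@._+-", *p) == NULL)
            return 0;
    return strchr(a, '@') != NULL;
}

/* Split a comma-separated list (modified in place) into argv for the mailer.
 * argv must hold MAX_RCPT + 3 entries. Returns the recipient count, or -1
 * if any entry is unsafe, the list is empty, or there are too many. */
int build_mail_argv(char *list, char *argv[], const char *mailer)
{
    int n = 0;
    argv[0] = (char *)mailer;
    argv[1] = "-i";            /* sendmail: a lone '.' does not end input */
    for (char *tok = strtok(list, ","); tok; tok = strtok(NULL, ",")) {
        if (n == MAX_RCPT || !rcpt_is_safe(tok))
            return -1;
        argv[2 + n++] = tok;
    }
    argv[2 + n] = NULL;
    return n > 0 ? n : -1;
}

/* Run the mailer without a shell: each recipient is exactly one argv entry,
 * so shell metacharacters are never interpreted. The message is read from
 * the child's inherited stdin (a simplification for this example). */
int send_mail(char *list, const char *mailer)
{
    char *argv[MAX_RCPT + 3];
    if (build_mail_argv(list, argv, mailer) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) { execv(mailer, argv); _exit(127); }
    int st;
    return waitpid(pid, &st, 0) == pid && WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}
```
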
