Your message dated Thu, 28 Nov 2013 22:32:50 +0000
with message-id <e1vma8g-0004zf...@franck.debian.org>
and subject line Bug#729333: fixed in torque 2.4.8+dfsg-9squeeze3
has caused the Debian Bug report #729333,
regarding torque: CVE-2013-4495
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
729333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729333
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: torque
Version: 2.4.8+dfsg-9
Severity: grave
Tags: security upstream patch fixed-upstream pending
Justification: user security hole
Hi
Torque upstream has released 4.2.6 fixing CVE-2013-4495[1]: "pbs_user
used popen to send mail using the email addresses specified on the
command line, which posed a security risk. TORQUE no longer allows you
to run root commands in the email portion of qsub (TRQ-2310). CVE
2013-4495".
[1]
https://www.adaptivecomputing.com/wp-content/uploads/releasenotes/releaseNotes-4.2.6.html
In upstream git there are the relevant commits for older branches as
well:
[2]
https://github.com/adaptivecomputing/torque/commit/2aad72c3d2ac612ecbb66828ac6ed5ab51eff5f3
[3]
https://github.com/adaptivecomputing/torque/commit/64da0af7ed27284f3397081313850bba270593db
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: torque
Source-Version: 2.4.8+dfsg-9squeeze3
We believe that the bug you reported is fixed in the latest version of
torque, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 729...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated torque package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 Nov 2013 23:52:34 +0100
Source: torque
Binary: torque-common torque-server torque-pam torque-scheduler torque-client
torque-mom torque-client-x11 libtorque2 libtorque2-dev
Architecture: source amd64
Version: 2.4.8+dfsg-9squeeze3
Distribution: squeeze-security
Urgency: high
Maintainer: Morten Kjeldgaard <m...@bioxray.au.dk>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
libtorque2 - shared library for Torque client and server
libtorque2-dev - header files for libtorque2
torque-client - command line interface to Torque server
torque-client-x11 - GUI for torque clients
torque-common - Torque Queueing System shared files
torque-mom - job execution engine for Torque batch system
torque-pam - PAM module for PBS MOM nodes
torque-scheduler - scheduler part of Torque
torque-server - PBS-derived batch processing server
Closes: 729333
Changes:
torque (2.4.8+dfsg-9squeeze3) squeeze-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2013-4495.patch patch.
CVE-2013-4495: the pbs_server daemon would pass some user-input data to
popen() in order to send an email allowing remote privilege escalation.
(Closes: #729333)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---