
Bug#931880: slurm-llnl: CVE-2019-12838



Source: slurm-llnl
Version: 18.08.6.2-1
Severity: grave
Tags: security upstream
Control: found -1 18.08.5.2-1 
Control: found -1 16.05.9-1+deb9u4
Control: found -1 16.05.9-1

Hi,

The following vulnerability was published for slurm-llnl. I'm filing
it with an RC severity to be on the safe side, but if you have more
information available and think the RC severity is not warranted
please feel free to then downgrade.

CVE-2019-12838[0]:
| SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL
| Injection.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12838
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12838
[1] https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html

Please adjust the affected versions in the BTS as needed. [1] says that
whilst only 19.05 and 18.08 releases are patched, previous releases
were affected as well.

Regards,
Salvatore

