Matt Ezell from Oak Ridge National Labs reported a vulnerability in torque, a PBS-derived batch processing queueing system. A user could submit executable shell commands on the tail of what is passed with the -M switch for qsub. This was later passed to a pipe, making it possible for these commands to be executed as root on the pbs_server.

For the oldstable distribution (squeeze), this problem has been fixed in version 2.4.8+dfsg-9squeeze3. For the stable distribution (wheezy), this problem has been fixed in version 2.4.16+dfsg-1+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 2.4.16+dfsg-1.3. We recommend that you upgrade your torque packages.

The TORQUE server dispatches jobs across physically separated machines. It may also be beneficial for single machines to organise the sequential execution of multiple jobs.

torque on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2013/dsa-2796.html

---

Updated on 2015-03-25