Slurm version 24.05.4 is now available (CVE-2024-48936)

Slurm version 24.05.4 is now available and includes a fix for a recently discovered security issue with the new stepmgr subsystem.

SchedMD customers were informed on October 9th and provided a patch on request; this process is documented in our security policy.

A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users’ jobs. This is limited to jobs explicitly running with –stepmgr, or on systems that have globally enabled stepmgr through “SlurmctldParameters=enable_stepmgr” in their configuration. CVE-2024-48936.