| Name | CVE-2010-2496 |
| Description | stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cluster-glue (PTS) | buster | 1.0.12-12 | fixed |
| bullseye | 1.0.12-20 | fixed | |
| bookworm | 1.0.12-21 | fixed | |
| trixie | 1.0.12-22 | fixed | |
| sid | 1.0.12-22.1 | fixed | |
| pacemaker (PTS) | buster | 2.0.1-5+deb10u2 | fixed |
| buster (security) | 2.0.1-5+deb10u1 | fixed | |
| bullseye | 2.0.5-2 | fixed | |
| bookworm | 2.1.5-1+deb12u1 | fixed | |
| trixie | 2.1.6-4 | fixed | |
| sid | 2.1.7-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cluster-glue | source | (unstable) | 1.0.6-1 | |||
| pacemaker | source | (unstable) | 1.1.13-1 |
https://bugzilla.suse.com/show_bug.cgi?id=620781
https://github.com/ClusterLabs/cluster-glue/commit/3d7b464439ee0271da76e0ee9480f3dc14005879 (glue-1.0.6)
https://github.com/ClusterLabs/pacemaker/commit/7901f43c5800374d41ae2287fe122692fe045664 (Pacemaker-1.1.3)