CVE-2019-10153

NameCVE-2019-10153
DescriptionA flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. In cluster environments, this could lead to preventing automated recovery or otherwise denying service to clusters of which that VM is a member.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs930887

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
fence-agents (PTS)buster4.3.3-2+deb10u1fixed
bullseye4.7.1-1fixed
sid, trixie, bookworm4.12.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
fence-agentssourcejessie(not affected)
fence-agentssourcestretch4.0.25-1+deb9u1
fence-agentssource(unstable)4.3.3-2low930887

Notes

[jessie] - fence-agents <not-affected> (Vulnerable code introduced later)
https://bugzilla.redhat.com/show_bug.cgi?id=1670460
https://github.com/ClusterLabs/fence-agents/pull/255
https://github.com/ClusterLabs/fence-agents/pull/272
Search for package or bug name: Reporting problems