Debian Security Advisory

DSA-1959-1 ganeti -- missing input sanitation

Date Reported:
19 Dec 2009
Affected Packages:
ganeti
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2009-4261.
More information:

It was discovered that ganeti, a virtual server cluster manager, does not validate the path of scripts passed as arguments to certain commands, which allows local or remote users (via the web interface in versions 2.x) to execute arbitrary commands on a host acting as a cluster master.

The oldstable distribution (etch) does not include ganeti.

For the stable distribution (lenny), this problem has been fixed in version 1.2.6-3+lenny2.

For the testing distribution (squeeze), this problem will be fixed in version 2.0.5-1.

For the unstable distribution (sid), this problem has been fixed in version 2.0.5-1.

We recommend that you upgrade your ganeti packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/g/ganeti/ganeti_1.2.6-3+lenny2.diff.gz
http://security.debian.org/pool/updates/main/g/ganeti/ganeti_1.2.6.orig.tar.gz
http://security.debian.org/pool/updates/main/g/ganeti/ganeti_1.2.6-3+lenny2.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/g/ganeti/ganeti_1.2.6-3+lenny2_all.deb

MD5 checksums of the listed files are available in the original advisory.