Candidate: CVE-2010-2496
PublicDate: 2021-10-18 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2496
 https://bugzilla.suse.com/show_bug.cgi?id=620781
 https://github.com/ClusterLabs/cluster-glue/commit/3d7b464439ee0271da76e0ee9480f3dc14005879 (glue-1.0.6)
 https://github.com/ClusterLabs/pacemaker/commit/7901f43c5800374d41ae2287fe122692fe045664 (Pacemaker-1.1.3)
Description:
 stonith-ng in pacemaker and cluster-glue passed passwords as commandline
 parameters, making it possible for local attackers to gain access to
 passwords of the HA stack and potentially influence its operations. This is
 fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]

Patches_cluster-glue:
upstream_cluster-glue: released (1.0.6-1)
trusty_cluster-glue: ignored (out of standard support)
trusty/esm_cluster-glue: not-affected
xenial_cluster-glue: ignored (out of standard support)
esm-infra/xenial_cluster-glue: not-affected
bionic_cluster-glue: not-affected (1.0.12-7build1)
focal_cluster-glue: not-affected
groovy_cluster-glue: not-affected
hirsute_cluster-glue: not-affected
impish_cluster-glue: not-affected
jammy_cluster-glue: not-affected
devel_cluster-glue: not-affected

Patches_pacemaker:
upstream_pacemaker: released (1.1.13-1)
trusty_pacemaker: ignored (out of standard support)
trusty/esm_pacemaker: DNE
xenial_pacemaker: ignored (out of standard support)
esm-infra/xenial_pacemaker: needs-triage
bionic_pacemaker: not-affected (1.1.18-0ubuntu1.3)
focal_pacemaker: not-affected
groovy_pacemaker: not-affected
hirsute_pacemaker: not-affected
impish_pacemaker: not-affected
jammy_pacemaker: not-affected
devel_pacemaker: not-affected