fence: Multiple symlink vulnerabilities — GLSA 201009-09

Multiple programs in fence contain vulnerabilities that may allow local users to overwrite arbitrary files via a symlink attack.

Affected packages

sys-cluster/fence on all architectures
Affected versions < 2.03.09
Unaffected versions

Background

fence is an I/O group fencing system.

Description

The fence_apc, fence_apc_snmp (CVE-2008-4579) and fence_manual (CVE-2008-4580) programs contain symlink vulnerabilities.

Impact

These vulnerabilities may allow arbitrary files to be overwritten with root privileges.
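
The bug class named above, shown next to a hardened open, as an added example that is not code from fence or from this advisory. The advisory does not say which files the affected programs write, so the scratch directory, file names and function names below are constructed for illustration.

```c
/* Added example, not fence source. Paths and function names are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Shared write path; only the open() flags differ between the two patterns. */
static int write_with(const char *path, const char *msg, int flags)
{
    int fd = open(path, O_WRONLY | O_CREAT | flags, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Vulnerable pattern: follows a symlink already sitting at a predictable path. */
int naive_write(const char *p, const char *m) { return write_with(p, m, O_TRUNC); }

/* Hardened pattern: O_EXCL rejects any existing name, symlinks included;
 * O_NOFOLLOW is defence in depth. */
int safe_write(const char *p, const char *m) { return write_with(p, m, O_EXCL | O_NOFOLLOW); }

/* Scratch directory where "work.tmp" is a pre-existing symlink to "victim"
 * (8 bytes). Runs writer() on work.tmp and returns victim's size afterwards. */
long victim_size_after(int (*writer)(const char *, const char *))
{
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], tmp[64];
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/work.tmp", dir);
    if (naive_write(victim, "precious") == 0 && symlink(victim, tmp) == 0) {
        writer(tmp, "x");
        FILE *f = fopen(victim, "rb");
        if (f) { fseek(f, 0, SEEK_END); size = ftell(f); fclose(f); }
    }
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("naive open: victim is now %ld bytes\n", victim_size_after(naive_write));
    printf("O_EXCL|O_NOFOLLOW: victim is still %ld bytes\n", victim_size_after(safe_write));
    return 0;
}
```

When the writing process runs as root, the file behind the link can be any file on the system, which is the impact this advisory describes.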

Workaround

There is no known workaround at this time.

Resolution

Gentoo discontinued support for fence. All fence users should uninstall it and choose other software that provides the same functionality.

 # emerge --unmerge sys-cluster/fence

References

Release date
September 29, 2010

Latest revision
September 29, 2010: 01

Severity
normal

Exploitable
local

Bugzilla entries