The TORQUE pbs_server daemon was found to pass some user-input data to popen() in order to send an email. Because pbs_server runs as root, this could allow an authenticated attacker to execute arbitrary code on the pbs_server host with root privileges. The upstream 4.2.6 release corrects this flaw by forking and calling exec() to the sendmail program instead of passing the entire user-supplied string to popen(). Acknowledgements: Red Hat would like to thank David Beer of Adaptive Computer for reporting this issue. Upstream acknowledges Matt Ezell of Oak Ridge National Labs as the original reporter.
This issue is now public: https://www.adaptivecomputing.com/wp-content/uploads/releasenotes/releaseNotes-4.2.6.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729333
Created torque tracking bugs for this issue: Affects: fedora-all [bug 1029752] Affects: epel-all [bug 1029754]