A vulnerability was reported [1],[2] in TORQUE that could be exploited by a malicious user to bypass certain security restrictions. This is due to an unspecified error when using munge authentication, which a malicious user could exploit to impersonate another user. Upstream has released 2.5.9 to correct this flaw.

It is unclear whether or not 3.x is affected; 3.0.3 was released 10 days after 2.5.9 but no mention of this flaw exists in the changelog, so it may not be affected (or it may be affected and not fixed, it is difficult to say). I have not been able to find a patch which could be used to check.

[1] http://www.adaptivecomputing.com/resources/docs/torque/3-0-3/changelog.php#259
[2] http://secunia.com/advisories/47381
Created torque tracking bugs for this issue

Affects: epel-all [bug 772059]
I've not filed a tracking bug for Fedora because I'm not sure whether or not it's affected, and whether or not even updating to 3.0.3 will fix anything.
This is a duplicate of: https://bugzilla.redhat.com/show_bug.cgi?id=752079 and is released for .el4, 5 and 6 and Fedora 16.
Indeed. Thank you, this has been addressed for all branches (including Fedora 15, which has just been submitted as an update).