ganeti - arbitrary command execution

It was discovered that ganeti, a virtual server cluster manager, does
not validate the path of scripts passed as arguments to certain
commands, which allows local or remote users (via the web interface in
versions 2.x) to execute arbitrary commands on a host acting as a
cluster master.

The oldstable distribution (etch) does not include ganeti.

For the stable distribution (lenny), this problem has been fixed in
version 1.2.6-3+lenny2.

For the testing distribution (squeeze), this problem will be fixed
in version 2.0.5-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.5-1.

We recommend that you upgrade your ganeti packages.