SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: [CLA-2003:758] Conectiva Security Announcement - vixie-cron Date: Oct 3 2003 6:41PM Author: Conectiva Updates Message-ID: <200310031841.PAA20585@frajuto.distro.conectiva> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : vixie-cron SUMMARY : Problem with the use of cron.allow and cron.deny DATE : 2003-10-03 15:41:00 ID : CLA-2003:758 RELEVANT RELEASES : 7.0, 9 - ------------------------------------------------------------------------- DESCRIPTION The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. This update fixes a problem[1] introduced by a previous vixie-cron security advisory[2] (CLSA-2003:628) which, besides a fix for a local vulnerability, contained the following: "[...] fix for a problem regarding a leak of read-only file descriptors of the /etc/cron.allow and /etc/cron.deny files to the users' text editor during crontab modifications. Although these files are not distributed with Conectiva Linux, the system administrator can create them to restrict access to the cron service." The patch originally used to fix this issue contains an error that breaks the cron.allow/cron.deny usage, causing a crash of the crontab program if there is more than one user listed in these files. Packages for Conectiva Linux 9, although not released by that update, contain the same patch and are being fixed as well. The packages for Conectiva Linux 8 did not contain the patches (see the CLSA-2003:757 announcement[3]) and therefore are not affected by this issue. SOLUTION All users are advised to upgrade. REFERENCES: 1.http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=9461 2.http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000628&idioma=en 3.http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000757&idioma=en UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/RPMS/vixie-cron-3.0.1-50U70_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/vixie-cron-3.0.1-50U70_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/vixie-cron-3.0.1-27403U90_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/SRPMS/vixie-cron-3.0.1-27403U90_1cl.src.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe papaleguas conectiva com br unsubscribe: conectiva-updates-unsubscribe papaleguas conectiva com br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/fcLv42jd0JmAcZARAgUlAKDyIAY7AmgC8Nv7damxq8ZZCx3q5ACfVNsT PwUCXCVrGzC8webe2LZOia8= =fThb -----END PGP SIGNATURE----- Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus