-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : vixie-cron SUMMARY : Local vulnerability DATE : 2003-04-17 16:01:00 ID : CLA-2003:628 RELEVANT RELEASES : 6.0, 7.0, 8 - ------------------------------------------------------------------------- DESCRIPTION The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. The ISS X-Force team found a local vulnerability[1] in vixie-cron that may allow users to obtain root privileges in a system running it. The crontab utility, which is part of the vixie-cron package and is suid root, is used by local users to schedule their jobs. Due to a failure in the dropping of root privileges in certain circumstances, it is possible for an attacker to gain root privileges by exploiting this vulnerability. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2001-0559 to this issue[2]. This update corrects this vulnerability and adds a fix[3] for a problem regarding a leak of read-only file descriptors of the /etc/cron.allow and /etc/cron.deny files to the users' text editor during crontab modifications. Although these files are not distributed with Conectiva Linux, the system administrator can create them to restrict access to the cron service. Conectiva Linux 6.0 users are also vulnerable to some buffer overflow vulnerabilities[3] that can be exploited by local users. This update also fixes these issues. SOLUTION All users should upgrade. REFERENCES: 1.http://www.iss.net/security_center/static/6508.php 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559 3.http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=7852 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/RPMS/vixie-cron-3.0.1-43U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/vixie-cron-3.0.1-43U60_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/vixie-cron-3.0.1-50U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/vixie-cron-3.0.1-50U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/vixie-cron-3.0.1-50U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/vixie-cron-3.0.1-50U80_1cl.src.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribeat_private unsubscribe: conectiva-updates-unsubscribeat_private -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+nwCd42jd0JmAcZARAvwEAKC+otHUr++OjRAoKVuMSpp03cjZmgCg2Ha6 9msP+PPi2/JRlgfrQyqMAWU= =P4Nl -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 14:47:37 PDT