|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : vixie-cron SUMMARY : Local vulnerability [Update to CLSA-2003:628] DATE : 2003-10-03 14:46:00 ID : CLA-2003:757 RELEVANT RELEASES : 8 - ------------------------------------------------------------------------- DESCRIPTION The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. [Update 2003-Oct-03] This advisory is an update for the CLSA-2003:628[] one. The packages released for Conectiva Linux 8 (vixie-cron-3.0.1-50U80_1cl) did not contain the corresponding fixes. The ISS X-Force team found a local vulnerability[1] in vixie-cron that may allow users to obtain root privileges in a system running it. The crontab utility, which is part of the vixie-cron package and is suid root, is used by local users to schedule their jobs. Due to a failure in the dropping of root privileges in certain circumstances, it is possible for an attacker to gain root privileges by exploiting this vulnerability. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2001-0559 to this issue[2]. This update corrects this vulnerability and adds a fix[3] for a problem regarding a leak of read-only file descriptors of the /etc/cron.allow and /etc/cron.deny files to the users' text editor during crontab modifications. Although these files are not distributed with Conectiva Linux, the system administrator can create them to restrict access to the cron service. SOLUTION All users should upgrade. REFERENCES: 1.http://www.iss.net/security_center/static/6508.php 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559 3.http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=7852 4.http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000628&idioma=en UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/8/RPMS/vixie-cron-3.0.1-50U80_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/vixie-cron-3.0.1-50U80_2cl.src.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/fbZE42jd0JmAcZARAiiOAKC+BM6s6lAbGZqaQuAFw4PuPP7mPQCgy/RQ 3OxGCGwDGnjDQDIbI0nqnFw= =O4c9 -----END PGP SIGNATURE-----