
Red Hat alert RHSA-2005:361-01 (vixie-cron)

From:  bugzilla@redhat.com
To:  enterprise-watch-list@redhat.com
Subject:  [RHSA-2005:361-01] Low: vixie-cron security update
Date:  Wed, 5 Oct 2005 09:44:09 -0400

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Low: vixie-cron security update
Advisory ID:       RHSA-2005:361-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-361.html
Issue date:        2005-10-05
Updated on:        2005-10-05
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-1038
---------------------------------------------------------------------

1. Summary:

An updated vixie-cron package that fixes various bugs and a security issue
is now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled times.

A bug was found in the way vixie-cron installs new crontab files. It is
possible for a local attacker to execute the crontab command in such a way
that they can view the contents of another user's crontab file. The Common
Vulnerabilities and Exposures project assigned the name CAN-2005-1038 to
this issue.

Additionally, this update addresses the following issues:

o Fixed improper limits on filename and command line lengths
o Improved PAM access control conforming to EAL certification requirements
o Improved reliability when running in a chroot environment
o Mail recipient name checking disabled by default, can be re-enabled
o Added '-p' "permit all crontabs" option to disable crontab mode checking

All users of vixie-cron should upgrade to this updated package, which
contains backported patches and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

147636 - cron fails to run user jobs and gives vague error message
154920 - CAN-2005-1038 vixie-cron information leak
159216 - vixie-cron updates for new audit system
163881 - Cron no longer allows read-only crontabs, enforces write access
163882 - cron fails with pam_access
163885 - crontab truncates file names greater than 100 characters.
163888 - CAN-2005-1038 vixie-cron information leak
163889 - [PATCH] List corruption when items are removed from /etc/cron.d

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/vixie...
vixie-cron-4.1-36.EL4.src.rpm

i386:   vixie-cron-4.1-36.EL4.i386.rpm
ia64:   vixie-cron-4.1-36.EL4.ia64.rpm
ppc:    vixie-cron-4.1-36.EL4.ppc.rpm
s390:   vixie-cron-4.1-36.EL4.s390.rpm
s390x:  vixie-cron-4.1-36.EL4.s390x.rpm
x86_64: vixie-cron-4.1-36.EL4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/...
vixie-cron-4.1-36.EL4.src.rpm

i386:   vixie-cron-4.1-36.EL4.i386.rpm
x86_64: vixie-cron-4.1-36.EL4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/vixie...
vixie-cron-4.1-36.EL4.src.rpm

i386:   vixie-cron-4.1-36.EL4.i386.rpm
ia64:   vixie-cron-4.1-36.EL4.ia64.rpm
x86_64: vixie-cron-4.1-36.EL4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/vixie...
vixie-cron-4.1-36.EL4.src.rpm

i386:   vixie-cron-4.1-36.EL4.i386.rpm
ia64:   vixie-cron-4.1-36.EL4.ia64.rpm
x86_64: vixie-cron-4.1-36.EL4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://www.securityfocus.com/archive/1/395093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1038

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-...




Copyright © 2017, Eklektix, Inc.