Debian Security Advisory: New Debian cron packages releasedNov 18, 2000, 05:29 (0 Talkback[s])
(Other stories by Daniel Jacobowitz)
Date: Fri, 17 Nov 2000 22:33:37 -0500
Debian Security Advisory firstname.lastname@example.org http://www.debian.org/security/ Daniel Jacobowitz November 17, 2000
Package: cron Vulnerability: local priviledge escalation Debian-specific: no Vulnerable: yesThe version of Vixie Cron shipped with Debian GNU/Linux 2.2 is vulnerable to a local attack, discovered by Michal Zalewski. Several problems, including insecure permissions on temporary files and race conditions in their deletion, allowed attacks from a denial of service (preventing the editing of crontabs) to an escalation of priviledge (when another user edited their
As a temporary fix, "chmod go-rx /var/spool/cron/crontabs" prevents the only available exploit; however, it does not address the problem. We recommend upgrading to version 3.0pl1-57.1, for Debian 2.2, or 3.0pl1-61, for Debian unstable.
Also, in the new cron packages, it is no longer possible to specify special files (devices, named pipes, etc.) by name to crontab. Note that this is not so much a security fix as a sanity check.
Debian GNU/Linux 2.1 alias slink
Slink is no longer being supported by the Debian Security Team. We highly recommend an upgrade to the current stable release.
Debian GNU/Linux 2.2 (stable) alias potato
Fixes are currently available for the Alpha, ARM, Intel ia32, Motorola 680x0, PowerPC and Sun SPARC architectures, and will be included in 2.2r2.
Intel IA32 architecture:
Motorola 680x0 architecture:
Sun Sparc architecture:
Debian GNU/Linux Unstable alias woody
This version of Debian is not yet released.
Fixes will be made available for Alpha, ARM, Intel ia32, Motorola 680x0, PowerPC, and SPARC in the Debian archive over the next several days.
For apt-get: deb http://security.debian.org/