Date: Sat, 27 Jan 2001 23:49:54 +0100
From: Martin Schulze <joey@finlandia.infodrom.north.de>
To: Debian Security Announcements <debian-security-announce@lists.debian.org>
Subject: [SECURITY] [DSA 024-1] New version of cron released
Package : cron
Vulnerability : local insecure crontab handling
Debian-specific: no
The FreeBSD team has found a bug in the way new crontabs were
handled which allowed malicious users to display arbitrary crontab
files on the local system. This only affects valid crontab files, so
it can't be used to get access to /etc/shadow or the like. Crontab
files are not especially secure anyway, as there are other ways
they can leak. No passwords or similar sensitive data should be in
there.
We recommend you upgrade your cron packages.
  wget url
        will fetch the file for you
  dpkg -i file.deb
        will install the referenced file.
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 2.2 alias potato
Potato was released for the alpha, arm, i386, m68k, powerpc and
sparc architectures.