Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] chroot
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Wed, 6 Dec 2000 17:19:38 -0700
  • Message-id: <00ba01c05fe3$630598e0$ca00030a@xxxxxxxxxxxx>

cron - The version of Vixie Cron shipped with Debian GNU/Linux 2.2 is
vulnerable to a local attack, discovered by Michal Zalewski. Several
problems, including insecure permissions on temporary files and race
conditions in their deletion, allowed attacks from a denial of service
(preventing the editing of crontabs) to an escalation of privilege (when
another user edited their crontab). As a temporary fix, "chmod go-rx
/var/spool/cron/crontabs" prevents the only available exploit; however, it
does not address the problem. We recommend upgrading to version
3.0pl1-57.1, for Debian 2.2, or 3.0pl1-61, for Debian unstable. Also, in the
new cron packages, it is no longer possible to specify special files
(devices, named pipes, etc.) by name to crontab. Note that this is not so
much a security fix as a sanity check.

This is the most recent one that pops to mind (about 2 weeks old).

Kurt Seifried, seifried@xxxxxxxxxxxxxxxxxx
SecurityPortal - your focal point for security on the 'net
