5744070 2000-11-17 19:36 -0800  /106 lines/  <debian-security-announce@LISTS.DEBIAN.ORG>
Imported: 2000-11-18  07:47  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: security@debian.org
Recipient: Bugtraq (import) <13794>
Subject: [SECURITY] New Debian cron packages released
------------------------------------------------------------
From: debian-security-announce@LISTS.DEBIAN.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <0JP94C.A.2N.aifF6@murphy>

----------------------------------------------------------------------------
Debian Security Advisory                                 security@debian.org
http://www.debian.org/security/                            Daniel Jacobowitz
November 17, 2000
----------------------------------------------------------------------------

Package: cron
Vulnerability: local privilege escalation
Debian-specific: no
Vulnerable: yes

The version of Vixie Cron shipped with Debian GNU/Linux 2.2 is
vulnerable to a local attack, discovered by Michal Zalewski.  Several
problems, including insecure permissions on temporary files and race
conditions in their deletion, allowed attacks ranging from a denial of
service (preventing the editing of crontabs) to an escalation of
privilege (when another user edited their crontab).

As a temporary fix, "chmod go-rx /var/spool/cron/crontabs" prevents
the only available exploit; however, it does not address the problem.
We recommend upgrading to version 3.0pl1-57.1, for Debian 2.2, or
3.0pl1-61, for Debian unstable.
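A defender-side check for the fix and the interim mitigation above, added here and not part of Debian's advisory or the cron package: two POSIX shell functions that test, from string inputs, whether a crontabs spool directory mode satisfies "chmod go-rx" and whether an installed 3.0pl1-<revision> cron version is at or above the fixed one, plus a wrapper that reads the live values (assuming GNU `stat -c` and `dpkg-query` are present). The version comparison is a simplification covering only this upstream version's Debian revisions, not full dpkg ordering.

```shell
#!/bin/sh
# Added defender-side check for this advisory; not part of Debian's advisory
# or the cron package. The two pure functions take strings so they can be
# tested offline; only check_live_system touches the running host, and it
# assumes GNU stat (-c) and dpkg-query are present.

# Return 0 if an octal mode string (as printed by `stat -c %a`) gives neither
# read nor execute to group and other, i.e. the state after "chmod go-rx".
# The leading 0 makes printf parse the string as a C octal constant, so a
# sticky-bit mode such as 1720 is handled as well.
spool_mode_hardened() {
    mode=$(printf '%d' "0$1")
    [ $((mode & 055)) -eq 0 ]
}

# Return 0 if an installed version of the form 3.0pl1-<rev> is at or above
# the fixed version given as $2 (3.0pl1-57.1 for potato, 3.0pl1-61 for
# unstable). Simplification: only the Debian revision is compared, as up to
# two dot-separated integers; this is not the full dpkg version ordering.
cron_version_fixed() {
    installed=$1; fixed=$2
    case $installed in 3.0pl1-*) ;; *) return 1 ;; esac
    irev=${installed#*-}; frev=${fixed#*-}
    i1=${irev%%.*}; i2=${irev#"$i1"}; i2=${i2#.}; i2=${i2:-0}
    f1=${frev%%.*}; f2=${frev#"$f1"}; f2=${f2#.}; f2=${f2:-0}
    [ "$i1" -gt "$f1" ] || { [ "$i1" -eq "$f1" ] && [ "$i2" -ge "$f2" ]; }
}

# Live check: return 0 if the fixed package is installed, 1 if only the
# interim chmod mitigation is in place, 2 if neither holds or facts cannot
# be read from the host.
check_live_system() {
    fixed=${1:-3.0pl1-57.1}
    ver=$(dpkg-query -W -f '${Version}' cron 2>/dev/null) || return 2
    mode=$(stat -c %a /var/spool/cron/crontabs 2>/dev/null) || return 2
    if cron_version_fixed "$ver" "$fixed"; then
        echo "cron $ver: fixed package installed"; return 0
    elif spool_mode_hardened "$mode"; then
        echo "cron $ver vulnerable; crontabs mode $mode blocks the known exploit"; return 1
    else
        echo "cron $ver vulnerable and crontabs mode $mode is open: upgrade"; return 2
    fi
}

# Run the live check only when asked, e.g.: sh cron_check.sh --live 3.0pl1-57.1
if [ "${1:-}" = "--live" ]; then
    check_live_system "${2:-3.0pl1-57.1}"
fi
```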

Also, in the new cron packages, it is no longer possible to specify
special files (devices, named pipes, etc.) by name to crontab.  Note
that this is not so much a security fix as a sanity check.

Debian GNU/Linux 2.1 alias slink
--------------------------------

  Slink is no longer being supported by the Debian Security Team.  We
  highly recommend an upgrade to the current stable release.

Debian GNU/Linux 2.2 (stable) alias potato
------------------------------------------

  Fixes are currently available for the Alpha, ARM, Intel ia32,
  Motorola 680x0, PowerPC and Sun SPARC architectures, and will be
  included in 2.2r2.

  Source archives:
    http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1-57.1.diff.gz
      MD5 checksum: 4fac4be2841908090d1c877a65cf5ef9
    http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1-57.1.dsc
      MD5 checksum: caed3f1556203618544eec823347df30
    http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1.orig.tar.gz
      MD5 checksum: 4c64aece846f8483daf440f8e3dd210f

  Alpha architecture:
    http://security.debian.org/dists/potato/updates/main/binary-alpha/cron_3.0pl1-57.1_alpha.deb
      MD5 checksum: 3b146f5227182343d3b20cf8fce8a86c

  ARM architecture:
    http://security.debian.org/dists/potato/updates/main/binary-arm/cron_3.0pl1-57.1_arm.deb
      MD5 checksum: 559e80e83abf371a8d09759ee900daf5

  Intel IA32 architecture:
    http://security.debian.org/dists/potato/updates/main/binary-arm/cron_3.0pl1-57.1_i386.deb
      MD5 checksum: 922bb72b07a05fb888771364697f52e1

  Motorola 680x0 architecture:
    http://security.debian.org/dists/potato/updates/main/binary-m68k/cron_3.0pl1-57.1_m68k.deb
      MD5 checksum: 2e0d8152ec03a66bb88ba84215fe4de3

  PowerPC architecture:
    http://security.debian.org/dists/potato/updates/main/binary-powerpc/cron_3.0pl1-57.1_powerpc.deb
      MD5 checksum: 16ad8c4a26436239e7a25260340be6d5

  Sun SPARC architecture:
    http://security.debian.org/dists/potato/updates/main/binary-sparc/cron_3.0pl1-57.1_sparc.deb
      MD5 checksum: 2bd401a635eedc47e9f6dd1652f71e35

Debian GNU/Linux Unstable alias woody
-------------------------------------

  This version of Debian is not yet released.

  Fixes will be made available for Alpha, ARM, Intel ia32, Motorola
  680x0, PowerPC, and SPARC in the Debian archive over the next
  several days.

----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
Mailing list: debian-security-announce@lists.debian.org

