[379] in linux-security and linux-alert archive


cron 3.0pl1-20: URGENT SECURITY FIX (fwd)

daemon@ATHENA.MIT.EDU (Aleph One)
Thu Sep 21 05:43:41 1995

Date: Wed, 20 Sep 1995 20:43:25 -0500 (CDT)
From: Aleph One <aleph1@dfw.net>
To: linux-security@tarsier.cv.nrao.edu

Anyone know anything more?

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 

---------- Forwarded message ----------
Date: Thu, 21 Sep 95 01:58 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: Debian package announcements <debian-changes@pixar.com>
Subject: cron 3.0pl1-20: URGENT SECURITY FIX

There is a major security hole in cron 3.0pl1-19 and earlier, allowing
any user to gain access to the `root' group.  On many (most?) systems
this will quickly allow them to gain superuser access.

I am currently uploading cron-3.0pl1-20.deb using my 2400-baud modem.
In the meantime, please disable your cron daemon:

 # killall cron
 # chmod 400 /usr/sbin/cron

Ian M.: please replace the cron in the binary directory with this one
immediately.  The source will arrive tomorrow - my modem is too slow
to get it uploaded today.

If you download from Incoming, please check the file size - the binary
package file is 27737 bytes.

cron (3.0pl1-20); priority=URGENT

  * cron now uses initgroups when running jobs.  Bug#1400.  AARGH!

 -- Ian Jackson <iwj10@cus.cam.ac.uk>  Thu, 21 Sep 1995 01:44:11 +0100

169cec1ee4387c994798608385826363  cron-3.0pl1-20.deb
e9b26cb21aac62dcee5d443ce6dd7ab4  cron-3.0pl1-20.diff.gz
29655e14fff95cd477f1b3775d85d8d2  cron-3.0pl1-20.tar.gz
-rw-r--r--   1 root     root        27737 Sep 21 01:52 cron-3.0pl1-20.deb
-rw-rw-r--   1 ian      ian         10093 Sep 21 01:50 cron-3.0pl1-20.diff.gz
-rw-rw-r--   1 ian      ian         66738 Sep 21 01:50 cron-3.0pl1-20.tar.gz
