Re: Debian not vulnerable to recent cron buffer overflow
daemon@ATHENA.MIT.EDU (Martin Schulze)
Mon Aug 30 20:29:39 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990829082332.R29569@finlandia.infodrom.north.de>
Date: Sun, 29 Aug 1999 08:23:32 +0200
Reply-To: Martin Schulze <joey@infodrom.north.de>
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
X-To: Marc Merlin <marc_news@merlins.org>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990828224303.D15627@merlins.org>; from Marc Merlin on Sat, Aug 28, 1999 at 10:43:03PM -0700
Marc Merlin wrote:
> On Thu, Aug 26, 1999 at 09:47:22AM -0700, Aleph One wrote:
> > ----------------------------------------------------------------------------
> > Debian Security Advisory security@debian.org
> > http://www.debian.org/security/ Martin Schulze
> > August 26, 1999
> > ----------------------------------------------------------------------------
> >
> > Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
> > covering a buffer overflow in the vixie cron package. Debian
> > discovered this bug two years ago and fixed it. Therefore versions in
> > both the stable and the unstable distributions of Debian are not
> > vulnerable to this problem.
>
> Does anyone know if Debian never sent the fix to Paul Vixie, or if it was
> sent and Paul "missed it"?
>
> Even in the second case, unless Paul repeatedly refused the patch, it'd have
> been nice for the Debian maintainer to make sure that the patch was
> incorporated in the main source code, not just in Debian...
The upstream source of Vixie Cron hasn't been maintained for years.
I remember working on the same code before I joined Debian, trying
to send him patches.
The patch wasn't hidden, Caldera knew it and Caldera immediately
reacted to the advisory from Red Hat, stating that it's an old
- and fixed - bug.
Regards,
Joey
--
The good thing about standards is that there are so many to choose from.
-- Andrew S. Tanenbaum