[20627] in bugtraq
Re: Vixie cron vulnerability
daemon@ATHENA.MIT.EDU (Kris Kennaway)
Tue May 15 09:52:59 2001
Date: Tue, 8 May 2001 15:07:52 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: "Jay D. Dyson" <jdyson@TREACHERY.NET>
Cc: BUGTRAQ@securityfocus.com
Message-ID: <20010508150751.A3900@xor.obsecurity.org>
In-Reply-To: <Pine.GSO.3.96.1010508135756.3740B-100000@crypto>; from jdyson@TREACHERY.NET on Tue, May 08, 2001 at 02:01:21PM -0700
On Tue, May 08, 2001 at 02:01:21PM -0700, Jay D. Dyson wrote:
> On Tue, 8 May 2001, Edwin Chiu wrote:
>
> > The exploit failed for:
> > Redhat 6.1
> > vixie-cron-3.0.1-39
> > Redhat 6.2
> > vixie-cron-3.0.1-40
>
> *nod* I wrote to Cade directly regarding the advisory as it seems
> to me that the issue is more a matter of Debian's implementation of Vixie
> cron than an issue with Vixie cron itself. I'm still futzing with it to
> see if any other implementations will squeal. Fun and interesting results
> will be posted when found. ;)
I think this is a Linux-specific "enhancement" to vixie cron; nothing
remotely similar to the affected code seems to be in the FreeBSD
version, and I thought we were using the most recent vendor version.
Kris