- Issued:
- 2005-10-05
- Updated:
- 2005-10-05
RHSA-2005:361 - Security Advisory
Synopsis
vixie-cron security update
Type/Severity
Security Advisory: Low
Topic
An updated vixie-cron package that fixes various bugs and a security issue
is now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Description
The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled times.
A bug was found in the way vixie-cron installs new crontab files. It is
possible for a local attacker to execute the crontab command in such a way
that they can view the contents of another user's crontab file. The Common
Vulnerabilities and Exposures project assigned the name CAN-2005-1038 to
this issue.
Additionally, this update addresses the following issues:
o Fixed improper limits on filename and command line lengths
o Improved PAM access control conforming to EAL certification requirements
o Improved reliability when running in a chroot environment
o Mail recipient name checking disabled by default, can be re-enabled
o Added '-p' "permit all crontabs" option to disable crontab mode checking
All users of vixie-cron should upgrade to this updated package, which
contains backported patches and is not vulnerable to these issues.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
Affected Products
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for Power, big endian 4 ppc
Fixes
- BZ - 147636 - cron fails to run user jobs and gives vague error message
- BZ - 154920 - CAN-2005-1038 vixie-cron information leak
- BZ - 159216 - vixie-cron updates for new audit system
- BZ - 163881 - Cron no longer allows read-only crontabs, enforces write access
- BZ - 163882 - cron fails with pam_access
- BZ - 163885 - crontab truncates file names greater than 100 characters.
- BZ - 163888 - CAN-2005-1038 vixie-cron information leak
- BZ - 163889 - [PATCH] List corruption when items are removed from /etc/cron.d
CVEs
References
Red Hat Enterprise Linux Server 4
| SRPM | |
|---|---|
| vixie-cron-4.1-36.EL4.src.rpm | SHA-256: 5118bb88bfa743a057d0ca1e159a62496efac39190cc3edda80ad02578f1faa6 |
| x86_64 | |
| vixie-cron-4.1-36.EL4.x86_64.rpm | SHA-256: 005c50eeed4bf60919d8db9db501ad1aef8d58773ff42eb8e75cb885aa3c0e5d |
| vixie-cron-4.1-36.EL4.x86_64.rpm | SHA-256: 005c50eeed4bf60919d8db9db501ad1aef8d58773ff42eb8e75cb885aa3c0e5d |
| ia64 | |
| vixie-cron-4.1-36.EL4.ia64.rpm | SHA-256: 00d17ab671ab8f32d93f7c2ac8b6b15a9fe37e6ba04b87b5d5aebab691f50a04 |
| vixie-cron-4.1-36.EL4.ia64.rpm | SHA-256: 00d17ab671ab8f32d93f7c2ac8b6b15a9fe37e6ba04b87b5d5aebab691f50a04 |
| i386 | |
| vixie-cron-4.1-36.EL4.i386.rpm | SHA-256: eceaa37e85f54a13fcd9eab8f2800d9dea6c2c8a4bb9bf9662d8ebab346a9740 |
| vixie-cron-4.1-36.EL4.i386.rpm | SHA-256: eceaa37e85f54a13fcd9eab8f2800d9dea6c2c8a4bb9bf9662d8ebab346a9740 |
Red Hat Enterprise Linux Workstation 4
| SRPM | |
|---|---|
| vixie-cron-4.1-36.EL4.src.rpm | SHA-256: 5118bb88bfa743a057d0ca1e159a62496efac39190cc3edda80ad02578f1faa6 |
| x86_64 | |
| vixie-cron-4.1-36.EL4.x86_64.rpm | SHA-256: 005c50eeed4bf60919d8db9db501ad1aef8d58773ff42eb8e75cb885aa3c0e5d |
| ia64 | |
| vixie-cron-4.1-36.EL4.ia64.rpm | SHA-256: 00d17ab671ab8f32d93f7c2ac8b6b15a9fe37e6ba04b87b5d5aebab691f50a04 |
| i386 | |
| vixie-cron-4.1-36.EL4.i386.rpm | SHA-256: eceaa37e85f54a13fcd9eab8f2800d9dea6c2c8a4bb9bf9662d8ebab346a9740 |
Red Hat Enterprise Linux Desktop 4
| SRPM | |
|---|---|
| vixie-cron-4.1-36.EL4.src.rpm | SHA-256: 5118bb88bfa743a057d0ca1e159a62496efac39190cc3edda80ad02578f1faa6 |
| x86_64 | |
| vixie-cron-4.1-36.EL4.x86_64.rpm | SHA-256: 005c50eeed4bf60919d8db9db501ad1aef8d58773ff42eb8e75cb885aa3c0e5d |
| i386 | |
| vixie-cron-4.1-36.EL4.i386.rpm | SHA-256: eceaa37e85f54a13fcd9eab8f2800d9dea6c2c8a4bb9bf9662d8ebab346a9740 |
Red Hat Enterprise Linux for IBM z Systems 4
| SRPM | |
|---|---|
| vixie-cron-4.1-36.EL4.src.rpm | SHA-256: 5118bb88bfa743a057d0ca1e159a62496efac39190cc3edda80ad02578f1faa6 |
| s390x | |
| vixie-cron-4.1-36.EL4.s390x.rpm | SHA-256: 27e34b237af96422899c57fd1933a0a6aec75821dc09f5184d8b04d85953fb1f |
| s390 | |
| vixie-cron-4.1-36.EL4.s390.rpm | SHA-256: 39b1bc211b6d8effdf1f3b5af018639d00a26fccf864805df58c59dc408372ce |
Red Hat Enterprise Linux for Power, big endian 4
| SRPM | |
|---|---|
| vixie-cron-4.1-36.EL4.src.rpm | SHA-256: 5118bb88bfa743a057d0ca1e159a62496efac39190cc3edda80ad02578f1faa6 |
| ppc | |
| vixie-cron-4.1-36.EL4.ppc.rpm | SHA-256: 3dd83b298ce8c305f35424772753a824fd41acd1133032285147ec8aa551b42f |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.