Red Hat Product Errata RHSA-2006:0117 - Security Advisory
Issued:
2006-03-15
Updated:
2006-03-15

RHSA-2006:0117 - Security Advisory

Synopsis

vixie-cron security update

Type/Severity

Security Advisory: Low

Topic

An updated vixie-cron package that fixes a bug and security issue is now
available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

Description

The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled times.

A bug was found in the way vixie-cron installs new crontab files. It is
possible for a local attacker to execute the crontab command in such a way
that they can view the contents of another user's crontab file. The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-1038 to
this issue.

This update also fixes an issue where cron jobs could start before their
scheduled time.

All users of vixie-cron should upgrade to this updated package, which
contains backported patches and is not vulnerable to these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

  • BZ - 154424 - [RHEL-3] cronjobs start too early
  • BZ - 162022 - CVE-2005-1038 vixie-cron information leak
  • BZ - 178432 - prediction: vixie-cron-4.1's pam_unix session log messages will be most unpopular
  • BZ - 178436 - network service interruption can cause initgroups() to delay cron job execution by more than one minute

References

(none)

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.