[RHSA-2005:361-01] Low: vixie-cron security update

bugzilla at redhat.com bugzilla at redhat.com
Wed Oct 5 13:44:09 UTC 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Low: vixie-cron security update
Advisory ID:       RHSA-2005:361-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-361.html
Issue date:        2005-10-05
Updated on:        2005-10-05
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-1038
- ---------------------------------------------------------------------

1. Summary:

An updated vixie-cron package that fixes various bugs and a security issue
is now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled times.

A bug was found in the way vixie-cron installs new crontab files. It is
possible for a local attacker to execute the crontab command in such a way
that they can view the contents of another user's crontab file. The Common
Vulnerabilities and Exposures project assigned the name CAN-2005-1038 to
this issue. 

Additionally, this update addresses the following issues:

o Fixed improper limits on filename and command line lengths 
o Improved PAM access control conforming to EAL certification requirements
o Improved reliability when running in a chroot environment
o Mail recipient name checking disabled by default, can be re-enabled 
o Added '-p' "permit all crontabs" option to disable crontab mode checking

All users of vixie-cron should upgrade to this updated package, which
contains backported patches and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

147636 - cron fails to run user jobs and gives vague error message
154920 - CAN-2005-1038 vixie-cron information leak
159216 - vixie-cron updates for new audit system
163881 - Cron no longer allows read-only crontabs, enforces write access
163882 - cron fails with pam_access
163885 - crontab truncates file names greater than 100 characters.
163888 - CAN-2005-1038 vixie-cron information leak
163889 - [PATCH] List corruption when items are removed from /etc/cron.d


6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/vixie-cron-4.1-36.EL4.src.rpm
e3fd76e5ba9887c8e11e1bc82d5fd485  vixie-cron-4.1-36.EL4.src.rpm

i386:
e8243ed213f8cfa5b50ac8f42a7ec9c7  vixie-cron-4.1-36.EL4.i386.rpm

ia64:
97380fd176e344f7df2d40d8e47f954c  vixie-cron-4.1-36.EL4.ia64.rpm

ppc:
2388e466c3e485de7b9e0a340d55d3b2  vixie-cron-4.1-36.EL4.ppc.rpm

s390:
85d62715dd6471e87b7bfbc14463c8bd  vixie-cron-4.1-36.EL4.s390.rpm

s390x:
14772968639ea37dc713e2f73e3292e0  vixie-cron-4.1-36.EL4.s390x.rpm

x86_64:
b3e6bbc02843e4e09d6488ab9c962cc2  vixie-cron-4.1-36.EL4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/vixie-cron-4.1-36.EL4.src.rpm
e3fd76e5ba9887c8e11e1bc82d5fd485  vixie-cron-4.1-36.EL4.src.rpm

i386:
e8243ed213f8cfa5b50ac8f42a7ec9c7  vixie-cron-4.1-36.EL4.i386.rpm

x86_64:
b3e6bbc02843e4e09d6488ab9c962cc2  vixie-cron-4.1-36.EL4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/vixie-cron-4.1-36.EL4.src.rpm
e3fd76e5ba9887c8e11e1bc82d5fd485  vixie-cron-4.1-36.EL4.src.rpm

i386:
e8243ed213f8cfa5b50ac8f42a7ec9c7  vixie-cron-4.1-36.EL4.i386.rpm

ia64:
97380fd176e344f7df2d40d8e47f954c  vixie-cron-4.1-36.EL4.ia64.rpm

x86_64:
b3e6bbc02843e4e09d6488ab9c962cc2  vixie-cron-4.1-36.EL4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/vixie-cron-4.1-36.EL4.src.rpm
e3fd76e5ba9887c8e11e1bc82d5fd485  vixie-cron-4.1-36.EL4.src.rpm

i386:
e8243ed213f8cfa5b50ac8f42a7ec9c7  vixie-cron-4.1-36.EL4.i386.rpm

ia64:
97380fd176e344f7df2d40d8e47f954c  vixie-cron-4.1-36.EL4.ia64.rpm

x86_64:
b3e6bbc02843e4e09d6488ab9c962cc2  vixie-cron-4.1-36.EL4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://www.securityfocus.com/archive/1/395093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1038

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFDQ9hwXlSAg2UNWIIRAjroAKCyeh8njyEyB/GBDud6szkiac+ItwCggqhX
aDQ6U+fTO6Q9AmTm1sstUVk=
=GQzs
-----END PGP SIGNATURE-----

More information about the Enterprise-watch-list mailing list