Debian Security Advisory
DLA-1723-1 cron -- LTS security update
- Date Reported: 21 Mar 2019
- Affected Packages: cron
- Security database references:
  In the Debian bugtracking system: Bug 809167.
  In Mitre's CVE dictionary: CVE-2017-9525, CVE-2019-9704, CVE-2019-9705, CVE-2019-9706.
- More information:
Various security problems have been discovered in Debian's CRON scheduler.
CVE-2017-9525: Fix a group crontab to root privilege escalation via the Debian package's postinst script, as described by Alexander Peslyak (Solar Designer) in http://www.openwall.com/lists/oss-security/2017/06/08/3
CVE-2019-9704: DoS: fix an unchecked return value of calloc(). Florian Weimer discovered that a missing check for the return value of calloc() could crash the daemon; a local user could trigger this by creating a very large crontab.
CVE-2019-9705: Enforce a maximum crontab line count of 1000 to prevent a malicious user from creating an excessively large crontab. The daemon will log a warning for existing files that exceed the limit, and crontab(1) will refuse to create new ones.
CVE-2019-9706: A user reported a use-after-free condition in the cron daemon, leading to a possible denial-of-service scenario by crashing the daemon.
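The two hardening points for the crontab loader (the 1000-line cap and the checked calloc()) written out as an added example. This is not Debian's cron source: load_crontab, count_lines and MAX_CRONTAB_LINES are hypothetical names, and the crontab text fed in is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limit from the advisory: crontabs longer than this are refused. */
#define MAX_CRONTAB_LINES 1000

enum load_status { LOAD_OK = 0, LOAD_TOO_MANY_LINES = 1, LOAD_NOMEM = 2 };

/* Release an array of lines produced by load_crontab(). NULL is accepted. */
static void free_lines(char **lines, size_t n)
{
    if (lines == NULL) return;
    for (size_t i = 0; i < n; i++) free(lines[i]);
    free(lines);
}

/* Count newline-terminated lines; a trailing line without '\n' still counts. */
static size_t count_lines(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n') n++;
    if (len > 0 && buf[len - 1] != '\n') n++;
    return n;
}

/* Split an in-memory crontab into NUL-terminated lines.
 * The line count is checked against max_lines BEFORE any allocation sized
 * by that attacker-controlled number, and every allocation result is
 * checked instead of being dereferenced blindly (the missing check that
 * let a huge crontab crash the unpatched daemon). */
enum load_status load_crontab(const char *buf, size_t len, size_t max_lines,
                              char ***out, size_t *nlines)
{
    *out = NULL;
    *nlines = 0;
    size_t n = count_lines(buf, len);
    if (n > max_lines) return LOAD_TOO_MANY_LINES;
    if (n == 0) return LOAD_OK;

    char **lines = calloc(n, sizeof *lines);
    if (lines == NULL) return LOAD_NOMEM;

    size_t idx = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] != '\n') continue;
        if (i == len && start == len) break;   /* buffer ended with '\n' */
        size_t l = i - start;
        lines[idx] = malloc(l + 1);
        if (lines[idx] == NULL) { free_lines(lines, idx); return LOAD_NOMEM; }
        memcpy(lines[idx], buf + start, l);
        lines[idx][l] = '\0';
        idx++;
        start = i + 1;
    }
    *out = lines;
    *nlines = idx;
    return LOAD_OK;
}

/* Build a constructed crontab of lines_wanted identical entries and run it
 * through the loader, returning only the status. */
enum load_status load_synthetic(size_t lines_wanted)
{
    const char line[] = "* * * * * /bin/true\n";   /* constructed input */
    size_t l = sizeof line - 1;
    char *buf = malloc(l * lines_wanted + 1);
    if (buf == NULL) return LOAD_NOMEM;
    for (size_t i = 0; i < lines_wanted; i++) memcpy(buf + i * l, line, l);
    char **out = NULL;
    size_t n = 0;
    enum load_status st = load_crontab(buf, l * lines_wanted,
                                       MAX_CRONTAB_LINES, &out, &n);
    free_lines(out, n);
    free(buf);
    return st;
}

int main(void)
{
    printf("1000 lines: status %d\n", (int)load_synthetic(1000));
    printf("1001 lines: status %d\n", (int)load_synthetic(1001));
    return 0;
}
```

The order matters: counting first and refusing oversized input means the daemon never sizes an allocation from an untrusted line count, and the explicit NULL checks turn an allocation failure into an error return rather than a crash.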
For Debian 8 "Jessie", these problems have been fixed in version 3.0pl1-127+deb8u2.
We recommend that you upgrade your cron packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS