Debian Security Advisory
DSA-024-1 cron -- local insecure crontab handling
- Date Reported:
- 27 Jan 2001
- Affected Packages:
- cron
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 2332.
- In Mitre's CVE dictionary: CVE-2001-0235.
- More information:
- The FreeBSD team has found a bug in the way new crontabs were handled which allowed malicious users to display arbitrary crontab files on the local system. This only affects valid crontab files, so it can't be used to get access to /etc/shadow or similar files. Crontab files are not especially secure anyway, as there are other ways they can leak. No passwords or similar sensitive data should be stored in them. We recommend you upgrade your cron packages.
- Fixed in:
- Debian 2.2 (potato)
- Source:
- http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1.orig.tar.gz
- http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1-57.2.diff.gz
- http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1-57.2.dsc
- alpha:
- http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.2_alpha.deb
- arm:
- http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.2_arm.deb
- i386:
- http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.2_i386.deb
- m68k:
- http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.2_m68k.deb
- powerpc:
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.2_powerpc.deb
- sparc:
- http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.2_sparc.deb