
Debian: DLA-1723-1 Moderate: Cron Scheduler Security Issues

Debian LTS
March 21, 2019
Various security problems have been discovered in Debian's CRON scheduler.

Summary

CVE-2017-9525

Fix group crontab to root escalation via the Debian package's
postinst script as described by Alexander Peslyak (Solar Designer) in
https://www.openwall.com/lists/oss-security/2017/06/08/3


CVE-2019-9704

DoS: Fix unchecked return of calloc(). Florian Weimer discovered that
a missing check for the return value of calloc() could crash the
daemon, which could be triggered by a very large crontab created by a
user.


CVE-2019-9705

Enforce a maximum crontab line count of 1000 to prevent a malicious
user from creating an excessively large crontab. The daemon will log a
warning for existing files, and crontab(1) will refuse to create new
ones.
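The two hardening measures behind CVE-2019-9704 and CVE-2019-9705, as an added illustration written for this page and not the cron package's own code: a hypothetical loader that checks the calloc() return value and enforces the 1000-line cap, refusing the file in crontab(1) mode and only logging a warning in daemon mode. All function and constant names, and the sample crontab text, are assumptions constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CRONTAB_LINES 1000   /* hypothetical constant mirroring the advisory's cap */
enum { CRONTAB_OK = 0, CRONTAB_TOO_LONG = -1, CRONTAB_NOMEM = -2 };

/* Count lines; a final line without a trailing newline still counts. */
size_t count_crontab_lines(const char *text)
{
    size_t n = 0, len = strlen(text);
    for (size_t i = 0; i < len; i++) n += (text[i] == '\n');
    return n + (len > 0 && text[len - 1] != '\n');
}

/* Split text in place ('\n' -> '\0') into a calloc'd array of line pointers.
 * strict != 0 models crontab(1) and refuses an oversized file; strict == 0 models
 * the daemon, which loads an oversized existing file but logs a warning.
 * On CRONTAB_OK, *entries (caller frees) and *count are set. */
int load_crontab(char *text, int strict, char ***entries, size_t *count)
{
    size_t n = count_crontab_lines(text);
    if (n > MAX_CRONTAB_LINES) {
        if (strict) return CRONTAB_TOO_LONG;
        fprintf(stderr, "warning: crontab has %zu lines, limit is %d\n", n, MAX_CRONTAB_LINES);
    }
    char **lines = calloc(n ? n : 1, sizeof *lines);
    if (lines == NULL) return CRONTAB_NOMEM;   /* the check whose absence is CVE-2019-9704 */
    size_t i = 0;
    for (char *p = text; *p != '\0'; ) {
        char *nl = strchr(p, '\n');
        lines[i++] = p;
        if (nl == NULL) break;
        *nl = '\0';
        p = nl + 1;
    }
    *entries = lines; *count = i;
    return CRONTAB_OK;
}

/* Constructed sample input: n copies of one harmless entry (not real data). */
char *make_sample_crontab(size_t n)
{
    const char *entry = "*/5 * * * * /usr/local/bin/backup.sh\n";
    size_t elen = strlen(entry);
    char *buf = malloc(n * elen + 1);
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(buf + i * elen, entry, elen);
    buf[n * elen] = '\0';
    return buf;
}
```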


CVE-2019-9706

A user reported a use-after-free condition in the cron daemon,
leading to a possible Denial-of-Service scenario by crashing the
daemon.


For Debian 8 "Jessie", these problems have been fixed in version
3.0pl1-127+deb8u2.

We recommend that you upgrade your cron packages.

Full Advisory

Package: cron
Version: 3.0pl1-127+deb8u2
CVE ID: CVE-2017-9525 CVE-2019-9704 CVE-2019-9705 CVE-2019-9706
Debian Bug: 809167
