Stay Secure with the Latest Linux Advisories

security advisorymoderateFedora

Fedora Core 3: CAN-2005-1038 Moderate: vixie-cron Security Fix

Updated package.. ---------------------------------------------------------------------Fedora Update Notification FEDORA-2005-320 2005-04-15 ---------------------------------------------------------------------Product : Fedora Core 3 Name : vixie-cron Version : 4.1 Release : 33_FC3 Summary : The Vixie cron daemon for executing specified programs at set times. Description : The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. Vixie cron adds better security and more powerful configuration options to the standard version of cron. --------------------------------------------------------------------- o Fixes security vulnerability CAN-2005-1038 ( ) o Makes filename and command line length constraints correspond to system limits o Improved PAM support ---------------------------------------------------------------------* Thu Apr 14 2005 Jason Vas Dias - 4.1-33_FC3 - fix bug 154922 / CAN-2005-1038: check that new crontab is regular file after editor session ends. - fix bug 154575: use PATH_MAX (4096) as max filename length; also make limits on command line and env.var. lengths sensible (131072). * Fri Apr 8 2005 Jason Vas Dias - 4.1-33_FC3 - do pam_close_session and pam_setcred(pamh, PAM_DELETE_CRED) - if fork fails * Thu Apr 7 2005 Jason Vas Dias - 4.1-33_FC3 - fix bug 154065: crontab's job control broken: by - xpid = waitpid(pid,&waiter,WUNTRACED);... - if( WIFSTOPPED(waiter) )... kill(getpid(),WSTOPSIG(waiter)); - crontab should not kill itself with SIGSTOP if its child - gets SIGSTOP; hence it does not need the waitpid WUNTRACED flag. * Tue Apr 5 2005 Jason Vas Dias - 4.1-33_FC3 - Required for EAL Audit certification: - If pam_setcred should fail, the pam_session could fail to be - closed, leaving autofs user directories still mounted. * Tue Mar 15 2005 JasonVas Dias - 4.1-33_FC3 - fix bug 151145: segfault if cronjob runs without any SELinux user - security context (eg. in a broken chroot environment) * Fri Feb 25 2005 Jason Vas Dias - 4.1-24_FC3 - Add an /etc/sysconfig/crond file for containing CRONDARGS and - settings like CRON_VALIDATE_MAILRCPTS . * Fri Feb 25 2005 Jason Vas Dias - 4.1-24_FC3 - Fix bug 147636 - disable silly mail recipient name checking - (do_command.c's safe_p()) by default . Can be enabled by - presence of CRON_VALIDATE_MAILRCPTS variable in crond's - environment - also '_'s in MAILTOs are allowed. * Tue Jan 25 2005 Jason Vas Dias - 4.1-21_FC3 - Fix bug 146073 - allow the 'pam_access' module to be used with - cron - set 'PAM_TTY' item to 'cron' . * Mon Dec 20 2004 Jason Vas Dias - 4.1-20_FC3 - fix bug 142953 : allow read-only crontabs + provide -p - 'permit all crontabs' option to disable mode checking. - bug 135845 fix required 'ch' to be initialized in crontab.c line 322 - (bug 141760) * Mon Dec 20 2004 Jason Vas Dias - 4.1-20_FC3 - fixed all uninitialized variable warnings * Fri Oct 15 2004 Jason Vas Dias - 4.1-19 - crontab -e should only strip NHEADER_LINES comments - (NHEADER_LINES==0), not at least one header comment line. - (bug 135845) * Sat Oct 9 2004 Florian La Roche - 4.1-18 - no need to make user installed crontabs readable * Thu Sep 30 2004 Jason Vas Dias - 4.1-17 - Users not allowed to use 'crontab mycrontab', while - 'crontab < mycrontab' allowed; this is because misc.c's - swap_uids_back() was not using save_euid / save_egid . - Thanks to Mads Martin Joergensen for pointing this out. * Wed Sep 29 2004 Jason Vas Dias - 4.1-16 - Just found out in testing that if neither /etc/cron.{deny,allow} - exist, root is unable to use crontab - I'm sure root could before, - but is in any case meant to be able to. Allowing root to use crontab. * Wed Sep 29 2004 Jason Vas Dias - 4.1-14 - Fix for bug 130102 got dropped somehow fromlatest CVS. - This is now restored - in %post, if neither /etc/cron.{deny,allow} - exist, touch /etc/cron.deny, to allow all users to use crontab, - as was previous default vixie-cron behaviour. * Fri Sep 17 2004 Jason Vas Dias - 4.1-12 - Merged Dan's patch with vixie-cron-4.1-11 which was not - latest version according to new CVS ?!?! * Fri Sep 17 2004 Dan Walsh - 4.1-12 - Updated SELinux patch to use checkPasswdAccess * Tue Aug 31 2004 Jason Vas Dias - 4.1-11 - Fixed SIGSEGV in free_user when !is_selinux_enabled() and crontab - has no valid jobs (bug 131390). * Wed Aug 18 2004 Jason Vas Dias - 4.1.10 - Fixed bug 130102: Restored default behaviour if neither - /etc/cron.deny nor /etc/cron.allow exist - 'touch /etc/cron.deny' - in %post * Wed Aug 11 2004 Jason Vas Dias - 4.1.9 - Removed 0600 mode enforcement as per Florian La Roche's request * Tue Aug 10 2004 Jason Vas Dias - 4.1.8 - Allowed editors such as 'gedit' which do not modify original - file, but which rename(2) a temp file to original, to be used - by crontab -e (bug 129170). * Tue Aug 10 2004 Jason Vas Dias - 4.1.8 - Added '-i' option to crontab to prompt the user before deleting - crontab with '-r'. * Tue Aug 10 2004 Jason Vas Dias - 4.1.8 - Added documentation for '@' nicknames to crontab.5 - (bugs 107542, 89899). Also removed 'second when' (bug 59802). * Sun Aug 1 2004 Jason Vas Dias - 4.1.7 - fixed bug 128924: 'cron' log facility not being used * Fri Jul 30 2004 Jason Vas Dias - 4.1.6 - Added PAM 'auth sufficient pam_rootok.so' to /etc/pam.d/crond - (fixes bug 128843) - on dwalsh's advice. * Thu Jul 29 2004 Jason Vas Dias - 4.1-5 - Added Buildrequires: pam-devel * Wed Jul 28 2004 Dan Walsh - 4.1-4 - Fix crontab to do SELinux checkaccess * Wed Jul 28 2004 Jason Vas Dias - 4.1-3 - Fixed bug 128701: cron fails to parse user 6th field in - system crontabs (patch15) * Tue Jul 27 2004 Jason Vas Dias - 4.1-2 -Changed 'Requires' dependency from 'pam-devel' to 'pam'. * Mon Jul 26 2004 Jason Vas Dias - 4.1-1 - Added PAM access control support. * Thu Jul 22 2004 Jason Vas Dias - 4.1-1 - Changed post-install to change mode of existing crontabs to - 0600 to allow run by new ISC cron 4.1 * Thu Jul 22 2004 Jason Vas Dias - 4.1-1 - Upgraded to ISC cron 4.1 * Thu Jul 1 2004 Jens Petersen - 3.0.1-94 - add vixie-cron-3.0.1-cron-descriptors-125110.patch to close std descriptors when forking (Bernd Schmidt, 121280) - add vixie-cron-3.0.1-no-crontab-header-89809.patch to not prepend header to crontab files (Damian Menscher, 103899) - fix use of RETVAL in init.d script (Enrico Scholz, 97784) - add safer malloc call to vixie-cron-3.0.1-sprintf.patch - add cron-3.0.1-crontab-syntax-error-114386.patch to fix looping on crontab syntax error (Miloslav Trmac, 89937) * Fri Jun 25 2004 Dan Walsh - 3.0.1-93 - Add fixes from NSA * Tue Jun 22 2004 Dan Walsh - 3.0.1-92 - Add fixes from NSA * Tue Jun 15 2004 Dan Walsh - 3.0.1-91 - Change patch to check SElinux properly, go back to using fname instead of uname * Tue Jun 15 2004 Elliot Lee - rebuilt * Fri Jun 4 2004 Dan Walsh - 3.0.1-89 - Fix patch * Fri Jun 4 2004 Dan Walsh - 3.0.1-88 - Add patch to allow it to run in permissive mode. * Fri Feb 13 2004 Elliot Lee - rebuilt * Wed Feb 4 2004 Dan Walsh - 3.0.1-86 - Add security_getenforce check. * Mon Jan 26 2004 Dan Walsh - 3.0.1-85 - Fix call to is_selinux_enabled() * Mon Dec 8 2003 Dan Walsh - 3.0.1-84 - change daemon flag to 1 * Wed Dec 3 2003 Dan Walsh - 3.0.1-83 - Add daemon to make sure child is clean * Fri Nov 7 2003 Jens Petersen - 3.0.1-82 - add vixie-cron-3.0.1-pie.patch to build crond as pie (#108414) [Ulrich Drepper] - require libselinux and buildrequire libselinux-devel * Thu Oct 30 2003 Dan Walsh - 3.0.1-81.sel - turn on selinux * Tue Sep 30 2003 Jens Petersen -3.0.1-80 - add vixie-cron-3.0.1-vfork-105616.patch to use fork instead of vfork (#105616) [report and patch from This email address is being protected from spambots. You need JavaScript enabled to view it.] - update vixie-cron-3.0.1-redhat.patch not to change DESTMAN redundantly (it is overrriden in the spec file anyway) * Fri Sep 5 2003 Dan Walsh - 3.0.1-79 - turn off selinux * Fri Sep 5 2003 Dan Walsh - 3.0.1-78.sel - turn on selinux * Tue Jul 29 2003 Dan Walsh - 3.0.1-77 - Patch to run on SELinux * Wed Jun 4 2003 Elliot Lee - rebuilt * Wed Mar 19 2003 Jens Petersen - 3.0.1-75 - add vixie-cron-3.0.1-root_-u-85879.patch from Valdis Kletnieks to allow root to run "crontab -u " even for users that aren't allowed to * Wed Feb 19 2003 Jens Petersen - 3.0.1-74 - fix preun script typo (#75137) [reported by Peter Bieringer] * Tue Feb 11 2003 Bill Nottingham 3.0.1-73 - don't set SIGCHLD to SIG_IGN and then try and wait... (#84046) * Fri Feb 7 2003 Nalin Dahyabhai 3.0.1-72 - adjust cron.d patch so that it ignores file with names that begin with '#' or end with '~', '.rpmorig', '.rpmsave', or '.rpmnew' - merge hunk of buffer overflow patch into the cron.d patch * Wed Jan 22 2003 Tim Powers - rebuilt * Wed Dec 11 2002 Tim Powers 3.0.1-70 - rebuild on all arches * Sat Jul 20 2002 Akira TAGOH 3.0.1-69 - vixie-cron-3.0.1-nonstrip.patch: applied to fix the stripped binary issue. * Fri Jun 21 2002 Tim Powers - automated rebuild * Mon Jun 10 2002 Bill Huang - Fix preun bugs.(#55340) - Fix fprintf bugs.(#65209) * Thu May 23 2002 Tim Powers - automated rebuild * Mon Apr 15 2002 Bill Huang - Fixed #62963. * Thu Apr 4 2002 James McDermott - Alter behavior of crontab to take stdin as the default behavior if no options are specified. * Sun Jun 24 2001 Elliot Lee - Bump release + rebuild. * Thu Mar 8 2001 Bill Nottingham - add patch from Alan Eldridge to fix double execution of jobs (#29868) * Sun Feb 11 2001 Bill Nottingham -fix buffer overflow in crontab * Wed Feb 7 2001 Trond Eivind Glomsrød - fix usage string in initscript (#26533) * Tue Feb 6 2001 Bill Nottingham - fix build with new glibc (#25931) * Tue Jan 23 2001 Bill Nottingham - change i18n mechanism * Fri Jan 19 2001 Bill Nottingham - log as 'crond', not 'CROND' (#19410) - account for shifts in system clock (#23230, patch from ) - i18n-ize initscript * Thu Aug 24 2000 Than Ngo - fix to set startup position correct at update * Thu Aug 24 2000 Than Ngo - add /sbin/service to Prereq - call /sbin/service instead service - fix startup position (Bug #13353) * Mon Aug 7 2000 Bill Nottingham - fix crond logging patch (This email address is being protected from spambots. You need JavaScript enabled to view it.) - log via syslog (suggestion from This email address is being protected from spambots. You need JavaScript enabled to view it.) - put system crontab location in crontab(5) (#14842) * Fri Jul 28 2000 Bill Nottingham - fix condrestart * Fri Jul 21 2000 Bill Nottingham - fix reload bug (#14065) * Fri Jul 14 2000 Bill Nottingham - move initscript back * Thu Jul 13 2000 Prospector - automatic rebuild * Thu Jul 6 2000 Bill Nottingham - prereq /etc/init.d * Mon Jul 3 2000 Bill Nottingham - fix %post; we do condrestart in %postun * Thu Jun 29 2000 Bill Nottingham - oops, fix init script * Tue Jun 27 2000 Bill Nottingham - require new initscripts, not prereq * Mon Jun 26 2000 Bill Nottingham - initscript hacks * Wed Jun 14 2000 Nalin Dahyabhai - tweak logrotate config * Sun Jun 11 2000 Bill Nottingham - rebuild in new env. - FHS fixes - don't ship chkconfig links * Fri Mar 31 2000 Bill Nottingham - fix non-root builds (#10490) * Sun Mar 26 2000 Florian La Roche - do not remove log files * Thu Feb 3 2000 Bill Nottingham - handle compressed man pages * Fri Sep 10 1999 Bill Nottingham - chkconfig --del in %preun, not %postun * Wed Aug 25 1999 Bill Nottingham - fix buffer overflow * Mon Aug 16 1999 Bill Nottingham - initscriptmunging * Fri Jul 30 1999 Michael K. Johnson - dayofmonth and month can't be 0 * Thu Jun 3 1999 Jeff Johnson - in cron.log use "kill -HUP pid" not killall to preserve errors (#2241). * Wed Apr 14 1999 Michael K. Johnson - add note to man page about DST conversion causing strangeness - documented cron.d patch * Tue Apr 13 1999 Michael K. Johnson - improved cron.d patch * Mon Apr 12 1999 Erik Troan - added cron.d patch * Tue Mar 23 1999 Bill Nottingham - logrotate changes * Tue Mar 23 1999 Preston Brown - clean up log files on deinstallation * Sun Mar 21 1999 Cristian Gafton - auto rebuild in the new build environment (release 28) * Wed Dec 30 1998 Cristian Gafton - build for glibc 2.1 * Wed Jun 10 1998 Prospector System - translations modified for de * Wed Jun 10 1998 Jeff Johnson - reset SIGCHLD before grandchild execle (problem #732) * Sat May 2 1998 Cristian Gafton - enhanced initscript * Mon Apr 27 1998 Prospector System - translations modified for de, fr, tr * Thu Dec 11 1997 Cristian Gafton - added a patch to get rid of the dangerous sprintf() calls - added BuildRoot and Prereq: /sbin/chkconfig * Sun Nov 9 1997 Michael K. Johnson - fixed cron/crond dichotomy in init file. * Wed Oct 29 1997 Donnie Barnes - fixed bad init symlinks * Thu Oct 23 1997 Erik Troan - force it to use SIGCHLD instead of defunct SIGCLD * Mon Oct 20 1997 Erik Troan - updated for chkconfig - added status, restart options to init script * Tue Jun 17 1997 Erik Troan - built against glibc * Wed Feb 19 1997 Erik Troan - Switch conditional from "axp" to "alpha" ---------------------------------------------------------------------This update can be downloaded from: fbc4cd5b0250e100d7248a8918db3db2 SRPMS/vixie-cron-4.1-33_FC3.src.rpm 61dabc38f4d172c9324e1e5325967477 x86_64/vixie-cron-4.1-33_FC3.x86_64.rpm 97a09afc99217befd111ff3b6ec807d7 x86_64/debug/vixie-cron-debuginfo-4.1-33_FC3.x86_64.rpm 007fbd960d6905a8371cc30a11cbed93 i386/vixie-cron-4.1-33_FC3.i386.rpm fa82ed54e99044febcfbaa00c8215763 i386/debug/vixie-cron-debuginfo-4.1-33_FC3.i386.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. -----------------------------------------------------------------------fedora-announce-list mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . The latest vixie-cron update in Fedora Core 3 fixes security issues and enhances scheduled task management, boosting cron job reliability and performance.. vixie-cron Update,Fedora Security,Cron Daemon. . Severity: Important. LinuxSecurity.com Team

Apr 15, 2005 •Important Fedora