
cron 3.0pl1-20: URGENT SECURITY FIX



There is a major security hole in cron 3.0pl1-19 and earlier, allowing
any user to gain access to the `root' group.  On many (most?) systems
this will quickly allow them to gain superuser access.

I am currently uploading cron-3.0pl1-20.deb using my 2400-baud modem.
In the meantime, please disable your cron daemon:

 # killall cron
 # chmod 400 /usr/sbin/cron

Ian M.: please replace the cron in the binary directory with this one
immediately.  The source will arrive tomorrow - my modem is too slow
to get it uploaded today.

If you download from Incoming, please check the file size - the binary
package file is 27737 bytes.

cron (3.0pl1-20); priority=URGENT

  * cron now uses initgroups when running jobs.  Bug#1400.  AARGH!

 -- Ian Jackson <iwj10@cus.cam.ac.uk>  Thu, 21 Sep 1995 01:44:11 +0100

169cec1ee4387c994798608385826363  cron-3.0pl1-20.deb
e9b26cb21aac62dcee5d443ce6dd7ab4  cron-3.0pl1-20.diff.gz
29655e14fff95cd477f1b3775d85d8d2  cron-3.0pl1-20.tar.gz
-rw-r--r--   1 root     root        27737 Sep 21 01:52 cron-3.0pl1-20.deb
-rw-rw-r--   1 ian      ian         10093 Sep 21 01:50 cron-3.0pl1-20.diff.gz
-rw-rw-r--   1 ian      ian         66738 Sep 21 01:50 cron-3.0pl1-20.tar.gz
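
The changelog entry above, as an added example that is not part of the original message and not cron's own code: a daemon running as root has to reset the supplementary group list with initgroups() before setgid() and setuid(), otherwise the job it starts keeps the daemon's groups. The function names and the MAXG limit are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXG 64  /* assumed upper bound on groups, for this example only */

/* Number of held groups that are not in the allowed set. */
int count_stale_groups(const gid_t *held, int nheld,
                       const gid_t *allowed, int nallowed)
{
    int stale = 0;
    for (int i = 0; i < nheld; i++) {
        int ok = 0;
        for (int j = 0; j < nallowed && !ok; j++)
            ok = (held[i] == allowed[j]);
        stale += !ok;
    }
    return stale;
}

/* Compare this process's groups with the user's entitled set; -1 on error. */
int audit_process_groups(const struct passwd *pw)
{
    gid_t held[MAXG], allowed[MAXG];
    int nallowed = MAXG;
    int nheld = getgroups(MAXG, held);
    if (nheld < 0 || getgrouplist(pw->pw_name, pw->pw_gid, allowed, &nallowed) < 0)
        return -1;
    return count_stale_groups(held, nheld, allowed, nallowed);
}

/* Groups first, then gid, then uid: after setuid() groups cannot be changed. */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    if (getuid() != pw->pw_uid || getgid() != pw->pw_gid) return -1;
    return audit_process_groups(pw) == 0 ? 0 : -1;  /* refuse to run the job otherwise */
}

int main(void)
{
    const struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) return 1;
    printf("stale supplementary groups: %d\n", audit_process_groups(pw));
    return 0;
}
```

Run unprivileged, the program only audits the current process; drop_to_user() is what a root daemon would call in the child before exec.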

