Hi Christian, hi all,

On Sun 17 Mar 2019 21:40:24 CET, Christian Kastner wrote:
On 17.03.19 21:31, Christian Kastner wrote: debdiff attached.
Sorry, I noticed too late that the fix for CVE-2017-9525 was incomplete, it needed another cherry-pick. Corrected debdiff attached, and commit pushed to wip/jessie. Regards, Christian
I just uploaded this second .debdiff with some slight changes to jessie-security. DLA announcement will come in a minute.
Thanks for your work on cron for Debian jessie LTS. Mike ``` --- cron.deb8u2.debdiff 2019-03-21 20:36:41.432413610 +0100 +++ cron_3.0pl1-127+deb8u1_deb8u2.debdiff 2019-03-21 20:47:11.121917940 +0100 @@ -108,7 +108,7 @@ --- cron-3.0pl1/debian/NEWS +++ cron-3.0pl1/debian/NEWS @@ -1,3 +1,13 @@ -+cron (3.0pl1-127+deb8u2) unstable; urgency=medium ++cron (3.0pl1-127+deb8u2) jessie-security; urgency=medium ++ * As a reasonable protective measure, crontabs are now limited to 1000 lines
+ in length per crontab. @@ -124,9 +124,10 @@ diff -u cron-3.0pl1/debian/changelog cron-3.0pl1/debian/changelog --- cron-3.0pl1/debian/changelog +++ cron-3.0pl1/debian/changelog -@@ -1,3 +1,29 @@ +@@ -1,3 +1,33 @@ +cron (3.0pl1-127+deb8u2) jessie-security; urgency=medium + ++ [ Christian Kastner ] + * SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open + If these files exist, then they must be readable by the user executing + crontab(1). Users will now be denied by default if they aren't. @@ -149,7 +150,10 @@ + (CVE-2017-9525) + * Add d/NEWS altering to the new 1000 lines limit. + -+ -- Christian Kastner <ckk@debian.org> Sun, 17 Mar 2019 14:12:24 +0100 ++ [ Mike Gabriel ] ++ * debian/NEWS: Fix <distribution> from unstable to jessie-security. ++ ++ -- Mike Gabriel <sunweaver@debian.org> Thu, 21 Mar 2019 20:43:10 +0100 + cron (3.0pl1-127+deb8u1) jessie; urgency=medium ``` -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net
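Review bot: The debian/NEWS hunk (@@ -108,7 +108,7 @@) leaves the entry text saying only that crontabs "are now limited to 1000 lines in length per crontab", with no word on what happens to an existing crontab that is already longer. Since the distribution line of this entry is being touched anyway, consider adding a sentence that tells users how an over-long crontab is treated after the upgrade and what they need to do about it.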
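Review bot: In the last debian/changelog hunk (@@ -149,7 +150,10 @@), the unchanged context line "* Add d/NEWS altering to the new 1000 lines limit." looks like a typo for "alerting". This revision already rewrites the trailer of the same stanza, so the wording could be corrected in the same upload rather than carried into the archive.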