Re: Vulnerability in vixie cron?
Oliver Fromme <olli@lurza.secnetix.de> writes:
> Recently there have been advisories and patches for
> SuSE and RedHat (and probably a few others) regarding
> a vulnerability in Vixie Cron. The details say that
> there's insufficient checking of the return value of
> setuid, which can lead to privilege escalation and
> lets users run cron jobs with root privileges.
>
> As far as I know, FreeBSD also uses Vixie Cron (at least
> the cron(8) manpage says so). However, I haven't seen
> any FreeBSD advisory regarding this, so I wonder if
> FreeBSD's cron isn't affected for some reason?
>
> Any information would be appreciated.
It looks to me like this wasn't exploitable in a default configuration
anyway, but it was fixed on 1 June in HEAD and on 1 July in RELENG_6.
http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
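
The bug class discussed in this thread, a privilege drop whose setuid return value is not checked, shown as an added example that is not part of the original messages and is not code from FreeBSD or Vixie cron. The `cred_ops` seam, the stub functions and uid/gid 1001 are hypothetical, used so the failure path can be run without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seam: production code would call setgid()/setuid() directly. */
struct cred_ops {
    int (*set_gid)(gid_t);
    int (*set_uid)(uid_t);
};

/* Unchecked pattern: return values are discarded, so a failed set_uid
 * still reports success and the job would run with the caller's identity. */
static int drop_unchecked(const struct cred_ops *ops, uid_t uid, gid_t gid)
{
    ops->set_gid(gid);
    ops->set_uid(uid);
    return 0;
}

/* Checked pattern: any failure aborts before the job is executed. */
static int drop_checked(const struct cred_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) != 0)   /* group first, while still privileged */
        return -1;
    if (ops->set_uid(uid) != 0)
        return -1;
    return 0;
}

/* Constructed stubs: ok_* succeed, fail_uid simulates a refused uid change. */
static int ok_gid(gid_t g) { (void)g; return 0; }
static int ok_uid(uid_t u) { (void)u; return 0; }
static int fail_uid(uid_t u) { (void)u; errno = EAGAIN; return -1; }

/* Returns 1 if the job would be run after the drop, 0 if it is refused. */
static int would_run_job(int (*drop)(const struct cred_ops *, uid_t, gid_t),
                         const struct cred_ops *ops)
{
    return drop(ops, 1001, 1001) == 0;   /* 1001: constructed sample ids */
}

int main(void)
{
    struct cred_ops healthy = { ok_gid, ok_uid }, failing = { ok_gid, fail_uid };
    printf("healthy, checked:   %d\n", would_run_job(drop_checked, &healthy));
    printf("failing, unchecked: %d\n", would_run_job(drop_unchecked, &failing));
    printf("failing, checked:   %d\n", would_run_job(drop_checked, &failing));
    return 0;
}
```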