This bug was fixed in the package cron - 3.0pl1-106ubuntu1

---------------
cron (3.0pl1-106ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/control: Depend on lsb-base >= 3.2-12ubuntu4
    - debian/control: Drop MTA and lockfile-args to Suggests
    - pathnames.h: use sensible-editor
  * New Debian release fixes LP: #46649

cron (3.0pl1-106) unstable; urgency=high

  * SECURITY UPDATE: cron does not check the return code of setgid() and
    initgroups(), which under certain circumstances could cause applications
    to run with elevated group privileges. Note that the more serious issue
    of not checking the return code of setuid() was fixed already in
    3.0pl1-64. (Closes: #528434)
    - do_command.c: check return code of setgid() and initgroups()
    - This fixes (hopefully completely) CVE-2006-2607
  * crontab.c:
    - close the temporary file after it is edited and before calling
      cleanup_tmp_crontab() to behave properly on NFS mounted /
      (Closes: #413962)
    - if crontab is run without argument then it will read stdin to replace
      the user's crontab. This way it is POSIXLY_CORRECT. More information at
      http://www.opengroup.org/onlinepubs/9699919799/utilities/crontab.html
      (Closes: #514062)
  * crontab.5 :
    - Add details about multiple recipients in MAILTO (LP: #235464)
      (Closes: #502650)
    - Indicate that it also reads environment from /etc/environment
    - Substitute ATT for AT&T (Closes: #405474)
  * Proper fix for PAM configuration to make cron read the system environment
    (Closes: #511684)
  * debian/cron.init:
    - Add support for 'status' in the init.d (Closes: #514721)
    - Use 'cron' instead of 'crond' (Closes: #497699)
  * Change lockfile-progs from Suggests: to Recommends: and remove wording
    related to dselect, which is no longer relevant (Closes: #452460, #468262)
  * Change the (outdated) wording of the description based on an example
    provided by Justin B Rye (Closes: #485452)
  * Change the postinst so that update-rc.d is only run if /etc/init.d/cron
    is executable (Closes: #500610)

 -- Jamie Strandboge <ja...@ubuntu.com>  Thu, 14 May 2009 09:53:08 -0500

** Changed in: cron (Ubuntu Karmic)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2607

-- 
Cron not checking setgid return value
https://bugs.launchpad.net/bugs/46649

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
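The security entry above is about a privilege-drop sequence whose failures went unnoticed. The following added example (my own code, not cron's do_command.c; the function and enum names are this example's) shows the two patterns side by side: a cron-style job runner that discards the results of setgid() and initgroups(), and the corrected form that checks every call, keeps the calls in the only order that can work (groups before setuid), verifies the resulting ids, and refuses to run the job otherwise.

```c
/* Added example (not cron's own do_command.c): dropping privileges in a
 * cron-style job runner, once as the unchecked pattern this update removed
 * and once with every call checked. All names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Which step of the drop failed; PRIV_OK means every step succeeded and
 * the resulting ids were verified. */
enum priv_step { PRIV_OK = 0, PRIV_SETGID, PRIV_INITGROUPS, PRIV_SETUID, PRIV_VERIFY };

static const char *const priv_step_name[] = {
    "ok", "setgid", "initgroups", "setuid", "verify",
};

/* The pre-3.0pl1-106 pattern: the results of setgid() and initgroups() are
 * discarded. If either call fails, the caller has no way to know and goes
 * on to run the job with whatever group ids the daemon still holds.
 * (rc is assigned only to keep the compiler quiet; nothing acts on it.) */
static void drop_privileges_unchecked(const char *user, uid_t uid, gid_t gid)
{
    int rc;
    rc = setgid(gid);           /* result never examined */
    rc = initgroups(user, gid); /* result never examined */
    rc = setuid(uid);           /* cron has checked this one since 3.0pl1-64 */
    (void)rc;
}

/* The corrected pattern. Order matters: the group ids and the supplementary
 * group list must be set while the process is still privileged, because
 * after setuid() to an unprivileged uid, setgid() and setgroups() are no
 * longer permitted. On failure the returned step names the call that
 * failed and errno is left as that call set it (0 for PRIV_VERIFY). The
 * process may already be half-dropped at that point, so the only safe
 * reaction is to log and _exit(), never to run the job. */
static enum priv_step drop_privileges_checked(const char *user, uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return PRIV_SETGID;
    if (initgroups(user, gid) != 0)
        return PRIV_INITGROUPS;
    if (setuid(uid) != 0)
        return PRIV_SETUID;
    /* Belt and braces: confirm the real and effective ids actually changed.
     * On Linux, getresuid()/getresgid() additionally let you confirm the
     * saved ids, which is what makes the drop irreversible. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = 0;
        return PRIV_VERIFY;
    }
    return PRIV_OK;
}

int main(int argc, char **argv)
{
    /* Demonstration: drop to the ids of the user named on the command line
     * (defaults to the current user, so it can be tried without root; in
     * that case initgroups() is expected to fail with EPERM). */
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : getpwuid(getuid());
    if (pw == NULL) {
        fprintf(stderr, "unknown user\n");
        return 1;
    }
    enum priv_step st = drop_privileges_checked(pw->pw_name, pw->pw_uid, pw->pw_gid);
    if (st != PRIV_OK) {
        fprintf(stderr, "privilege drop failed at %s: %s; refusing to run job\n",
                priv_step_name[st], errno ? strerror(errno) : "ids did not change");
        return 1;
    }
    printf("running job as uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run without root, the checked version reports the failing step and the job never starts; the unchecked version returns normally with the caller's ids untouched, which is exactly the state CVE-2006-2607 describes. The check on the returned ids is cheap and catches the case where a call "succeeds" without doing what the caller assumed.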