This bug was fixed in the package cron - 3.0pl1-133ubuntu1

---------------
cron (3.0pl1-133ubuntu1) eoan; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/control:
      + Move MTA to Suggests field.
    - d/cron.default: change to a deprecated message to make it clear
      that the file is no longer in use.
  * Dropped changes, no longer needed:
    - Drop upstart system jobs; transition completed as of 18.04.
    - Handle /etc/init.d/cron symlink → real file transition; completed
      as of 18.04.

cron (3.0pl1-133) unstable; urgency=medium

  * SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open
    If these files exist, then they must be readable by the user executing
    crontab(1). Users will now be denied by default if they aren't.
    (LP: #1813833)
  * SECURITY: Fix for possible DoS by use-after-free
    A user reported a use-after-free condition in the cron daemon, leading
    to a possible Denial-of-Service scenario by crashing the daemon.
    (Closes: #809167)
  * SECURITY: DoS: Fix unchecked return of calloc()
    Florian Weimer discovered that a missing check for the return value of
    calloc() could crash the daemon, which could be triggered by a very large
    crontab created by a user.
  * Enforce maximum crontab line count of 1000 to prevent a malicious user
    from creating an excessively large crontab. The daemon will log a warning
    for existing files, and crontab(1) will refuse to create new ones.
  * Add d/NEWS altering to the new 1000 lines limit.
  * Move /var/run/crond.reboot to /run/crond.reboot.
  * crontab.5: Reverse the info on tilde expansion. When setting PATH, most
    shells will not expand a tilde. Thanks, Tim Landscheidt, for the analysis.
    (Closes: #801328)
  * Fixes for numerous man page issues. Remove trailing whitespace, use proper
    escapes, etc. Thanks, Bjarni Ingi Gislason! (Closes: #893575, #893579)
  * crontab.1: Drop duplicate DIAGNOSTICS header.
  * daemon: Only support the 'x' debug option in debug builds.

cron (3.0pl1-132) unstable; urgency=medium

  [ Christian Kastner ]
  * postinst: Properly test for regular file
    cron.postinst checked for a regular file by parsing the stat output,
    instead of simply relying on test(1)
  * Mark package cron as Multi-Arch: foreign (Closes: #878363)

  [ Stéphane Blondon ]
  * Add forgotten '\n' to a line in the crontab header (Closes: #898119)

cron (3.0pl1-131) unstable; urgency=medium

  [ Boyuan Yang ]
  * debian/control:
    - Merge duplicated build-dependency entry for debhelper
    - Update Vcs-* fields and use git repo under Salsa Debian group
      (Closes: #913484)
    - Add dependency to sensible-utils (Closes: #913483)
  * debian/rules: Do not explicitly invoke dpkg-architecture for architecture
    variables. Instead we are now using /usr/share/dpkg/architecture.mk to
    provide them

  [ Bjarni Ingi Gislason ]
  * crontab.1: Some format fixes in the manual. (Closes: #893576)

  [ Christian Kastner ]
  * d/control:
    - Switch Build-Depends from debhelper to debhelper-compat
    - Add Rules-Requires-Root: no
      We don't need (fake)root for building the package
    - Drop ancient dpkg Pre-Depends and Breaks
      The versioned dependencies are older than oldoldstable
    - Bump debhelper compatibility level to 12
    - Switch to https in Homepage field
    - Bump Standards-Version to 4.3.0
    - binary package cron:
      + Add Pre-Depends: ${misc:Pre-Depends} for init-system-helpers
      + Switch cron MTA Recommends to default-mta | mail-transport-agent
        Recommend these virtual packages rather than specific MTAs
      + Move unqualified debhelper control files to from * to cron.*
  * Remove now obsolete d/compat
  * d/rules:
    - systemd sequence has been removed in compatibility level 11
    - Drop override_dh_compress
      Examples are no longer compressed in compatibility level 12
  * d/copyright:
    - Switch URL to official MRCF 1.0 policy
    - Ustream-Contact -> Upstream-Contact
  * Remove ancient cruft from maintainer scripts
    This cruft dealt with conffile tasks from before oldoldstable.
    As we don't provide a direct upgrade path from older releases, this is
    just maintenance overhead
  * Drop empty preinst maintainer script, as a result of the cruft removal
  * d/watch
    - Update to format version 4
    - Switch to https
  * Remove trailing whitespace from changelog
  * Remove trailing whitespace from debian/control

cron (3.0pl1-130) unstable; urgency=medium

  * debian/postinst: Do not do check if /var/spool/cron/crontabs if empty
    (Closes: 892720, 892721, 892724)
  * debian/cron.service:
    - Add dependency on nss-user-lookup.target in the definition which
      properly fixes the issues when cron is started before centralised
      user repositories are available (e.g. LDAP or Active Directory).
      This should avoid errors in syslog similar to the following:
      "crond[PID]: (CRON) bad username (/etc/cron.d/JOBNAME)"
      (Closes: #767016, #801384, #783665) (LP: #1593317)
    - Also remove Type=idle change added in previous upload, which was not
      the correct fix to apply.
    - Add automatic restart on failure (Closes: #834728)
  * debian/cron.init: Revert previous change - instead of adding $all, add
    sssd to the services that should be started/stopped before/after cron.
  * crontab.5:
    - Add improvements and fixes to manpage provided by Philip Hands
      (Closes: #792572)
    - Document that system wide defaults run from 6 am to 7 am.
      (Closes: #757191)
    - Document how asterisks are processed in dom and dow fields using
      patch provided by Christian Pekeler (Closes: #840601)
      Also see https://treats.wdt.io/cron-bug.html
  * debian/crontab.main, crontab.5: Add documentation comments similarly
    as to how Fedora / Red Hat Enterprise Linux documents (crontab package).
    This comments more descriptive and provides inexperienced users with
    a better understanding of the syntax. (Closes: #705570)

cron (3.0pl1-129) unstable; urgency=medium

  * Acknowledge NMU
  * debian/cron.init, debian/cron.service: Make sure cron is started last
    and stopped first, with patch provided by Harald Dunke
    (Closes: #767016, #801384, #783665) (LP: #1593317)
  * crontab.1: Document limitation due to account renaming as described in
    Ubuntu's bug 73398
  * crontab.5: Document the need to set the DISPLAY environment when running
    scheduled tasks that interact with the user's desktop environment
    (LP: #891869)
  * cron.8: Fix typo (Closes: 819832)
  * debian/control: Replace dh-systemd dependency with debhelper (lintian fix)
  * debian/README.Debian: Update maintainer address

  [ Christian Kastner ]
  * debian/postinst: Fix for CVE-2017-9525: group crontab to root escalation
    via postinst as described by Alexander Peslyak (Solar Designer) in
    http://www.openwall.com/lists/oss-security/2017/06/08/3
    (Closes: 864466)

 -- Steve Langasek
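
The first SECURITY entry for 3.0pl1-133 (LP: #1813833) states a fail-closed rule: a cron.allow or cron.deny file that exists but cannot be opened must deny the user rather than be treated as absent. The C code below is an added example of that rule, not code from cron or from this changelog. The names crontab_allowed, open_acl and listed are hypothetical, the file paths are passed in as parameters, and the "everyone allowed when neither file exists" default is an assumption.

```c
/* Added example, not cron's source: fail-closed cron.allow/cron.deny lookup. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum acl_state { ACL_ABSENT, ACL_OPENED, ACL_ERROR };

/* Tell "file does not exist" apart from every other open failure. */
static enum acl_state open_acl(const char *path, FILE **fp) {
    *fp = fopen(path, "r");
    if (*fp) return ACL_OPENED;
    return errno == ENOENT ? ACL_ABSENT : ACL_ERROR;
}

/* 1 if user appears alone on a line of fp; over-long lines never match. */
static int listed(FILE *fp, const char *user) {
    char line[256];
    int found = 0, at_start = 1;
    while (!found && fgets(line, sizeof line, fp)) {
        size_t n = strcspn(line, "\n");
        int complete = line[n] == '\n' || feof(fp);
        line[n] = '\0';
        found = at_start && complete && strcmp(line, user) == 0;
        at_start = complete;
    }
    return found;
}

/* 1 = user may run crontab, 0 = denied. */
int crontab_allowed(const char *user, const char *allow_path,
                    const char *deny_path) {
    FILE *allow = NULL, *deny = NULL;
    enum acl_state a = open_acl(allow_path, &allow);
    enum acl_state d = open_acl(deny_path, &deny);
    int ok;
    if (a == ACL_ERROR || d == ACL_ERROR) ok = 0; /* unopenable: deny */
    else if (a == ACL_OPENED) ok = listed(allow, user); /* allow list wins */
    else if (d == ACL_OPENED) ok = !listed(deny, user);
    else ok = 1; /* assumption: neither file exists, everyone allowed */
    if (allow) fclose(allow);
    if (deny) fclose(deny);
    return ok;
}

int main(void) {
    /* Hypothetical paths in the working directory, for a stand-alone run. */
    printf("%d\n", crontab_allowed("alice", "cron.allow", "cron.deny"));
    return 0;
}
```

Treating every fopen() failure as "no file" is what turns a permissions problem into an open policy; only ENOENT may fall through to the next rule.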