Please merge cron(3.0pl1-106)(main) from debian unstable(main)

Bug #376327 reported by Bhavani Shankar on 2009-05-14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cron (Ubuntu)

Bug Description

Binary package hint: cron

Debian has a new version to be merged

cron (3.0pl1-106) unstable; urgency=high

   * SECURITY UPDATE: cron does not check the return code of setgid() and
   initgroups(), which under certain circumstances could cause
   applications to run with elevated group privileges. Note that the more
   serious issue of not checking the return code of setuid() was fixed already
   in 3.0pl1-64. (Closes: #528434)
    - do_command.c: check return code of setgid() and initgroups()
    - This fixes (hopefully completely) CVE-2006-2607
   * crontab.c:
      - close the temporary file after it is edited and
        before calling cleanup_tmp_crontab() to behave properly on NFS
        mounted / (Closes: #413962)
      - if crontab is run without argument then it will read stdin to replace
        the users crontab. This way it is POSIXLY_CORRECT. More information at
        (Closes: #514062)
   * crontab.5 :
      - Add details about multiple recipients in MAILTO (LP: #235464)
        (Closes: #502650)
      - Indicate that it also reads environment from /etc/environment
      - Substitute ATT for AT&T (Closes: #405474)
   * Proper fix for PAM configuration to make cron read the system
     environment (Closes: #511684)
   * debian/cron.init:
       - Add support for 'status' in the init.d (Closes: #514721)
       - Use 'cron' instead of 'crond' (Closes: #497699)
   * Change lockfile-progs from Suggests: to Recommends: and remove wording
     related to dselect, which is no longer relevant (Closes: #452460, #468262)
   * Change the (outdated) wording of the description based on an example
     provided by Justin B Rye (Closes: 485452)
   * Change the postinst so that update-rc.d is only run if /etc/init.d/cron is
     executable (Closes: #500610)

 -- Javier Fernandez-Sanguino Pen~a <email address hidden> Wed, 13 May 2009 01:05:41 +0200

CVE References

Bhavani Shankar (bhavi) wrote :
Changed in cron (Ubuntu):
status: New → Confirmed
Daniel Holbach (dholbach) wrote :

Sorry, James Strandboge already merged this one.

Changed in cron (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers