Comment 5 for bug 46649

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cron - 3.0pl1-106ubuntu1

---------------
cron (3.0pl1-106ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/control: Depend on lsb-base >= 3.2-12ubuntu4
    - debian/control: Drop MTA and lockfile-args to Suggests
    - pathnames.h: use sensible-editor
  * New Debian release fixes LP: #46649

cron (3.0pl1-106) unstable; urgency=high

   * SECURITY UPDATE: cron does not check the return code of setgid() and
   initgroups(), which under certain circumstances could cause
   applications to run with elevated group privileges. Note that the more
   serious issue of not checking the return code of setuid() was fixed already
   in 3.0pl1-64. (Closes: #528434)
    - do_command.c: check return code of setgid() and initgroups()
    - This fixes (hopefully completely) CVE-2006-2607
   * crontab.c:
      - close the temporary file after it is edited and
        before calling cleanup_tmp_crontab() to behave properly on NFS
        mounted / (Closes: #413962)
      - if crontab is run without argument then it will read stdin to replace
        the user's crontab. This way it is POSIXLY_CORRECT. More information at
        http://www.opengroup.org/onlinepubs/9699919799/utilities/crontab.html
        (Closes: #514062)
   * crontab.5 :
      - Add details about multiple recipients in MAILTO (LP: #235464)
        (Closes: #502650)
      - Indicate that it also reads environment from /etc/environment
      - Substitute ATT for AT&T (Closes: #405474)
   * Proper fix for PAM configuration to make cron read the system
     environment (Closes: #511684)
   * debian/cron.init:
       - Add support for 'status' in the init.d (Closes: #514721)
       - Use 'cron' instead of 'crond' (Closes: #497699)
   * Change lockfile-progs from Suggests: to Recommends: and remove wording
     related to dselect, which is no longer relevant (Closes: #452460, #468262)
   * Change the (outdated) wording of the description based on an example
     provided by Justin B Rye (Closes: 485452)
   * Change the postinst so that update-rc.d is only run if /etc/init.d/cron is
     executable (Closes: #500610)

 -- Jamie Strandboge <email address hidden> Thu, 14 May 2009 09:53:08 -0500
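
The SECURITY UPDATE entry above turns on whether the return codes of initgroups() and setgid() are checked before a job runs. The C code below is an added example, not part of this Launchpad comment and not cron's do_command.c; it contrasts the unchecked pattern with a checked one. The names priv_ops, drop_unchecked, drop_checked and simulate, the stub functions, and the user "jobuser" with uid/gid 1000 are hypothetical and constructed so the failure paths run without root.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical call table so failure paths can be exercised without root. */
struct priv_ops {
    int (*initgroups)(const char *user, gid_t gid);
    int (*setgid)(gid_t gid);
    int (*setuid)(uid_t uid);
};
/* A real table would be { initgroups, setgid, setuid } from <grp.h>/<unistd.h>. */

enum drop_result { DROP_OK = 0, DROP_INITGROUPS, DROP_SETGID, DROP_SETUID };

/* Pattern the changelog describes before -106: only setuid() is checked. */
enum drop_result drop_unchecked(const struct priv_ops *o, const char *user, uid_t uid, gid_t gid)
{
    (void)o->initgroups(user, gid);
    (void)o->setgid(gid);
    return o->setuid(uid) != 0 ? DROP_SETUID : DROP_OK;
}

/* Checked form: groups, then gid, then uid; stop at the first failure. */
enum drop_result drop_checked(const struct priv_ops *o, const char *user, uid_t uid, gid_t gid)
{
    if (o->initgroups(user, gid) != 0) return DROP_INITGROUPS;
    if (o->setgid(gid) != 0) return DROP_SETGID;
    if (o->setuid(uid) != 0) return DROP_SETUID;
    return DROP_OK;
}

/* Constructed stubs: the call numbered fail_at (1..3) returns -1. */
static int fail_at, calls;
static int stub_ig(const char *u, gid_t g) { (void)u; (void)g; return ++calls == fail_at ? -1 : 0; }
static int stub_gid(gid_t g) { (void)g; return ++calls == fail_at ? -1 : 0; }
static int stub_uid(uid_t u) { (void)u; return ++calls == fail_at ? -1 : 0; }
static const struct priv_ops stub_ops = { stub_ig, stub_gid, stub_uid };

/* Run one variant against the stubs with a constructed user (uid/gid 1000). */
enum drop_result simulate(int checked, int step)
{
    fail_at = step; calls = 0;
    return (checked ? drop_checked : drop_unchecked)(&stub_ops, "jobuser", 1000, 1000);
}

int main(void)
{
    printf("setgid fails: unchecked=%d checked=%d\n", simulate(0, 2), simulate(1, 2));
    return 0;
}
```

When the stubbed setgid() fails, the unchecked variant still reports success, so a caller would go on to run the job with the parent's group identity, while the checked variant stops before setuid() is attempted.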