Conectiva Local Security Checks : Conectiva Security Advisory CLA-2003:628

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.51412

Kategorie: Conectiva Local Security Checks

Titel: Conectiva Security Advisory CLA-2003:628

Zusammenfassung: NOSUMMARY

Beschreibung: Description:

The remote host is missing updates announced in
advisory CLA-2003:628.

The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled
times.

The ISS X-Force team found a local vulnerability[1] in vixie-cron
that may allow users to obtain root privileges in a system running
it. The crontab utility, which is part of the vixie-cron package and
is suid root, is used by local users to schedule their jobs. Due to a
failure in the dropping of root privileges in certain circumstances,
it is possible for an attacker to gain root privileges by exploiting
this vulnerability.

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2001-0559 to this issue[2].

This update corrects this vulnerability and adds a fix[3] for a
problem regarding a leak of read-only file descriptors of the
/etc/cron.allow and /etc/cron.deny files to the users' text editor
during crontab modifications. Although these files are not
distributed with Conectiva Linux, the system administrator can create
them to restrict access to the cron service.

Conectiva Linux 6.0 users are also vulnerable to some buffer overflow
vulnerabilities[3] that can be exploited by local users. This update
also fixes these issues.

Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'

http://www.iss.net/security_center/static/6508.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559
http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=7852
http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:628
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003

Risk factor : High

CVSS Score:
7.2

Querverweis: BugTraq ID: 2687
Common Vulnerability Exposure (CVE) ID: CVE-2001-0559
http://www.securityfocus.com/bid/2687
Bugtraq: 20010507 Vixie cron vulnerability (Google Search)
http://www.securityfocus.com/archive/1/183029
Debian Security Information: DSA-054 (Google Search)
http://www.debian.org/security/2001/dsa-054
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-050.php3
SuSE Security Announcement: SuSE-SA:2001:17 (Google Search)
http://www.novell.com/linux/security/advisories/2001_017_cron_txt.html
XForce ISS Database: vixie-cron-gain-privileges(6508)
https://exchange.xforce.ibmcloud.com/vulnerabilities/6508

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.51412
Kategorie:	Conectiva Local Security Checks
Titel:	Conectiva Security Advisory CLA-2003:628
Zusammenfassung:	NOSUMMARY
Beschreibung:	Description: The remote host is missing updates announced in advisory CLA-2003:628. The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. The ISS X-Force team found a local vulnerability[1] in vixie-cron that may allow users to obtain root privileges in a system running it. The crontab utility, which is part of the vixie-cron package and is suid root, is used by local users to schedule their jobs. Due to a failure in the dropping of root privileges in certain circumstances, it is possible for an attacker to gain root privileges by exploiting this vulnerability. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2001-0559 to this issue[2]. This update corrects this vulnerability and adds a fix[3] for a problem regarding a leak of read-only file descriptors of the /etc/cron.allow and /etc/cron.deny files to the users' text editor during crontab modifications. Although these files are not distributed with Conectiva Linux, the system administrator can create them to restrict access to the cron service. Conectiva Linux 6.0 users are also vulnerable to some buffer overflow vulnerabilities[3] that can be exploited by local users. This update also fixes these issues. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://www.iss.net/security_center/static/6508.php http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559 http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=7852 http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:628 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003 Risk factor : High CVSS Score: 7.2
Querverweis:	BugTraq ID: 2687 Common Vulnerability Exposure (CVE) ID: CVE-2001-0559 http://www.securityfocus.com/bid/2687 Bugtraq: 20010507 Vixie cron vulnerability (Google Search) http://www.securityfocus.com/archive/1/183029 Debian Security Information: DSA-054 (Google Search) http://www.debian.org/security/2001/dsa-054 http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-050.php3 SuSE Security Announcement: SuSE-SA:2001:17 (Google Search) http://www.novell.com/linux/security/advisories/2001_017_cron_txt.html XForce ISS Database: vixie-cron-gain-privileges(6508) https://exchange.xforce.ibmcloud.com/vulnerabilities/6508
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com