Conectiva Local Security Checks : Conectiva Security Advisory CLA-2003:757

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.51467

Categoría: Conectiva Local Security Checks

Título: Conectiva Security Advisory CLA-2003:757

Resumen: NOSUMMARY

Descripción: Description:

The remote host is missing updates announced in
advisory CLA-2003:757.

The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled
times.

[Update 2003-Oct-03]
This advisory is an update for the CLSA-2003:628[] one. The packages
released for Conectiva Linux 8 (vixie-cron-3.0.1-50U80_1cl) did not
contain the corresponding fixes.

The ISS X-Force team found a local vulnerability[1] in vixie-cron
that may allow users to obtain root privileges in a system running
it. The crontab utility, which is part of the vixie-cron package and
is suid root, is used by local users to schedule their jobs. Due to a
failure in the dropping of root privileges in certain circumstances,
it is possible for an attacker to gain root privileges by exploiting
this vulnerability.

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2001-0559 to this issue[2].

This update corrects this vulnerability and adds a fix[3] for a
problem regarding a leak of read-only file descriptors of the
/etc/cron.allow and /etc/cron.deny files to the users' text editor
during crontab modifications. Although these files are not
distributed with Conectiva Linux, the system administrator can create
them to restrict access to the cron service.

Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'

http://www.iss.net/security_center/static/6508.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559
http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=7852
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000628&idioma=en
http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:757
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003

Risk factor : High

CVSS Score:
7.2

Referencia Cruzada: BugTraq ID: 2687
Common Vulnerability Exposure (CVE) ID: CVE-2001-0559
http://www.securityfocus.com/bid/2687
Bugtraq: 20010507 Vixie cron vulnerability (Google Search)
http://www.securityfocus.com/archive/1/183029
Debian Security Information: DSA-054 (Google Search)
http://www.debian.org/security/2001/dsa-054
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-050.php3
SuSE Security Announcement: SuSE-SA:2001:17 (Google Search)
http://www.novell.com/linux/security/advisories/2001_017_cron_txt.html
XForce ISS Database: vixie-cron-gain-privileges(6508)
https://exchange.xforce.ibmcloud.com/vulnerabilities/6508

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.51467
Categoría:	Conectiva Local Security Checks
Título:	Conectiva Security Advisory CLA-2003:757
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing updates announced in advisory CLA-2003:757. The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. [Update 2003-Oct-03] This advisory is an update for the CLSA-2003:628[] one. The packages released for Conectiva Linux 8 (vixie-cron-3.0.1-50U80_1cl) did not contain the corresponding fixes. The ISS X-Force team found a local vulnerability[1] in vixie-cron that may allow users to obtain root privileges in a system running it. The crontab utility, which is part of the vixie-cron package and is suid root, is used by local users to schedule their jobs. Due to a failure in the dropping of root privileges in certain circumstances, it is possible for an attacker to gain root privileges by exploiting this vulnerability. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2001-0559 to this issue[2]. This update corrects this vulnerability and adds a fix[3] for a problem regarding a leak of read-only file descriptors of the /etc/cron.allow and /etc/cron.deny files to the users' text editor during crontab modifications. Although these files are not distributed with Conectiva Linux, the system administrator can create them to restrict access to the cron service. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://www.iss.net/security_center/static/6508.php http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559 http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=7852 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000628&idioma=en http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:757 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003 Risk factor : High CVSS Score: 7.2
Referencia Cruzada:	BugTraq ID: 2687 Common Vulnerability Exposure (CVE) ID: CVE-2001-0559 http://www.securityfocus.com/bid/2687 Bugtraq: 20010507 Vixie cron vulnerability (Google Search) http://www.securityfocus.com/archive/1/183029 Debian Security Information: DSA-054 (Google Search) http://www.debian.org/security/2001/dsa-054 http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-050.php3 SuSE Security Announcement: SuSE-SA:2001:17 (Google Search) http://www.novell.com/linux/security/advisories/2001_017_cron_txt.html XForce ISS Database: vixie-cron-gain-privileges(6508) https://exchange.xforce.ibmcloud.com/vulnerabilities/6508
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com