English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 72151 CVE descriptions
and 38907 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.51467
Category:Conectiva Local Security Checks
Title:Conectiva Security Advisory CLA-2003:757
Summary:Conectiva Security Advisory CLA-2003:757
Description:
The remote host is missing updates announced in
advisory CLA-2003:757.

The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled
times.

[Update 2003-Oct-03]
This advisory is an update for the CLSA-2003:628[] one. The packages
released for Conectiva Linux 8 (vixie-cron-3.0.1-50U80_1cl) did not
contain the corresponding fixes.

The ISS X-Force team found a local vulnerability[1] in vixie-cron
that may allow users to obtain root privileges in a system running
it. The crontab utility, which is part of the vixie-cron package and
is suid root, is used by local users to schedule their jobs. Due to a
failure in the dropping of root privileges in certain circumstances,
it is possible for an attacker to gain root privileges by exploiting
this vulnerability.

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2001-0559 to this issue[2].

This update corrects this vulnerability and adds a fix[3] for a
problem regarding a leak of read-only file descriptors of the
/etc/cron.allow and /etc/cron.deny files to the users' text editor
during crontab modifications. Although these files are not
distributed with Conectiva Linux, the system administrator can create
them to restrict access to the cron service.


Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'

http://www.iss.net/security_center/static/6508.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559
http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=7852
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000628&idioma=en
http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:757
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003

Risk factor : High
Cross-Ref: BugTraq ID: 2687
Common Vulnerability Exposure (CVE) ID: CVE-2001-0559
Bugtraq: 20010507 Vixie cron vulnerability (Google Search)
http://www.securityfocus.com/archive/1/183029
Debian Security Information: DSA-054 (Google Search)
http://www.debian.org/security/2001/dsa-054
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-050.php3
SuSE Security Announcement: SuSE-SA:2001:17 (Google Search)
http://www.novell.com/linux/security/advisories/2001_017_cron_txt.html
http://www.securityfocus.com/bid/2687
XForce ISS Database: vixie-cron-gain-privileges(6508)
http://xforce.iss.net/static/6508.php
CopyrightCopyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 38907 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois

© 1998-2014 E-Soft Inc. All rights reserved.