Date: Sun, 2 Jan 2000 22:09:23 +0100 (MET)
From: Ole Pahl <op@pahl.net>
To: bugtraq@securityfocus.com, submission@rootshell.com, cert@cert.org, cert@cert.dfn.de, freebsd-bugs@freebsd.org, info@suse.de, paul@vix.com, info@vix.com
Subject: Bug in recent versions of Vixie cron - Sorry!
Message-ID: <Pine.LNX.4.05.10001022152440.12566-100000@muschel.global-phun.net>

The problem described in my previous message was already present in the BugTraq vulnerability database with a slightly different description considering this vulnerability a bug validating the user-specified MAILTO value. However, as Sendmail is executable by anyone, describing this bug as a missing setuid() before starting Sendmail makes a lot more sense.

Most Linux distribution vendors (including SuSE, RedHat and Debian) have prepared appropriate update packages, but I was unable to find a security advisory addressing this issue on www.freebsd.org although it could be reproduced on a FreeBSD 3.4-RC system (as already mentioned).

Information concerning other operating systems using Vixie cron is appreciated.

Regards,
Ole Pahl

--
Ole Pahl <op@pahl.net>       Hamburg / Germany       Fon: +49 40 7807 2601
PAHL.NET Network Solutions   Mail: info@pahl.net     Fax: +49 40 7807 2602

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
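
The fix the message argues for, giving up root for the job owner's identity before the mail program is started, shown as an added C example. It is not Vixie cron's code or any vendor's patch; drop_to_user, spawn_as and the /bin/sh stand-in for the mailer are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration (hypothetical helpers), not Vixie cron source.
 * Permanently become uid/gid. Returns 0 on success, -1 on any failure. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                  /* "dropping" to root is not a drop */
    /* Order matters: groups and gid first, while we can still change them. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0)
        return -1;                  /* root could be regained: treat as failure */
    return 0;
}

/* Fork, drop privileges in the child, exec argv[0]; exit status or -1. */
int spawn_as(uid_t uid, gid_t gid, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_user(uid, gid) != 0)
            _exit(126);             /* never exec with leftover privilege */
        execv(argv[0], argv);
        _exit(127);                 /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const argv[] = { "/bin/sh", "-c", "id", NULL }; /* mailer stand-in */
    return spawn_as(getuid(), getgid(), argv);
}
```

Run as root, main() exits with 126 because the helper refuses uid 0 as a target; a daemon would pass the job owner's uid and gid instead.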