Date: Sat, 23 Sep 1995 10:08:04 +0000 ()
From: Yen-Wei Liu <mighty.hoffmann@psi.wsl.sinica.edu.tw>
To: security@freebsd.org
Subject: cron 3.0pl1-20: URGENT SECURITY FIX (fwd) from Linux-security
Message-ID: <199509231008.KAA19544@psi.wsl.sinica.edu.tw>

Hi,

The following message comes from linux-security mailing list. Actually
this message just reminds me of two issues:

1) That mailing list has a fairly high traffic. Compared with it, FreeBSD
   security is much more silent. Does this mean FreeBSD is more secure, or
   Linux is more vulnerable? (Didn't mean to offend any OS.)

2) Is there anybody subscribing to the mailing list too? They have
   discussed several security issues, such as this cron vulnerability.
   Does FreeBSD suffer the same vulnerabilities as Linux does?

Yen-Wei Liu

Forwarded message:
> From owner-linux-security@tarsier.cv.nrao.edu Fri Sep 22 07:49:39 1995
> Date: Wed, 20 Sep 1995 20:43:25 -0500 (CDT)
> From: Aleph One <aleph1@dfw.net>
> To: linux-security@tarsier.cv.nrao.edu
> Subject: cron 3.0pl1-20: URGENT SECURITY FIX (fwd)
> Message-Id: <Pine.SUN.3.90.950920204255.15987A-100000@dfw.net>
> Mime-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Sender: owner-linux-security@tarsier.cv.nrao.edu
> Precedence: list
>
> Anyone know anything more?
>
> Aleph One / aleph1@dfw.net
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>
> ---------- Forwarded message ----------
> Date: Thu, 21 Sep 95 01:58 BST
> From: Ian Jackson <iwj10@cus.cam.ac.uk>
> To: Debian package announcements <debian-changes@pixar.com>
> Subject: cron 3.0pl1-20: URGENT SECURITY FIX
>
> There is a major security hole in cron 3.0pl1-19 and earlier, allowing
> any user to gain access to the `root' group. On many (most?) systems
> this will quickly allow them to gain superuser access.
>
> I am currently uploading cron-3.0pl1-20.deb using my 2400-baud modem.
> In the meantime, please disable your cron daemon:
>
>   # killall cron
>   # chmod 400 /usr/sbin/cron
>
> Ian M.: please replace the cron in the binary directory with this one
> immediately. The source will arrive tomorrow - my modem is too slow
> to get it uploaded today.
>
> If you download from Incoming, please check the file size - the binary
> package file is 27737 bytes.
>
> cron (3.0pl1-20); priority=URGENT
>
>   * cron now uses initgroups when running jobs. Bug#1400. AARGH!
>
>  -- Ian Jackson <iwj10@cus.cam.ac.uk>  Thu, 21 Sep 1995 01:44:11 +0100
>
> 169cec1ee4387c994798608385826363  cron-3.0pl1-20.deb
> e9b26cb21aac62dcee5d443ce6dd7ab4  cron-3.0pl1-20.diff.gz
> 29655e14fff95cd477f1b3775d85d8d2  cron-3.0pl1-20.tar.gz
> -rw-r--r--   1 root     root        27737 Sep 21 01:52 cron-3.0pl1-20.deb
> -rw-rw-r--   1 ian      ian         10093 Sep 21 01:50 cron-3.0pl1-20.diff.gz
> -rw-rw-r--   1 ian      ian         66738 Sep 21 01:50 cron-3.0pl1-20.tar.gz
>
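
Added example, not part of the original message and not taken from the cron source: the privilege drop that the changelog entry "cron now uses initgroups when running jobs" points at, in C, assuming the job runner previously changed only gid and uid so the job kept the daemon's supplementary groups. The names `drop_to_user`, `leaked_groups` and `MAX_GROUPS` are hypothetical, and the group IDs in `main` are constructed sample values.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes initgroups(), getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64       /* assumption: large enough for this example */

/* Count entries of have[] that are absent from allowed[]; non-zero = leak. */
int leaked_groups(const gid_t *have, int nhave, const gid_t *allowed, int nallowed)
{
    int leaked = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = 0;
        for (int j = 0; j < nallowed; j++)
            if (have[i] == allowed[j]) ok = 1;
        leaked += !ok;
    }
    return leaked;
}

/* Drop from root to pw before exec'ing a job: groups first, gid, uid last. */
int drop_to_user(const struct passwd *pw)
{
    gid_t allowed[MAX_GROUPS], have[MAX_GROUPS];
    int nallowed = MAX_GROUPS, nhave;

    if (getgrouplist(pw->pw_name, pw->pw_gid, allowed, &nallowed) < 0) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1; /* replaces root's list */
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* Verify rather than assume: nothing inherited from the daemon may remain. */
    nhave = getgroups(MAX_GROUPS, have);
    if (nhave < 0 || leaked_groups(have, nhave, allowed, nallowed) != 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1; /* root must be unrecoverable */
    return 0;
}

int main(void)
{
    /* Constructed sample: the daemon's groups vs. an unprivileged user's groups. */
    gid_t daemon_groups[] = {0, 1, 2}, user_groups[] = {1000, 100};
    printf("without initgroups: %d leaked\n", leaked_groups(daemon_groups, 3, user_groups, 2));
    printf("with initgroups:    %d leaked\n", leaked_groups(user_groups, 2, user_groups, 2));
    return 0;
}
```

A caller treats any non-zero return from `drop_to_user` as fatal and does not exec the job.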