-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 21 Mar 2019 20:43:10 +0100
Source: cron
Binary: cron
Architecture: source amd64
Version: 3.0pl1-127+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Javier Fernández-Sanguino Peña <jfs@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 cron       - process scheduling daemon
Closes: 809167
Changes:
 cron (3.0pl1-127+deb8u2) jessie-security; urgency=medium
 .
   [ Christian Kastner ]
   * SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open
     If these files exist, then they must be readable by the user executing
     crontab(1). Users will now be denied by default if they aren't.
     (LP: #1813833)
   * SECURITY: Fix for possible DoS by use-after-free
     A user reported a use-after-free condition in the cron daemon, leading
     to a possible Denial-of-Service scenario by crashing the daemon.
     (CVE-2019-9706) (Closes: #809167)
   * SECURITY: DoS: Fix unchecked return of calloc()
     Florian Weimer discovered that a missing check for the return value of
     calloc() could crash the daemon, which could be triggered by a very
     large crontab created by a user. (CVE-2019-9704)
   * Enforce maximum crontab line count of 1000 to prevent a malicious user
     from creating an excessively large crontab. The daemon will log a
     warning for existing files, and crontab(1) will refuse to create new
     ones. (CVE-2019-9705)
   * SECURITY: group crontab to root escalation via postinst as described by
     Alexander Peslyak (Solar Designer) in
     http://www.openwall.com/lists/oss-security/2017/06/08/3 (CVE-2017-9525)
   * Add d/NEWS alerting to the new 1000 lines limit.
 .
   [ Mike Gabriel ]
   * debian/NEWS: Fix <distribution> from unstable to jessie-security.