-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 29 Oct 2021 23:04:48 +0300
Source: cron
Binary: cron
Architecture: source
Version: 3.0pl1-128+deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: Javier Fernández-Sanguino Peña <jfs@debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Description:
 cron       - process scheduling daemon
Closes: 809167
Changes:
 cron (3.0pl1-128+deb9u2) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Christian Kastner ]
   * SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open
     If these files exist, then they must be readable by the user executing
     crontab(1). Users will now be denied by default if they aren't.
     (LP: #1813833)
   * SECURITY: Fix for possible DoS by use-after-free
     A user reported a use-after-free condition in the cron daemon, leading
     to a possible Denial-of-Service scenario by crashing the daemon.
     (CVE-2019-9706) (Closes: #809167)
   * SECURITY: DoS: Fix unchecked return of calloc()
     Florian Weimer discovered that a missing check for the return value of
     calloc() could crash the daemon, which could be triggered by a very
     large crontab created by a user. (CVE-2019-9704)
   * Enforce maximum crontab line count of 10000 to prevent a malicious user
     from creating an excessively large crontab. The daemon will log a
     warning for existing files, and crontab(1) will refuse to create new
     ones. (CVE-2019-9705)
   * SECURITY: group crontab to root escalation via postinst as described by
     Alexander Peslyak (Solar Designer) in
     http://www.openwall.com/lists/oss-security/2017/06/08/3 (CVE-2017-9525)
   * Add d/NEWS alerting to the new 10000 lines limit.
Checksums-Sha1:
 207db001fedf1d56c457b747edd44fc85af1645a 1964 cron_3.0pl1-128+deb9u2.dsc
 f8d00de4c7c0eae97bedb4a3ec10ea21d43ece84 59245 cron_3.0pl1.orig.tar.gz
 cee0591afb635b164126e87bf3815f3920294cb3 100473 cron_3.0pl1-128+deb9u2.diff.gz
Checksums-Sha256:
 7bacb25a665702d5dc68fa91d2026867c61ce4f8ee33303bf9e3c51db147dd38 1964 cron_3.0pl1-128+deb9u2.dsc
 d931e0688005dfa85cfdb60e19bf0a3848ebfa3ee3415bf2a6ea3ea9e5bcfd21 59245 cron_3.0pl1.orig.tar.gz
 a46ee89b66eb06ad11ae8a68cc97c0c52fa50ba4f3ef37302c84923025be9a2f 100473 cron_3.0pl1-128+deb9u2.diff.gz
Files:
 3a5aca62864ee1f053379d75fc609d63 1964 admin important cron_3.0pl1-128+deb9u2.dsc
 4c64aece846f8483daf440f8e3dd210f 59245 admin important cron_3.0pl1.orig.tar.gz
 5c1aec24f9071ecfffac1c43229c30f0 100473 admin important cron_3.0pl1-128+deb9u2.diff.gz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmF9MWMACgkQiNJCh6LY
mLGJNBAAsPKoehx5IiCl6Lnxk4mMX/8SiokJQoC7WjSwM5lExJwsGG3K8YwC4AyA
cBCLcg3LIaOzVRSNwOvnZwR6juawYf5jl/OuaNnAMHaDZ/mqcePbR4LgrvD63ET9
MF8WgJ2SEmgKCRbrpv74IrAbNR3j/mRZmbeKGE9p4Xlwx9I2lOAj1jcV8cMZyqCu
KEnAuLERWlwrvf2rcPoU5H0cUXkPQxT3YbZhjfL7N5zF9V0z7FmZkLN4ibKFsaFs
XxfDNXsA/0jibFeSWnZMS5Ptjq2BGsSVoY82tQSkf/btPcUs0/wYwIf3Br2N2H4I
eMGP6ZluHYc3mUEw+OjGdPA7+v00/rRpUE/JV0jxYXB61WL7Qq7lkjsCjJTb/ep/
faSTeeIE9e7shB96xfRZHVZJRwIlay/A7x1nCBnJiHBDeCLJLYTYJ3LFCFJcJuHx
0UahwqQF4HSM1pxVrmhgCCO6K8SidvyTn+mGS3JpKq/EvlMvSpUC0YFQSnk+dqTO
a36cv5on6nIZ4TIuvJoIIkzqzc2fX/4+aEWng4eqLzdHA9YSDXZTBVJBe0GD8b3l
OlR9Ntg4pigT1ag1L9I2FCmQPe6y2cXCYtpySbg0ecHvaAIrctXWqW/sb+nEC/y7
5RsoHTIT8SvidRL4AAEf9+hZB5jmU6NaGUHqre9RwjYwX229FLY=
=HMbp
-----END PGP SIGNATURE-----
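The first changelog entry (the /etc/cron.{allow,deny} bypass, LP: #1813833) turns on one distinction: a list file that does not exist versus a list file that exists but cannot be opened by the invoking user. The following is an added illustration of that fail-open versus fail-closed decision, not cron's source and not code from the Debian upload; the function names load_list(), decide() and allowed() are hypothetical, and the choice to allow everyone when neither file exists is an assumed site policy, not something this changelog states.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the access-control fix; not cron's source.
 * load_list(), decide() and allowed() are hypothetical names. */

typedef enum { LIST_PRESENT, LIST_ABSENT, LIST_UNREADABLE } list_state;

/* Scan a newline-separated list of user names.  The point of the fix is
 * that "no such file" (ENOENT) and "exists but cannot be opened" (for
 * example EACCES) must be reported as different states. */
static list_state load_list(const char *path, const char *user, int *listed)
{
    char line[256];
    FILE *fp;

    *listed = 0;
    fp = fopen(path, "r");
    if (fp == NULL)
        return errno == ENOENT ? LIST_ABSENT : LIST_UNREADABLE;
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, user) == 0) {
            *listed = 1;
            break;
        }
    }
    fclose(fp);
    return LIST_PRESENT;
}

/* Policy decision kept free of I/O so it can be exercised directly.
 * Returns 1 if the user may use crontab(1), 0 if not.  With fail_closed == 0
 * the legacy behaviour is reproduced: a list that could not be opened is
 * handled exactly like a list that does not exist, which is the bypass. */
int decide(list_state allow_st, int in_allow,
           list_state deny_st, int in_deny, int fail_closed)
{
    if (fail_closed &&
        (allow_st == LIST_UNREADABLE || deny_st == LIST_UNREADABLE))
        return 0;               /* file exists but is unreadable: deny */
    if (allow_st == LIST_PRESENT)
        return in_allow;        /* an allow list, when present, is authoritative */
    if (deny_st == LIST_PRESENT)
        return !in_deny;
    return 1;                   /* neither file exists: assumed "everyone" policy */
}

int allowed(const char *allow_path, const char *deny_path,
            const char *user, int fail_closed)
{
    int in_allow, in_deny;
    list_state a = load_list(allow_path, user, &in_allow);
    list_state d = load_list(deny_path, user, &in_deny);
    return decide(a, in_allow, d, in_deny, fail_closed);
}

int main(void)
{
    /* Constructed case: cron.allow exists but the user cannot open it,
     * cron.deny does not exist.  Legacy logic lets the user through. */
    printf("legacy: %s\n",
           decide(LIST_UNREADABLE, 0, LIST_ABSENT, 0, 0) ? "allowed" : "denied");
    printf("fixed:  %s\n",
           decide(LIST_UNREADABLE, 0, LIST_ABSENT, 0, 1) ? "allowed" : "denied");
    printf("this host, user nobody: %s\n",
           allowed("/etc/cron.allow", "/etc/cron.deny", "nobody", 1)
               ? "allowed" : "denied");
    return 0;
}
```

The same shape applies to any gatekeeper that consults an optional policy file: decide what each distinct failure of the open means before falling through to the "file is absent" branch, and make any failure you did not anticipate deny rather than allow.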
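The calloc() entry (CVE-2019-9704) and the 10000-line cap (CVE-2019-9705) are two halves of one hardening: refuse oversized input before it sizes an allocation, and never trust an allocation to succeed. The following is an added example of a crontab loader written that way; it is not cron's source and not the Debian patch. The names load_crontab(), free_lines() and make_crontab() are hypothetical, the cap value is the one the changelog names, and the sample input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The cap the changelog says crontab(1) now enforces. */
#define MAX_CRONTAB_LINES 10000

/* Constructed illustration, not cron's source: load_crontab(), free_lines()
 * and make_crontab() are hypothetical names. */

void free_lines(char **lines, size_t n)
{
    for (size_t i = 0; i < n; i++)
        free(lines[i]);
    free(lines);
}

/* Split crontab text into an array of NUL-terminated lines.
 * Returns the line count (caller releases it with free_lines()),
 * -1 if the text has more than max_lines lines, -2 on allocation failure.
 * The cap is checked before anything is allocated, so an oversized file
 * cannot drive the allocation size, and every allocation is checked. */
int load_crontab(const char *text, size_t max_lines, char ***out)
{
    size_t n = 0, i = 0, len = strlen(text);
    const char *p;
    char **lines;

    *out = NULL;
    for (p = text; (p = strchr(p, '\n')) != NULL; p++)
        if (++n > max_lines)
            return -1;
    if (len > 0 && text[len - 1] != '\n' && ++n > max_lines)
        return -1;                      /* an unterminated last line counts too */
    if (n == 0)
        return 0;

    lines = calloc(n, sizeof *lines);
    if (lines == NULL)                  /* the check that was missing */
        return -2;

    p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t l = nl ? (size_t)(nl - p) : strlen(p);
        lines[i] = malloc(l + 1);
        if (lines[i] == NULL) {
            free_lines(lines, i);       /* unwind what was built so far */
            return -2;
        }
        memcpy(lines[i], p, l);
        lines[i][l] = '\0';
        i++;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    *out = lines;
    return (int)i;
}

/* Constructed input: n copies of one harmless crontab entry. */
char *make_crontab(size_t n)
{
    static const char entry[] = "* * * * * /bin/true\n";
    const size_t el = sizeof entry - 1;
    char *buf = malloc(n * el + 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(buf + i * el, entry, el);
    buf[n * el] = '\0';
    return buf;
}

int main(void)
{
    char **lines;
    char *small = make_crontab(3);
    char *huge = make_crontab(MAX_CRONTAB_LINES + 1);
    int rc = load_crontab(small, MAX_CRONTAB_LINES, &lines);
    printf("3-line crontab: rc=%d\n", rc);
    if (rc > 0)
        free_lines(lines, (size_t)rc);
    printf("%d-line crontab: rc=%d (rejected before allocation)\n",
           MAX_CRONTAB_LINES + 1, load_crontab(huge, MAX_CRONTAB_LINES, &lines));
    free(small);
    free(huge);
    return 0;
}
```

Counting in a first pass costs one extra scan of the buffer, which is cheap next to the alternative of letting the line count become the allocation size; the daemon-side behaviour the changelog describes (warn on existing oversized files rather than refuse them) would be a caller's choice of what to do with a -1 result.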