Security Advisory Moderate: vixie-cron security update

Advisory: RHSA-2007:0345-3
Type: Security Advisory
Severity: Moderate
Issued on: 2007-05-17
Last updated on: 2007-05-17
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2007-1856

Details

Updated vixie-cron packages that fix a denial of service issue are now
available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled times.

Raphael Marichez discovered a denial of service bug in the way vixie-cron
verifies crontab file integrity. A local user with the ability to create a
hardlink to /etc/crontab can prevent vixie-cron from executing certain
system cron jobs. (CVE-2007-1856)
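
A defender-side check for the condition described above, added here and not part of Red Hat's advisory or the vixie-cron source: it reports whether a crontab file has more than one hard link and lists the other names that share its inode. The function names and the search root are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a crontab file for extra hard links.
# Uses POSIX ls/awk plus find's -samefile test (GNU and BSD findutils).

# link_count FILE -> prints the number of names (hard links) FILE's inode has.
# The second field of "ls -l" output is the link count.
link_count() {
    ls -ldn -- "$1" | awk '{print $2}'
}

# other_links FILE ROOT -> prints every other path under ROOT that shares
# FILE's inode. -xdev keeps the scan on one filesystem, which is sufficient
# because hard links cannot cross filesystems.
other_links() {
    find "$2" -xdev -samefile "$1" ! -path "$1" 2>/dev/null
}

# audit_crontab FILE ROOT
#   returns 0 if FILE has exactly one name,
#           1 if extra hard links exist (and lists them),
#           2 if FILE is missing, a symlink, or not a regular file.
audit_crontab() {
    file=$1
    root=$2
    [ -f "$file" ] && [ ! -L "$file" ] || {
        echo "cannot audit: $file" >&2
        return 2
    }
    n=$(link_count "$file") || return 2
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $file has $n hard links; other names:"
        other_links "$file" "$root"
        return 1
    fi
    echo "OK: $file has a single hard link"
    return 0
}

# Typical use on a host (the search root "/" is an assumption; narrowing it
# to the filesystem that holds /etc keeps the scan short):
#   audit_crontab /etc/crontab /
```

Run it as root so that find can descend into directories unprivileged users cannot read.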

All users of vixie-cron should upgrade to these updated packages, which
contain a backported patch to correct this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
vixie-cron-4.1-19.EL3.src.rpm
File outdated by:  RHBA-2007:1001
    7c765917fa13d34ca705284d0a51d16e
 
IA-32:
vixie-cron-4.1-19.EL3.i386.rpm
File outdated by:  RHBA-2007:1001
    ea525e4a8c8dc818b9e113c02a7e4c48
 
x86_64:
vixie-cron-4.1-19.EL3.x86_64.rpm
File outdated by:  RHBA-2007:1001
    c2440f24a81ded632ef8ce71c5f379a6
 
Red Hat Desktop (v. 4)

SRPMS:
vixie-cron-4.1-47.EL4.src.rpm
File outdated by:  RHBA-2008:0115
    c963050603bd83341aa5512719bcd6e1
 
IA-32:
vixie-cron-4.1-47.EL4.i386.rpm
File outdated by:  RHBA-2008:0115
    e50b7208f6e67ef36a941a9d53dd4ecd
 
x86_64:
vixie-cron-4.1-47.EL4.x86_64.rpm
File outdated by:  RHBA-2008:0115
    9cdec79f5fd5c4daaec883aa70bb6432
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
vixie-cron-4.1-70.el5.src.rpm
File outdated by:  RHBA-2007:0564
    91b16cc530bd52916de05ebf3a291ec3
 
IA-32:
vixie-cron-4.1-70.el5.i386.rpm
File outdated by:  RHBA-2007:0564
    bf66188eda08c4e4410854a118448fce
 
IA-64:
vixie-cron-4.1-70.el5.ia64.rpm
File outdated by:  RHBA-2007:0564
    4bd5c5c644d7cae8a7a35ee8a8db1fe3
 
PPC:
vixie-cron-4.1-70.el5.ppc.rpm
File outdated by:  RHBA-2007:0564
    ccd2a860b388dcf0b8174ac301813692
 
s390x:
vixie-cron-4.1-70.el5.s390x.rpm
File outdated by:  RHBA-2007:0564
    308a141f06dcf269d3fcbf80d464cd9d
 
x86_64:
vixie-cron-4.1-70.el5.x86_64.rpm
File outdated by:  RHBA-2007:0564
    2d9c6bdffb703c8ecdfb5bbac74a193e
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
vixie-cron-4.1-19.EL3.src.rpm
File outdated by:  RHBA-2007:1001
    7c765917fa13d34ca705284d0a51d16e
 
IA-32:
vixie-cron-4.1-19.EL3.i386.rpm
File outdated by:  RHBA-2007:1001
    ea525e4a8c8dc818b9e113c02a7e4c48
 
IA-64:
vixie-cron-4.1-19.EL3.ia64.rpm
File outdated by:  RHBA-2007:1001
    dbd7433ff15f0aaf005cd1bbed789112
 
PPC:
vixie-cron-4.1-19.EL3.ppc.rpm
File outdated by:  RHBA-2007:1001
    097b5ff35bfae9dc80600b1c5c625b28
 
s390:
vixie-cron-4.1-19.EL3.s390.rpm
File outdated by:  RHBA-2007:1001
    825a473c9476f6c4c0998c9b37c87584
 
s390x:
vixie-cron-4.1-19.EL3.s390x.rpm
File outdated by:  RHBA-2007:1001
    a69ee247f2c81ef9baa7636c8f695ab5
 
x86_64:
vixie-cron-4.1-19.EL3.x86_64.rpm
File outdated by:  RHBA-2007:1001
    c2440f24a81ded632ef8ce71c5f379a6
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
vixie-cron-4.1-47.EL4.src.rpm
File outdated by:  RHBA-2008:0115
    c963050603bd83341aa5512719bcd6e1
 
IA-32:
vixie-cron-4.1-47.EL4.i386.rpm
File outdated by:  RHBA-2008:0115
    e50b7208f6e67ef36a941a9d53dd4ecd
 
IA-64:
vixie-cron-4.1-47.EL4.ia64.rpm
File outdated by:  RHBA-2008:0115
    2a8acdc3387f80b88b05d3caf37494b4
 
PPC:
vixie-cron-4.1-47.EL4.ppc.rpm
File outdated by:  RHBA-2008:0115
    68741ea68b37363dc302345cc3bf2209
 
s390:
vixie-cron-4.1-47.EL4.s390.rpm
File outdated by:  RHBA-2008:0115
    4bcc729825cd7622cc9cf2ce317f641f
 
s390x:
vixie-cron-4.1-47.EL4.s390x.rpm
File outdated by:  RHBA-2008:0115
    903f1dbd19ee18070d02b659d8d8ba83
 
x86_64:
vixie-cron-4.1-47.EL4.x86_64.rpm
File outdated by:  RHBA-2008:0115
    9cdec79f5fd5c4daaec883aa70bb6432
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
vixie-cron-4.1-70.el5.src.rpm
File outdated by:  RHBA-2007:0564
    91b16cc530bd52916de05ebf3a291ec3
 
IA-32:
vixie-cron-4.1-70.el5.i386.rpm
File outdated by:  RHBA-2007:0564
    bf66188eda08c4e4410854a118448fce
 
x86_64:
vixie-cron-4.1-70.el5.x86_64.rpm
File outdated by:  RHBA-2007:0564
    2d9c6bdffb703c8ecdfb5bbac74a193e
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
vixie-cron-4.1-19.EL3.src.rpm
File outdated by:  RHBA-2007:1001
    7c765917fa13d34ca705284d0a51d16e
 
IA-32:
vixie-cron-4.1-19.EL3.i386.rpm
File outdated by:  RHBA-2007:1001
    ea525e4a8c8dc818b9e113c02a7e4c48
 
IA-64:
vixie-cron-4.1-19.EL3.ia64.rpm
File outdated by:  RHBA-2007:1001
    dbd7433ff15f0aaf005cd1bbed789112
 
x86_64:
vixie-cron-4.1-19.EL3.x86_64.rpm
File outdated by:  RHBA-2007:1001
    c2440f24a81ded632ef8ce71c5f379a6
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
vixie-cron-4.1-47.EL4.src.rpm
File outdated by:  RHBA-2008:0115
    c963050603bd83341aa5512719bcd6e1
 
IA-32:
vixie-cron-4.1-47.EL4.i386.rpm
File outdated by:  RHBA-2008:0115
    e50b7208f6e67ef36a941a9d53dd4ecd
 
IA-64:
vixie-cron-4.1-47.EL4.ia64.rpm
File outdated by:  RHBA-2008:0115
    2a8acdc3387f80b88b05d3caf37494b4
 
x86_64:
vixie-cron-4.1-47.EL4.x86_64.rpm
File outdated by:  RHBA-2008:0115
    9cdec79f5fd5c4daaec883aa70bb6432
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
vixie-cron-4.1-19.EL3.src.rpm
File outdated by:  RHBA-2007:1001
    7c765917fa13d34ca705284d0a51d16e
 
IA-32:
vixie-cron-4.1-19.EL3.i386.rpm
File outdated by:  RHBA-2007:1001
    ea525e4a8c8dc818b9e113c02a7e4c48
 
IA-64:
vixie-cron-4.1-19.EL3.ia64.rpm
File outdated by:  RHBA-2007:1001
    dbd7433ff15f0aaf005cd1bbed789112
 
x86_64:
vixie-cron-4.1-19.EL3.x86_64.rpm
File outdated by:  RHBA-2007:1001
    c2440f24a81ded632ef8ce71c5f379a6
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
vixie-cron-4.1-47.EL4.src.rpm
File outdated by:  RHBA-2008:0115
    c963050603bd83341aa5512719bcd6e1
 
IA-32:
vixie-cron-4.1-47.EL4.i386.rpm
File outdated by:  RHBA-2008:0115
    e50b7208f6e67ef36a941a9d53dd4ecd
 
IA-64:
vixie-cron-4.1-47.EL4.ia64.rpm
File outdated by:  RHBA-2008:0115
    2a8acdc3387f80b88b05d3caf37494b4
 
x86_64:
vixie-cron-4.1-47.EL4.x86_64.rpm
File outdated by:  RHBA-2008:0115
    9cdec79f5fd5c4daaec883aa70bb6432
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

223662 - crond failed "Days of week" after a few hours on 1st/Jan
235880 - CVE-2007-1856 crontab denial of service


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/