| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 May 2006 16:12:30 -0400
From: "Justin M. Forbes" <jmforbes@...th.com>
To: security-announce@...ts.rpath.com, update-announce@...ts.rpath.com
Cc: lwn@....net, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: rPSA-2006-0082-2 vixie-cron
rPath Security Advisory: 2006-0082-2
Published: 2006-05-25
Updated:
2006-05-25 Reference the assigned CVE number
Products: rPath Linux 1
Rating: Critical
Exposure Level Classification:
Local Root Deterministic Privilege Escalation
Updated Versions:
vixie-cron=/conary.rpath.com@rpl:devel//1/4.1-5.2-1
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2607
http://bugs.rpath.com/show_bug.cgi?id=1166
Description:
In previous versions of the vixie-cron package, when the
/etc/security/limits.conf file has been set up with limits for
any user, and that user has permission to use the cron facility,
that user can use vixie-cron to run arbitrary programs as root by
exceeding the limits set in /etc/security/limits.conf.
By default, rPath Linux does not include any limits configured
in the /etc/security/limits.conf file. The /etc/security/limits.conf
file is provided by the pam:data component, so to determine whether
it has been changed in any way, run the command:
# conary verify pam:data | grep /etc/security/limits.conf
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists