Accepted cron 3.0pl1-127+deb8u2 (source amd64) into oldstable
Format: 1.8
Date: Thu, 21 Mar 2019 20:43:10 +0100
Source: cron
Binary: cron
Architecture: source amd64
Version: 3.0pl1-127+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Javier Fernández-Sanguino Peña <jfs@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
cron - process scheduling daemon
Closes: 809167
Changes:
cron (3.0pl1-127+deb8u2) jessie-security; urgency=medium
.
[ Christian Kastner ]
* SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open
If these files exist, then they must be readable by the user executing
crontab(1). Users will now be denied by default if they aren't.
(LP: #1813833)
* SECURITY: Fix for possible DoS by use-after-free
A user reported a use-after-free condition in the cron daemon, leading to a
possible Denial-of-Service scenario by crashing the daemon.
(CVE-2019-9706) (Closes: #809167)
* SECURITY: DoS: Fix unchecked return of calloc()
Florian Weimer discovered that a missing check for the return value of
calloc() could crash the daemon, which could be triggered by a very
large crontab created by a user. (CVE-2019-9704)
* Enforce maximum crontab line count of 1000 to prevent a malicious user
from creating an excessively large crontab. The daemon will log a warning
for existing files, and crontab(1) will refuse to create new ones.
(CVE-2019-9705)
* SECURITY: group crontab to root escalation
via postinst as described by Alexander Peslyak (Solar Designer) in
http://www.openwall.com/lists/oss-security/2017/06/08/3
(CVE-2017-9525)
* Add d/NEWS alerting to the new 1000 lines limit.
.
[ Mike Gabriel ]
* debian/NEWS: Fix <distribution> from unstable to jessie-security.
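The first entry above describes a fail-open check: a cron.allow or cron.deny file that existed but could not be opened was treated as absent, so the decision fell through to "allow". The following is an added illustration of the fail-closed logic the fix describes; it is not cron's source, the file paths are parameters, and the "allow everyone when neither file exists" default is an assumption taken from Debian's documented behaviour.

```c
/* Added example, not cron's own code: a fail-closed version of the
 * cron.allow / cron.deny decision the changelog describes. The fixed bug
 * treated a file that exists but cannot be opened like a missing file,
 * so the check fell through to "allow"; here any such failure denies.
 * Paths are parameters so the logic can be run against constructed files. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_USER 64

/* 1 if `user` is a line in `path`, 0 if not, -1 if the file could not be read. */
static int user_listed(const char *path, const char *user)
{
    FILE *fp = fopen(path, "r");
    if (!fp)
        return -1;
    char line[MAX_USER + 2];
    int found = 0;
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\n")] = '\0';
        if (strcmp(line, user) == 0) { found = 1; break; }
    }
    int err = ferror(fp);   /* e.g. EISDIR when the "file" is a directory */
    fclose(fp);
    return err ? -1 : found;
}

/* Helper for the demo: write a one-user-per-line list; 0 on success. */
int write_list(const char *path, const char *contents)
{
    FILE *fp = fopen(path, "w");
    if (!fp)
        return -1;
    int ok = fputs(contents, fp) >= 0;
    return fclose(fp) == 0 && ok ? 0 : -1;
}

/* Returns 1 if `user` may use crontab, 0 if denied.
 * Assumption (Debian default): with neither file present, all users are allowed. */
int cron_access(const char *allow_path, const char *deny_path, const char *user)
{
    if (access(allow_path, F_OK) == 0)            /* allow file exists */
        return user_listed(allow_path, user) == 1; /* unlisted or unreadable: deny */
    if (access(deny_path, F_OK) == 0)             /* only deny file exists */
        return user_listed(deny_path, user) == 0;  /* listed or unreadable: deny */
    return 1;
}
```

Pointing `allow_path` at an existing directory reproduces the "exists but cannot be read" condition without needing a second user account: the pre-fix logic would have allowed, this version denies.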