UbuntuUpdates.org

Package "cron"

Name: cron

Description:

process scheduling daemon
Latest version: 3.0pl1-128.1ubuntu1.2
Release: bionic (18.04)
Level: updates
Repository: main
Homepage: http://ftp.isc.org/isc/cron/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "cron"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "cron" in Bionic

Repository Area Version
base main 3.0pl1-128.1ubuntu1
security main 3.0pl1-128.1ubuntu1.2

Changelog

Version: 3.0pl1-128.1ubuntu1.2 2022-05-11 01:06:25 UTC

  cron (3.0pl1-128.1ubuntu1.2) bionic-security; urgency=medium

  * SECURITY REGRESSION: CVE-2017-9525 regression (LP: #1971895)
    - debian/postinst: add tab_name emptiness check
    - https://salsa.debian.org/debian/cron/-/commit/23047851

 -- Rodrigo Figueiredo Zaiden <email address hidden> Tue, 10 May 2022 17:59:19 -0300
Source diff to previous version
1971895 Warning messages from stat printed on installation with no user crontabs
CVE-2017-9525 In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to

Version: 3.0pl1-128.1ubuntu1.1 2022-05-05 15:06:23 UTC

  cron (3.0pl1-128.1ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: privilege escalation in postinst script
    - Add sanity checks over the entries in spool directory and
      set up owner and group accordingly in debian/postinst
    - CVE-2017-9525
  * SECURITY UPDATE: denial of service via large file
    - Add sanity check in case of running out of memory when
      parsing the file in entry.c
    - CVE-2019-9704
  * SECURITY UPDATE: denial of service via large file
    - Add sanity check to ensure that no more than 1000 lines of
      length are allowed in crontabs in cron.h, crontab.c and
      user.c.
    - CVE-2019-9705
  * SECURITY UPDATE: denial of service by use-after-free
    - Add return values when there is no memory available
      in database.c
    - CVE-2019-9706

 -- David Fernandez Gonzalez <email address hidden> Fri, 29 Apr 2022 11:16:53 +0200
CVE-2017-9525 In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to
CVE-2019-9704 Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the c
CVE-2019-9705 Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because
CVE-2019-9706 Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_


About   -   Send Feedback to @ubuntu_updates