On Thu, 04 Mar 2010, Moritz Muehlenhoff wrote:
> Package: fcron
> Severity: important
> Tags: security
>
> The following was posted to full-disclosure. Since Debian's fcron
> package seems to use a fcron system group (correct me if I'm
> wrong) we don't need to fix this in a DSA. Feel free to update
> this in a point release, though.

We need to forward-port SELinux support to 3.0.5 in order to package it, and
preferably get that stuff upstream once and for all :(

> unauthorized files. On systems where fcrontab is installed with its
> own "fcron" group, this allows an attacker to read other non-root
> users' crontabs and fcron configuration files. On systems where

Debian runs fcrontab suid "fcron", sgid "fcron", so it boils down to loss of
privacy on fcron config and fcrontabs.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh