Re: Debian not vulnerable to recent cron buffer overflow

[joey () FINLANDIA INFODROM NORTH DE (Martin Schulze)]

Marc Merlin wrote:
> On Thu, Aug 26, 1999 at 09:47:22AM -0700, Aleph One wrote:
> > ----------------------------------------------------------------------------
> > Debian Security Advisory                                 security () debian org
> > http://www.debian.org/security/                               Martin Schulze
> > August 26, 1999
> > ----------------------------------------------------------------------------
> >
> > Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
> > covering a buffer overflow in the vixie cron package.  Debian has
> > discovered this bug two years ago and fixed it.  Therefore versions in
> > both, the stable and the unstable, distributions of Debian are not
> > vulnerable to this problem..
>
> Does anyone know  if Debian never sent the  fix to Paul Vixie, or  if it was
> sent and Paul "missed it"?
>
> Even in the second case, unless Paul repeatedly refused the patch, it'd have
> been  nice  for the  Debian  maintainer  to make  sure  that  the patch  was
> incorporated in the main source code, not just in Debian...

The upstream source of Vixie Cron hasn't been maintained for years.
I remember working on the same code before I joined Debian, trying
to send him patches.

The patch wasn't hidden, Caldera knew it and Caldera immediately
reacted to the advisory from Red Hat, stating that it's an old
- and fixed - bug.

Regards,

        Joey

--
The good thing about standards is that there are so many to choose from.
        -- Andrew S. Tanenbaum