Bugtraq mailing list archives
Re: Debian not vulnerable to recent cron buffer overflow
From: peter () NETPLEX COM AU (Peter Wemm)
Date: Wed, 1 Sep 1999 15:25:52 +0800
Marc Merlin wrote: [..]
Red Hat has recently released a Security Advisory (RHSA-1999:030-01) covering a buffer overflow in the vixie cron package. Debian has discovered this bug two years ago and fixed it. Therefore versions in both, the stable and the unstable, distributions of Debian are not vulnerable to this problem..Does anyone know if Debian never sent the fix to Paul Vixie, or if it was sent and Paul "missed it"?
I'm not sure what or how it happened, but in FreeBSD at least this problem was solved differently, and quite some time ago. FreeBSD's cron doesn't supply the arguments to sendmail, it uses sendmail -t and prints the recipient name in the To: header, letting sendmail decide if it's a valid recipient address or not. revision 1.3 date: 1995/04/14 21:54:16; author: ache; state: Exp; lines: +3 -2 Fix MAILTO hole by passing -t to sendmail Submitted by: Mike Pritchard <pritc003 () maroon tc umn edu> Cheers, -Peter -- Peter Wemm - peter () FreeBSD org; peter () yahoo-inc com; peter () netplex com au
Current thread:
- Re: Debian not vulnerable to recent cron buffer overflow Peter Wemm (Sep 01)
- <Possible follow-ups>
- Re: Debian not vulnerable to recent cron buffer overflow Ethan King (Sep 03)