RHEL 4 : vixie-cron (RHSA-2006:0539)
High Nessus Plugin ID 22043
SynopsisThe remote Red Hat host is missing a security update.
DescriptionUpdated vixie-cron packages that fix a privilege escalation issue are now available.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times.
A privilege escalation flaw was found in the way Vixie Cron runs programs; vixie-cron does not properly verify an attempt to set the current process user id succeeded. It was possible for a malicious local users who exhausted certain limits to execute arbitrary commands as root via cron. (CVE-2006-2607)
All users of vixie-cron should upgrade to these updated packages, which contain a backported patch to correct this issue.
SolutionUpdate the affected vixie-cron package.