USN-5259-3: Cron regression
11 May 2022
USN-5259-1 and USN-5259-2 introduced a regression in Cron.
Releases
Packages
- cron - process scheduling daemon
Details
USN-5259-1 and USN-5259-2 fixed vulnerabilities in Cron. Unfortunately
that update was incomplete and could introduce a regression. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the postinst maintainer script in Cron unsafely
handled file permissions during package install or update operations.
An attacker could possibly use this issue to perform a privilege
escalation attack. (CVE-2017-9525)
Florian Weimer discovered that Cron incorrectly handled certain memory
operations during crontab file creation. An attacker could possibly use
this issue to cause a denial of service. (CVE-2019-9704)
It was discovered that Cron incorrectly handled user input during crontab
file creation. An attacker could possibly use this issue to cause a denial
of service. (CVE-2019-9705)
It was discovered that Cron contained a use-after-free vulnerability in
its force_rescan_user function. An attacker could possibly use this issue
to cause a denial of service. (CVE-2019-9706)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04
Ubuntu 16.04
-
cron
-
3.0pl1-128ubuntu2+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.