On Fri, Nov 17, 2000 at 06:24:33AM -0900, Ethan Benson wrote:
>
> On Fri, Nov 17, 2000 at 07:54:26AM -0600, An Thi-Nguyen Le wrote:
> > On Fri, Nov 17, 2000 at 03:46:19AM -0900, Ethan Benson typed:
> > } On Fri, Nov 17, 2000 at 12:36:54PM +0000, thomas lakofski wrote:
> > } > fyi -- i've not tried it.
> > }
> > } i have, it does not work, i tried several different variations and
> > } failed to create any files in /var/spool/cron.
> > }
> > } i do not believe debian is vulnerable.
> >
> > Wrong, we *are* vulnerable. Take a look /var/spool/cron/crontabs
> > instead.
>
> ah, your right, however this is not exploitable since
> /var/spool/cron/crontabs is mode 700.
>
> still should be fixed though.
Wrong again :) In most clean Debian installs it is not mode 0700.
There will be a security advisory shortly.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| [EMAIL PROTECTED] | | [EMAIL PROTECTED] |
\--------------------------------/ \--------------------------------/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
