Raphael Marichez of Gentoo reported a denial of service flaw in vixie-cron. By creating a hardlink to /etc/crontab, cron will stop executing the /etc/crontab file and deposit an error message in /var/log/cron.

This can be easily tested by running:

    ln /etc/crontab /tmp/crontab
    tail -f /var/log/cron

Here is the patch from Open Wall Linux:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/vixie-cron/vixie-cron-4.1.20060426-owl-st_nlink.diff?rev=1.1;content-type=text%2Fplain

This flaw also affects RHEL 3 and 4.
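The condition described in the report above can be checked from the administrator's side. This is an added example, not part of the original report or of the vixie-cron patch: it flags cron tables whose hard-link count is above 1 and lists the other names of the same file. The function names and the ROOT argument (a directory on the same filesystem as the file being checked) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): flag cron tables whose hard-link
# count is above 1, the condition that makes the affected cron skip the file.

# link_count FILE -> prints the link count of FILE
# (second field of `ls -ld`; -L resolves a symlink to its target first)
link_count() {
    ls -ldL -- "$1" | awk '{print $2}'
}

# report_extra_links ROOT FILE...
# For every regular FILE with more than one link, print
#   "<file>: <n> links" followed by the other names found under ROOT.
# ROOT is an assumption of this example: a directory on the same filesystem
# as FILE, since hard links cannot cross filesystems.
# Returns 1 if any file was flagged, 0 otherwise.
report_extra_links() {
    root=$1; shift
    flagged=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$(link_count "$f")
        [ "$n" -gt 1 ] || continue
        flagged=1
        printf '%s: %s links\n' "$f" "$n"
        # -samefile compares device and inode (supported by GNU and BSD find)
        find "$root" -xdev -samefile "$f" ! -path "$f" -print 2>/dev/null |
            sed 's/^/  also linked as: /'
    done
    return "$flagged"
}

# Usage: report_extra_links / /etc/crontab
```

A non-zero return from a scheduled run of this check is a cue to look in /var/log/cron for the error message mentioned in the report.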
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
vixie-cron-4.1-68 was built to solve this issue.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0345.html