Red Hat Bugzilla – Bug 5616
vixie-cron exploit, revisited
Last modified: 2008-05-01 11:37:52 EDT
I hope this has not already been fixed, because I would
feel like an idiot.
I just upgraded my vixie-cron package from the standard
5.2 install version (I'm sorry, I don't have the version
number handy) to vixie-cron-3.0.1-37. Supposedly, the
recently-released exploit(s) for this have been fixed.
The "Michal Zalewski" exploit still works, and works
perfectly on this release of vixie-cron.
This was the latest version on updates.redhat.com that I
It handed me a rootshell within about 20 seconds. I
thought that this vulnerability was fixed?

Did you restart the cron daemon after upgrading to the errata

After further review, the -37 package is OK.