I hope this has not already been fixed, because I would feel like an idiot. I just upgraded my vixie-cron package from the standard 5.2 install version (I'm sorry, I don't have the version number handy) to vixie-cron-3.0.1-37. Supposedly, the recently-released exploit(s) for this have been fixed. The "Michal Zalewski" exploit still works, and works perfectly on this release of vixie-cron. This was the latest version on updates.redhat.com that I saw. It handed me a root shell within about 20 seconds. I thought that this vulnerability was fixed?
Benny
Did you restart the cron daemon after upgrading to the errata package?
After further review, the -37 package is OK.