Updated vixie-cron packages that fix a privilege escalation issue are now
This update has been rated as having important security impact by the CentOS
Security Response Team.
The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled times.
A privilege escalation flaw was found in the way Vixie Cron runs programs;
vixie-cron does not properly verify an attempt to set the current process
user id succeeded. It was possible for a malicious local users who
exhausted certain limits to execute arbitrary commands as root via cron.
All users of vixie-cron should upgrade to these updated packages, which
contain a backported patch to correct this issue.