code [3] in our own cron fork (based on the 3.0 codebase, not the 4.1) I'm inclined to think that the CVE reference is not correct and our cron package is NOT affected.

The problem seems to be related to the fact that in version 4.1, after copying the crontab to the temporary file, the utime is modified and set to 0 (as root).

However, in version 3, the utime is not modified but, rather, the utime of the temporary file is obtained when the temporary file with the crontab is generated and then compared with the utime of the crontab temporary file *after* being edited to determine if something has changed. Consequently, there is no operation there (no call to utime()) which could be abused before cron drops its privileges to call the editor.

I would say that Debian is not affected by this issue, although I would appreciate it if somebody could review the code and ratify that this is correct.

Regards

Javier

[1] http://security-tracker.debian.org/tracker/CVE-2010-0424
[2] http://git.fedorahosted.org/git/cronie.git?p=cronie.git;a=commitdiff;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61
[3] http://svn.debian.org/wsvn/pkg-cron/trunk/crontab.c
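
The version-3-style check described in the message above, sketched as an added example (not part of the original message and not code from Debian's cron or cronie): the modification time is read once when the temporary file is created and compared after editing, so no timestamp is ever written back. The function names, the `/tmp/crontab.XXXXXX` template and the `fake_editor` stand-in for the user's editor are assumptions made for illustration.

```c
/* Added example: detect an edit by comparing mtimes, without utime(). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical stand-in for the user's editor: optionally appends a line. */
static int fake_editor(const char *path, int make_change)
{
    struct timespec pause = { 1, 100000000L };  /* 1.1 s so st_mtime can advance */
    nanosleep(&pause, NULL);
    if (!make_change)
        return 0;
    FILE *f = fopen(path, "a");
    if (f == NULL)
        return -1;
    fputs("*/5 * * * * /usr/bin/true\n", f);    /* constructed sample entry */
    return fclose(f);
}

/* Returns 1 if the file was modified by the editor, 0 if not, -1 on error. */
int crontab_changed_after_edit(int make_change)
{
    char path[] = "/tmp/crontab.XXXXXX";        /* assumed template */
    struct stat before, after;
    int result = -1;
    int fd = mkstemp(path);                     /* created with mode 0600 */
    if (fd < 0)
        return -1;
    if (write(fd, "# m h dom mon dow command\n", 26) == 26 &&
        fstat(fd, &before) == 0 &&              /* record mtime; never set it */
        fake_editor(path, make_change) == 0 &&
        stat(path, &after) == 0)                /* re-read mtime after editing */
        result = (after.st_mtime != before.st_mtime);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    printf("untouched: %d\n", crontab_changed_after_edit(0));
    printf("edited:    %d\n", crontab_changed_after_edit(1));
    return 0;
}
```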