[PROPOSAL] Cluster 44 - RECENT-01 (40 candidates)
This cluster covers recently announced problems from November 24 through December 3. "Recent" clusters will be proposed on a weekly basis for the foreseeable future as we consider issues related to going live with candidate assignment.

You are strongly encouraged to ensure that your database is kept up-to-date with respect to RECENT candidates; otherwise, you will face the same amount of effort it's already taken for you to bring your database up to speed with respect to legacy problems.

Content decisions such as SF-LOC (multiple bugs in same code), SF-CODEBASE (same bug in multiple codebases), and SF-EXEC (same apparent bug in different executables from the same vendor) contributed to making this a larger number of candidates than one might usually encounter during a 2-week period. These CDs will be revisited and voted on once we've truly gone live with candidate assignment. They were originally scheduled for discussion in August, but we were handling larger questions then :-) See http://cve.mitre.org/archives/msg00366.html for a mostly-up-to-date summary of content decisions.

- Steve

Proposed: 12/8
Scheduled Proposed: 12/6
Scheduled Interim Decision: 12/20
Scheduled Final Decision: 12/24

Summary of votes to use (in ascending order of "severity"):

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.
2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.
3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

=================================
Candidate: CAN-1999-0818
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure
Reference: BID:831

Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.

VOTE:

=================================
Candidate: CAN-1999-0819
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991130 NTmail and VRFY
Reference: BUGTRAQ:19991130 NTmail and VRFY

NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it.

VOTE:

=================================
Candidate: CAN-1999-0820
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838

FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands.

VOTE:

=================================
Candidate: CAN-1999-0821
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838

FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.

VOTE:

=================================
Candidate: CAN-1999-0822
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BID:830

Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.

VOTE:

=================================
Candidate: CAN-1999-0823
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:839
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument.

VOTE:

=================================
Candidate: CAN-1999-0824
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:833
Reference: NTBUGTRAQ:19991130 SUBST problem
Reference: BUGTRAQ:19991130 Subst.exe carelessness (fwd)

A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users.

VOTE:

=================================
Candidate: CAN-1999-0825
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BID:849
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail

The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail.

VOTE:

=================================
Candidate: CAN-1999-0826
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:840
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Buffer overflow in FreeBSD angband allows local users to gain privileges.

VOTE:

=================================
Candidate: CAN-1999-0827
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing

By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing.

VOTE:

=================================
Candidate: CAN-1999-0828
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: unknown
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits

UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.

VOTE:

=================================
Candidate: CAN-1999-0829
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991201 HP Secure Web Console

HP Secure Web Console uses weak encryption.

VOTE:

=================================
Candidate: CAN-1999-0830
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco

Buffer overflow in SCO UnixWare Xsco command via a long argument.

VOTE:

=================================
Candidate: CAN-1999-0831
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]

Denial of service in Slackware 4.0 syslogd via a large number of connections.

VOTE:

=================================
Candidate: CAN-1999-0832
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]

Buffer overflow in Slackware 7.0 NFS server allows attackers to execute commands via a long pathname.

VOTE:

=================================
Candidate: CAN-1999-0834
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991201 Security Advisory: Buffer overflow in RSAREF2
Reference: BUGTRAQ:19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2)
Reference: BID:843

Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library.

VOTE:

=================================
Candidate: CAN-1999-0836
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare 7 uidadmin exploit + discussion

UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack.

VOTE:

=================================
Candidate: CAN-1999-0838
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability

Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command.

VOTE:

=================================
Candidate: CAN-1999-0840
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow

Buffer overflow in CDE dtmail and dtmailpr programs via the -f option.

VOTE:

=================================
Candidate: CAN-1999-0841
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow

Buffer overflow in CDE mailtool allows local users to gain root privilege via a long MIME Content-Type.

VOTE:

=================================
Candidate: CAN-1999-0842
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:827
Reference: NTBUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: BUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability

Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0843
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)

Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.

VOTE:

=================================
Candidate: CAN-1999-0844
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: BID:823
Reference: BID:820

Denial of service in MDaemon WorldClient and WebConfig services via a long URL.

VOTE:

=================================
Candidate: CAN-1999-0845
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: SCO:99.19
Reference: BUGTRAQ:19991128 SCO su patches

Buffer overflow in SCO su program allows local users to gain root access via a long username.

VOTE:

=================================
Candidate: CAN-1999-0846
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability

Denial of service in MDaemon 2.7 via a large number of connection attempts.

VOTE:

=================================
Candidate: CAN-1999-0847
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991129 FICS buffer overflow

Buffer overflow in free internet chess server (FICS) program, xboard.

VOTE:

=================================
Candidate: CAN-1999-0850
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BID:845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18

The default permissions for Endymion MailMan allow local users to read email or modify files.

VOTE:

=================================
Candidate: CAN-1999-0852
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BID:844
Reference: BUGTRAQ:19991202 WebSphere protections from installation

IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.

VOTE:

=================================
Candidate: CAN-1999-0853
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:847
Reference: ISS:Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure

Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure.

VOTE:

=================================
Candidate: CAN-1999-0854
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: unknown
Reference: BUGTRAQ:19991130 Ultimate Bulletin Board v5.3x? Bug

Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file.

VOTE:

=================================
Candidate: CAN-1999-0855
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Buffer overflow in FreeBSD gdc program.

VOTE:

=================================
Candidate: CAN-1999-0856
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Slackware 7.0 - login bug

login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist.

VOTE:

=================================
Candidate: CAN-1999-0857
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Reference: BID:835

FreeBSD gdc program allows local users to modify files via a symlink attack.

VOTE:

=================================
Candidate: CAN-1999-0859
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837

Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly.

VOTE:

=================================
Candidate: CAN-1999-0860
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837

Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

VOTE:

=================================
Candidate: CAN-1999-0862
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems

Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.

VOTE:

=================================
Candidate: CAN-1999-0863
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.

VOTE:

=================================
Candidate: CAN-1999-0864
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare coredumps follow symlinks
Reference: BID:851

UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file.

VOTE:

=================================
Candidate: CAN-1999-0865
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 CommuniGatePro 3.1 for NT DoS

Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port.

VOTE:

=================================
Candidate: CAN-1999-0866
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:848
Reference: BUGTRAQ:19991203 UnixWare gain root with non-su/gid binaries

Buffer overflow in UnixWare xauto program allows local users to gain root privilege.

VOTE: