[INTERIM] ACCEPT 17 candidates from UNIX-VEN (Final 1/3/2000)
I have made an Interim Decision to ACCEPT the following 17 candidates
from the UNIX-VEN cluster.  I will make a Final Decision on January 3,
2000.

Voters:
  Frech      ACCEPT(8)  MODIFY(9)
  Christey   NOOP(2)
  Cole       ACCEPT(12) MODIFY(1) NOOP(4)
  Prosser    ACCEPT(15) MODIFY(2)
  Stracener  ACCEPT(13) MODIFY(4)
  Blake      ACCEPT(17)

- Steve

=================================
Candidate: CAN-1999-0674
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: NetBSD:1999-011
Reference: OPENBSD:Aug 9,1999
Reference: FREEBSD:FreeBSD-SA-99:02
Reference: BUGTRAQ:19990809 profil(2) bug, a simple test program
Reference: BID:570
Reference: CIAC:J-067
Reference: XF:netbsd-profil

The BSD profil system call allows a local user to modify the internal
data space of a program via profiling and execve.

Modifications:
  ADDREF FREEBSD:FreeBSD-SA-99:02
  ADDREF CIAC:J-067

INFERRED VOTE: CAN-1999-0674 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Blake, Frech, Prosser
  MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: FreeBSD-SA-99:02
 Stracener> Add Ref: CIAC: J-067

=================================
Candidate: CAN-1999-0686
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990514 TGAD DoS
Reference: BUGTRAQ:19990610 Re: VVOS/Netscape Bug
Reference: HP:HPSBUX9906-098
Reference: CIAC:J-046
Reference: XF:hp-tgad-dos

Denial of service in Netscape Enterprise Server (NES) in HP Virtual
Vault (VVOS) via a long URL.

Modifications:
  ADDREF BUGTRAQ:19990514 TGAD DoS
  ADDREF BUGTRAQ:19990610 Re: VVOS/Netscape Bug
  CHANGEREF HP:00098 HP:HPSBUX9906-098
  ADDREF CIAC:J-046
  ADDREF XF:hp-tgad-dos
  DESC modify details based on Bugtraq postings

INFERRED VOTE: CAN-1999-0686 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(2) Blake, Prosser
  MODIFY(3) Cole, Stracener, Frech
  NOOP(1) Christey

COMMENTS:
 Cole> I would be a little more specific.
 Stracener> The full document ID for the reference above is HPSBUX9906-098.  Also, Add
 Stracener> Ref: CIAC: J-046
 Frech> XF:hp-tgad-dos
 Christey> I dug up a Bugtraq reference that provides some more details
 Christey> than the HP advisory.

=================================
Candidate: CAN-1999-0688
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: HP:HPSBUX9907-101
Reference: XF:hp-sd-bo

Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and
11.x.

Modifications:
  ADDREF XF:hp-sd-bo

INFERRED VOTE: CAN-1999-0688 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Blake, Stracener, Prosser
  MODIFY(1) Frech

COMMENTS:
 Frech> XF:hp-sd-bo

=================================
Candidate: CAN-1999-0690
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: HP:HPSBUX9907-100
Reference: CIAC:J-053
Reference: XF:hp-cde-directory

HP CDE program includes the current directory in root's PATH variable.

Modifications:
  ADDREF XF:hp-cde-directory

INFERRED VOTE: CAN-1999-0690 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Blake, Stracener, Prosser
  MODIFY(1) Frech

COMMENTS:
 Frech> XF:hp-cde-directory

=================================
Candidate: CAN-1999-0703
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990805 4.4 BSD issue -- chflags
Reference: OPENBSD:Jul30,1999
Reference: FREEBSD:FreeBSD-SA-99:01
Reference: CIAC:J-066
Reference: XF:openbsd-chflags-fchflags-permitted

OpenBSD, BSDI, and other Unix operating systems allow users to set
chflags and fchflags on character and block devices.

Modifications:
  ADDREF CIAC:J-066
  ADDREF XF:openbsd-chflags-fchflags-permitted

INFERRED VOTE: CAN-1999-0703 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(3) Cole, Blake, Prosser
  MODIFY(2) Stracener, Frech

COMMENTS:
 Stracener> Add Ref: CIAC: J-066
 Frech> XF:openbsd-chflags-fchflags-permitted

=================================
Candidate: CAN-1999-0707
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: CF
Reference: HP:HPSBUX9906-099
Reference: XF:hp-visualize-conference-ftp
Reference: CIAC:J-050

The default FTP configuration in HP Visualize Conference allows
conference users to send a file to other participants without
authorization.

INFERRED VOTE: CAN-1999-0707 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Blake, Stracener, Frech, Prosser

=================================
Candidate: CAN-1999-0713
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990404 Digital Unix 4.0E /var permission
Reference: CIAC:J-044
Reference: XF:cde-dtlogin
Reference: COMPAQ:SSRT0600U

The dtlogin program in Compaq Tru64 UNIX allows local users to gain
root privileges.

Modifications:
  ADDREF CIAC:J-044
  ADDREF BUGTRAQ:19990404 Digital Unix 4.0E /var permission

INFERRED VOTE: CAN-1999-0713 ACCEPT (4 accept, 0 review)

VOTES:
  ACCEPT(2) Blake, Frech
  MODIFY(2) Stracener, Prosser
  NOOP(2) Cole, Christey

COMMENTS:
 Stracener> Add Ref: CIAC: J-044
 Prosser> reference: Bugtraq archives "Digital Unix 4.0E /var permissions "Harhalakis
 Prosser> Stefanos"
 Christey> Can't seem to find XF:cde-dtlogin

=================================
Candidate: CAN-1999-0714
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: COMPAQ:SSRT0588U
Reference: XF:du-edauth

Vulnerability in Compaq Tru64 UNIX edauth command.

Modifications:
  CHANGEREF COMPAQ:SSRT0600U COMPAQ:SSRT0588U
  ADDREF XF:du-edauth

INFERRED VOTE: CAN-1999-0714 ACCEPT (4 accept, 0 review)

VOTES:
  ACCEPT(2) Blake, Stracener
  MODIFY(2) Frech, Prosser
  NOOP(1) Cole

COMMENTS:
 Frech> XF:du-edauth
 Frech> The COMPAQ reference does not reference edauth, and may be a paste artifact
 Frech> from CAN-1999-0713 above.  Correct or remove.
 Prosser> The Compaq advisory reference for this vulnerability is SSRT0588U vice 0600U

=================================
Candidate: CAN-1999-0724
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: OPENBSD:Aug12,1999
Reference: XF:openbsd-uio_offset-bo

Buffer overflow in OpenBSD procfs and fdescfs file systems via
uio_offset in the readdir() function.

Modifications:
  ADDREF XF:openbsd-uio_offset-bo

INFERRED VOTE: CAN-1999-0724 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Blake, Stracener, Prosser
  MODIFY(1) Frech

COMMENTS:
 Frech> XF:openbsd-uio_offset-bo

=================================
Candidate: CAN-1999-0745
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: IBM:ERS-SVA-E01-1999:003.1
Reference: CIAC:J-059
Reference: BID:590
Reference: XF:aix-pdnsd-bo

Buffer overflow in Source Code Browser Program Database Name Server
Daemon (pdnsd) for the IBM AIX C Set ++ compiler.

Modifications:
  CHANGEREF IBM:ERS-SVA-E01-1999:0031 IBM:ERS-SVA-E01-1999:003.1

INFERRED VOTE: CAN-1999-0745 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Blake, Stracener, Prosser
  MODIFY(1) Frech

COMMENTS:
 Frech> IBM reference should be IBM:ERS-SVA-E01-1999:003.1

=================================
Candidate: CAN-1999-0761
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: FREEBSD:FreeBSD-SA-99:05
Reference: XF:freebsd-fts-lib-bo
Reference: BID:644

Buffer overflow in FreeBSD fts library routines allows local user to
modify arbitrary files via the periodic program.

Modifications:
  ADDREF XF:freebsd-fts-lib-bo

INFERRED VOTE: CAN-1999-0761 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Blake, Stracener, Prosser
  MODIFY(1) Frech

COMMENTS:
 Frech> XF:freebsd-fts-lib-bo

=================================
Candidate: CAN-1999-0763
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: NETBSD:1999-010
Reference: XF:netbsd-arp

NetBSD on a multi-homed host allows ARP packets on one network to
modify ARP entries on another connected network.

INFERRED VOTE: CAN-1999-0763 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Blake, Stracener, Frech, Prosser

=================================
Candidate: CAN-1999-0764
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: NETBSD:1999-010
Reference: XF:netbsd-arp

NetBSD allows ARP packets to overwrite static ARP entries.

INFERRED VOTE: CAN-1999-0764 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Blake, Stracener, Frech, Prosser

=================================
Candidate: CAN-1999-0765
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990619 IRIX midikeys root exploit.
Reference: SGI:19990501-01-A
Reference: XF:irix-midikeys

SGI IRIX midikeys program allows local users to modify arbitrary files
via a text editor.

INFERRED VOTE: CAN-1999-0765 ACCEPT (4 accept, 0 review)

VOTES:
  ACCEPT(4) Blake, Stracener, Frech, Prosser
  NOOP(1) Cole

=================================
Candidate: CAN-1999-0771
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990526 Infosec.19990526.compaq-im.a
Reference: COMPAQ:SSRT0612U
Reference: XF:management-agent-file-read

The web components of Compaq Management Agents and the Compaq Survey
Utility allow a remote attacker to read arbitrary files via a .. (dot
dot) attack.

INFERRED VOTE: CAN-1999-0771 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Blake, Stracener, Frech, Prosser

=================================
Candidate: CAN-1999-0772
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990527 Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)
Reference: COMPAQ:SSRT0612U
Reference: XF:management-agent-dos

Denial of service in Compaq Management Agents and the Compaq Survey
Utility via a long string sent to port 2301.

INFERRED VOTE: CAN-1999-0772 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Blake, Stracener, Frech, Prosser

=================================
Candidate: CAN-1999-0779
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: HP:HPSBUX9810-086
Reference: XF:hp-sharedx

Denial of service in HP-UX SharedX recserv program.

Modifications:
  ADDREF XF:hp-sharedx

INFERRED VOTE: CAN-1999-0779 ACCEPT (4 accept, 0 review)

VOTES:
  ACCEPT(3) Blake, Stracener, Prosser
  MODIFY(1) Frech
  NOOP(1) Cole

COMMENTS:
 Frech> XF:hp-sharedx