[VOTES] Vote details for RECENT-XX clusters
This "ALL-NEW" meta-cluster contains voting details for all clusters related to the "live" candidate assignment that has been taking place in recent weeks.

RECENT-04
RECENT-03
RECENT-02
RECENT-01

- Steve

---------------------
CLUSTER RECENT-04
---------------------

RECENT-04 (43 candidates)
--------------------

Proposed: 1/10/00
Scheduled Interim Decision: 1/24/00
Scheduled Final Decision: 1/28/00

Recent problems announced between 12/20/1999 and 1/1/2000

Voters:

<PROPOSED> --> 43

=================================
Candidate: CAN-2000-0001
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 RealMedia Server 5.0 Crasher (rmscrash.c)

RealMedia server allows remote attackers to cause a denial of service via a long ramgen request.

INFERRED ACTION: CAN-2000-0001 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0002
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: BUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT

Buffer overflow in ZBServer Pro allows remote attackers to execute commands via a long GET request.

INFERRED ACTION: CAN-2000-0002 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0003
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 UnixWare rtpm exploit + discussion

Buffer overflow in UnixWare rtpm program allows local users to gain privileges via a long environmental variable.

INFERRED ACTION: CAN-2000-0003 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0004
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: BUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT

ZBServer Pro allows remote attackers to read source code for executable files by inserting a . (dot) into the URL.

INFERRED ACTION: CAN-2000-0004 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0005
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 aserver.sh
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108

HP-UX aserver program allows local users to gain privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0005 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0006
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991225 strace can lie

strace allows local users to read arbitrary files via memory mapped file names.

INFERRED ACTION: CAN-2000-0006 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0007
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 PC-Cillin 6.x DoS Attack

Trend Micro PC-Cillin does not restrict access to its internal proxy port, allowing remote attackers to conduct a denial of service.

INFERRED ACTION: CAN-2000-0007 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0008
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991227 FTPPro insecuities

FTPPro allows local users to read sensitive information, which is stored in plain text.

INFERRED ACTION: CAN-2000-0008 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 bna,sh
Reference: BID:907

bna_pass program in Optivity NETarchitect allows local users to gain privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0009 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991226 WebWho+ ADVISORY

WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter.

INFERRED ACTION: CAN-2000-0010 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0011
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1
Reference: BID:906

Buffer overflow in AnalogX SimpleServer:WWW allows remote attackers to execute commands via a long GET request.

INFERRED ACTION: CAN-2000-0011 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0012
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 remote buffer overflow in miniSQL
Reference: BID:898

Buffer overflow in w3-msql CGI program in miniSQL package allows remote attackers to execute commands.

INFERRED ACTION: CAN-2000-0012 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0013
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 irix-soundplayer.sh
Reference: BID:909

IRIX midikeys program allows local users to gain privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0013 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0014
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K
Reference: BID:897

Denial of service in Savant web server via a null character in the requested URL.

INFERRED ACTION: CAN-2000-0014 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0015
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 tftpserv.sh
Reference: BID:910

CascadeView TFTP server allows local users to gain privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0015 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0016
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: BUGTRAQ:19991227 Remote DoS/Access Attack in Internet Anywhere Mail Server(POP 3) v2.3.1
Reference: BID:730

Buffer overflow in Internet Anywhere POP3 Mail Server allows remote attackers to cause a denial of service or execute commands via a long username.

INFERRED ACTION: CAN-2000-0016 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0017
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 (Possible) Linuxconf Remote Buffer Overflow Vulnerability

Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter.

INFERRED ACTION: CAN-2000-0017 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0018
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 Wmmon under FreeBSD

wmmon in FreeBSD allows local users to gain privileges via the .wmmonrc configuration file.

INFERRED ACTION: CAN-2000-0018 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0019
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme

IMail POP3 daemon uses weak encryption, which allows local users to read files.

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION

INFERRED ACTION: CAN-2000-0019 MOREVOTES (0 accept, 0 ack, 0 review) HAS_CDS

Current Votes:

=================================
Candidate: CAN-2000-0020
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability
Reference: BUGTRAQ:19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability

DNS PRO allows remote attackers to conduct a denial of service via a large number of connections.

INFERRED ACTION: CAN-2000-0020 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0021
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Lotus Domino HTTP server allows remote attackers to determine the real path of the server via a request to a non-existent script in /cgi-bin.

CONTENT-DECISIONS: DESIGN-REAL-PATH

INFERRED ACTION: CAN-2000-0021 MOREVOTES (0 accept, 1 ack, 0 review) HAS_CDS

Current Votes:

=================================
Candidate: CAN-2000-0022
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Lotus Domino HTTP server does not properly disable anonymous access for the cgi-bin directory.

INFERRED ACTION: CAN-2000-0022 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0023
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991222 Lotus Notes HTTP cgi-bin vulnerability: possible workaround
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Buffer overflow in Lotus Domino HTTP server allows remote attackers to cause a denial of service via a long URL.

INFERRED ACTION: CAN-2000-0023 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0024
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-061
Reference: BUGTRAQ:19991228 Third Party Software Affected by IIS "Escape Character Parsing" Vulnerability
Reference: BUGTRAQ:19991229 More info on MS99-061 (IIS escape character vulnerability)

IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability.

INFERRED ACTION: CAN-2000-0024 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0025
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-058

IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability.

INFERRED ACTION: CAN-2000-0025 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0026
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 UnixWare i2odialogd remote root exploit

Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string.

INFERRED ACTION: CAN-2000-0026 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0027
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 IBM NetStation/UnixWare local root exploit
Reference: BID:900

IBM Network Station Manager NetStation allows local users to gain privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0027 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0028
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 IE 5.01 vulnerabilities in external.NavigateAndFind()

Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the cross frame security policy and read files via the external.NavigateAndFind function.

INFERRED ACTION: CAN-2000-0028 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0029
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 UnixWare local pis exploit
Reference: BID:901

UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0029 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0030
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 Solaris 2.7 dmispd local/remote problems

Solaris dmispd dmi_cmd allows local users to fill up restricted disk space by adding files to the /var/dmi/db database.

INFERRED ACTION: CAN-2000-0030 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: L0PHT:19991227 initscripts-4.48-1 RedHat Linux 6.1
Reference: REDHAT:RHSA-1999:052-04

The initscripts package in Red Hat Linux allows local users to gain privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0031 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0032
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 Solaris 2.7 dmispd local/remote problems

Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database.

INFERRED ACTION: CAN-2000-0032 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0033
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 Trend Micro InterScan VirusWall SMTP bug
Reference: BID:899

InterScan VirusWall SMTP scanner does not properly scan messages with malformed attachments.

INFERRED ACTION: CAN-2000-0033 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0034
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 More Netscape Passwords Available.

Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session, even if the user has not enabled "remember passwords."

INFERRED ACTION: CAN-2000-0034 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0035
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BID:902

resend command in Majordomo allows local users to gain privileges via shell metacharacters.

INFERRED ACTION: CAN-2000-0035 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0036
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-060
Reference: MSKB:Q249082

Outlook Express 5 for Macintosh downloads attachments to HTML mail without prompting the user, aka the "HTML Mail Attachment" vulnerability.

INFERRED ACTION: CAN-2000-0036 MOREVOTES (0 accept, 3 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0037
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BID:903

Majordomo wrapper allows local users to gain privileges by specifying an alternate configuration file.

INFERRED ACTION: CAN-2000-0037 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0038
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: CF
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)

glFtpD includes a default glftpd user account with a default password and a UID of 0.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-2000-0038 MOREVOTES (0 accept, 0 ack, 0 review) HAS_CDS

Current Votes:

=================================
Candidate: CAN-2000-0039
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 AltaVista
Reference: BUGTRAQ:19991230 Follow UP AltaVista
Reference: BUGTRAQ:19991229 AltaVista followup and monitor script
Reference: BUGTRAQ:20000103 FW: Patch issued for AltaVista Search Engine Directory TraversalVulnerability
Reference: BUGTRAQ:20000109 Altavista followup
Reference: BID:896

AltaVista search engine allows remote attackers to read files above the document root via a .. (dot dot) in the query program.

INFERRED ACTION: CAN-2000-0039 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0040
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)

glFtpD allows local users to gain privileges via metacharacters in the SITE ZIPCHK command.

INFERRED ACTION: CAN-2000-0040 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0041
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 The "Mac DoS Attack," a Scheme for Blocking Internet Connections
Reference: BID:890

Macintosh systems generate large ICMP datagrams in response to malformed datagrams, allowing them to be used as amplifiers in a flood attack.

INFERRED ACTION: CAN-2000-0041 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0042
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 Local / Remote D.o.S Attack in CSM Mail Server for Windows 95/NT v.2000.08.A
Reference: BID:895

Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command.

INFERRED ACTION: CAN-2000-0042 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-2000-0043
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT
Reference: BID:905

Buffer overflow in CamShot WebCam HTTP server allows remote attackers to execute commands via a long GET request.

INFERRED ACTION: CAN-2000-0043 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

---------------------
CLUSTER RECENT-03
---------------------

RECENT-03 (19 candidates)
--------------------

Proposed: 12/21
Scheduled Proposed: 12/20
Scheduled Interim Decision: 1/3
Scheduled Final Decision: 1/7

Recent problems announced between 12/13/1999 and 12/20/1999

Voters:
  Wall ACCEPT(6) MODIFY(1) NOOP(12)
  Christey NOOP(1)
  Cole ACCEPT(14) MODIFY(2) NOOP(3)
  Stracener ACCEPT(18) NOOP(1)

<INTERIM> --> 5
<PROPOSED> --> 14
ACCEPT --> 15
MODIFY --> 3
NOOP --> 1

=================================
Candidate: CAN-1999-0992
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: HP:HPSBUX9912-107

HP VirtualVault with the PHSS_17692 patch allows unprivileged processes to bypass access restrictions via the Trusted Gateway Proxy (TGP).

INFERRED ACTION: CAN-1999-0992 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall

=================================
Candidate: CAN-1999-0993
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: unknown
Reference: NTBUGTRAQ:19991213 Changing ACL's in Exchange Server

Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed.

CONTENT-DECISIONS: NOVULN

INFERRED ACTION: CAN-1999-0993 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Stracener
   NOOP(1) Cole

=================================
Candidate: CAN-1999-0994
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BINDVIEW:19991216 Windows NT's SYSKEY feature
Reference: MS:MS99-056
Reference: MSKB:Q248183
Reference: BID:873

Windows NT with SYSKEY reuses the keystream that is used for encrypting SAM password hashes, allowing an attacker to crack passwords.

INFERRED ACTION: CAN-1999-0994 ACCEPT (3 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener

=================================
Candidate: CAN-1999-0995
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: NAI:19991216 Windows NT LSA Remote Denial of Service
Reference: MS:MS99-057
Reference: MSKB:Q248185
Reference: BID:875

Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request."

Modifications:
  ADDREF BID:875

INFERRED ACTION: CAN-1999-0995 ACCEPT (3 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener

=================================
Candidate: CAN-1999-0996
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: EEYE:AD19991215
Reference: BUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow
Reference: NTBUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow

Buffer overflow in Infoseek Ultraseek search engine allows remote attackers to execute commands via a long GET request.

INFERRED ACTION: CAN-1999-0996 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall

=================================
Candidate: CAN-1999-0997
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: unknown
Reference: BUGTRAQ:19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd)

wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.

INFERRED ACTION: CAN-1999-0997 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener

=================================
Candidate: CAN-1999-0998
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities

Cisco Cache Engine allows an attacker to replace content in the cache.

INFERRED ACTION: CAN-1999-0998 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Cole
   NOOP(1) Wall

Comments:
 Cole> This vulnerability exists in PPP CHAP authentication. Also the BID is 693.
 Cole> If I have the right vulnerability. The description is not that clear.

=================================
Candidate: CAN-1999-0999
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: MS:MS99-059
Reference: MSKB:Q248749
Reference: BID:817

Microsoft SQL 7.0 server allows a remote attacker to cause a denial of service via a malformed TDS packet.

Modifications:
  DESC Add version
  ADDREF BID:817

INFERRED ACTION: CAN-1999-0999 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Wall

Comments:
 Wall> Microsoft SQL 7.0 server allows a remote attacker to cause a denial of
 Wall> service via a malformed TDS packet.

=================================
Candidate: CAN-1999-1000
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities

The web administration interface for Cisco Cache Engine allows remote attackers to view performance statistics.

INFERRED ACTION: CAN-1999-1000 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall

=================================
Candidate: CAN-1999-1001
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities

Cisco Cache Engine allows a remote attacker to gain access via a null username and password.

INFERRED ACTION: CAN-1999-1001 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Cole
   NOOP(2) Wall, Christey

Comments:
 Cole> The references are not that clear.
 Christey> While vendor-supplied advisories sometimes aren't clear, they
 Christey> have acknowledged the problem and provided enough information
 Christey> to attach a CVE name to them.

=================================
Candidate: CAN-1999-1002
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: http://www.rstcorp.com/news/bad-crypto.html
Reference: BUGTRAQ:19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")
Reference: BUGTRAQ:19991220 Netscape password scrambling

Netscape Navigator uses weak encryption for storing a user's Netscape mail password.

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION

INFERRED ACTION: CAN-1999-1002 ACCEPT (3 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener

=================================
Candidate: CAN-1999-1003
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70

War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections.

CONTENT-DECISIONS: BETA

INFERRED ACTION: CAN-1999-1003 ACCEPT_ACK (2 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall

=================================
Candidate: CAN-1999-1004
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991217 NAV2000 Email Protection DoS
Reference: BUGTRAQ:19991220 Norton Email Protection Remote Overflow (Addendum)

Buffer overflow in the POP server POProxy for the Norton Anti-Virus protection NAV2000 program via a large USER command.

INFERRED ACTION: CAN-1999-1004 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   NOOP(2) Wall, Cole

=================================
Candidate: CAN-1999-1005
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991219 Groupewise Web Interface

Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter.

INFERRED ACTION: CAN-1999-1005 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall

=================================
Candidate: CAN-1999-1006
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991219 Groupewise Web Interface

Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter.

CONTENT-DECISIONS: DESIGN-REAL-PATH

INFERRED ACTION: CAN-1999-1006 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall

=================================
Candidate: CAN-1999-1007
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991213 VDO Live Player 3.02 Buffer Overflow
Reference: BID:872

Buffer overflow in VDO Live Player allows remote attackers to execute commands on the VDO client via a malformed .vdo file.

INFERRED ACTION: CAN-1999-1007 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener

=================================
Candidate: CAN-1999-1008
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991215 FreeBSD 3.3 xsoldier root exploit
Reference: BID:871

xsoldier program allows local users to gain root access via a long argument.

INFERRED ACTION: CAN-1999-1008 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall

=================================
Candidate: CAN-1999-1009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: unknown
Reference: BUGTRAQ:19991213 Privacy hole in Go Express Search

The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system.

CONTENT-DECISIONS: PRIVACY

INFERRED ACTION: CAN-1999-1009 MOREVOTES (0 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   NOOP(3) Wall, Cole, Stracener

=================================
Candidate: CAN-1999-1010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991214 sshd1 allows unencrypted sessions regardless of server policy

An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy.

INFERRED ACTION: CAN-1999-1010 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall

---------------------
CLUSTER RECENT-02
---------------------

RECENT-02 (20 candidates)
--------------------

Proposed: 12/13
Scheduled Proposed: 12/13
Scheduled Interim Decision: 12/27
Scheduled Final Decision: 12/31

Recent problems announced between 12/04/1999 and 12/12/1999

Voters:
  Christey REVIEWING(4)
  Cole ACCEPT(4) NOOP(2)
  Stracener ACCEPT(5) RECAST(1)
  Blake ACCEPT(5) RECAST(1)

<FINAL> --> 14
<INTERIM> --> 1
<PROPOSED> --> 5
ACCEPT --> 1
RECAST --> 2
REVIEWING --> 3

=================================
Candidate: CAN-1999-0972
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991209 xsw 1.24 remote buffer overflow
Reference: BID:863

Buffer overflow in Xshipwars xsw program.

INFERRED ACTION: CAN-1999-0972 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:

=================================
Candidate: CAN-1999-0973
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991206 [w00giving #8] Solaris 2.7's snoop
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)
Reference: BID:858

Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode.
INFERRED ACTION: CAN-1999-0973 MOREVOTES (0 accept, 1 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0974 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: ISS:19991209 Buffer Overflow in Solaris Snoop Reference: SUN:00190 Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd) Reference: BID:864 Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service. INFERRED ACTION: CAN-1999-0974 MOREVOTES (0 accept, 3 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0975 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT Reference: BID:868 The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed. INFERRED ACTION: CAN-1999-0975 MOREVOTES (0 accept, 0 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0976 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991207 [Debian] New version of sendmail released Reference: BID:857 Sendmail in Debian GNU/Linux 2.1 allows local users to reinitialize the aliases database, then cause a denial of service by interrupting Sendmail. INFERRED ACTION: CAN-1999-0976 RECAST (1 recast, 2 accept, 0 review) Current Votes: ACCEPT(2) Cole, Stracener RECAST(1) Blake Comments: Blake> *This issue is insufficiently defined. 
I can't see why it should be Blake> restricted to Debian, in fact, I just ran newaliases on FreeBSD-3.2 as a Blake> regular user and it ran. Perhaps the entry can be broadened to include Blake> incorrect permissions on the newaliases binary... ================================= Candidate: CAN-1999-0977 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: SF-INCIDENTS:19991209 sadmind Reference: BUGTRAQ:19991210 Solaris sadmind Buffer Overflow Vulnerability Reference: CERT:CA-99-16 Reference: BID:866 Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request. INFERRED ACTION: CAN-1999-0977 MOREVOTES (0 accept, 2 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0978 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: 19991228-01 Proposed: 19991214 Assigned: 19991214 Category: SF Reference: DEBIAN:19991209 Reference: BID:867 htdig allows remote attackers to execute commands via filenames with shell metacharacters. Modifications: DESC exclude Debian INFERRED ACTION: CAN-1999-0978 MOREVOTES (0 accept, 2 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0979 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991209 Fundamental flaw in UnixWare 7 security Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7 Reference: BID:869 The SCO UnixWare privileged process system allows local users to gain root privileges by using a debugger such as gdb to insert traps into _init before the privileged process is executed.
INFERRED ACTION: CAN-1999-0979 MOREVOTES (0 accept, 1 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0980 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: MS:MS99-055 Reference: MSKB:Q246045 Windows NT Service Control Manager (SCM) allows remote attackers to cause a denial of service via a malformed argument in a resource enumeration request. INFERRED ACTION: CAN-1999-0980 MOREVOTES (0 accept, 3 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0981 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: MS:MS99-050 Reference: MSKB:Q246094 Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka "Server-side Page Reference Redirect." INFERRED ACTION: CAN-1999-0981 MOREVOTES (0 accept, 3 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0982 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: unknown Reference: BUGTRAQ:19991206 Solaris WBEM 1.0: plaintext password stored in world readable file The Sun Web-Based Enterprise Management (WBEM) installation script stores a password in plaintext in a world readable file. INFERRED ACTION: CAN-1999-0982 MOREVOTES (0 accept, 0 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0983 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY. Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. 
CONTENT-DECISIONS: SF-CODEBASE INFERRED ACTION: CAN-1999-0983 SMC_REVIEW (3 accept, 1 review) HAS_CDS Current Votes: ACCEPT(3) Cole, Blake, Stracener REVIEWING(1) Christey Comments: Christey> More examination is required to determine if CAN-1999-0983, Christey> CAN-1999-0984, or CAN-1999-0985 are the same codebase. ================================= Candidate: CAN-1999-0984 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY. Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. CONTENT-DECISIONS: SF-CODEBASE INFERRED ACTION: CAN-1999-0984 SMC_REVIEW (2 accept, 1 review) HAS_CDS Current Votes: ACCEPT(2) Blake, Stracener NOOP(1) Cole REVIEWING(1) Christey Comments: Cole> How is this different than the previous? Christey> More examination is required to determine if CAN-1999-0983, Christey> CAN-1999-0984, or CAN-1999-0985 are the same codebase. ================================= Candidate: CAN-1999-0985 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY. CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry. CONTENT-DECISIONS: SF-CODEBASE INFERRED ACTION: CAN-1999-0985 SMC_REVIEW (2 accept, 1 review) HAS_CDS Current Votes: ACCEPT(2) Blake, Stracener NOOP(1) Cole REVIEWING(1) Christey Comments: Cole> I would combine all of these. Christey> More examination is required to determine if CAN-1999-0983, Christey> CAN-1999-0984, or CAN-1999-0985 are the same codebase. ================================= Candidate: CAN-1999-0986 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991209 Big problem on 2.0.x? 
Reference: BID:870 The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option. INFERRED ACTION: CAN-1999-0986 MOREVOTES (0 accept, 0 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0987 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: NTBUGTRAQ:19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name Reference: MSKB:Q237923 Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name. INFERRED ACTION: CAN-1999-0987 MOREVOTES (0 accept, 2 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0988 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7 UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack. INFERRED ACTION: CAN-1999-0988 RECAST (1 recast, 2 accept, 1 review) Current Votes: ACCEPT(2) Cole, Blake RECAST(1) Stracener REVIEWING(1) Christey Comments: Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam Stracener> can be used to mount etc/shadow printing attacks as a result of the Stracener> "dacread" permission (cf. /etc/security/tcb/privs). The procedural Stracener> differences between the individual exploits for each of these utilities Stracener> are therefore inconsequential. CAN-1999-0988 should be merged with Stracener> CAN-1999-0828. 
From the standpoint of maintaining consistency of the
Stracener> level of abstraction used in CVE, the co-existence of CANS
Stracener> 1999-0988/1999-0828 presents two choices: either merge 0988 with 0828, or
Stracener> split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the
Stracener> very small differences (in principle) between the exploits subsumed by
Stracener> 0828 and 0988 and the shared dacread permissions of the pkg* suite, I
Stracener> suggest a merge. Below is a summary of the data upon which my decision
Stracener> was based.
Stracener> utility        exploit
Stracener> --------       ----------------------------------
Stracener> pkgtrans   --> symlink + dacread permission prob
Stracener> pkginfo    --> truss (debugging utility) in conjunction with pkginfo -d
Stracener>                etc/shadow. In this case, it captures the interaction between
Stracener>                pkginfo and the shadow file. Once again: dacread.
Stracener> pkgcat     --> buffer overflow + dacread permission prob
Stracener> pkginstall --> buffer overflow + dacread permission prob
Stracener> pkgparam   --> -f etc/shadow (works because of dacread).
Christey> This is a tough one. While there are few procedural
Christey> differences, one could view "assignment of an improper
Christey> permission" as a "class" of problems along the lines of
Christey> buffer overflows and the like. Just like some programs
Christey> were fine until they got turned into CGI scripts, this
Christey> could be an emerging pattern which should be given
Christey> consideration. Consider the Eyedog and scriptlet.typelib
Christey> ActiveX utilities being marked as safe for scripting
Christey> (CAN-1999-0668 and 0669).
================================= Candidate: CAN-1999-0989 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: NTBUGTRAQ:19991205 new IE5 remote exploit Reference: BUGTRAQ:19991205 new IE5 remote exploit Reference: BID:861 Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) allows remote attackers to execute commands via the vnd.ms.radio protocol. INFERRED ACTION: CAN-1999-0989 MOREVOTES (0 accept, 0 ack, 0 review) Current Votes: ================================= Candidate: CAN-1999-0990 Published: Final-Decision: Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: BUGTRAQ:19991205 gdm thing Error messages generated by gdm with the VerboseAuth setting allows an attacker to identify valid users on a system. CONTENT-DECISIONS: SA-INFO INFERRED ACTION: CAN-1999-0990 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(3) Cole, Blake, Stracener ================================= Candidate: CAN-1999-0991 Published: Final-Decision: 20000104 Interim-Decision: 19991229 Modified: Proposed: 19991214 Assigned: 19991214 Category: SF Reference: NTBUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability Reference: BUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability Reference: BID:862 Buffer overflow in GoodTech Telnet Server NT allows remote users to cause a denial of service via a long login name. 
INFERRED ACTION: CAN-1999-0991 MOREVOTES (0 accept, 0 ack, 0 review) Current Votes: --------------------- CLUSTER RECENT-01 --------------------- RECENT-01 (40 candidates) -------------------- Proposed: 12/8 Scheduled Proposed: 12/6 Scheduled Interim Decision: 12/20 Scheduled Final Decision: 12/24 Recent problems announced between 11/24/1999 and 12/03/1999 Voters: Frech MODIFY(40) Christey NOOP(1) RECAST(1) REVIEWING(3) Cole ACCEPT(20) MODIFY(14) NOOP(4) REJECT(2) Armstrong ACCEPT(34) NOOP(4) REVIEWING(2) Prosser ACCEPT(8) MODIFY(1) NOOP(1) REVIEWING(30) Stracener ACCEPT(37) MODIFY(2) NOOP(1) <INTERIM> --> 4 <PROPOSED> --> 36 MODIFY --> 7 RECAST --> 1 REJECT --> 2 REVIEWING --> 30 ================================= Candidate: CAN-1999-0818 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure Reference: BID:831 Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable. INFERRED ACTION: CAN-1999-0818 ACCEPT_REV (4 accept, 0 ack, 1 review) Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(2) Cole, Frech REVIEWING(1) Prosser Comments: Cole> This can cause code to be executed. Frech> XF:sol-kcms-conf-netpath-bo ================================= Candidate: CAN-1999-0819 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: NTBUGTRAQ:19991130 NTmail and VRFY Reference: BUGTRAQ:19991130 NTmail and VRFY NTMail does not disable the VRFY command, even if the administrator has explicitly disabled it. INFERRED ACTION: CAN-1999-0819 ACCEPT_REV (3 accept, 1 ack, 1 review) Current Votes: ACCEPT(1) Stracener MODIFY(2) Cole, Frech NOOP(1) Armstrong REVIEWING(1) Prosser Comments: Cole> The references are wrong. The BID is 856 and the full ID is Cole> 19991129 not 30. Cole> I would add that NTMail does not disable the VRFY command on ESMTP Cole> servers, even ... 
This can be used to gather information about users' email Cole> addresses. Frech> XF:nt-mail-vrfy ================================= Candidate: CAN-1999-0820 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities Reference: BID:838 FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands. INFERRED ACTION: CAN-1999-0820 ACCEPT_REV (4 accept, 0 ack, 1 review) Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(2) Cole, Frech REVIEWING(1) Prosser Comments: Cole> There are actually several vulnerabilities with seyon which allow Cole> users to elevate privileges Frech> XF:freebsd-seyon-dir-add ================================= Candidate: CAN-1999-0821 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities Reference: BID:838 FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument. INFERRED ACTION: CAN-1999-0821 REJECT (1 reject, 3 accept, 1 review) Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(1) Frech REJECT(1) Cole REVIEWING(1) Prosser Comments: Cole> I would combine this with the previous. To me the general Cole> vulnerabilities are similar it is just the end result that changes. Frech> XF:freebsd-seyon-setgid ================================= Candidate: CAN-1999-0822 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit Reference: BID:830 Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.
INFERRED ACTION: CAN-1999-0822 ACCEPT_REV (4 accept, 1 ack, 1 review) Current Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech REVIEWING(1) Prosser Comments: Frech> XF:qpopper-auth-bo ================================= Candidate: CAN-1999-0823 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BID:839 Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities Buffer overflow in FreeBSD xmindpath allows local users to gain privileges via -f argument. INFERRED ACTION: CAN-1999-0823 ACCEPT_REV (4 accept, 0 ack, 1 review) Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(2) Cole, Frech REVIEWING(1) Prosser Comments: Cole> This is via a buffer overflow attack. Frech> XF:freebsd-xmindpath ================================= Candidate: CAN-1999-0824 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BID:833 Reference: NTBUGTRAQ:19991130 SUBST problem Reference: BUGTRAQ:19991130 Subst.exe carelessness (fwd) A Windows NT user can use SUBST to map a drive letter to a folder, which is not unmapped after the user logs off, potentially allowing that user to modify the location of folders accessed by later users. INFERRED ACTION: CAN-1999-0824 ACCEPT_REV (3 accept, 0 ack, 1 review) Current Votes: ACCEPT(2) Stracener, Prosser MODIFY(1) Frech NOOP(1) Cole REVIEWING(1) Armstrong Comments: Frech> XF:nt-subst ================================= Candidate: CAN-1999-0825 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: CF Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7 Reference: BID:849 The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail. 
CONTENT-DECISIONS: CF-PERMS INFERRED ACTION: CAN-1999-0825 ACCEPT_REV (4 accept, 1 ack, 1 review) HAS_CDS Current Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech REVIEWING(1) Prosser Comments: Frech> XF:sco-mail-permissions ================================= Candidate: CAN-1999-0826 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BID:840 Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities Buffer overflow in FreeBSD angband allows local users to gain privileges. INFERRED ACTION: CAN-1999-0826 ACCEPT_REV (4 accept, 0 ack, 1 review) Current Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech REVIEWING(1) Prosser Comments: Frech> XF:angband-bo ================================= Candidate: CAN-1999-0827 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing. CONTENT-DECISIONS: CF-CHECKBOX INFERRED ACTION: CAN-1999-0827 ACCEPT_REV (4 accept, 0 ack, 1 review) HAS_CDS Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(2) Cole, Frech REVIEWING(1) Prosser Comments: Cole> The BID is 855. If I have the right vulnerability, this allows an Cole> attacker to access URLs of their choosing which could lead to a compromise Cole> of private information. Frech> XF:http-frame-spoof Frech> Question: Similar vulnerability to MS98-020 / CAN-1999-0869?
================================= Candidate: CAN-1999-0828 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: unknown Reference: BUGTRAQ:19991203 UnixWare and the dacread permission Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits Reference: BID:853 UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission. CONTENT-DECISIONS: CF-PERMS, SF-EXEC, SF-LOC INFERRED ACTION: CAN-1999-0828 SMC_REVIEW (4 accept, 2 review) HAS_CDS Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(2) Cole, Frech REVIEWING(2) Prosser, Christey Comments: Cole> This is BID 850. Christey> See comments on CAN-1999-0988. Perhaps these two should be Christey> merged. Frech> XF:sco-pkg-dacread-fileread ================================= Candidate: CAN-1999-0829 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991201 HP Secure Web Console HP Secure Web Console uses weak encryption. CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION INFERRED ACTION: CAN-1999-0829 ACCEPT_REV (3 accept, 0 ack, 1 review) HAS_CDS Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(1) Frech NOOP(1) Cole REVIEWING(1) Prosser Comments: Cole> I could not find details on this using the above references. Frech> XF:hp-secure-console ================================= Candidate: CAN-1999-0830 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco Buffer overflow in SCO UnixWare Xsco command via a long argument. INFERRED ACTION: CAN-1999-0830 ACCEPT_REV (4 accept, 0 ack, 1 review) Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(2) Cole, Frech REVIEWING(1) Prosser Comments: Cole> This is BID 824 and the BUGTRAQ reference is 19991125. 
Frech> XF:sco-unixware-xsco ================================= Candidate: CAN-1999-0831 Published: Final-Decision: Interim-Decision: 20000111 Modified: 20000111-01 Proposed: 19991208 Assigned: 19991207 Category: SF Reference: CALDERA:CSSA-1999-035.0 Reference: REDHAT:RHSA1999055-01 Reference: SUSE:19991118 syslogd-1.3.33 (a1) Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] Reference: BID:809 Reference: XF:slackware-syslogd-dos Denial of service in Linux syslogd via a large number of connections. Modifications: ADDREF CALDERA:CSSA-1999-035.0 ADDREF REDHAT:RHSA1999055-01 ADDREF SUSE:19991118 syslogd-1.3.33 (a1) DESC Change description to apply to all Linux ADDREF XF:slackware-syslogd-dos ADDREF BID:809 INFERRED ACTION: CAN-1999-0831 ACCEPT (5 accept, 4 ack, 0 review) Current Votes: ACCEPT(3) Armstrong, Cole, Prosser MODIFY(2) Stracener, Frech NOOP(1) Christey Comments: Christey> ADDREF CALDERA:CSSA-1999-035.0 Christey> ADDREF REDHAT:RHSA1999055-01 Christey> ADDREF SUSE:19991118 syslogd-1.3.33 (a1) Christey> Change description to apply to all Linux Stracener> Given that this issue is not slackware-specific, the description should Stracener> be made more generic, possibly: "Denial of service in syslogd via a Stracener> large number of connections" Stracener> Add Ref: CSSA-1999-035.0 Stracener> Add Ref: RHSA1999055-01 Stracener> Add Ref: SuSE Security Announcement - syslogd (a1) Stracener> Add Ref: Cobalt Networks -- Security Advisory -- 11.20.1999 (syslog) Frech> XF:slackware-syslogd-dos ================================= Candidate: CAN-1999-0832 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available] Buffer overflow in Slackware 7.0 NFS server allows attackers to execute commands via a long pathname. 
INFERRED ACTION: CAN-1999-0832 ACCEPT_REV (4 accept, 1 ack, 1 review) Current Votes: ACCEPT(2) Armstrong, Cole MODIFY(2) Stracener, Frech REVIEWING(1) Prosser Comments: Stracener> Suggest removing "Slackware 7.0" from the description Stracener> Add Ref: CSSA-1999-033.0 Stracener> Add Ref: DEBIAN: nfs-server: buffer overflow in nfs server 11/11/99 Stracener> Add Ref: SuSE Security Announcement "nfs-server < 2.2beta47 within Stracener> nkita" 11/12/99 Frech> XF:linux-nfs-maxpath-bo ================================= Candidate: CAN-1999-0834 Published: Final-Decision: Interim-Decision: 20000111 Modified: 20000111-01 Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991201 Security Advisory: Buffer overflow in RSAREF2 Reference: BUGTRAQ:19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2) Reference: CERT:CA-99-15 Reference: BID:843 Reference: XF:rsaref-bo Buffer overflow in RSAREF2 via the encryption and decryption functions in the RSAREF library. Modifications: ADDREF XF:rsaref-bo INFERRED ACTION: CAN-1999-0834 ACCEPT (5 accept, 2 ack, 0 review) Current Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(2) Prosser, Frech Comments: Prosser> Ref: CERT Ca-99-15, Buffer Overflows in SSH Daemon and RSAREF2 Library Prosser> SecuriTeam.com, SSH1.2.27 is vulnerable to a remote buffer overflow (RSAREF) Frech> XF:rsaref-bo ================================= Candidate: CAN-1999-0836 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991202 UnixWare 7 uidadmin exploit + discussion UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack. INFERRED ACTION: CAN-1999-0836 ACCEPT_REV (3 accept, 1 ack, 2 review) Current Votes: ACCEPT(1) Stracener MODIFY(2) Cole, Frech REVIEWING(2) Armstrong, Prosser Comments: Cole> The BID is 842. 
Frech> unixware-uid-admin ================================= Candidate: CAN-1999-0838 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command. INFERRED ACTION: CAN-1999-0838 SMC_REVIEW (5 accept, 1 review) Current Votes: ACCEPT(4) Armstrong, Cole, Stracener, Prosser MODIFY(1) Frech REVIEWING(1) Christey Comments: Christey> DUPE CVE-1999-0219? Frech> XF:servu-ftp-site-bo ================================= Candidate: CAN-1999-0840 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BID:832 Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow Buffer overflow in CDE dtmail and dtmailpr programs via the -f option. CONTENT-DECISIONS: SF-CODEBASE, SF-LOC INFERRED ACTION: CAN-1999-0840 ACCEPT_REV (3 accept, 0 ack, 1 review) HAS_CDS Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(1) Frech NOOP(1) Cole REVIEWING(1) Prosser Comments: Cole> I went to 1129 and it looks like a reference for a different Cole> vulnerability. Frech> In the description, should dtmailptr be dtmailpr? Frech> XF:solaris-dtmailpr-overflow Frech> XF:solaris-dtmail-overflow ================================= Candidate: CAN-1999-0841 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BID:832 Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow Buffer overflow in CDE mailtool allows local users to gain root privilege via a long MIME Content-Type. 
CONTENT-DECISIONS: SF-CODEBASE, SF-LOC INFERRED ACTION: CAN-1999-0841 ACCEPT_REV (4 accept, 0 ack, 1 review) HAS_CDS Current Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech REVIEWING(1) Prosser Comments: Frech> XF:cde-mailtool-bo ================================= Candidate: CAN-1999-0842 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BID:827 Reference: NTBUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability Reference: BUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack. INFERRED ACTION: CAN-1999-0842 ACCEPT_REV (4 accept, 0 ack, 1 review) Current Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech REVIEWING(1) Prosser Comments: Frech> XF:symantec-mail-dir-traversal ================================= Candidate: CAN-1999-0843 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1) Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1) Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port. 
INFERRED ACTION: CAN-1999-0843 ACCEPT_REV (3 accept, 0 ack, 1 review) Current Votes: ACCEPT(2) Cole, Stracener MODIFY(1) Frech NOOP(1) Armstrong REVIEWING(1) Prosser Comments: Frech> XF:cisco-nat-dos ================================= Candidate: CAN-1999-0844 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability Reference: BID:823 Reference: BID:820 Denial of service in MDaemon WorldClient and WebConfig services via a long URL. CONTENT-DECISIONS: SF-EXEC, SF-LOC INFERRED ACTION: CAN-1999-0844 RECAST (1 recast, 3 accept, 1 review) HAS_CDS Current Votes: ACCEPT(1) Stracener MODIFY(2) Cole, Frech NOOP(1) Armstrong RECAST(1) Christey REVIEWING(1) Prosser Comments: Cole> 823 and 820 are two different vulnerabilities and should be Cole> separated out. They are both buffer overflows but accomplish it in a Cole> different fashion and the end exploit is different. Frech> (RECAST?) Frech> XF:mdaemon-worldclient-dos Frech> XF:mdaemon-webconfig-dos Frech> Recast request: This is really two services exhibiting the same problem. Christey> as suggested by others. ================================= Candidate: CAN-1999-0845 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su Reference: SCO:99.19 Reference: BUGTRAQ:19991128 SCO su patches Buffer overflow in SCO su program allows local users to gain root access via a long username. CONTENT-DECISIONS: CAN-1999-0317, DISCOVERY-DATE, SF-CODEBASE INFERRED ACTION: CAN-1999-0845 SMC_REVIEW (5 accept, 1 review) HAS_CDS Current Votes: ACCEPT(4) Armstrong, Cole, Stracener, Prosser MODIFY(1) Frech REVIEWING(1) Christey Comments: Christey> DUPE CAN-1999-0317? 
Frech> XF:sco-su-username-bo ================================= Candidate: CAN-1999-0846 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability Denial of service in MDaemon 2.7 via a large number of connection attempts. INFERRED ACTION: CAN-1999-0846 ACCEPT_REV (4 accept, 1 ack, 1 review) Current Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech REVIEWING(1) Prosser Comments: Frech> XF:mdaemon-dos ================================= Candidate: CAN-1999-0847 Published: Final-Decision: Interim-Decision: 20000111 Modified: 20000111-01 Proposed: 19991208 Assigned: 19991207 Category: SF Reference: BUGTRAQ:19991129 FICS buffer overflow Reference: XF:fics-board-bo Buffer overflow in free internet chess server (FICS) program, xboard. Modifications: ADDREF XF:fics-board-bo INFERRED ACTION: CAN-1999-0847 ACCEPT (3 accept, 0 ack, 0 review) Current Votes: ACCEPT(2) Armstrong, Stracener MODIFY(1) Frech NOOP(2) Cole, Prosser Comments: Frech> XF:fics-board-bo ================================= Candidate: CAN-1999-0850 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19991208 Assigned: 19991207 Category: CF Reference: BID:845 Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18 The default permissions for Endymion MailMan allow local users to read email or modify files. 
CONTENT-DECISIONS: CF-PERMS

INFERRED ACTION: CAN-1999-0850 ACCEPT_REV (3 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
ACCEPT(2) Cole, Stracener
MODIFY(1) Frech
NOOP(1) Armstrong
REVIEWING(1) Prosser

Comments:
Frech> XF:endymion-mailman-perms

=================================
Candidate: CAN-1999-0852
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BID:844
Reference: BUGTRAQ:19991202 WebSphere protections from installation

IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.

CONTENT-DECISIONS: CF-PERMS

INFERRED ACTION: CAN-1999-0852 ACCEPT_REV (4 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
REVIEWING(1) Prosser

Comments:
Frech> XF:websphere-protect

=================================
Candidate: CAN-1999-0853
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:847
Reference: ISS:19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
Reference: XF:netscape-fasttrack-auth-bo

Buffer overflow in Netscape Enterprise Server and Netscape FastTrack Server allows remote attackers to gain privileges via the HTTP Basic Authentication procedure.

Modifications:
ADDREF XF:netscape-fasttrack-auth-bo

INFERRED ACTION: CAN-1999-0853 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
ACCEPT(3) Armstrong, Stracener, Prosser
MODIFY(2) Cole, Frech

Comments:
Cole> I would add that this is a remote buffer overflow...
Frech> XF:netscape-fasttrack-auth-bo

=================================
Candidate: CAN-1999-0854
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: unknown
Reference: BUGTRAQ:19991130 Ultimate Bulletin Board v5.3x? Bug

Ultimate Bulletin Board stores data files in the cgi-bin directory, allowing remote attackers to view the data if an error occurs when the HTTP server attempts to execute the file.

INFERRED ACTION: CAN-1999-0854 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
ACCEPT(2) Armstrong, Cole
MODIFY(1) Frech
NOOP(1) Stracener
REVIEWING(1) Prosser

Comments:
Frech> XF:http-ultimate-bbs

=================================
Candidate: CAN-1999-0855
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Buffer overflow in FreeBSD gdc program.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0855 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
ACCEPT(3) Armstrong, Stracener, Prosser
MODIFY(2) Cole, Frech

Comments:
Cole> The BID is 834 and the reference is 19991201 not 1130.
Frech> XF:freebsd-gdc-bo

=================================
Candidate: CAN-1999-0856
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Slackware 7.0 - login bug

login in Slackware 7.0 allows remote attackers to identify valid users on the system by reporting an encryption error when an account is locked or does not exist.

INFERRED ACTION: CAN-1999-0856 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
REVIEWING(1) Prosser

Comments:
Frech> XF:slackware-remote-login

=================================
Candidate: CAN-1999-0857
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Reference: BID:835

FreeBSD gdc program allows local users to modify files via a symlink attack.
CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0857 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
ACCEPT(3) Armstrong, Stracener, Prosser
MODIFY(2) Cole, Frech

Comments:
Cole> This is via debug output.
Frech> XF:freebsd-gdc

=================================
Candidate: CAN-1999-0859
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837

Solaris arp allows local users to read files via the -f parameter, which lists lines in the file that do not parse properly.

INFERRED ACTION: CAN-1999-0859 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(2) Cole, Frech
REVIEWING(1) Prosser

Comments:
Cole> This attack makes it possible to read bin and owned files to which
Cole> read access is not permitted to local users through exploiting subtle
Cole> vulnerabilities in arp and chkperm.
Frech> XF:sol-arp-parse

=================================
Candidate: CAN-1999-0860
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837

Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

INFERRED ACTION: CAN-1999-0860 REJECT (1 reject, 3 accept, 1 review)

Current Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(1) Frech
REJECT(1) Cole
REVIEWING(1) Prosser

Comments:
Cole> This is the same as the previous.
Frech> XF:sol-chkperm-vmsys

=================================
Candidate: CAN-1999-0862
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems

Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.
CONTENT-DECISIONS: CF-PERMS

INFERRED ACTION: CAN-1999-0862 ACCEPT_REV (4 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
REVIEWING(1) Prosser

Comments:
Frech> XF:postgresql-insecure-perms

=================================
Candidate: CAN-1999-0863
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0863 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
ACCEPT(4) Armstrong, Cole, Stracener, Prosser
MODIFY(1) Frech

Comments:
Frech> XF:freebsd-seyon-bo

=================================
Candidate: CAN-1999-0864
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare coredumps follow symlinks
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BID:851

UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file.

INFERRED ACTION: CAN-1999-0864 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
REVIEWING(1) Prosser

Comments:
Frech> XF:sco-coredump-symlink

=================================
Candidate: CAN-1999-0865
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 CommuniGatePro 3.1 for NT DoS
Reference: NTBUGTRAQ:19991203 CommuniGatePro 3.1 for NT Buffer Overflow

Buffer overflow in CommuniGatePro via a long string to the HTTP configuration port.
INFERRED ACTION: CAN-1999-0865 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
REVIEWING(1) Prosser

Comments:
Frech> XF:communigate-pro-bo

=================================
Candidate: CAN-1999-0866
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 UnixWare gain root with non-su/gid binaries
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BID:848

Buffer overflow in UnixWare xauto program allows local users to gain root privilege.

INFERRED ACTION: CAN-1999-0866 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(2) Cole, Frech
REVIEWING(1) Prosser

Comments:
Cole> I would take out the word local.
Frech> XF:sco-xauto-bo