[FINAL] ACCEPT 22 legacy candidates from various clusters
I have made a Final Decision to ACCEPT the following candidates. These candidates are now assigned CVE names as noted below. The resulting CVE entries will be published in the near future in a new version of CVE. Voting details and comments are provided at the end of this report.

- Steve

Candidate       CVE Name
---------       ----------
CAN-1999-0203   CVE-1999-0203
CAN-1999-0780   CVE-1999-0780
CAN-1999-0781   CVE-1999-0781
CAN-1999-0782   CVE-1999-0782
CAN-1999-0803   CVE-1999-0803
CAN-1999-0824   CVE-1999-0824
CAN-1999-0889   CVE-1999-0889
CAN-1999-0895   CVE-1999-0895
CAN-1999-0897   CVE-1999-0897
CAN-1999-0950   CVE-1999-0950
CAN-1999-0957   CVE-1999-0957
CAN-1999-0997   CVE-1999-0997
CAN-1999-1005   CVE-1999-1005
CAN-1999-1007   CVE-1999-1007
CAN-1999-1010   CVE-1999-1010
CAN-2000-0010   CVE-2000-0010
CAN-2000-0012   CVE-2000-0012
CAN-2000-0014   CVE-2000-0014
CAN-2000-0020   CVE-2000-0020
CAN-2000-0024   CVE-2000-0024
CAN-2000-0033   CVE-2000-0033
CAN-2000-0042   CVE-2000-0042
CAN-2000-0043   CVE-2000-0043
CAN-2000-0050   CVE-2000-0050
CAN-2000-0051   CVE-2000-0051
CAN-2000-0070   CVE-2000-0070
CAN-2000-0112   CVE-2000-0112
CAN-2000-0165   CVE-2000-0165
CAN-2000-0181   CVE-2000-0181
CAN-2000-0184   CVE-2000-0184
CAN-2000-0185   CVE-2000-0185
CAN-2000-0192   CVE-2000-0192
CAN-2000-0206   CVE-2000-0206
CAN-2000-0223   CVE-2000-0223

=================================
Candidate: CAN-1999-0031
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript
Reference: HP:HPSBUX9707-065
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html

JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.

Modifications:
  ADDREF HP:HPSBUX9707-065
  DESC add affected browsers and versions, mentioned Bell Labs

INFERRED ACTION: CAN-1999-0031 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(1) Cole
  MODIFY(2) Levy, Wall
  NOOP(2) Northcutt, Christey

Comments:
 Christey> The CERT advisory is at http://www.cert.org/advisories/CA-97.20.javascript.html
 Christey>
 Christey> ADDREF HP:HPSBUX9707-065
 Christey> http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html
 Christey>
 Christey> According to the CERT advisory, this issue affects Internet
 Christey> Explorer 3.x and 4.x, and Netscape 2.x, 3.x, and 4.x.
 Christey> Include this in the description.
 Levy> Need a better description of the vulnerability there were several JS
 Levy> vulnerabilities in the same time frame that had similar results but
 Levy> were poorly documented. This, the Bell Labs vulnerability, was one of them.
 Levy> This is one of the other ones:
 Levy> http://www.securityfocus.com/templates/archive.pike?list=1&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970711140700Z-21724@de-mch-he01a.exchange.pn.siemens.de
 Wall> Add Internet Explorer 5 also. See
 Wall> http://www.microsoft.com/technet/security/bulletin/ms99-043.asp which allows
 Wall> JavaScript to read files on other computers.
 Christey> MS:MS99-043 is already handled by CVE-1999-0793. This one is
 Christey> different because IE 3.x and 4.x are affected; for
 Christey> CVE-1999-0793, it affected 4.x and 5.x. Also, this one
 Christey> just allows someone to read cookies, HTML form data, and
 Christey> what URLs were visited. CVE-1999-0793 allows the attacker
 Christey> to read files on the target's computer. Thus this one is
 Christey> different than CVE-1999-0793, and MS:MS99-043 should not be
 Christey> added.
 Christey>
 Christey> The reference that Elias provided describes 2 bugs, neither
 Christey> of which is the "Bell Labs" bug, i.e. this candidate (just to
 Christey> confirm what Elias said; the CERT advisory explicitly thanks
 Christey> Bell Labs). The first bug *sounds* a lot like this candidate, but
 Christey> didn't need Javascript. Refer to this as the "Danish bug"
 Christey> since it was "discovered by a Danish IS consultant company."
 Christey>
 Christey> The second bug describes the same symptoms as CVE-1999-0793.
 Christey> However, this reference only describes the problem for
 Christey> Netscape Navigator; CVE-1999-0793 only mentions IE.
 Christey> Thus it's possible that the problem was identified and fixed
 Christey> for Netscape, and later "rediscovered" by Microsoft and
 Christey> addressed for Internet Explorer. (The CD:DISCOVERY-DATE content
 Christey> decision, when reviewed by the Board, will dictate what to
 Christey> do in these sorts of cases). But then again, they could be
 Christey> different bugs entirely, but they just happen to have the same
 Christey> symptoms. If the bug is more in the Javascript model than in
 Christey> the implementation, then maybe CD:SF-CODEBASE won't apply.
 Christey> We might be able to roll this second bug in with
 Christey> CVE-1999-0793; thus we may need to REASSESS CVE-1999-0793 in
 Christey> the future.
 Christey>
 Christey> It is possible that this second bug is the same as the
 Christey> "Singapore privacy bug" described here:
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-28&msg=Pine.SUN.3.94.970728112219.25473B-100000@dfw.dfw.net
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-22&msg=Pine.SUN.3.94.970726193056.27668B-100000@dfw.dfw.net
 Christey>
 Christey> These posts were on July 22 and 28. Singapore is dated after
 Christey> the initial CERT advisory and references LiveConnect, which
 Christey> "enables communication between JavaScript and Java applets."
 Christey> Kuo Chiang, the person referenced in the above posts as the
 Christey> discoverer, sent a followup a week later on August 1:
 Christey>
 Christey> http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719458&w=2
 Christey> But this is merely a clarification of the earlier problem, as
 Christey> his post includes a reference to a ZDNet article written
 Christey> on July 25.
 Christey>
 Christey> The poster referred to by Elias, Matthias Dominick, sent a
 Christey> followup to the CERT advisory saying that the Danish bug
 Christey> appeared to be fixed, but the Bell Labs bug wasn't.
 Christey>
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970710145437Z-20375@de-mch-he01a.exchange.pn.siemens.de
 Christey>
 Christey> Two legacy candidates will eventually be created to handle
 Christey> these 2 other bugs, i.e. Singapore and Danish.
 Christey>
 Christey> In the meantime, the description for this one can be extended
 Christey> to mention the Bell Labs bug and include pointers back to some
 Christey> of the related posts.
 Christey>
 Christey> If this mess isn't an argument for a naming standard, I don't
 Christey> know what is :-) :-) On a more serious note, this is an
 Christey> indicator of why it may be important for CVE to provide a way
 Christey> of distinguishing between different bugs discovered in the
 Christey> same software at around the same time (CD:SF-LOC will address this,
 Christey> and is one of the first CD's we will discuss when I reintroduce
 Christey> them).
 Levy> Add "Bell Labs" to the description or name.
=================================
Candidate: CAN-1999-0118
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000106-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91158980826979&w=2
Reference: XF:aix-infod

AIX infod allows local users to gain root access through an X display.

Modifications:
  ADDREF XF:aix-infod
  ADDREF BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD

INFERRED ACTION: CAN-1999-0118 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(2) Stracener, Northcutt
  MODIFY(1) Frech
  NOOP(6) Shostack, Wall, Christey, LeBlanc, Cole, Armstrong

Comments:
 Frech> XF:aix-infod
 Christey> See BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
 Christey> AIX APAR's confirm this problem: IX84642, IX89281, and IX84642

=================================
Candidate: CAN-1999-0124
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon.

Modifications:
  DESC Add versions

INFERRED ACTION: CAN-1999-0124 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(2) Frech, Levy
  NOOP(3) Christey, Wall, Cole

Comments:
 Christey> Modify the description to include the version numbers
 Christey> 1.12 and 2.0x
 Christey>
 Christey> The advisory is at
 Christey> http://www.cert.org/advisories/CA-93.11.UMN.UNIX.gopher.vulnerability.html
 Christey>

=================================
Candidate: CAN-1999-0142
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr
Reference: XF:http-java-appletsecmgr

The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.

Modifications:
  DESC include Netscape and JDK, with version numbers
  ADDREF XF:http-java-appletsecmgr

INFERRED ACTION: CAN-1999-0142 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(3) Hill, Shostack, Wall
  MODIFY(1) Frech
  NOOP(1) Christey
  RECAST(1) Northcutt

Comments:
 Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and
 Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted
 Northcutt> applets) can connect to arbitrary hosts as a matter of course. You
 Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar
 Northcutt> expert before issuing this one. NOTE: another reason to consider
 Northcutt> the original date!!!
 Christey> Noting Steve Northcutt's comments, perhaps we would need to modify the
 Christey> description somewhat to distinguish between current Java versions and
 Christey> the one that had this vulnerability. However, the CERT reference
 Christey> associates a general place and time for where this vulnerability
 Christey> arose, so I don't think it's too big of a deal.
 Frech> Reference: XF:http-java-appletsecmgr

=================================
Candidate: CAN-1999-0210
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: HP:HPSBUX9910-104
Reference: CERT:CA-99-05
Reference: BID:235

Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.

Modifications:
  Changed description and added references.
  ADDREF BID:235

INFERRED ACTION: CAN-1999-0210 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(2) Levy, Cole
  MODIFY(2) Shostack, Frech
  NOOP(3) Northcutt, Christey, Wall

Comments:
 Shostack> I think there was an SNI advisory on this
 Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options)
 Christey>
 Christey> SNI did not publish an advisory; however, Oliver Friedrichs
 Christey> sent a post saying that SNI's security tool tested for it.
 Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=91553343311719&w=2
 Christey>
 Christey> This is a tough one. There's an old automount bug that's
 Christey> only locally exploitable, then a newer rpc.statd bug allows
 Christey> it to be remotely exploitable. There's at least two bugs,
 Christey> but should there be three?
 Christey>
 Christey> Also see CAN-1999-0493
 Levy> ADDREF: BID:235
 Levy> There are three vulns. BID 235, BID 729, and BID 450.
=================================
Candidate: CAN-1999-0225
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000524-02
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:19980214 Windows NT Logon Denial of Service
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp
Reference: MSKB:Q180963
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963
Reference: XF:nt-logondos

Windows NT 4.0 allows remote attackers to cause a denial of service via a malformed SMB logon request in which the actual data size does not match the specified size.

Modifications:
  ADDREF MSKB:Q180963
  ADDREF XF:nt-logondos
  reword description
  Canonicalize NAI advisory

INFERRED ACTION: CAN-1999-0225 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(7) Hill, Magdych, Stracener, LeBlanc, Northcutt, Cole, Armstrong
  MODIFY(1) Frech
  NOOP(1) Wall

Comments:
 Frech> XF:nt-logondos

=================================
Candidate: CAN-1999-0323
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000524-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:04
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:04.mmap.asc
Reference: NETBSD:1998-003
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-003.txt.asc
Reference: XF:bsd-mmap

FreeBSD mmap function allows users to modify append-only or immutable files.

Modifications:
  ADDREF NETBSD:1998-003
  ADDREF XF:bsd-mmap

INFERRED ACTION: CAN-1999-0323 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(5) Hill, Stracener, Northcutt, Cole, Armstrong
  MODIFY(1) Frech
  NOOP(1) LeBlanc

Comments:
 Frech> ADDREF XF:bsd-mmap (was REVIEWING)

=================================
Candidate: CAN-1999-0407
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91983486431506&w=2
Reference: BUGTRAQ:19990209 Re: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92000623021036&w=2
Reference: XF:iis-iisadmpwd

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

Modifications:
  Modified Bugtraq ref, added KB article and ISS ref
  DELREF MSKB:Q184619 - doesn't refer to this problem

INFERRED ACTION: CAN-1999-0407 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(4) Stracener, LeBlanc, Northcutt, Cole
  MODIFY(1) Frech
  NOOP(2) Christey, Armstrong

Comments:
 Frech> ADDREF XF:iis-iisadmpwd
 Christey> Q184619 doesn't appear to describe this problem. However,
 Christey> Russ Cooper confirms it in a followup email.

=================================
Candidate: CAN-1999-0464
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 19991205-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990104 Tripwire mess..
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91553066310826&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2

Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.

Modifications:
  ADDREF BUGTRAQ:19990104 Tripwire mess..

INFERRED ACTION: CAN-1999-0464 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(2) Stracener, Northcutt
  MODIFY(1) Frech
  NOOP(4) Christey, LeBlanc, Cole, Armstrong

Comments:
 Frech> XF:tripwire-long-filename-dos
 Christey> XF:tripwire-long-filename-dos doesn't exist.

=================================
Candidate: CAN-1999-0491
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000418-02
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990420 Bash Bug
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org
Reference: CALDERA:CSSA-1999-008.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt
Reference: BID:119
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=119

The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.

Modifications:
  CHANGEREF BUGTRAQ [title]
  ADDREF CALDERA:CSSA-1999-008.0

INFERRED ACTION: CAN-1999-0491 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(1) Levy
  MODIFY(1) Frech
  NOOP(3) Christey, Wall, Cole

Comments:
 Frech> bash-prompt-pars-dir
 Christey> XF:bash-prompt-pars-dir doesn't exist.
 Christey>
 Christey> ADDREF CALDERA:CSSA-1999-008.0

=================================
Candidate: CAN-1999-0493
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: SUN:00186
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba
Reference: CIAC:J-045
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: BID:450

rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd.

Modifications:
  Added numerous references
  ADDREF BID:450
  ADDREF CIAC:J-045

INFERRED ACTION: CAN-1999-0493 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(3) Northcutt, Levy, Cole
  NOOP(2) Christey, Wall

Comments:
 Christey> This candidate has been modified heavily.
 Levy> ADDREF: BID:450
 Christey> ADDREF CIAC:J-045

=================================
Candidate: CAN-1999-0668
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: BID:598
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Modifications:
  ADDREF XF:ms-scriptlet-eyedog-unsafe
  ADDREF MSKB:Q240308

INFERRED ACTION: CAN-1999-0668 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(4) Cole, Wall, Prosser, Ozancin
  MODIFY(2) Frech, Stracener
  REVIEWING(1) Christey

Comments:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Wall> Note: Was this not CVE 199-0376?
 Stracener> Add Ref: MSKB Q240308
 Christey> Should CAN-1999-0669 and 668 be merged? If not, then this is
 Christey> a reason for not merging CAN-1999-0988 and CAN-1999-0828.
=================================
Candidate: CAN-1999-0696
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990709 Exploit of rpc.cmsd
Reference: SCO:SB-99.12
Reference: SUN:00188
Reference: SUNBUG:4230754
Reference: HP:HPSBUX9908-102
Reference: COMPAQ:SSRT0614U_RPC_CMSD
Reference: CERT:CA-99-08
Reference: CIAC:J-051
Reference: XF:sun-cmsd-bo

Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd)

Modifications:
  ADDREF XF:sun-cmsd-bo
  ADDREF SUNBUG:4230754
  ADDREF BUGTRAQ:19990709 Exploit of rpc.cmsd
  ADDREF SCO:SB-99.12
  CHANGEREF HP:00102 HP:HPSBUX9908-102

INFERRED ACTION: CAN-1999-0696 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(3) Cole, Armstrong, Ozancin
  MODIFY(3) Frech, Stracener, Dik
  NOOP(1) Christey
  RECAST(1) Prosser

Comments:
 Frech> XF:sun-cmsd-bo
 Prosser> Correct me if I am wrong as I don't have the facilities to test this, but
 Prosser> Sun originally reported this vulnerability in Sun Bulletin 0166, Mar 1998.
 Prosser> The CVE Board accepted it as CVE-1999-0320. The 00188 Sun Bulletin in July
 Prosser> 1999 is an exact dupe of the 98 bulletin with the exception of some
 Prosser> additional patches for CDE on later versions of SunOS/Solaris. The CERT and
 Prosser> other vendor alerts are additional information on this BO for other vendor's
 Prosser> systems(why it took over a year?), but we already have a CVE number
 Prosser> outstanding for this vulnerability. Are these separate vulnerabilities? Or
 Prosser> the same one just found to affect more than originally thought? If so,
 Prosser> recommend merging this CAN into the existing CVE, and just adjust the
 Prosser> description in the existing CVE to reflect the additional vulnerable vendor
 Prosser> systems.
 Prosser> Additional reference: BID 486 and 524
 Stracener> Redundant references to J-051.
 Christey> The confusion appears to be related to patch versions; 104976-03 is
 Christey> recommended for SUN:00166, and 104976-04 is recommended for SUN:00188.
 Christey> Did Sun create a new version, with the same patch ID, for the new bug?
 Christey> Or was there an error in the patch for the older bug?
 Dik> #166 addresses Sun bug 1265008: a file overwrite/remove vulnerability
 Dik> #188 addresses Sun bug 4230754: buffer overflows.
 Dik>
 Dik> (I.e., the reverse from what you state)
 Dik>
 Dik> These are two separate problems: first one is lack of checking the
 Dik> names of calendars for reserved characters (/) the second is lack
 Dik> of bounds checking.
 Dik>
 Dik> Sun typically assigns only one patchid to patch a certain part
 Dik> of Solaris. When more problems are found, the patch gets rev'ed.
 Dik>
 Dik> The #166 problem was addressed, e.g., w/ patch 104976-03; subsequently,
 Dik> we address the #188 problem w/ 104976-04.
 Dik>
 Dik> The history is recorded in the README file of each patch.
 Dik>
 Dik> ADDREF SUNBUG 4230754
 Christey> ADDREF SCO:SB-99.12
 Christey> URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.12a
 Christey>
 Christey> ADDREF BUGTRAQ:19990709 Exploit of rpc.cmsd
 Christey> http://marc.theaimsgroup.com/?l=bugtraq&m=93154214531199&w=2
 Christey>
 Christey> CHANGEREF HP:00102 HP:HPSBUX9908-102

=================================
Candidate: CAN-1999-0719
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990802 Gnumeric potential security hole.
Reference: REDHAT:RHSA-1999:023-01
Reference: XF:gnu-guile-plugin-export
Reference: BID:563
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=563

The Guile plugin for the Gnumeric spreadsheet package allows attackers to execute arbitrary code.

Modifications:
  ADDREF BUGTRAQ:19990802 Gnumeric potential security hole.
  ADDREF XF:gnu-guile-plugin-export
  ADDREF REDHAT:RHSA-1999:023-01
  DESC include "gnumeric spreadsheet package"

INFERRED ACTION: CAN-1999-0719 FINAL (Final Decision 20000602)

Current Votes:
  MODIFY(3) Stracener, Frech, Christey

Comments:
 Stracener> Add Ref: BUGTRAQ:19990803 Gnumeric Potential Security Hole
 Stracener> Add Ref: REDHAT:RHSA-1999:023-01
 Frech> XF:gnu-guile-plugin-export
 Christey> BUGTRAQ:19990802 Gnumeric potential security hole.
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&msg=199908031423.JAA12210@erandi.nuclecu.unam.mx
 Christey>
 Christey> Change desc to include "gnumeric spreadsheet package"

=================================
Candidate: CAN-1999-0754
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000418-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: CALDERA:CSSA-1999-011.0
Reference: SUSE:19990518 Security hole in INN
Reference: MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html
Reference: BID:255
Reference: XF:inn-innconf-env

The INN inndstart program allows local users to gain privileges by specifying an alternate configuration file using the INNCONF environmental variable.

Modifications:
  ADDREF CALDERA:CSSA-1999-011.0
  ADDREF SUSE:19990518 Security hole in INN
  ADDREF MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html
  ADDREF BID:255

INFERRED ACTION: CAN-1999-0754 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(2) Stracener, Frech
  NOOP(2) Ozancin, Christey

Comments:
 Christey> BID:255 and BID:254 have a good explanation for why this is
 Christey> different than CAN-1999-0785
 Christey>
 Christey> ADDREF CALDERA:CSSA-1999-011.0
 Christey> ADDREF SUSE:19990518 Security hole in INN
 Christey> Also see http://www.redhat.com/corp/support/errata/inn99_05_22.html

=================================
Candidate: CAN-1999-0874
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-019.asp
Reference: MSKB:Q234905
Reference: EEYE:AD06081999
Reference: CERT:CA-99-07
Reference: CIAC:J-048
Reference: XF:iis-htr-overflow

Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.

Modifications:
  ADDREF XF:iis-htr-overflow
  DESC Add version number, remote, DoS

INFERRED ACTION: CAN-1999-0874 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(4) Wall, Prosser, Ozancin, Stracener
  MODIFY(1) Frech
  RECAST(1) Cole

Comments:
 Frech> XF:iis-htr-overflow
 Cole> This description is very general and covers about 5 different
 Cole> exploits with IIS.
 Cole> The thing to remember is that with Microsoft there are so many
 Cole> vulnerabilities that
 Cole> you must be very specific. I would add the following:
 Cole> Microsoft has released a patch that eliminates a vulnerability in
 Cole> the Taskpads feature, which is provided as
 Cole> part of the Microsoft® Windows® 98 Resource Kit, Windows 98
 Cole> Resource Kit Sampler, and BackOffice®
 Cole> Resource Kit, second edition. The vulnerability could allow a
 Cole> malicious web site operator to run executables
 Cole> on the computer of a visiting user. Only customers who have
 Cole> installed one of the affected products and who
 Cole> surf the web using the machines on which they are installed are at
 Cole> risk from this vulnerability.

=================================
Candidate: CAN-1999-1011
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 19991221
Category: SF
Reference: MS:MS98-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
Reference: MS:MS99-025
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
Reference: CIAC:J-054
Reference: ISS:19990809 Vulnerabilities in Microsoft Remote Data Service
Reference: BID:529
Reference: URL:http://www.ciac.org/ciac/bulletins/j-054.shtml
Reference: XF:nt-iis-rds

The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.

Modifications:
  ADDREF XF:nt-iis-rds
  ADDREF BID:529
  ADDREF ISS:19990809 Vulnerabilities in Microsoft Remote Data Service

INFERRED ACTION: CAN-1999-1011 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(4) LeBlanc, Cole, Prosser, Wall
  MODIFY(1) Frech
  NOOP(2) Christey, Armstrong

Comments:
 Frech> XF:nt-iis-rds
 Frech> ISS:ISS Security Advisory #32, Vulnerabilities in Microsoft Remote Data
 Frech> Service, http://xforce.iss.net/alerts/advise32.php3
 Christey> ADDREF BID:529

=================================
Candidate: CAN-2000-0323
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19990728 Alert : MS Office 97 Vulnerability
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=19990729195531.25108.qmail@underground.org
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=D1A11CCE78ADD111A35500805FD43F58019792A3@RED-MSG-04
Reference: MS:MS99-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
Reference: XF:jet-text-isam
Reference: BID:595
Reference: URL:http://www.securityfocus.com/level2/?go=vulnerabilities&id=595

The Microsoft Jet database engine allows an attacker to modify text files via a database query, aka the "Text I-ISAM" vulnerability.

Modifications:
  ADDREF XF:jet-text-isam

INFERRED ACTION: CAN-2000-0323 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
  MODIFY(1) Frech

Comments:
 Frech> XF:jet-text-isam

=================================
Candidate: CAN-2000-0327
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19991014 Another Microsoft Java Flaw Disovered
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93993545118416&w=2
Reference: MS:MS99-045
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-045.asp
Reference: XF:msvm-verifier-java

Microsoft Virtual Machine (VM) allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, aka the "Virtual Machine Verifier" vulnerability.

Modifications:
  ADDREF XF:msvm-verifier-java

INFERRED ACTION: CAN-2000-0327 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(4) LeBlanc, Cole, Prosser, Wall
  MODIFY(1) Frech
  NOOP(1) Armstrong

Comments:
 Frech> XF:msvm-verifier-java
 Frech> (Note: this XF tag is also assigned to "CVE-1999-0766: The Microsoft Java
 Frech> Virtual Machine allows a malicious Java applet to execute arbitrary commands
 Frech> outside of the sandbox environment." Reason: MS99-031 is vague and refers to
 Frech> the same Java issue.)
=================================
Candidate: CAN-2000-0328
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.19990824165629.00abcb40@192.168.124.1
Reference: MS:MS99-046
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
Reference: BID:604
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=604
Reference: XF:nt-sequence-prediction-sp4
Reference: XF:tcp-seq-predict

Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking.

Modifications:
  ADDREF XF:nt-sequence-prediction-sp4
  ADDREF XF:tcp-seq-predict

INFERRED ACTION: CAN-2000-0328 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
  MODIFY(1) Frech

Comments:
 Frech> XF:nt-sequence-prediction-sp4
 Frech> XF:tcp-seq-predict
 Cole> ACTUALLY A DOUBLE ACCEPT:)

=================================
Candidate: CAN-2000-0329
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-048
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-048.asp
Reference: XF:ie-active-setup-control

A Microsoft ActiveX control allows a remote attacker to execute a malicious cabinet file via an attachment and an embedded script in an HTML mail, aka the "Active Setup Control" vulnerability.

Modifications:
  ADDREF XF:ie-active-setup-control

INFERRED ACTION: CAN-2000-0329 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(3) LeBlanc, Prosser, Wall
  MODIFY(1) Frech
  NOOP(2) Cole, Armstrong

Comments:
 Frech> XF:ie-active-setup-control

=================================
Candidate: CAN-2000-0330
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-049
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-049.asp
Reference: XF:win-fileurl-overflow

The networking software in Windows 95 and Windows 98 allows remote attackers to execute commands via a long file name string, aka the "File Access URL" vulnerability.

Modifications:
  ADDREF XF:win-fileurl-overflow

INFERRED ACTION: CAN-2000-0330 FINAL (Final Decision 20000602)

Current Votes:
  ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
  MODIFY(1) Frech

Comments:
 Frech> XF:win-fileurl-overflow