[VOTE] MOREVOTES-1999-A: Candidates from 1999 needing 1 more vote
Each of the following 23 candidates needs just one more ACCEPT vote.
If you can help out, it is appreciated.

There are 4 other messages similar to this one, with different
candidates. Feel free to pick one at random if you don't have the
time to vote on them all.

It is strongly preferred that you get your votes in by October 9.

Thanks,
- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT    - voter accepts the candidate as proposed
NOOP      - voter has no opinion on the candidate
MODIFY    - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST    - candidate must be significantly modified, e.g. split or merged
REJECT    - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

KEY FOR INFERRED ACTIONS
------------------------

Inferred actions capture the voting status of a candidate.  They may
be used by the Editor to determine whether or not a candidate is added
to CVE.  Where there is disagreement, the Editor must resolve the
issue and achieve consensus, or make the final decision if consensus
cannot be reached.
  - ACCEPT     = 3 non-MITRE votes to ACCEPT/MODIFY, and no REVIEWING or REJECT
  - ACCEPT_ACK = 2 non-MITRE ACCEPT/MODIFY, and vendor acknowledgement
  - MOREVOTES  = needs more votes
  - ACCEPT_REV = 3 non-MITRE ACCEPT's but is delayed due to a REVIEWING
  - SMC_REJECT = REJECT by Steve Christey; likely to be rejected outright
  - SMC_REVIEW = REVIEWING by Steve Christey; likely related to CD's
  - REVIEWING  = at least one member is REVIEWING
  - REJECT     = at least one member REJECTed
  - REVOTE     = members should review their vote on this candidate

======================================================
Candidate: CAN-1999-0114
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0114
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Local users can execute commands as other users, and read other users'
files, through the filter command in the Elm elm-2.4 mail package
using a symlink attack.

Modifications:
  ADDREF XF:elm-filter2
  ADDREF BUGTRAQ:19951226 filter (elm package) security hole
  ADDREF BUGTRAQ:19990912 elm filter program

INFERRED ACTION: CAN-1999-0114 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Shostack
  MODIFY(1) Frech
  NOOP(2) Wall, Northcutt

Comments:
  Frech> XF:elm-filter2

VOTE:

======================================================
Candidate: CAN-1999-0193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0193
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Denial of service in Ascend and 3com routers, which can be rebooted by
sending a zero length TCP option.

INFERRED ACTION: CAN-1999-0193 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Shostack, Northcutt
  NOOP(1) Frech

Comments:
  Frech> possibly XF:ascend-kill
    I can't find a reference that lists both routers in the same reference.
 CHANGE> [Frech changed vote from REVIEWING to NOOP]
  Frech> Cannot reconcile to our database without further references.

VOTE:

======================================================
Candidate: CAN-1999-0213
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0213
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

libnsl in Solaris allowed an attacker to perform a denial of service
of rpcbind.

INFERRED ACTION: CAN-1999-0213 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Hill
  MODIFY(1) Frech
  NOOP(1) Meunier

Comments:
  Frech> XF:sun-libnsl

VOTE:

======================================================
Candidate: CAN-1999-0248
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0248
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

sshd 1.2.17 can be compromised through the SSH protocol.

INFERRED ACTION: CAN-1999-0248 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt
  MODIFY(1) Shostack
  NOOP(1) Frech

Comments:
  Shostack> http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
    looks to me to be about the correct message that came from Tatu.
    There are comments in changelog:
      * Improved the security of auth_input_request_forwarding().
    I'm not in favor of moving this forward without additional detail,
    but thought I'd add a confirming URL and comment.  We have
    insufficient detail to accept it as a CVE.
  Frech> Try http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1;
    to wit (see asterisked section):
    ...
    *****
    Versions of ssh prior to 1.2.17 had problems with authentication
    agent handling on some machines.  There is a chance (a race
    condition) that a malicious user could steal another user's
    credentials.  This should be fixed in 1.2.17.
    *****

VOTE:

======================================================
Candidate: CAN-1999-0253
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0253
Final-Decision:
Interim-Decision:
Modified: 2000106-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

IIS 3.0 with the iis-fix hotfix installed allows remote intruders to
read source code for ASP programs by using a %2e instead of a . (dot)
in the URL.

INFERRED ACTION: CAN-1999-0253 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Frech, Northcutt
  NOOP(2) Prosser, Christey

Comments:
  Christey> This is a problem that was introduced after patching a
    previous dot bug with the iis-fix hotfix (see CAN-1999-0154).
    Since the hotfix introduced the problem, this should be treated as
    a separate issue.

VOTE:

======================================================
Candidate: CAN-1999-0283
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0283
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer

The Java Web Server would allow remote users to obtain the source code
for CGI programs.

Modifications:
  ADDREF BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
  DESC Augment the description to include .jhtml

INFERRED ACTION: CAN-1999-0283 MOREVOTES-1 (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(2) Blake, Northcutt
  NOOP(1) Prosser
  REVIEWING(1) Frech

VOTE:

======================================================
Candidate: CAN-1999-0286
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0286
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

In some NT web servers, appending a space at the end of a URL may allow
attackers to read source code for active pages.
INFERRED ACTION: CAN-1999-0286 MOREVOTES-1 (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(1) Shostack
  MODIFY(1) Wall
  NOOP(2) Christey, Northcutt
  REVIEWING(1) Frech

Comments:
  Wall> In some NT web servers, appending a dot at the end of a URL may
    allow attackers to read source code for active pages.
    Source: MS Knowledge Base Article Q163485 - "Active Server Pages
    Script Appears in Browser"
  Frech> In the meantime, reword description as 'Windows NT'
    (trademark issue)
  Christey> Q163485 does not refer to a space, it refers to a dot.
    However, I don't have other references.  Reading source code with
    a dot appended is in CAN-1999-0154, which will be proposed.  A
    subsequent bug similar to the dot bug is CAN-1999-0253.

VOTE:

======================================================
Candidate: CAN-1999-0345
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0345
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Jolt ICMP attack causes a denial of service in Windows 95 and Windows
NT systems.

INFERRED ACTION: CAN-1999-0345 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(2) Frech, Wall
  NOOP(2) Northcutt, Christey

Comments:
  Wall> Invalid ICMP datagram fragments causes a denial of service in
    Windows 95 and Windows NT systems.  Reference: Q154174.
    Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
    It is a modified teardrop 2 attack.
  Frech> XF:nt-ssping
    ADDREF XF:ping-death
    ADDREF XF:teardrop-mod
    ADDREF XF:mpeix-echo-request-dos
  Christey> I can't tell whether the Jolt exploit at:
    http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
    is exploiting any different flaw than teardrop does.
VOTE:

======================================================
Candidate: CAN-1999-0360
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0360
Final-Decision:
Interim-Decision:
Modified: 20000530-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999

MS Site Server 2.0 with IIS 4 can allow users to upload content,
including ASP, to the target web site, thus allowing them to execute
commands remotely.

Modifications:
  CHANGEREF BUGTRAQ [canonicalize]

INFERRED ACTION: CAN-1999-0360 MOREVOTES-1 (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(2) Northcutt, Wall
  NOOP(2) Prosser, Christey
  REVIEWING(1) Frech

Comments:
  Christey> I can't find the original Bugtraq posting (it appears that
    mnemonix discovered the problem).

VOTE:

======================================================
Candidate: CAN-1999-0380
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0380
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990225 ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91996412724720&w=2
Reference: BID:497
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=497

SLMail 3.2 or 3.1 allows local users to access any file in the NTFS
file system when the Remote Administration Service (RAS) is enabled.
INFERRED ACTION: CAN-1999-0380 MOREVOTES-1 (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(2) Ozancin, Wall
  REVIEWING(1) Frech

VOTE:

======================================================
Candidate: CAN-1999-0381
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0381
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo
Reference: BID:342
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=342

super 3.11.6 and other versions have a buffer overflow in the syslog
utility which allows a local user to gain root access.

Modifications:
  DELREF SEKURE [obsolete]
  CHANGEREF BUGTRAQ [canonicalize]

INFERRED ACTION: CAN-1999-0381 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Ozancin, Frech
  NOOP(2) Christey, Wall

Comments:
  Christey> Is this the same as CVE-1999-0373?  They both have the same
    X-Force reference.  BID:342 suggests that there are two.
    http://www.debian.org/security/1999/19990215a suggests that there
    are two.  However, CVE-1999-0373 is written up in a fashion that is
    too general; and both XF:linux-super-bo and
    XF:linux-super-logging-bo refer to CVE-1999-0373.  CVE-1999-0373
    may need to be split.
  Frech> From what I can surmise, ISS released the original advisory
    (attached to linux-super-bo), and Sekure SDI expanded on it by
    releasing another related overflow in syslog (which is
    linux-super-logging-bo).  When I was originally assigning these
    issues, I placed both XF references and the ISS advisory on the
    -0373 candidate, since there was nothing else available.  Based on
    the information above, I'd request that XF:linux-super-logging-bo
    be removed from CVE-1999-0373.
  Christey> Given Andre's feedback, these are different issues.
    CVE-1999-0373 does not need to be split because the ISS reference
    is sufficient to distinguish that CVE from this candidate; however,
    the CVE-1999-0373 description should probably be modified slightly.

VOTE:

======================================================
Candidate: CAN-1999-0393
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0393
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want!
Reference: XF:sendmail-parsing-redirection

Remote attackers can cause a denial of service in Sendmail 8.8.x and
8.9.2 by sending messages with a large number of headers.

Modifications:
  ADDREF XF:sendmail-parsing-redirection
  CHANGEREF BUGTRAQ [change date to 19981212]
  ADDREF BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware

INFERRED ACTION: CAN-1999-0393 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(1) Christey

Comments:
  Frech> I assume that Reference: BUGTRAQ:Dec12,1999 is not attesting
    to the power of CVE to foresee events in the future.  This
    reference should be 12/12/98.
    ADDREF XF:sendmail-parsing-redirection
  Christey> This issue is acknowledged in
    BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware
    URL: http://marc.theaimsgroup.com/?l=bugtraq&m=91694391227372&w=2

VOTE:

======================================================
Candidate: CAN-1999-0429
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0429
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Mar23,1999
Reference: XF:lotus-client-encryption

The Lotus Notes 4.5 client may send a copy of encrypted mail in the
clear across the network if the user does not set the "Encrypt Saved
Mail" preference.
INFERRED ACTION: CAN-1999-0429 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Ozancin, Frech
  NOOP(1) Wall

VOTE:

======================================================
Candidate: CAN-1999-0440
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0440
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr4,1999
Reference: XF:java-unverified-code

The byte code verifier component of the Java Virtual Machine (JVM)
allows remote execution through malicious web pages.

INFERRED ACTION: CAN-1999-0440 MOREVOTES-1 (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(2) Ozancin, Frech
  REVIEWING(1) Wall

VOTE:

======================================================
Candidate: CAN-1999-0492
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0492
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr23,1999

The ffingerd 1.19 allows remote attackers to identify users on the
target system based on its responses.

INFERRED ACTION: CAN-1999-0492 MOREVOTES-1 (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(1) Northcutt
  MODIFY(1) Shostack
  REVIEWING(1) Frech

Comments:
  Shostack> isn't that what finger is supposed to do?

VOTE:

======================================================
Candidate: CAN-1999-0495
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0495
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

A remote attacker can gain access to a file system using .. (dot dot)
when accessing SMB shares.

INFERRED ACTION: CAN-1999-0495 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt
  MODIFY(1) Frech

Comments:
  Frech> XF:nb-dotdotknown(837)
    References would be appreciated.  We've got no reference for this
    issue; confidence rating is consequently low.
VOTE:

======================================================
Candidate: CAN-1999-0671
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0671
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:572
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=572

Buffer overflow in ToxSoft NextFTP client through CWD command.

INFERRED ACTION: CAN-1999-0671 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(2) Frech, Stracener

Comments:
  Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.035
  Frech> XF:toxsoft-nextftp-cwd-bo

VOTE:

======================================================
Candidate: CAN-1999-0672
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0672
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:573
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=573

Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics.

INFERRED ACTION: CAN-1999-0672 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(2) Frech, Stracener

Comments:
  Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.036
  Frech> XF:fujitsu-topic-bo

VOTE:

======================================================
Candidate: CAN-1999-0673
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0673
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:574
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=574

Buffer overflow in ALMail32 POP3 client via From: or To: headers.
INFERRED ACTION: CAN-1999-0673 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(2) Frech, Stracener

Comments:
  Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
  Frech> XF:almail-bo

VOTE:

======================================================
Candidate: CAN-1999-0675
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0675
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:576
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=576

Firewall-1 can be subjected to a denial of service via UDP packets
that are sent through VPN-1 to port 0 of a host.

INFERRED ACTION: CAN-1999-0675 MOREVOTES-1 (2 accept, 0 ack, 1 review)

Current Votes:
  MODIFY(2) Frech, Cole
  NOOP(1) Christey
  REVIEWING(1) Stracener

Comments:
  Cole> This only occurs when the VPN being used for the transport of
    the packet supports ISAKMP encryption.
  Frech> XF:checkpoint-port
    Modify description to read "Check Point Firewall-1 ..."
  Christey> http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9908051851320.8871-100000@area51

VOTE:

======================================================
Candidate: CAN-1999-0679
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0679
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990813 w00w00's efnet ircd advisory (exploit included)
Reference: BID:581
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=581

Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows
remote attackers to execute commands via m_invite invite option.
INFERRED ACTION: CAN-1999-0679 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Stracener
  MODIFY(1) Frech

Comments:
  Frech> XF:hybrid-ircd-minvite-bo

VOTE:

======================================================
Candidate: CAN-1999-0697
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0697
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990908 SCO 5.0.5 /bin/doctor nightmare
Reference: BID:621
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=621

SCO Doctor allows local users to gain root privileges through a Tools
option.

INFERRED ACTION: CAN-1999-0697 MOREVOTES-1 (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Stracener
  MODIFY(1) Frech
  NOOP(1) Ozancin

Comments:
  Frech> XF:sco-doctor-execute

VOTE:

======================================================
Candidate: CAN-1999-0698
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0698
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF

Denial of service in IP protocol logger (ippl) on Red Hat and Debian
Linux.

INFERRED ACTION: CAN-1999-0698 MOREVOTES-1 (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(1) Ozancin
  MODIFY(1) Frech
  NOOP(1) Christey
  REVIEWING(1) Stracener

Comments:
  Stracener> Is the candidate referring to the denial of service
    problem mentioned in the changelogs for versions previous to
    1.4.3-1 or does it pertain to some problem with or 1.4.8-1?
  Frech> Depending on the version, this could be any number of DoSes
    related to ippl.  From http://www.larve.net/ippl/:
      9 April 1999: version 1.4.3 released, correctly fixing a
        potential denial of service attack.
      7 April 1999: version 1.4.2 released, fixing a potential denial
        of service attack.
    XF:linux-ippl-dos
  Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY
    See comments for version 1.4.2 and 1.4.3
    Another source: http://freshmeat.net/news/1999/04/08/923586598.html

VOTE: