
[INTERIM] ACCEPT 191 candidates (Final June 21)



I have made an Interim Decision to ACCEPT the following 191
candidates.

I will make a Final Decision on June 21.

The candidates came from the following clusters:

   1 RECENT-66
   1 RECENT-68
   1 LEGACY-MS-ADV
   1 LEGACY-MISC-1999-B
   1 OLD-2000-A
   2 RECENT-69
  12 RECENT-75
   5 RECENT-76
   5 RECENT-77
  15 RECENT-78
  20 RECENT-79
  20 RECENT-80
  17 RECENT-81
   7 RECENT-82
  11 RECENT-83
  21 RECENT-84
   7 MISC-2001-001
   5 MISC-2001-002
   7 MISC-2001-003
   7 RECENT-85
   2 RECENT-86
  18 RECENT-88
   3 RECENT-05
   1 RECENT-41
   1 RECENT-46


Voters:
  Green ACCEPT(159) NOOP(3)
  Cole ACCEPT(172) NOOP(16)
  Balinsky NOOP(2)
  Foat ACCEPT(48) NOOP(138)
  Cox ACCEPT(10) MODIFY(3) NOOP(27)
  Williams ACCEPT(3) MODIFY(1)
  Christey MODIFY(1) NOOP(60)
  Wall ACCEPT(75) NOOP(112)
  Ziese ACCEPT(72) NOOP(4)
  Dik ACCEPT(2)
  Frech ACCEPT(70) MODIFY(44)
  Mell ACCEPT(1)
  Stracener ACCEPT(1) NOOP(1)
  Bollinger ACCEPT(2) MODIFY(1)
  Baker ACCEPT(79)
  Bishop ACCEPT(1)
  Armstrong ACCEPT(63) NOOP(9)



======================================================
Candidate: CAN-1999-1080
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1080
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990510 SunOS 5.7 rmmount, no nosuid.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92633694100270&w=2
Reference: BUGTRAQ:19991011
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93971288323395&w=2
Reference: BID:250
Reference: URL:http://www.securityfocus.com/bid/250
Reference: SUNBUG:4205437
Reference: XF:solaris-rmmount-gain-root(8350)

rmmount in SunOS 5.7 may mount file systems without the nosuid flag
set, contrary to the documentation and its use in previous versions of
SunOS, which could allow local users with physical access to gain root
privileges by mounting a floppy or CD-ROM that contains a setuid
program and running volcheck, when the file systems do not have the
nosuid option specified in rmmount.conf.


Modifications:
  ADDREF SUNBUG:4205437
  ADDREF XF:solaris-rmmount-gain-root(8350)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-1999-1080 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Dik
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Dik> sun bug: 4205437
 Frech> XF:solaris-rmmount-gain-root(8350)


======================================================
Candidate: CAN-1999-1362
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1362
Final-Decision:
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: MSKB:Q160601
Reference: URL:http://support.microsoft.com/support/kb/articles/q160/6/01.asp
Reference: XF:nt-win32k-dos(7403)
Reference: URL:http://www.iss.net/security_center/static/7403.php

Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a
denial of service (crash) by calling certain WIN32K functions with
incorrect parameters.


Modifications:
  ADDREF XF:nt-win32k-dos(7403)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-1999-1362 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:nt-win32k-dos(7403)


======================================================
Candidate: CAN-2000-0060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0060
Final-Decision:
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94647711311057&w=2
Reference: BUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94633851427858&w=2
Reference: BID:894
Reference: URL:http://www.securityfocus.com/bid/894
Reference: XF:avirt-rover-pop3-dos(3765)
Reference: URL:http://www.iss.net/security_center/static/3765.php

Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers
to cause a denial of service via a long user name.


Modifications:
  ADDREF XF:avirt-rover-pop3-dos
  DESC add version
  ADDREF NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0060 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech
   NOOP(1) Balinsky

Voter Comments:
 Frech> XF:avirt-rover-pop3-dos
 Balinsky> No mention of the problem or relevant patch on vendor website.
 Williams> Balinsky - this product is no longer supported by vendor.

   should include v1.1 for NT in title


======================================================
Candidate: CAN-2000-0072
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0072
Final-Decision:
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Warning: VCasel security hole.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94823061421676&w=2
Reference: BID:937
Reference: URL:http://www.securityfocus.com/bid/937
Reference: XF:vcasel-filename-trusting(3867)
Reference: URL:http://www.iss.net/security_center/static/3867.php

Visual Casel (Vcasel) does not properly prevent users from executing
files, which allows local users to use a relative pathname to specify
an alternate file which has an approved name and possibly gain
privileges.


Modifications:
  ADDREF XF:vcasel-filename-trusting(3867)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0072 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:vcasel-filename-trusting(3867)


======================================================
Candidate: CAN-2000-0087
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0087
Final-Decision:
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000113 Misleading sense of security in Netscape
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94790377622943&w=2
Reference: XF:netscape-mail-notify-plaintext(4385)
Reference: URL:http://www.iss.net/security_center/static/4385.php

Netscape Mail Notification (nsnotify) utility in Netscape Communicator
uses IMAP without SSL, even if the user has set a preference for
Communicator to use an SSL connection, allowing a remote attacker to
sniff usernames and passwords in plaintext.


Modifications:
  ADDREF XF:netscape-mail-notify-plaintext(4385)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0087 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:netscape-mail-notify-plaintext


======================================================
Candidate: CAN-2000-0976
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0976
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001012 another Xlib buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0211.html
Reference: SGI:20020502-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020502-01-I
Reference: BID:1805
Reference: URL:http://www.securityfocus.com/bid/1805
Reference: XF:xfree-xlib-bo(5751)
Reference: URL:http://www.iss.net/security_center/static/5751.php

Buffer overflow in xlib in XFree 3.3.x possibly allows local users to
execute arbitrary commands via a long DISPLAY environment variable or
a -display command line parameter.


Modifications:
  ADDREF XF:xfree-xlib-bo(5751)
  ADDREF SGI:20020502-01-I

Analysis
--------
Vendor Acknowledgement: yes advisory

INCLUSION:
This might not be exploitable, as a post by Robert van der Meulen says
that "the display number can only contain numeric values."  See
http://archives.neohapsis.com/archives/bugtraq/2000-10/0237.html

INFERRED ACTION: CAN-2000-0976 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Mell, Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Cole

Voter Comments:
 Frech> XF:xfree-xlib-bo(5751)
 Christey> This might not be exploitable; see followups
 CHANGE> [Christey changed vote from REVIEWING to NOOP]
 Christey> SGI:20020502-01-I


======================================================
Candidate: CAN-2000-1166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1166
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001124 Security problems with TWIG webmail system
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0351.html
Reference: CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG
Reference: BID:1998
Reference: URL:http://www.securityfocus.com/bid/1998
Reference: XF:twig-php3-script-execute(5581)

Twig webmail system does not properly set the "vhosts" variable if it
is not configured on the site, which allows remote attackers to insert
arbitrary PHP (PHP3) code by specifying an alternate vhosts as an
argument to the index.php3 program.


Modifications:
  ADDREF XF:twig-php3-script-execute(5581)
  ADDREF CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The entry in the vendor changelog dated December 18,
2000, says "Fixed security hole with respect to vhosts."

INFERRED ACTION: CAN-2000-1166 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey

Voter Comments:
 Frech> XF:twig-php3-script-execute(5581)
 Christey> CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG
   Dated December 18, 2000: "Fixed security hole with respect to
   vhosts."


======================================================
Candidate: CAN-2000-1193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1193
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:20000412 Performance Copilot for IRIX 6.5
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0056.html
Reference: XF:irix-pcp-pmcd-dos(4284)
Reference: URL:http://xforce.iss.net/static/4284.php
Reference: SGI:20020407-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020407-01-I

Performance Metrics Collector Daemon (PMCD) in Performance Copilot in
IRIX 6.x allows remote attackers to cause a denial of service
(resource exhaustion) via an extremely long string to the PMCD port.


Modifications:
  CHANGEREF XF:irix-pcp-pmcd-dos(4284)
  ADDREF SGI:20020407-01-I

Analysis
--------
Vendor Acknowledgement: yes advisory

CVE-2000-0283 is a different bug that was discovered and announced at
the same time.

INFERRED ACTION: CAN-2000-1193 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(2) Frech, Williams
   NOOP(5) Wall, Foat, Cole, Stracener, Christey

Voter Comments:
 Frech> XF:irix-pcp-pmcd-dos(4284)
   (same XF:ID number, but slightly different name)
 Williams> not just a DoS.  also involves information gathering vuln.
 Christey> ADDREF SGI:20020407-01-I


======================================================
Candidate: CAN-2001-0508
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0508
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010829
Assigned: 20010608
Category: SF
Reference: BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
Reference: URL:http://online.securityfocus.com/archive/1/182579
Reference: MS:MS01-044
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
Reference: XF:iis-webdav-long-request-dos(6982)
Reference: URL:http://www.iss.net/security_center/static/6982.php
Reference: BID:2690
Reference: URL:http://www.securityfocus.com/bid/2690

Vulnerability in IIS 5.0 allows remote attackers to cause a denial of
service (restart) via a long, invalid WebDAV request.


Modifications:
  ADDREF XF:iis-webdav-long-request-dos(6982)
  ADDREF BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
  ADDREF BID:2690

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0508 ACCEPT (8 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Foat, Cole, Armstrong, Bishop, Ziese
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:iis-webdav-long-request-dos(6982)
 Christey> Need to determine whether this CAN is fixing this problem:
   BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
   URL:http://www.securityfocus.com/archive/1/3AF56057.1CB06CBC@guninski.com
   If so, then ADDREF BID:2690 as well.
 Christey> Yes, these are the same issue
 Christey> BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
   URL:http://online.securityfocus.com/archive/1/182579
   (confirmed w/Microsoft)


======================================================
Candidate: CAN-2001-0550
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010718
Category: SF
Reference: VULN-DEV:20010430 some ftpd implementations mishandle CWD ~{
Reference: URL:http://www.securityfocus.com/archive/82/180823
Reference: BUGTRAQ:20011128 CORE-20011001: Wu-FTP glob heap corruption vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100700363414799&w=2
Reference: CERT:CA-2001-33
Reference: URL:http://www.cert.org/advisories/CA-2001-33.html
Reference: CERT-VN:VU#886083
Reference: URL:http://www.kb.cert.org/vuls/id/886083
Reference: REDHAT:RHSA-2001-157
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-157.html
Reference: CALDERA:CSSA-2001-041.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt
Reference: CALDERA:CSSA-2001-SCO.36
Reference: MANDRAKE:MDKSA-2001:090
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-090.php3
Reference: HP:HPSBUX0107-162
Reference: ISS:20011129 WU-FTPD Heap Corruption Vulnerability
Reference: BID:3581
Reference: URL:http://www.securityfocus.com/bid/3581
Reference: XF:wuftp-glob-heap-corruption(7611)

wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands
via a "~{" argument to commands such as CWD, which is not properly
handled by the glob function (ftpglob).


Modifications:
  ADDREF XF:wuftp-glob-heap-corruption(7611)
  ADDREF CALDERA:CSSA-2001-SCO.36

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0550 ACCEPT (5 accept, 6 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:wuftp-glob-heap-corruption(7611)
 Christey> CALDERA:CSSA-2001-SCO.36


======================================================
Candidate: CAN-2001-0553
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0553
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010727
Assigned: 20010724
Category: SF
Reference: BUGTRAQ:20010720 URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0486.html
Reference: CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
Reference: CERT-VN:VU#737451
Reference: URL:http://www.kb.cert.org/vuls/id/737451
Reference: CIAC:L-121
Reference: URL:http://www.ciac.org/ciac/bulletins/l-121.shtml
Reference: BID:3078
Reference: URL:http://www.securityfocus.com/bid/3078
Reference: XF:ssh-password-length-unauth-access(6868)

SSH Secure Shell 3.0.0 on Unix systems does not properly perform
password authentication to the sshd2 daemon, which allows local users
to gain access to accounts with short password fields, such as locked
accounts that use "NP" in the password field.


Modifications:
  ADDREF XF:ssh-password-length-unauth-access(6868)
  ADDREF CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
  ADDREF CERT-VN:VU#737451
  ADDREF BID:3078
  ADDREF CIAC:L-121

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-0553 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Frech
   NOOP(5) Christey, Wall, Foat, Cole, Ziese

Voter Comments:
 Frech> XF:ssh-password-length-unauth-access(6868)
 Christey> CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
   CERT-VN:VU#737451
   URL:http://www.kb.cert.org/vuls/id/737451
   BID:3078
   URL:http://www.securityfocus.com/bid/3078
   CIAC:L-121
   URL:http://www.ciac.org/ciac/bulletins/l-121.shtml


======================================================
Candidate: CAN-2001-0726
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0726
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010927
Category: SF
Reference: MS:MS01-057
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-057.asp
Reference: XF:exchange-owa-embedded-script-execution(7663)
Reference: BID:3650
Reference: URL:http://online.securityfocus.com/bid/3650

Outlook Web Access (OWA) in Microsoft Exchange 5.5 Server, when used
with Internet Explorer, does not properly detect certain inline
script, which can allow remote attackers to perform arbitrary actions
on a user's Exchange mailbox via an HTML e-mail message.


Modifications:
  ADDREF XF:exchange-owa-embedded-script-execution(7663)
  ADDREF BID:3650

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0726 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Foat, Cole, Green
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:exchange-owa-embedded-script-execution(7663)
 Christey> Consider adding BID:3650


======================================================
Candidate: CAN-2001-0727
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0727
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010927
Category: SF
Reference: BUGTRAQ:20011214 MSIE may download and run progams automatically
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100835204509262&w=2
Reference: BUGTRAQ:20011216 Re: MSIE may download and run progams automatically - NOT SO FAST
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100861273114437&w=2
Reference: MS:MS01-058
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-058.asp
Reference: CERT:CA-2001-36
Reference: URL:http://www.cert.org/advisories/CA-2001-36.html
Reference: XF:ie-file-download-execution(7703)
Reference: BID:3578

Internet Explorer 6.0 allows remote attackers to execute arbitrary
code by modifying the Content-Disposition and Content-Type header
fields in a way that causes Internet Explorer to believe that the file
is safe to open without prompting the user, aka the "File Execution
Vulnerability."


Modifications:
  ADDREF XF:ie-file-download-execution(7703)
  ADDREF BID:3578

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0727 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Foat, Cole, Green
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:ie-file-download-execution(7703)
 Christey> Consider adding BID:3578


======================================================
Candidate: CAN-2001-0731
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20011008
Category: SF
Reference: BUGTRAQ:20010709 How Google indexed a file with no external link
Reference: URL:http://www.securityfocus.com/archive/1/20010709214744.A28765@brasscannon.net
Reference: CONFIRM:http://www.apacheweek.com/issues/01-10-05#security
Reference: MANDRAKE:MDKSA-2001:077
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-077-1.php3
Reference: BID:3009
Reference: URL:http://www.securityfocus.com/bid/3009
Reference: XF:apache-multiviews-directory-listing(8275)
Reference: SGI:20020301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P

Apache 1.3.20 with Multiviews enabled allows remote attackers to view
directory contents and bypass the index page via a URL containing the
"M=D" query string.


Modifications:
  ADDREF XF:apache-multiviews-directory-listing(8275)
  ADDREF SGI:20020301-01-P

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0731 ACCEPT (8 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Foat, Cole, Armstrong, Ziese, Green
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Christey> SGI:20020301-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P
 Frech> XF:apache-multiviews-directory-listing(8275)


======================================================
Candidate: CAN-2001-0769
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0769
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010527 def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html
Reference: XF:guildftpd-null-memory-leak(6613)
Reference: URL:http://xforce.iss.net/static/6613.php

Memory leak in GuildFTPd Server 0.97 allows remote attackers to cause
a denial of service via a request containing a null character.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: the vendor acknowledged the problem via email on
3/8/2002.

INFERRED ACTION: CAN-2001-0769 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Foat, Frech
   NOOP(4) Christey, Wall, Cole, Armstrong

Voter Comments:
 Christey> Email ack received from guildftpd@nitrolic.com on 3/8/2002


======================================================
Candidate: CAN-2001-0770
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0770
Final-Decision:
Interim-Decision: 20020617
Modified: 20020308-01
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010527 def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html
Reference: XF:guildftpd-site-bo(6612)
Reference: URL:http://xforce.iss.net/static/6612.php
Reference: CONFIRM:http://www.nitrolic.com/help/history.htm

Buffer overflow in GuildFTPd Server 0.97 allows remote attacker to
execute arbitrary code via a long SITE command.


Modifications:
  ADDREF CONFIRM:http://www.nitrolic.com/help/history.htm

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: The history file says "Fixed some problems with the
SITE commands."  This by itself is not sufficient to prove
acknowledgement of *this* issue, but the vendor verified this via
email on 3/8/2002.

INFERRED ACTION: CAN-2001-0770 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Foat, Armstrong, Frech
   NOOP(3) Christey, Wall, Cole

Voter Comments:
 Christey> Possible ACK at http://www.nitrolic.com/help/history.htm
   Inquiry sent to guildftpd@nitrolic.com on 2/25/2002
 Christey> Email ack received from guildftpd@nitrolic.com on 3/8/2002


======================================================
Candidate: CAN-2001-0797
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0797
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011024
Category: SF
Reference: ISS:20011212 Buffer Overflow in /bin/login
Reference: URL:http://xforce.iss.net/alerts/advise105.php
Reference: BUGTRAQ:20011219 Linux distributions and /bin/login overflow
Reference: URL:http://www.securityfocus.com/archive/1/246487
Reference: CERT:CA-2001-34
Reference: URL:http://www.cert.org/advisories/CA-2001-34.html
Reference: CERT-VN:VU#569272
Reference: URL:http://www.kb.cert.org/vuls/id/569272
Reference: CALDERA:CSSA-2001-SCO.40
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/CSSA-2001-SCO.40.txt
Reference: SUN:00213
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213
Reference: AIXAPAR:IY26221
Reference: SGI:20011201-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I
Reference: SUNBUG:4516885
Reference: BUGTRAQ:20011214 Sun Solaris login bug patches out
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100844757228307&w=2
Reference: XF:telnet-tab-bo(7284)
Reference: URL:http://xforce.iss.net/static/7284.php
Reference: BID:3681
Reference: URL:http://www.securityfocus.com/bid/3681

Buffer overflow in login in various System V based operating systems
allows remote attackers to execute arbitrary commands via a large
number of arguments through services such as telnet and rlogin.


Modifications:
  ADDREF SUNBUG:4516885
  ADDREF BUGTRAQ:20011214 Sun Solaris login bug patches out

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0797 ACCEPT (3 accept, 8 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cole, Frech, Dik, Green
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Dik> Sun bugid: 4516885
 Christey> BUGTRAQ:20011214 Sun Solaris login bug patches out
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100844757228307&w=2


======================================================
Candidate: CAN-2001-0869
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0869
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011129
Category: SF
Reference: SUSE:SuSE-SA:2001:042
Reference: URL:http://lwn.net/alerts/SuSE/SuSE-SA%3A2001%3A042.php3
Reference: CALDERA:CSSA-2001-040.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-040.0.txt
Reference: REDHAT:RHSA-2001-150
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-150.html
Reference: REDHAT:RHSA-2001-151
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-151.html
Reference: MANDRAKE:MDKSA-2002:018
Reference: XF:cyrus-sasl-format-string(7443)
Reference: URL:http://xforce.iss.net/static/7443.php
Reference: FREEBSD:FreeBSD-SA-02:15
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:15.cyrus-sasl.asc

Format string vulnerability in the default logging callback function
in Cyrus SASL library (cyrus-sasl) may allow remote attackers to
execute arbitrary commands.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:018
  ADDREF FREEBSD:FreeBSD-SA-02:15

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0869 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:018
 Christey> ADDREF FREEBSD:FreeBSD-SA-02:15
   URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:15.cyrus-sasl.asc


======================================================
Candidate: CAN-2001-0872
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0872
Final-Decision:
Interim-Decision: 20020617
Modified: 20020228-01
Proposed: 20020131
Assigned: 20011203
Category: SF
Reference: BUGTRAQ:20011204 [Fwd: OpenSSH 3.0.2 fixes UseLogin vulnerability]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100749779131514&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100747128105913&w=2
Reference: REDHAT:RHSA-2001:161
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-161.html
Reference: SUSE:SuSE-SA:2001:045
Reference: URL:http://lists.suse.com/archives/suse-security-announce/2001-Dec/0001.html
Reference: DEBIAN:DSA-091
Reference: URL:http://www.debian.org/security/2001/dsa-091
Reference: XF:openssh-uselogin-execute-code(7647)
Reference: URL:http://xforce.iss.net/static/7647.php

OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly
cleanse critical environment variables such as LD_PRELOAD, which
allows local users to gain root privileges.


Modifications:
  ADDREF DEBIAN:DSA-091

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0872 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(6) Green, Wall, Baker, Foat, Cole, Frech


======================================================
Candidate: CAN-2001-0884
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0884
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011213
Category: SF
Reference: BUGTRAQ:20011128 Cgisecurity.com Advisory #7: Mailman Email Archive Cross Site Scripting
Reference: URL:http://www.securityfocus.com/archive/1/242839
Reference: CONECTIVA:CLA-2001:445
Reference: URL:http://www.securityfocus.com/advisories/3721
Reference: REDHAT:RHSA-2001:168
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-168.html
Reference: REDHAT:RHSA-2001:170
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-170.html
Reference: XF:mailman-java-css(7617)
Reference: URL:http://xforce.iss.net/static/7617.php
Reference: BID:3602
Reference: URL:http://www.securityfocus.com/bid/3602

Cross-site scripting vulnerability in Mailman email archiver before
2.08 allows attackers to obtain sensitive information or
authentication credentials via a malicious link that is accessed by
other web users.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0884 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0886
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0886
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011214
Category: SF
Reference: MISC:http://sources.redhat.com/ml/bug-glibc/2001-11/msg00109.html
Reference: BUGTRAQ:20011217 [Global InterSec 2001121001] glibc globbing issues.
Reference: URL:http://www.securityfocus.com/archive/1/245956
Reference: REDHAT:RHSA-2001-160
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-160.html
Reference: MANDRAKE:MDKSA-2001:095
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-095.php3
Reference: ENGARDE:ESA-20011217-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1752.html
Reference: XF:glibc-glob-bo(7705)
Reference: URL:http://xforce.iss.net/static/7705.php
Reference: BID:3707
Reference: URL:http://www.securityfocus.com/bid/3707

Buffer overflow in glob function of glibc allows attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
glob pattern that ends in a brace "{" character.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0886 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Green, Wall, Baker, Cole, Frech
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-0887
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0887
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011219
Category: SF
Reference: FREEBSD:FreeBSD-SA-01:68
Reference: URL:http://www.securityfocus.com/advisories/3734
Reference: BID:3700
Reference: URL:http://www.securityfocus.com/bid/3700
Reference: XF:xsane-temp-symlink(7714)
Reference: URL:http://xforce.iss.net/static/7714.php

xSANE 0.81 and earlier allows local users to modify files of other
xSANE users via a symlink attack on temporary files.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0887 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0888
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0888
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011219
Category: SF
Reference: BUGTRAQ:20011221 VIGILANTe advisory 2001003 : Atmel SNMP Non Public Community String DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100895903202798&w=2
Reference: XF:atmel-snmp-community-dos(7734)
Reference: URL:http://xforce.iss.net/static/7734.php
Reference: BID:3734
Reference: URL:http://www.securityfocus.com/bid/3734

Atmel Firmware 1.3 Wireless Access Point (WAP) allows remote attackers
to cause a denial of service via an SNMP request with (1) a community
string other than "public" or (2) an unknown OID, which causes the WAP
to deny subsequent SNMP requests.

Analysis
--------
Vendor Acknowledgement: yes advisory/yes followup/yes changelog/yes/unknown discloser-claimed/unknown vague/unknown/no disputed/no

INFERRED ACTION: CAN-2001-0888 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0889
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0889
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011221
Category: SF
Reference: BUGTRAQ:20011219 [ph10@cus.cam.ac.uk: [Exim] Potential security problem]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100877978506387&w=2
Reference: REDHAT:RHSA-2001:176
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-176.html
Reference: XF:exim-pipe-hostname-commands(7738)

Exim 3.22 and earlier, in some configurations, does not properly
verify the local part of an address when redirecting the address to a
pipe, which could allow remote attackers to execute arbitrary commands
via shell metacharacters.


Modifications:
  ADDREF XF:exim-pipe-hostname-commands(7738)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0889 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:exim-pipe-hostname-commands(7738)


======================================================
Candidate: CAN-2001-0894
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0894
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011115 Postfix session log memory exhaustion bugfix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100584160110303&w=2
Reference: MANDRAKE:MDKSA-2001:089
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-089.php3?dis=8.1
Reference: DEBIAN:DSA-093
Reference: URL:http://www.debian.org/security/2001/dsa-093
Reference: REDHAT:RHSA-2001:156
Reference: BID:3544
Reference: URL:http://www.securityfocus.com/bid/3544
Reference: XF:postfix-smtp-log-dos(7568)
Reference: URL:http://xforce.iss.net/static/7568.php

Vulnerability in Postfix SMTP server before 20010228-pl07, when
configured to email the postmaster when SMTP errors cause the session
to terminate, allows remote attackers to cause a denial of service
(memory exhaustion) by generating a large number of SMTP errors, which
forces the SMTP session log to grow too large.


Modifications:
  ADDREF REDHAT:RHSA-2001:156

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0894 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
   MODIFY(1) Cox
   NOOP(1) Wall

Voter Comments:
 Cox> ADDREF REDHAT:RHSA-2001:156


======================================================
Candidate: CAN-2001-0895
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0895
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CISCO:20011115 Cisco IOS ARP Table Overwrite Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml
Reference: XF:cisco-arp-overwrite-table(7547)

Multiple Cisco networking products allow remote attackers to cause a
denial of service on the local network via a series of ARP packets,
sent to the router's interface, that contain a different MAC address
for the router, which eventually causes the router to overwrite the
MAC address in its ARP table.


Modifications:
  ADDREF XF:cisco-arp-overwrite-table(7547)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0895 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:cisco-arp-overwrite-table(7547)


======================================================
Candidate: CAN-2001-0896
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0896
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CALDERA:CSSA-2001-SCO.33
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.33/CSSA-2001-SCO.33.txt
Reference: BUGTRAQ:20020201 RE: DoS bug on Tru64
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101284101228656&w=2
Reference: BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101303877215098&w=2
Reference: XF:openserver-nmap-po-option(7571)

Inetd in OpenServer 5.0.5 allows remote attackers to cause a denial of
service (crash) via a port scan, e.g. with nmap -PO.


Modifications:
  ADDREF BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
  ADDREF BUGTRAQ:20020201 RE: DoS bug on Tru64
  ADDREF XF:openserver-nmap-po-option(7571)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0896 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> A rediscovery of this issue was reported in:
   BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101303877215098&w=2
   BUGTRAQ:20020201 RE: DoS bug on Tru64
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101284101228656&w=2
 Frech> XF:openserver-nmap-po-option(7571)


======================================================
Candidate: CAN-2001-0899
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0899
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011116 Network Tool 0.2 Addon for PHPNuke vulnerable to remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100593523104176&w=2
Reference: CONFIRM:http://phpnukerz.org/modules.php?name=Downloads&d_op=viewsdownload&sid=32
Reference: XF:phpnuke-nettools-command-execution(7578)

Network Tools 0.2 for PHP-Nuke allows remote attackers to execute
commands on the server via shell metacharacters in the $hostinput
variable.


Modifications:
  ADDREF XF:phpnuke-nettools-command-execution(7578)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The comment for version 0.3, dated November 26, says
"This version is a bug fix to the remote command execution security
hole in version 0.2."  A look at the source code shows that all calls
to system() are now quoted.

INFERRED ACTION: CAN-2001-0899 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:phpnuke-nettools-command-execution(7578)


======================================================
Candidate: CAN-2001-0900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0900
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011118 Gallery Addon for PhpNuke remote file viewing vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100619599000590&w=2
Reference: CONFIRM:http://www.menalto.com/projects/gallery/article.php?sid=33&mode=&order=
Reference: XF:phpnuke-gallery-directory-traversal(7580)

Directory traversal vulnerability in modules.php in Gallery before
1.2.3 allows remote attackers to read arbitrary files via a .. (dot
dot) in the include parameter.


Modifications:
  ADDREF XF:phpnuke-gallery-directory-traversal(7580)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0900 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:phpnuke-gallery-directory-traversal(7580)


======================================================
Candidate: CAN-2001-0901
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0901
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011119 Hypermail SSI Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100626603407639&w=2
Reference: CONFIRM:http://www.hypermail.org/dist/hypermail-2.1.4.tar.gz
Reference: XF:hypermail-ssi-execute-commands(7576)

Hypermail allows remote attackers to execute arbitrary commands on a
server supporting SSI via an attachment with a .shtml extension, which
is archived on the server and can then be executed by requesting the
URL for the attachment.


Modifications:
  ADDREF XF:hypermail-ssi-execute-commands(7576)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the ChangeLog in HyperMail 2.1.4, the entry for
Nov 14, 2001 says "Changes relevant to security...  attachment
filenames ending in .shtml get changed to .html."

INFERRED ACTION: CAN-2001-0901 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:hypermail-ssi-execute-commands(7576)


======================================================
Candidate: CAN-2001-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0905
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: DEBIAN:DSA-083
Reference: URL:http://www.debian.org/security/2001/dsa-083
Reference: REDHAT:RHSA-2001:093
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-093.html
Reference: MANDRAKE:MDKSA-2001:085
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-085.php3
Reference: FREEBSD:FreeBSD-SA-01:60
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:60.procmail.asc
Reference: CONECTIVA:CLA-2001:433
Reference: BID:3071
Reference: URL:http://www.securityfocus.com/bid/3071
Reference: XF:procmail-signal-handling-race(6872)

Race condition in signal handling of procmail 3.20 and earlier, when
running setuid, allows local users to cause a denial of service or
gain root privileges by sending a signal while a signal handling
routine is already running.


Modifications:
  ADDREF CONECTIVA:CLA-2001:433
  ADDREF XF:procmail-signal-handling-race(6872)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0905 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Green, Wall, Baker, Cole, Armstrong
   MODIFY(2) Christey, Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:procmail-signal-handling-race(6872)
 Christey> ADDREF CONECTIVA:CLA-2001:433


======================================================
Candidate: CAN-2001-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0906
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010622 LPRng + tetex tmpfile race - uid lp exploit
Reference: URL:http://www.securityfocus.com/archive/1/192647
Reference: REDHAT:RHSA-2001:102
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html
Reference: MANDRAKE:MDKSA-2001:086
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-086.php3
Reference: IMMUNIX:IMNX-2001-70-030-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-030-01
Reference: BID:2974
Reference: URL:http://www.securityfocus.com/bid/2974
Reference: XF:tetex-lprng-tmp-race(6785)
Reference: URL:http://xforce.iss.net/static/6785.php

teTeX filter before 1.0.7 allows local users to gain privileges via a
symlink attack on temporary files that are produced when printing .dvi
files using lpr.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0906 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Green, Wall, Baker, Cole, Armstrong, Frech
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-0912
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0912
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: MANDRAKE:MDKSA-2001:087
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-087.php3?dis=8.1
Reference: XF:linux-expect-unauth-root(7604)
Reference: URL:http://xforce.iss.net/static/7604.php

Packaging error for expect 8.3.3 in Mandrake Linux 8.1 causes expect
to search for its libraries in the /home/snailtalk directory before
other directories, which could allow a local user to gain root
privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0912 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0917
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0917
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011122 Hi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100654722925155&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=tomcat-dev&m=100658457507305&w=2
Reference: XF:tomcat-reveal-install-path(7599)

Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path
information by requesting a long URL with a .JSP extension.


Modifications:
  ADDREF XF:tomcat-reveal-install-path(7599)

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-0917 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:tomcat-reveal-install-path(7599)


======================================================
Candidate: CAN-2001-0918
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0918
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: SUSE:SuSE-SA:2001:041
Reference: URL:http://www.suse.de/de/support/security/2001_041_susehelp_txt.txt
Reference: XF:susehelp-cgi-command-execution(7583)
Reference: URL:http://xforce.iss.net/static/7583.php
Reference: BID:3576
Reference: URL:http://www.securityfocus.com/bid/3576

Vulnerabilities in CGI scripts in susehelp in SuSE 7.2 and 7.3, which
do not open files securely, allow remote attackers to execute
arbitrary commands.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0918 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0920
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0920
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011126 [CERT-intexxia] Auto Nice Daemon Format String Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100680319004162&w=2
Reference: CONFIRM:http://and.sourceforge.net/
Reference: XF:and-format-string(7606)
Reference: URL:http://xforce.iss.net/static/7606.php
Reference: BID:3580
Reference: URL:http://www.securityfocus.com/bid/3580

Format string vulnerability in auto nice daemon (AND) 1.0.4 and
earlier allows a local user to possibly execute arbitrary code via a
process name containing a format string.

Analysis
--------
Vendor Acknowledgement: yes advisory

The home page for AND states "Security Alert!  A format string
vulnerability has been found in AND 1.0.4 and before.  Update to 1.0.5
or newer NOW!" and references the author of the Bugtraq post.

INFERRED ACTION: CAN-2001-0920 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0929
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0929
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CISCO:20011128 A Vulnerability in IOS Firewall Feature Set
Reference: URL:http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml
Reference: XF:ios-cbac-bypass-acl(7614)

Cisco IOS Firewall Feature set, aka Context Based Access Control
(CBAC) or Cisco Secure Integrated Software, for IOS 11.2P through
12.2T does not properly check the IP protocol type, which could allow
remote attackers to bypass access control lists.


Modifications:
  ADDREF XF:ios-cbac-bypass-acl(7614)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0929 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:ios-cbac-bypass-acl(7614)


======================================================
Candidate: CAN-2001-0936
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0936
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20011130 Alert: Vulnerability in frox transparent ftp proxy.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100713367307799&w=2
Reference: CONFIRM:http://frox.sourceforge.net/security.txt
Reference: XF:frox-ftp-proxy-bo(7632)
Reference: URL:http://xforce.iss.net/static/7632.php
Reference: BID:3606
Reference: URL:http://www.securityfocus.com/bid/3606

Buffer overflow in Frox transparent FTP proxy 0.6.6 and earlier, with
the local caching method selected, allows remote FTP servers to run
arbitrary code via a long response to an MDTM request.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The vendor advisory is a verbatim copy of the
advisory that was sent to Bugtraq.

INFERRED ACTION: CAN-2001-0936 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0939
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0939
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20011130 Denial of Service in Lotus Domino 5.08 and earlier HTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100715316426817&w=2
Reference: CONFIRM:http://www-1.ibm.com/support/manager.wss?rs=0&rt=0&org=sims&doc=4C8E450DBF2E7F1885256B200079FA88
Reference: BID:3607
Reference: URL:http://www.securityfocus.com/bid/3607
Reference: XF:lotus-domino-nhttp-dos(7631)

Lotus Domino 5.08 and earlier allows remote attackers to cause a
denial of service (crash) via a SunRPC NULL command to port 443.


Modifications:
  ADDREF XF:lotus-domino-nhttp-dos(7631)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0939 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:lotus-domino-nhttp-dos(7631)
 CHANGE> [Frech changed vote from MODIFY to ACCEPT]


======================================================
Candidate: CAN-2001-0940
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0940
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: WIN2KSEC:20010921 Check Point FireWall-1 GUI Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0151.html
Reference: BUGTRAQ:20011128 Firewall-1 remote SYSTEM shell buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100698954308436&w=2
Reference: BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094268017271&w=2
Reference: BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow
Reference: URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00291.html
Reference: CHECKPOINT:20010919 GUI Buffer Overflow
Reference: URL:http://www.checkpoint.com/techsupport/alerts/buffer_overflow.html
Reference: BID:3336
Reference: URL:http://www.securityfocus.com/bid/3336
Reference: XF:fw1-log-viewer-bo(7145)
Reference: URL:http://xforce.iss.net/static/7145.php

Buffer overflow in the GUI authentication code of Check Point
VPN-1/FireWall-1 Management Server 4.0 and 4.1 allows remote attackers
to execute arbitrary code via a long user name.


Modifications:
  ADDREF BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
  ADDREF BID:3336
  ADDREF XF:fw1-log-viewer-bo(7145)
  ADDREF BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0940 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094268017271&w=2
   BID:3336
   URL:http://www.securityfocus.com/bid/3336
   XF:fw1-log-viewer-bo(7145)
   URL:http://xforce.iss.net/static/7145.php
   BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow
   URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00291.html
 Frech> XF:fw1-log-viewer-bo(7145)


======================================================
Candidate: CAN-2001-0946
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0946
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011204 Symlink attack with apmd of RH 7.2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100743394701962&w=2
Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56389
Reference: XF:apmd-apmscript-symlink(8268)

apmscript in Apmd in Red Hat 7.2 "Enigma" allows local users to create
or change the modification dates of arbitrary files via a symlink
attack on the LOW_POWER temporary file, which could be used to cause a
denial of service, e.g. by creating /etc/nologin and disabling logins.


Modifications:
  ADDREF XF:apmd-apmscript-symlink(8268)

Analysis
--------
Vendor Acknowledgement: yes changelog

INFERRED ACTION: CAN-2001-0946 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Wall, Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:apmd-apmscript-symlink(8268)


======================================================
Candidate: CAN-2001-0961
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0961
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: DEBIAN:DSA-076
Reference: URL:http://www.debian.org/security/2001/dsa-076
Reference: XF:most-file-create-bo(7149)
Reference: URL:http://xforce.iss.net/static/7149.php
Reference: BID:3347
Reference: URL:http://www.securityfocus.com/bid/3347

Buffer overflow in tab expansion capability of the most program allows
local or remote attackers to execute arbitrary code via a malformed
file that is viewed with most.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0961 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0962
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0962
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010919 Websphere cookie/sessionid predictable
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html
Reference: BUGTRAQ:20010928 Re: Websphere cookie/sessionid predictable
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html
Reference: CONFIRM:http://www14.software.ibm.com/webapp/download/postconfig.jsp?id=4000805&pf=Multi-Platform&v=3.0.2&e=Standard+%26+Advanced+Editions&cat=&s=p
Reference: XF:ibm-websphere-seq-predict(7153)
Reference: URL:http://xforce.iss.net/static/7153.php

IBM WebSphere Application Server 3.02 through 3.53 uses predictable
session IDs for cookies, which allows remote attackers to gain
privileges of WebSphere users via brute force guessing.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0962 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Frech
   NOOP(3) Wall, Foat, Cole


======================================================
Candidate: CAN-2001-0977
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0977
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CERT:CA-2001-18
Reference: URL:http://www.cert.org/advisories/CA-2001-18.html
Reference: CERT-VN:VU#935800
Reference: URL:http://www.kb.cert.org/vuls/id/935800
Reference: DEBIAN:DSA-068
Reference: URL:http://www.debian.org/security/2001/dsa-068
Reference: REDHAT:RHSA-2001:098
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-098.html
Reference: CONECTIVA:CLA-2001:417
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000417
Reference: MANDRAKE:MDKSA-2001:069
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-069.php3
Reference: BID:3049
Reference: URL:http://www.securityfocus.com/bid/3049
Reference: XF:openldap-ldap-protos-dos(6904)
Reference: URL:http://xforce.iss.net/static/6904.php

slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows
remote attackers to cause a denial of service (crash) via an invalid
Basic Encoding Rules (BER) length field.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0977 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(6) Green, Wall, Baker, Cole, Armstrong, Frech
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-0981
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0981
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: HP:HPSBUX0108-164
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q3/0048.html
Reference: XF:hp-cifs-change-passwords(7051)

HP CIFS/9000 Server (SAMBA) A.01.07 and earlier with the "unix
password sync" option enabled calls the passwd program without
specifying the username of the user making the request, which could
cause the server to change the password of a different user.


Modifications:
  ADDREF XF:hp-cifs-change-passwords(7051)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0981 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:hp-cifs-change-passwords(7051)


======================================================
Candidate: CAN-2001-1002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1002
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010827 LPRng/rhs-printfilters - remote execution of commands
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99892644616749&w=2
Reference: REDHAT:RHSA-2001:102
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html
Reference: BID:3241
Reference: URL:http://www.securityfocus.com/bid/3241
Reference: XF:tetex-lprng-tmp-race(6785)

The default configuration of the DVI print filter (dvips) in Red Hat
Linux 7.0 and earlier does not run dvips in secure mode when dvips is
executed by lpd, which could allow remote attackers to gain privileges
by printing a DVI file that contains malicious commands.


Modifications:
  ADDREF XF:tetex-lprng-tmp-race(6785)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1002 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:tetex-lprng-tmp-race(6785)
   Similar to CAN-2001-0906?
 Christey> Similar in the sense that lprng/lpd uses Tetex, or something
   like that.


======================================================
Candidate: CAN-2001-1022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1022
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010727 ADV/EXP:pic/lpd remote exploit - RH 7.0
Reference: URL:http://www.securityfocus.com/archive/1/199706
Reference: DEBIAN:DSA-072
Reference: URL:http://www.debian.org/security/2001/dsa-072
Reference: CONECTIVA:CLA-2001:428
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000428
Reference: XF:linux-groff-format-string(6918)
Reference: URL:http://xforce.iss.net/static/6918.php
Reference: BID:3103
Reference: URL:http://www.securityfocus.com/bid/3103

Format string vulnerability in pic utility in groff 1.16.1 and other
versions allows remote attackers to bypass the -S option and execute
arbitrary commands via format string specifiers in the plot command.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1022 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1027
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1027
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CONFIRM:http://www.windowmaker.org/src/ChangeLog
Reference: DEBIAN:DSA-074
Reference: URL:http://www.debian.org/security/2001/dsa-074
Reference: CONECTIVA:CLA-2001:411
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000411
Reference: SUSE:SuSE-SA:2001:032
Reference: URL:http://www.suse.de/de/support/security/2001_032_wmaker_txt.txt
Reference: MANDRAKE:MDKSA-2001:074
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-074.php3
Reference: BID:3177
Reference: URL:http://www.securityfocus.com/bid/3177
Reference: XF:windowmaker-title-bo(6969)

Buffer overflow in WindowMaker (aka wmaker) 0.64 and earlier allows
remote attackers to execute arbitrary code via a long window title.


Modifications:
  ADDREF XF:windowmaker-title-bo(6969)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1027 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:windowmaker-title-bo(6969)


======================================================
Candidate: CAN-2001-1030
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1030
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010718 Squid httpd acceleration acl bug enables portscanning
Reference: URL:http://www.securityfocus.com/archive/1/197727
Reference: BUGTRAQ:20010719 TSLSA-2001-0013 - Squid
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0362.html
Reference: IMMUNIX:IMNX-2001-70-031-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-031-01
Reference: CALDERA:CSSA-2001-029.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-029.0.txt
Reference: MANDRAKE:MDKSA-2001:066
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-066.php3
Reference: REDHAT:RHSA-2001:097
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-097.html
Reference: XF:squid-http-accelerator-portscanning(6862)
Reference: URL:http://xforce.iss.net/static/6862.php

Squid before 2.3STABLE5 in HTTP accelerator mode does not enable
access control lists (ACLs) when the httpd_accel_host and
http_accel_with_proxy off settings are used, which allows attackers to
bypass the ACLs and conduct unauthorized activities such as port
scanning.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1030 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1032
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1032
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010924 twlc advisory: all versions of php nuke are vulnerable...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0203.html
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
Reference: XF:php-nuke-admin-file-overwrite(7170)
Reference: URL:http://xforce.iss.net/static/7170.php
Reference: BID:3361
Reference: URL:http://www.securityfocus.com/bid/3361

admin.php in PHP-Nuke 5.2 and earlier, except 5.0RC1, does not check
login credentials for upload operations, which allows remote attackers
to copy and upload arbitrary files and read the PHP-Nuke configuration
file by directly calling admin.php with an upload parameter and
specifying the file to copy.


Modifications:
  ADDREF CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
  ADDREF BID:3361

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-1032 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(4) Wall, Foat, Cole, Christey

Voter Comments:
 Christey> CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
   BID:3361
   URL:http://www.securityfocus.com/bid/3361


======================================================
Candidate: CAN-2001-1043
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1043
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010701 ArGoSoft 1.2.2.2 *.lnk upload Directory Traversal
Reference: URL:http://www.securityfocus.com/archive/1/194445
Reference: BID:2961
Reference: URL:http://www.securityfocus.com/bid/2961
Reference: XF:ftp-lnk-directory-traversal(6760)
Reference: URL:http://xforce.iss.net/static/6760.php

ArGoSoft FTP Server 1.2.2.2 allows remote attackers to read arbitrary
files and directories by uploading a .lnk (link) file that points to
the target file.

Analysis
--------
Vendor Acknowledgement: yes via-email

INFERRED ACTION: CAN-2001-1043 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(4) Wall, Foat, Armstrong, Christey

Voter Comments:
 CHANGE> [Green changed vote from REVIEWING to ACCEPT]
 Christey> Acknowledged by the vendor in an email to Dave Baker,
   May 9.


======================================================
Candidate: CAN-2001-1046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1046
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010602 Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/188267
Reference: VULN-DEV:20010420 Qpopper 4.0 Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=98777649031406&w=2
Reference: CALDERA:CSSA-2001-SCO.8
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html
Reference: BID:2811
Reference: URL:http://www.securityfocus.com/bid/2811
Reference: XF:qpopper-username-bo(6647)
Reference: URL:http://xforce.iss.net/static/6647.php

Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2
allows remote attackers to gain privileges via a long username.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The Caldera advisory does not provide enough details
to be certain that it fixes the reported problem, but it is released a
month after the initial announcement, and it provides credits to the
same people who are credited in the initial announcement, so there is
enough evidence to determine that the Caldera advisory is addressing
this problem.

INFERRED ACTION: CAN-2001-1046 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1053
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010713 AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0249.html
Reference: CONFIRM:http://www.adcycle.com/cgi-bin/download.cgi?type=UNIX&version=1.17
Reference: XF:adcycle-insert-sql-command(6837)
Reference: URL:http://xforce.iss.net/static/6837.php
Reference: BID:3032
Reference: URL:http://www.securityfocus.com/bid/3032

AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to
bypass authentication and gain privileges by injecting SQL code in the
$password argument.


Modifications:
  DELREF XF:php-includedir-code-execution(7215)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the README.txt file bundled with the software, the
"[v1.16] July 5, 2001" entry states "fixed security hole (with help
from qDefense.com)."

INFERRED ACTION: CAN-2001-1053 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> DELREF XF:php-includedir-code-execution(7215)


======================================================
Candidate: CAN-2001-1062
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1062
Final-Decision:
Interim-Decision: 20020617
Modified: 20020228-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CALDERA:CSSA-2001-SCO.12
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.12/CSSA-2001-SCO.12.txt
Reference: XF:openserver-mana-bo(7034)
Reference: URL:http://www.iss.net/security_center/static/7034.php

Buffer overflow in mana in OpenServer 5.0.6a and earlier allows local
users to execute arbitrary code.


Modifications:
  ADDREF XF:openserver-mana-bo(7034)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1062 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:openserver-mana-bo(7034)


======================================================
Candidate: CAN-2001-1071
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1071
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011009 Cisco CDP attacks
Reference: URL:http://www.securityfocus.com/archive/1/219257
Reference: BUGTRAQ:20011009 Cisco Systems - Vulnerability in CDP
Reference: URL:http://www.securityfocus.com/archive/1/219305
Reference: BID:3412
Reference: URL:http://www.securityfocus.com/bid/3412
Reference: XF:cisco-ios-cdp-dos(7242)
Reference: URL:http://xforce.iss.net/static/7242.php

Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP)
allows remote attackers to cause a denial of service (memory
consumption) via a flood of CDP neighbor announcements.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1071 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1072
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1072
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010812 Are your mod_rewrite rules doing what you expect?
Reference: URL:http://www.securityfocus.com/archive/1/203955
Reference: CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
Reference: BID:3176
Reference: URL:http://www.securityfocus.com/bid/3176
Reference: XF:apache-rewrite-bypass-directives(8633)

Apache with mod_rewrite enabled on most UNIX systems allows remote
attackers to bypass RewriteRules by inserting extra / (slash)
characters into the requested path, which causes the regular
expression in the RewriteRule to fail.


Modifications:
  ADDREF CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
  ADDREF XF:apache-rewrite-bypass-directives(8633)

Analysis
--------
Vendor Acknowledgement: yes via-email

ABSTRACTION: This problem is similar to CAN-2000-0913, but different.

INFERRED ACTION: CAN-2001-1072 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Christey

Voter Comments:
 Christey> ADDREF CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
 Christey> CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
 Frech> Not apache-rewrite-view-files(5310).
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:apache-rewrite-bypass-directives(8633)


======================================================
Candidate: CAN-2001-1074
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1074
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010526 Webmin Doesn't Clean Env (root exploit)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0262.html
Reference: CALDERA:CSSA-2001-019.1
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-019.1.txt
Reference: MANDRAKE:MDKSA-2001:059
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-059.php3
Reference: XF:webmin-gain-information(6627)
Reference: URL:http://xforce.iss.net/static/6627.php
Reference: BID:2795
Reference: URL:http://www.securityfocus.com/bid/2795

Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION
environment variable when the web server is restarted, which makes
authentication information available to all CGI programs and allows
local users to gain privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1074 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1079
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: AIXAPAR:IY19069
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0000.html
Reference: XF:aix-keyfile-world-writable(8923)

create_keyfiles in PSSP 3.2 with DCE 3.1 authentication on AIX creates
keyfile directories with world-writable permissions, which could allow
a local user to delete key files and cause a denial of service.


Modifications:
  DESC Remove 3.2.0 from AIX version number
  ADDREF XF:aix-keyfile-world-writable(8923)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-1079 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(2) Bollinger, Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Bollinger> incorrect.  The "REL: 320" in the aixserv email refers to the PSSP
   version, not the AIX version.
 Frech> XF: aix-keyfile-world-writable(8923)


======================================================
Candidate: CAN-2001-1083
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1083
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-02
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010626 Advisory
Reference: URL:http://www.securityfocus.com/archive/1/193516
Reference: MISC:http://www.icecast.org/index.html
Reference: CONFIRM:http://www.icecast.org/releases/icecast-1.3.11.tar.gz
Reference: DEBIAN:DSA-089
Reference: URL:http://www.debian.org/security/2001/dsa-089
Reference: CALDERA:CSSA-2002-020.0
Reference: BID:2933
Reference: URL:http://www.securityfocus.com/bid/2933
Reference: XF:icecast-http-remote-dos(6751)
Reference: URL:http://xforce.iss.net/static/6751.php

Icecast 1.3.7, and other versions before 1.3.11 with HTTP server file
streaming support enabled allows remote attackers to cause a denial of
service (crash) via a URL that ends in . (dot), / (forward slash), or
\ (backward slash).


Modifications:
  ADDREF CONFIRM:http://www.icecast.org/releases/icecast-1.3.11.tar.gz
  DESC update versions.
  ADDREF DEBIAN:DSA-089
  ADDREF CALDERA:CSSA-2002-020.0

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: On August 7, 2001 (more than a month after the
initial disclosure), the news page states "contains a couple security
updates." There is insufficient information to be confident whether
the vendor is fixing the DoS or directory traversal problems
identified on Bugtraq.  However, a diff of source.c between 1.3.10 and
1.3.11 indicates that for 1.3.11, the vendor inserted a check for the
/ character, which is sufficient acknowledgement.

INFERRED ACTION: CAN-2001-1083 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(5) Wall, Foat, Cole, Armstrong, Christey

Voter Comments:
 CHANGE> [Green changed vote from REVIEWING to ACCEPT]
 Christey> CALDERA:CSSA-2002-020.0


======================================================
Candidate: CAN-2001-1084
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1084
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010702 Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194464
Reference: ALLAIRE:MPSB01-06
Reference: URL:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full
Reference: BID:2983
Reference: URL:http://www.securityfocus.com/bid/2983
Reference: XF:java-servlet-crosssite-scripting(6793)
Reference: URL:http://www.iss.net/security_center/static/6793.php

Cross-site scripting vulnerability in Allaire JRun 3.1 and earlier
allows a malicious webmaster to embed Javascript in a request for a
.JSP, .shtml, .jsp10, .jrun, or .thtml file that does not exist, which
causes the Javascript to be inserted into an error message.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1084 ACCEPT (7 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1085
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1085
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010705 lmail local root exploit
Reference: URL:http://www.securityfocus.com/archive/1/195022
Reference: XF:lmail-tmpfile-symlink(6809)
Reference: URL:http://xforce.iss.net/static/6809.php
Reference: BID:2984
Reference: URL:http://www.securityfocus.com/bid/2984

Lmail 2.7 and earlier allows local users to overwrite arbitrary files
via a symlink attack on a temporary file.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1085 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Ziese
   NOOP(5) Wall, Foat, Cole, Armstrong, Green


======================================================
Candidate: CAN-2001-1088
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1088
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: BUGTRAQ:20010605 SECURITY.NNOV: Outlook Express address book spoofing
Reference: URL:http://www.securityfocus.com/archive/1/188752
Reference: CONFIRM:http://support.microsoft.com/default.aspx?scid=kb;EN-US;q234241
Reference: XF:outlook-address-book-spoofing(6655)
Reference: URL:http://xforce.iss.net/static/6655.php
Reference: BID:2823
Reference: URL:http://www.securityfocus.com/bid/2823

Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier,
with the "Automatically put people I reply to in my address book"
option enabled, do not notify the user when the "Reply-To" address is
different than the "From" address, which could allow an untrusted
remote attacker to spoof legitimate addresses and intercept email from
the client that is intended for another user.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1088 ACCEPT (8 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(8) Wall, Baker, Foat, Cole, Armstrong, Frech, Ziese, Green


======================================================
Candidate: CAN-2001-1089
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1089
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010910 RUS-CERT Advisory 2001-09:01
Reference: URL:http://www.securityfocus.com/archive/1/213331
Reference: BID:3314
Reference: URL:http://www.securityfocus.com/bid/3314
Reference: XF:postgresql-nss-authentication-modules(7111)
Reference: URL:http://xforce.iss.net/static/7111.php

libnss-pgsql in nss-pgsql 0.9.0 and earlier allows remote attackers to
execute arbitrary SQL queries by inserting SQL code into an HTTP
request.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-1089 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1095
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: AIXAPAR:IY23401
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

Buffer overflow in uuq in AIX 4 could allow local users to execute
arbitrary code via a long -r parameter.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1095 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Bollinger, Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1096
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1096
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: AIXAPAR:IY23402
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

Buffer overflows in muxatmd in AIX 4 allow an attacker to cause a
core dump and possibly execute code.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1096 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Bollinger, Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1099
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1099
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: BUGTRAQ:20010907 Microsoft Exchange + Norton AntiVirus leak local information
Reference: URL:http://www.securityfocus.com/archive/1/212724
Reference: BUGTRAQ:20010912 Re: Microsoft Exchange + Norton AntiVirus leak local information
Reference: URL:http://www.securityfocus.com/archive/1/213762
Reference: XF:nav-exchange-reveal-information(7093)
Reference: URL:http://xforce.iss.net/static/7093.php
Reference: BID:3305
Reference: URL:http://www.securityfocus.com/bid/3305

The default configuration of Norton AntiVirus for Microsoft Exchange
2000 2.x allows remote attackers to identify the recipient's INBOX
file path by sending an email with an attachment containing malicious
content, which includes the path in the rejection notice.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1099 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Cole, Armstrong, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1100
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1100
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011007 Bug found at W3Mail Webmail
Reference: URL:http://www.securityfocus.com/archive/1/218921
Reference: CONFIRM:http://www.w3mail.org/ChangeLog
Reference: BID:3673
Reference: URL:http://www.securityfocus.com/bid/3673
Reference: XF:w3mail-metacharacters-command-execution(7230)
Reference: URL:http://xforce.iss.net/static/7230.php

sendmessage.cgi in W3Mail 1.0.2, and possibly other CGI programs,
allows remote attackers to execute arbitrary commands via shell
metacharacters in any field of the 'Compose Message' page.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: in Version 1.0.3 of the ChangeLog, dated December 4,
2001, the vendor says "Fixed potential security exploit by filtering
special metacharacters."

INFERRED ACTION: CAN-2001-1100 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1108
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1108
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010726 Snapstream PVS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0606.html
Reference: CONFIRM:http://discuss.snapstream.com/ubb/Forum1/HTML/000216.html
Reference: XF:snapstream-dot-directory-traversal(6917)
Reference: URL:http://xforce.iss.net/static/6917.php
Reference: BID:3100
Reference: URL:http://www.securityfocus.com/bid/3100

Directory traversal vulnerability in SnapStream PVS 1.2a allows remote
attackers to read arbitrary files via a .. (dot dot) attack in the
requested URL.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: The online bulletin board includes a query about
whether SnapStream fixed certain bugs; the query included a URL to the
problem description, which indicates that it is the same issue as the
Bugtraq post.  "rakeshagrawal," whose email address is from SnapStream,
said "issue 1 has been corrected," and issue 1 is the directory
traversal problem identified in the Bugtraq post.

INFERRED ACTION: CAN-2001-1108 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1113
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1113
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010813 Local exploit for TrollFTPD-1.26
Reference: URL:http://www.securityfocus.com/archive/1/203874
Reference: CONFIRM:ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz
Reference: XF:trollftpd-long-path-bo(6974)
Reference: URL:http://xforce.iss.net/static/6974.php
Reference: BID:3174
Reference: URL:http://www.securityfocus.com/bid/3174

Buffer overflow in TrollFTPD 1.26 and earlier allows local users to
execute arbitrary code by creating a series of deeply nested
directories with long names, then running the ls -R (recursive)
command.

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: the discloser says that a fixed version is at
ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz. There is
no clear acknowledgement on the web site or in the README file.  A
look at listdir() in ls.c indicates that snprintf is being used to
copy pathnames.  So the question is, was this fix *always* there, or
was it just added?  Fortunately we can download troll-ftpd-1.26.tar.gz
and do a diff between the ls.c files from 1.26 and 1.27...  Sure
enough, 1.26 used sprintf whereas 1.27 used snprintf.  So we have
indirect vendor acknowledgement through creation of a patch.  QED.

INFERRED ACTION: CAN-2001-1113 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1116
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1116
Final-Decision:
Interim-Decision: 20020617
Modified: 20020320-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: NTBUGTRAQ:20010802 Identix BioLogon Client security bug
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=IND0108&L=NTBUGTRAQ&F=P&S=&P=71
Reference: NTBUGTRAQ:20010808 Response to Identix BioLogon Client security bug
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0108&L=ntbugtraq&F=P&S=&P=724
Reference: XF:identix-biologon-auth-bypass(6948)
Reference: URL:http://xforce.iss.net/static/6948.php
Reference: BID:3140
Reference: URL:http://www.securityfocus.com/bid/3140

Identix BioLogon 2.03 and earlier does not lock secondary displays on
a multi-monitor system running Windows 98 or ME, which allows an
attacker with physical access to the system to bypass authentication
through a secondary display.


Modifications:
  CHANGEREF XF [fix typo in tagname]

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1116 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Ziese, Green
   NOOP(2) Wall, Armstrong


======================================================
Candidate: CAN-2001-1117
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1117
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010810 Linksys router security fix
Reference: URL:http://www.securityfocus.com/archive/1/203302
Reference: BUGTRAQ:20010802 Advisory Update: Design Flaw in Linksys EtherFast 4-Port
Reference: URL:http://www.securityfocus.com/archive/1/201390
Reference: CONFIRM:ftp://ftp.linksys.com/pub/befsr41/befsr-fw1402.zip
Reference: XF:linksys-etherfast-reveal-passwords(6949)
Reference: URL:http://xforce.iss.net/static/6949.php
Reference: BID:3141
Reference: URL:http://www.securityfocus.com/bid/3141

LinkSys EtherFast BEFSR41 Cable/DSL routers running firmware before
1.39.3 Beta allow a remote attacker to view administration and user
passwords by connecting to the router and viewing the HTML source for
(1) index.htm and (2) Password.htm.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: In befsr-fw1402.zip available from the vendor, the
notes for version 4.40.2 in ver.txt, dated October 24, 2001, say
"5. Fixed some time user can see the UI page without password problem"

INFERRED ACTION: CAN-2001-1117 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Foat, Cole, Armstrong, Ziese, Green
   NOOP(1) Wall


======================================================
Candidate: CAN-2001-1118
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1118
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010802 Roxen security alert: URL decoding vulnerable
Reference: URL:http://www.securityfocus.com/archive/1/201476
Reference: BUGTRAQ:20010802 FW: Security alert: Remote user can access any file
Reference: URL:http://www.securityfocus.com/archive/1/201499
Reference: CONFIRM:http://download.roxen.com/2.0/patch/security-notice.html
Reference: BID:3145
Reference: URL:http://www.securityfocus.com/bid/3145
Reference: XF:roxen-urlrectifier-retrieve-files(6937)
Reference: URL:http://xforce.iss.net/static/6937.php

A module in Roxen 2.0 before 2.0.92, and 2.1 before 2.1.264, does not
properly decode UTF-8, Mac and ISO-2202 encoded URLs, which could
allow a remote attacker to execute arbitrary commands or view
arbitrary files via an encoded URL.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1118 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1119
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1119
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CERT-VN:VU#105347
Reference: URL:http://www.kb.cert.org/vuls/id/105347
Reference: SUSE:SuSE-SA:2001:025
Reference: URL:http://www.suse.de/de/support/security/2001_025_xmcd_txt.html
Reference: BID:3148
Reference: URL:http://www.securityfocus.com/bid/3148
Reference: XF:xmcd-cda-symlink(6941)
Reference: URL:http://xforce.iss.net/static/6941.php

cda in xmcd 3.0.2 and 2.6 in SuSE Linux allows local users to
overwrite arbitrary files via a symlink attack.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1119 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1121
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1121
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010702 Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194464
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full
Reference: XF:java-servlet-crosssite-scripting(6793)
Reference: URL:http://xforce.iss.net/static/6793.php
Reference: BID:2983
Reference: URL:http://www.securityfocus.com/bid/2983

Cross-site scripting (CSS) vulnerability in JRun 3.0 and 2.3.3 allows
remote attackers to execute JavaScript on other clients via a web page
URL that references a non-existent JSP file or Servlet, which causes
the script to be returned in an error message.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1121 ACCEPT (7 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1130
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1130
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010802 suse: sdbsearch.cgi vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/201216
Reference: SUSE:SuSE-SA:2001:027
Reference: URL:http://www.suse.de/de/support/security/2001_027_sdb_txt.txt
Reference: XF:sdbsearch-cgi-command-execution(7003)
Reference: URL:http://xforce.iss.net/static/7003.php

Sdbsearch.cgi in SuSE Linux 6.0-7.2 could allow remote attackers to
execute arbitrary commands by uploading a keylist.txt file that
contains filenames with shell metacharacters, then causing the file to
be searched using a .. in the HTTP referer (from the HTTP_REFERER
variable) to point to the directory that contains the keylist.txt
file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1130 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1132
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1132
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: CONECTIVA:CLA-2001:420
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000420
Reference: XF:mailman-blank-passwords(7091)
Reference: URL:http://xforce.iss.net/static/7091.php

Mailman 2.0.x before 2.0.6 allows remote attackers to gain access to
list administrative pages when there is an empty site or list
password, which is not properly handled during the call to the crypt
function during authentication.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1132 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Ziese, Green
   NOOP(3) Wall, Foat, Armstrong


======================================================
Candidate: CAN-2001-1141
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1141
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010710 OpenSSL Security Advisory: PRNG weakness in versions up to 0.9.6a
Reference: URL:http://www.securityfocus.com/archive/1/195829
Reference: FREEBSD:FreeBSD-SA-01:51
Reference: URL:http://www.securityfocus.com/advisories/3475
Reference: NETBSD:NetBSD-SA2001-013
Reference: URL:http://www.securityfocus.com/advisories/3512
Reference: CONECTIVA:CLA-2001:418
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000418
Reference: MANDRAKE:MDKSA-2001:065
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-065.php3?dis=8.0
Reference: REDHAT:RHSA-2001:051
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-051.html
Reference: ENGARDE:ESA-20010709-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1483.html
Reference: BID:3004
Reference: URL:http://www.securityfocus.com/bid/3004
Reference: XF:openssl-prng-brute-force(6823)
Reference: URL:http://xforce.iss.net/static/6823.php

The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before
0.9.6b allows attackers to use the output of small PRNG requests to
determine the internal state information, which could be used by
attackers to predict future pseudo-random numbers.


Modifications:
  CHANGEREF REDHAT [normalize]

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1141 ACCEPT (7 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> Remove version number from REDHAT reference.


======================================================
Candidate: CAN-2001-1144
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1144
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010711 McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerabilty
Reference: URL:http://www.securityfocus.com/archive/1/196272
Reference: NTBUGTRAQ:20010716 McAfee ASaP Virusscan - MyCIO HTTP Server Directory Traversal Vul nerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=1558
Reference: CERT-VN:VU#190267
Reference: URL:http://www.kb.cert.org/vuls/id/190267
Reference: BID:3020
Reference: URL:http://www.securityfocus.com/bid/3020
Reference: XF:mcafee-mycio-directory-traversal(6834)
Reference: URL:http://www.iss.net/security_center/static/6834.php

Directory traversal vulnerability in McAfee ASaP VirusScan agent 1.0
allows remote attackers to read arbitrary files via a .. (dot dot) in
the HTTP request.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1144 ACCEPT (7 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1146
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1146
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: ENGARDE:ESA-20010711-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1492.html
Reference: XF:allcommerce-temp-symlink(6830)
Reference: URL:http://xforce.iss.net/static/6830.php
Reference: BID:3016
Reference: URL:http://online.securityfocus.com/bid/3016

AllCommerce with debugging enabled in EnGarde Secure Linux 1.0.1
creates temporary files with predictable names, which allows local
users to modify files via a symlink attack.


Modifications:
  DESC fix typo: "teporary"

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1146 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> In description, 'teporary' should be 'temporary'.


======================================================
Candidate: CAN-2001-1147
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1147
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011008 pam_limits.so Bug!!
Reference: URL:http://www.securityfocus.com/archive/1/219175
Reference: REDHAT:RHSA-2001:132
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-132.html
Reference: MANDRAKE:MDKSA-2001:084
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-084.php3
Reference: SUSE:SuSE-SA:2001:034
Reference: URL:http://www.suse.de/de/support/security/2001_034_shadow_txt.txt
Reference: CIAC:M-009
Reference: URL:http://www.ciac.org/ciac/bulletins/m-009.shtml
Reference: BID:3415
Reference: URL:http://www.securityfocus.com/bid/3415
Reference: XF:utillinux-pamlimits-gain-privileges(7266)
Reference: URL:http://www.iss.net/security_center/static/7266.php

The PAM implementation in /bin/login of the util-linux package before
2.11 causes a password entry to be rewritten across multiple PAM
calls, which could provide the credentials of one user to a different
user, when used in certain PAM modules such as pam_limits.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1147 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Cole, Armstrong, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1149
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1149
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: VULN-DEV:20010821 RE: Bug report -- Incident number 240649
Reference: URL:http://www.securityfocus.com/archive/82/209328

Panda Antivirus Platinum before 6.23.00 allows a remote attacker to
cause a denial of service (crash) when a user selects an action for a
malformed UPX packed executable file.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1149 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Ziese, Green
   NOOP(4) Wall, Foat, Cole, Armstrong


======================================================
Candidate: CAN-2001-1153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1153
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CALDERA:CSSA-2001-SCO.15
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0391.html
Reference: XF:openunix-lpsystem-bo(7041)
Reference: URL:http://www.iss.net/security_center/static/7041.php
Reference: BID:3248
Reference: URL:http://online.securityfocus.com/bid/3248

lpsystem in OpenUnix 8.0.0 allows local users to cause a denial of
service and possibly execute arbitrary code via a long command line
argument.

Analysis
--------
Vendor Acknowledgement: yes advisory

The advisory describes behavior indicating a buffer overflow; hence,
my choice given our limited time constraints. A long argument causes
lpsystem to have a segmentation violation. Unfortunately this url does
not get me there:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.15/, so I
contented myself with the neohapsis archive reference.

INFERRED ACTION: CAN-2001-1153 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1155
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1155
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: FREEBSD:FreeBSD-SA-01:56
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:56.tcp_wrappers.asc

TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the
PARANOID ACL option enabled does not properly check the result of a
reverse DNS lookup, which could allow remote attackers to bypass
intended access restrictions via DNS spoofing.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1155 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Foat, Cole, Armstrong, Ziese, Green
   NOOP(1) Wall


======================================================
Candidate: CAN-2001-1158
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1158
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: BUGTRAQ:20010709 Check Point FireWall-1 RDP Bypass Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0128.html
Reference: BUGTRAQ:20010709 Check Point response to RDP Bypass
Reference: URL:http://online.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-03-11&end=2002-03-17&mid=195647&threads=1
Reference: CHECKPOINT:20010712 RDP Bypass workaround for VPN-1/FireWall 4.1 SPx
Reference: URL:http://www.checkpoint.com/techsupport/alerts/rdp.html
Reference: CERT:CA-2001-17
Reference: URL:http://www.cert.org/advisories/CA-2001-17.html
Reference: CERT-VN:VU#310295
Reference: URL:http://www.kb.cert.org/vuls/id/310295
Reference: CIAC:L-109
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-109.shtml
Reference: XF:fw1-rdp-bypass(6815)
Reference: URL:http://xforce.iss.net/static/6815.php
Reference: BID:2952
Reference: URL:http://www.securityfocus.com/bid/2952

Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro,
accept_fw1_rdp, which can allow remote attackers to bypass intended
restrictions with forged RDP (internal protocol) headers to UDP port
259 of arbitrary hosts.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1158 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1160
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1160
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010618 udirectory from Microburst Technologies remote command execution
Reference: URL:http://www.securityfocus.com/archive/1/191829
Reference: BID:2884
Reference: URL:http://www.securityfocus.com/bid/2884
Reference: XF:udirectory-remote-command-execution(6706)
Reference: URL:http://xforce.iss.net/static/6706.php

udirectory.pl in Microburst Technologies uDirectory 2.0 and earlier
allows remote attackers to execute arbitrary commands via shell
metacharacters in the category_file field.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: confirmed via email to David Baker on May 20, 2002 "I
just wanted to follow up with you in regard to [the Bugtraq
post]... the $category_file parameter was not being validated, so to
correct any possible security problems, the call to the
'validate_category_filename' was moved up to the top of the script -
directly after the parameters are parsed - to make sure that it is
called regardless of the command being processed."

INFERRED ACTION: CAN-2001-1160 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(6) Wall, Foat, Cole, Armstrong, Ziese, Green

Voter Comments:
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Baker> I received confirmation in an email message from the vendor.

   RE: uDirectory
   Date:
   Mon, 20 May 2002 07:52:59 -0400
   From:
   "Bill Weiner" <bweiner@uburst.com>

   Hello David,

   I just wanted to follow up with you in regard to:

   http://online.securityfocus.com/archive/1/191829

   ... Again, in that particular scenario, the $category_file parameter was not
   being validated, so to correct any possible security problems, the call to
   the "validate_category_filename" was moved up to the top of the script -
   directly after the parameters are parsed - to make sure that it is called
   regardless of the command being processed.

   FYI:  The commented version of the "validate_category_filename" subroutine
   looks like this:

   #---------------------------------------------------------------------------
   # validate_category_filename()
   # Subroutine to remove/replace all special characters from the category
   # file name.
   # @param $vstring - The string to be validated.
   # @return Returns the validated string.
   #---------------------------------------------------------------------------
   sub validate_category_filename


======================================================
Candidate: CAN-2001-1161
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1161
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010702 Lotus Domino Server Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194465
Reference: BUGTRAQ:20010702 Re: Lotus Domino Server Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194609
Reference: CERT-VN:VU#642239
Reference: URL:http://www.kb.cert.org/vuls/id/642239
Reference: BID:2962
Reference: URL:http://www.securityfocus.com/bid/2962
Reference: XF:lotus-domino-css(6789)
Reference: URL:http://www.iss.net/security_center/static/6789.php

Cross-site scripting (CSS) vulnerability in Lotus Domino 5.0.6 allows
remote attackers to execute script on other web clients via a URL that
ends in Javascript, which generates an error message that does not
quote the resulting script.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1161 ACCEPT (7 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1162
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1162
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010623 smbd remote file creation vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/193027
Reference: CONFIRM:http://us1.samba.org/samba/whatsnew/macroexploit.html
Reference: MANDRAKE:MDKSA-2001-062
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-062.php3
Reference: HP:HPSBUX0107-157
Reference: URL:http://www.securityfocus.com/advisories/3423
Reference: SGI:20011002-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20011002-01-P
Reference: CIAC:L-105
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-105.shtml
Reference: IMMUNIX:IMNX-2001-70-027-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-027-01
Reference: CALDERA:CSSA-2001-024.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-024.0.txt
Reference: CONECTIVA:CLA-2001:405
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000405
Reference: REDHAT:RHSA-2001:086
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-086.html
Reference: DEBIAN:DSA-065
Reference: URL:http://www.debian.org/security/2001/dsa-065
Reference: BID:2928
Reference: URL:http://www.securityfocus.com/bid/2928
Reference: XF:samba-netbios-file-creation(6731)
Reference: URL:http://xforce.iss.net/static/6731.php

Directory traversal vulnerability in the %m macro in the smb.conf
configuration file in Samba before 2.2.0a allows remote attackers to
overwrite certain files via a .. in a NETBIOS name, which is used as
the name for a .log file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1162 ACCEPT (7 accept, 7 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1166
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: FREEBSD:FreeBSD-SA-01:55
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:55.procfs.asc
Reference: XF:linprocfs-process-memory-leak(7017)
Reference: URL:http://www.iss.net/security_center/static/7017.php
Reference: BID:3217
Reference: URL:http://www.securityfocus.com/bid/3217

linprocfs on FreeBSD 4.3 and earlier does not properly restrict access
to kernel memory, which allows one process with debugging rights on a
privileged process to read restricted memory from that process.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1166 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1172
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1172
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010719 [SNS Advisory No.37] HTTProtect allows attackers to change the protected file using a symlink
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0357.html
Reference: CONFIRM:http://www.omnisecure.com/security-alert.html
Reference: XF:httprotect-protected-file-symlink(6880)
Reference: URL:http://xforce.iss.net/static/6880.php

OmniSecure HTTProtect 1.1.1 allows a superuser without omnish
privileges to modify a protected file by creating a symbolic link to
that file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1172 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1174
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1174
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: REDHAT:RHSA-2001:091
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-091.html
Reference: MANDRAKE:MDKSA-2001:067
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-067.php
Reference: XF:elm-messageid-bo(6852)
Reference: URL:http://xforce.iss.net/static/6852.php

Buffer overflow in Elm 2.5.5 and earlier allows remote attackers to
execute arbitrary code via a long Message-ID header.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1174 ACCEPT (7 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1175
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1175
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: REDHAT:RHSA-2001:095
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-095.html
Reference: XF:vipw-world-readable-files(6851)
Reference: URL:http://xforce.iss.net/static/6851.php
Reference: BID:3036
Reference: URL:http://www.securityfocus.com/bid/3036

vipw in the util-linux package before 2.10 causes /etc/shadow to be
world-readable in some cases, which would make it easier for local
users to perform brute force password guessing.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1175 ACCEPT (8 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(8) Wall, Baker, Foat, Cole, Armstrong, Frech, Ziese, Green


======================================================
Candidate: CAN-2001-1176
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1176
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010712 VPN-1/FireWall-1 Format Strings Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0209.html
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/format_strings.html
Reference: BID:3021
Reference: URL:http://www.securityfocus.com/bid/3021
Reference: XF:fw1-management-format-string(6849)
Reference: URL:http://xforce.iss.net/static/6849.php

Format string vulnerability in Check Point VPN-1/FireWall-1 4.1 allows
a remote authenticated firewall administrator to execute arbitrary
code via format strings in the control connection.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1176 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1177
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1177
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010717 Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html
Reference: BID:3008
Reference: URL:http://www.securityfocus.com/bid/3008
Reference: XF:samsung-printer-temp-symlink(6845)
Reference: URL:http://xforce.iss.net/static/6845.php

ml85p in Samsung ML-85G GDI printer driver before 0.2.0 allows local
users to overwrite arbitrary files via a symlink attack on temporary
files.


Modifications:
  DESC add version number

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: acknowledged by vendor via e-mail to Dave Baker on
May 9, 2002: "This issue was solved at the release 0.2.0, available at
Ibiblio"

INFERRED ACTION: CAN-2001-1177 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(7) Christey, Wall, Foat, Cole, Armstrong, Ziese, Green

Voter Comments:
 Christey> Fixed by vendor in release 0.2.0 (acknowledged via e-mail)
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Baker> Vendor acknowledged via email.

   Subject:        Re: Samsung ML-85G Driver Issue
   Date:        Mon, 13 May 2002 20:11:14 -0300 (GMT+3)
   From:        Rildo Pragana <rildo@pragana.net>
   To:        David Baker <bakerd@mitre.org>
   Hi David,
   On Thu, 9 May 2002, David Baker wrote:
   >    I am a security researcher working for CVE (Common
   >    Vulnerabilities and Exposures) project.  I am researching a
   >    vulnerability in the ml85p printer driver.  I have been
   >    looking to determine if the driver was fixed to correct a
   >    flaw in the way it allowed a symlink attack via temporary
   >    files.  The vulnerability was reported on Bugtraq in Jul
   >    2001, BUGTRAQ:20010717 Samsung ML-85G Printer Linux
   >    Helper/Driver Binary Exploit (Mandrake: ghostscript
   >    package) at
   >    http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html
   >    and is listed in the Security Focus DB at BID 3008
   >    http://www.securityfocus.com/bid/3008  and as CVE candidate
   >    CAN-2001-1177.   I contacted Mandrake, who referred me to
   >    you, as the author of the driver.
   >
   > Can you shed any light on whether this was fixed or not?  --

   This issue was solved at the release 0.2.0, available at
   Ibiblio:
   http://ibiblio.org/pub/Linux/hardware/drivers/ml85p-0.2.0.tar.gz
   If there is something I can do, please let me know.
   best regards,
   Rildo


======================================================
Candidate: CAN-2001-1180
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1180
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010710 FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0179.html
Reference: CIAC:L-111
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-111.shtml
Reference: CERT-VN:VU#943633
Reference: URL:http://www.kb.cert.org/vuls/id/943633
Reference: FREEBSD:FreeBSD-SA-01:42
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.v1.1.asc
Reference: XF:bsd-rfork-signal-handlers(6829)
Reference: URL:http://xforce.iss.net/static/6829.php
Reference: BID:3007
Reference: URL:http://www.securityfocus.com/bid/3007

FreeBSD 4.3 does not properly clear shared signal handlers when
executing a process, which allows local users to gain privileges by
calling rfork with a shared signal handler, having the child process
execute a setuid program, and sending a signal to the child.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1180 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1183
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1183
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CISCO:20010712 Cisco IOS PPTP Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/PPTP-vulnerability-pub.html
Reference: CERT-VN:VU#656315
Reference: URL:http://www.kb.cert.org/vuls/id/656315
Reference: BID:3022
Reference: URL:http://www.securityfocus.com/bid/3022
Reference: XF:cisco-ios-pptp-dos(6835)
Reference: URL:http://xforce.iss.net/static/6835.php

PPTP implementation in Cisco IOS 12.1 and 12.2 allows remote attackers
to cause a denial of service (crash) via a malformed packet.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1183 ACCEPT (7 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1185
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011210 AIO vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/244583
Reference: XF:bsd-aio-overwrite-memory(7693)
Reference: URL:http://www.iss.net/security_center/static/7693.php
Reference: BID:3661
Reference: URL:http://www.securityfocus.com/bid/3661

Some AIO operations in FreeBSD 4.4 may be delayed until after a call
to execve, which could allow a local user to overwrite memory of the
new process and gain privileges.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1185 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Green
   NOOP(2) Wall, Ziese


======================================================
Candidate: CAN-2001-1193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1193
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011213 EFTP 2.0.8.346 directory content disclosure
Reference: URL:http://www.securityfocus.com/archive/1/245393
Reference: CONFIRM:http://www.eftp.org/releasehistory.html
Reference: BID:3691
Reference: URL:http://www.securityfocus.com/bid/3691
Reference: XF:eftp-dot-directory-traversal(7699)

Directory traversal vulnerability in EFTP 2.0.8.346 allows local users
to read directories via a ... (modified dot dot) in the CWD command.


Modifications:
  ADDREF XF:eftp-dot-directory-traversal(7699)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the release history, the entry for version
2.0.8.347, dated December 12, says "Fixed a security flaw where users
could inadvertently change directory by changing to '...'"

INFERRED ACTION: CAN-2001-1193 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Ziese, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:eftp-dot-directory-traversal(7699)


======================================================
Candidate: CAN-2001-1199
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1199
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011217 Agoracgi v3.3e Cross Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/246044
Reference: CONFIRM:http://www.agoracgi.com/security.html
Reference: BID:3702
Reference: URL:http://www.securityfocus.com/bid/3702
Reference: XF:agora-cgi-css(7708)
Reference: URL:http://www.iss.net/security_center/static/7708.php

Cross-site scripting vulnerability in agora.cgi for Agora 3.0a through
4.0g, when debug mode is enabled, allows remote attackers to execute
Javascript on other clients via the cart_id parameter.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The Agoracgi security page says "The Cross-Site
Scripting vulnerability demonstrations (erroneously described as
running on 3.x stores) don't work with this patch installed...  No
store version 3.0a through 4.0g should run without [this patch]"

INFERRED ACTION: CAN-2001-1199 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1201
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1201
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011217 New Advisory + Exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100863301405266&w=2
Reference: BUGTRAQ:20011218 wmcube-gdk is vulnerable to a local exploit
Reference: URL:http://online.securityfocus.com/archive/1/246273
Reference: CONFIRM:http://www.ne.jp/asahi/linux/timecop/software/wmcube-gdk-0.98p2.tar.gz
Reference: BID:3706
Reference: URL:http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3706
Reference: XF:wmcubegdk-object-file-bo(7720)
Reference: URL:http://www.iss.net/security_center/static/7720.php

Buffer overflow in wmcube-gdk for WMCube/GDK 0.98 allows local users
to execute arbitrary code via long lines in the object description
file.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the CHANGES file in wmcube-gdk-0.98p2.tar.gz includes
an entry dated 20011218, stating "drop kmem privileges on FreeBSD
after opening kvm."  Given the timing of this file relative to the
Bugtraq announcement, and the fact that it would fix the issue being
discussed in this item, there is sufficient acknowledgement.

INFERRED ACTION: CAN-2001-1201 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1203
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1203
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: DEBIAN:DSA-095
Reference: URL:http://www.debian.org/security/2001/dsa-095
Reference: XF:linux-gpm-format-string(7748)
Reference: BID:3750
Reference: URL:http://online.securityfocus.com/bid/3750

Format string vulnerability in gpm-root in gpm 1.17.8 through 1.17.18
allows local users to gain root privileges.


Modifications:
  ADDREF XF:linux-gpm-format-string(7748)
  ADDREF BID:3750

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1203 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Ziese, Green
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:linux-gpm-format-string(7748)
   http://online.securityfocus.com/bid/3750


======================================================
Candidate: CAN-2001-1215
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1215
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011220 [CERT-intexxia] pfinger Format String Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/246656
Reference: CONFIRM:http://www.xelia.ch/unix/pfinger/ChangeLog
Reference: XF:pfinger-plan-format-string(7742)
Reference: URL:http://www.iss.net/security_center/static/7742.php
Reference: BID:3725
Reference: URL:http://online.securityfocus.com/bid/3725

Format string vulnerability in PFinger 0.7.5 through 0.7.7 allows
remote attackers to execute arbitrary code via format string
specifiers in a .plan file.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: in the Change Log, the entry dated 2001-12-19 says
"Security Fix: Malicious local user could induce a bad format string"
and credits the disclosers.

INFERRED ACTION: CAN-2001-1215 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1227
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1227
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: REDHAT:RHSA-2001:115
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-115.html
Reference: MANDRAKE:MDKSA-2001:080
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-080.php3
Reference: BID:3425
Reference: URL:http://online.securityfocus.com/bid/3425
Reference: XF:zope-fmt-access-methods(7271)

Zope before 2.2.4 allows partially trusted users to bypass security
controls for certain methods by accessing the methods through the fmt
attribute of dtml-var tags.


Modifications:
  ADDREF XF:zope-fmt-access-methods(7271)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1227 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:zope-fmt-access-methods(7271)


======================================================
Candidate: CAN-2001-1231
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1231
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010814 Fwd: Security Alert: Groupwise - Action Required
Reference: URL:http://www.securityfocus.com/archive/1/204672
Reference: CONFIRM:http://support.novell.com/padlock/details.htm
Reference: XF:novell-groupwise-admin-privileges(6998)
Reference: URL:http://xforce.iss.net/static/6998.php
Reference: BID:3189
Reference: URL:http://www.securityfocus.com/bid/3189

GroupWise 5.5 and 6 running in live remote or smart caching mode
allows remote attackers to read arbitrary users' mailboxes by
extracting usernames and passwords from sniffed network traffic, as
addressed by the "Padlock" fix.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1231 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(4) Wall, Foat, Cole, Cox


======================================================
Candidate: CAN-2001-1234
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1234
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CONFIRM:http://prdownloads.sourceforge.net/gallery/gallery-1.2.5.tar.gz
Reference: BID:3397
Reference: URL:http://www.securityfocus.com/bid/3397
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Bharat Mediratta Gallery PHP script before 1.2.1 allows remote
attackers to execute arbitrary code by including files from remote web
sites via an HTTP request that modifies the includedir variable.

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: The UPGRADING file in the distribution of 1.2.5 says:
"Due to a security fix, you now have to modify index.php if you want
to use the Gallery random photo block for Nuke...  The file you tried
to include is not on the approved file list. To include this file you
must edit Gallery's index.php and add XXX to the $safe_to_include
array."  This clearly addresses the problem that was reported.

INFERRED ACTION: CAN-2001-1234 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1235
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1235
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/21800
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php
Reference: BID:3395
Reference: URL:http://www.securityfocus.com/bid/3395

pSlash PHP script 0.7 and earlier allows remote attackers to execute
arbitrary code by including files from remote web sites, using an HTTP
request that modifies the includedir variable.

Analysis
--------
Vendor Acknowledgement: unknown

ACKNOWLEDGEMENT: Could not find ACK and the software has not been
updated on sourceforge since Jun 05, 2001, 5 months before this
vulnerability was announced.

INFERRED ACTION: CAN-2001-1235 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1236
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1236
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803
Reference: BID:3394
Reference: URL:http://www.securityfocus.com/bid/3394
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

myphpPagetool PHP script 0.4.3-1 and earlier allows remote attackers
to execute arbitrary code by including files from remote web sites,
using an HTTP request that modifies the includedir variable.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1236 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1237
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1237
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CONFIRM:http://www.peaceworks.ca/phormation/phormation-0.9.2.tar.gz
Reference: BID:3393
Reference: URL:http://www.securityfocus.com/bid/3393
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803

Phormation PHP script 0.9.1 and earlier allows remote attackers to
execute arbitrary code by including files from remote web sites, using
an HTTP request that modifies the phormationdir variable.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: Ack is in /phormation-0.9.2/phormation/CHANGELOG: -
"changed the $phormationdir variable to be a constant. This closes a
huge security hole: The client could set the variable to something
like 'http://his_site.com'. Then your script would include
http://his_site.com/form.php and execute his code! (assuming you
haven't turned off certain php options)"

INFERRED ACTION: CAN-2001-1237 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1240
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1240
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: ENGARDE:ESA-20010711-02
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1493.html

The default configuration of sudo in Engarde Secure Linux 1.0.1 allows
any user in the admin group to run certain commands that could be
leveraged to gain full root access.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1240 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1246
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1246
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010630 php breaks safe mode
Reference: URL:http://online.securityfocus.com/archive/1/194425
Reference: CONFIRM:http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz
Reference: BID:2954
Reference: URL:http://online.securityfocus.com/bid/2954
Reference: XF:php-safemode-elevate-privileges(6787)
Reference: URL:http://www.iss.net/security_center/static/6787.php

PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th
parameter to the mail() function, which allows local users and
possibly remote attackers to execute arbitrary commands via shell
metacharacters.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: php-4.1.2 source, NEWS file, 10 Dec 2001, Version
4.1.0 states: "Fixed a bug that allowed users to spawn processes while
using the 5th parameter to mail()" The 5th param to mail was added in
version 4.0.5.

INFERRED ACTION: CAN-2001-1246 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Cox, Green
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2001-1247
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1247
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010630 php breaks safe mode
Reference: URL:http://online.securityfocus.com/archive/1/194425
Reference: CONFIRM:http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz
Reference: REDHAT:RHSA-2002:035
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-035.html

PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read
and write files owned by the web server UID by uploading a PHP script
that uses the error_log function to access the files.


Modifications:
  ADDREF REDHAT:RHSA-2002:035

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1247 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Cox, Green
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Cox> ADDREF: RHSA-2002:035


======================================================
Candidate: CAN-2001-1252
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1252
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20010928 SNS-43: PGP Keyserver Permissions Misconfiguration
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0230.html
Reference: CONFIRM:http://www.pgp.com/support/product-advisories/keyserver.asp
Reference: XF:pgp-keyserver-http-dos(7203)
Reference: URL:http://www.iss.net/security_center/static/7203.php
Reference: BID:3375
Reference: URL:http://online.securityfocus.com/bid/3375

Network Associates PGP Keyserver 7.0 allows remote attackers to bypass
authentication and access the administrative web interface via URLs
that directly access cgi-bin instead of keyserver/cgi-bin for the
programs (1) console, (2) cs, (3) multi_config and (4) directory.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

ACKNOWLEDGEMENT: the PGP advisory is referenced by the discloser.
While it does not provide quite enough details to be certain that it's
addressing the same problem, and the advisory has no date to "line up"
with the Bugtraq post, the poster is credited at the end of the
advisory.

INFERRED ACTION: CAN-2001-1252 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(4) Wall, Foat, Cole, Cox


======================================================
Candidate: CAN-2001-1266
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1266
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CONFIRM:http://dnhttpd.sourceforge.net/changelog.html
Reference: MISC:http://archives.neohapsis.com/archives/apps/freshmeat/2001-07/0002.html

Directory traversal vulnerability in Doug Neal's HTTPD Daemon
(DNHTTPD) before 0.4.1 allows remote attackers to view arbitrary files
via a .. (dot dot) attack using the dot hex code '%2E'.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the change log for version 0.4.1 says: "Just a
bug/security fix. I mistakenly put the bit that checked for '..' in
the URL *before* the bit that translated hex codes in URLs to ASCII,
so you could use %2E%2E in place of '..' and view any directory
listing or file in the filesystem that the server has read access to."

INFERRED ACTION: CAN-2001-1266 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1276
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1276
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010621 ispell update -- Immunix OS 6.2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99317439131174&w=2
Reference: IMMUNIX:IMNX-2001-62-004-01
Reference: URL:http://download.immunix.org/ImmunixOS/6.2/updates/IMNX-2001-62-004-01
Reference: MANDRAKE:MDKSA-2001:058
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-058.php3
Reference: REDHAT:RHSA-2001:074
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-074.html

ispell before 3.1.20 allows local users to overwrite files of other
users via a symlink attack on a temporary file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1276 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1277
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1277
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010611 man 1.5h10 + man 1.5i-4 exploits
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99227597227747&w=2
Reference: REDHAT:RHSA-2001:072
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-072.html
Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=41805

makewhatis in the man package before 1.5i2 allows an attacker in group
man to overwrite arbitrary files via a man page whose name contains
shell metacharacters.


Modifications:
  DESC say "in group man"

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1277 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   MODIFY(1) Cox
   NOOP(1) Foat

Voter Comments:
 Cox> "in group man" rather than "with man privileges" is more
   precise


======================================================
Candidate: CAN-2001-1295
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1295
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CONFIRM:http://www.greenepa.net/~averett/cerberus-releasenotes.htm#ReleaseNotes
Reference: MISC:http://www.securiteam.com/windowsntfocus/5SP0M0055W.html
Reference: XF:cerberus-ftp-directory-traversal(7004)
Reference: URL:http://www.iss.net/security_center/static/7004.php

Directory traversal vulnerability in Cerberus FTP Server 1.5 and
earlier allows remote attackers to read arbitrary files via a .. (dot
dot) in the CD command.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the release notes for version 1.6 beta, dated August
29, 2001, say "Fixed a major security bug that allowed unrestricted
access to the server machine by using periods in the change directory
path."

INFERRED ACTION: CAN-2001-1295 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Frech, Green
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2001-1297
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1297
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=58331
Reference: BID:3384
Reference: URL:http://www.securityfocus.com/bid/3384
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Actionpoll PHP script before 1.1.2 allows remote attackers to include
arbitrary files from remote web sites via an HTTP request that sets
the includedir variable.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The change log for 1.1.2 says "Fixed Security Bug"
and references BID:3384, i.e. this item.

INFERRED ACTION: CAN-2001-1297 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1299
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1299
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803
Reference: CONFIRM:http://www.come.to/zorbat/
Reference: CONFIRM:http://www.kb.cert.org/vuls/id/JARL-53RJKV
Reference: BID:3386
Reference: URL:http://www.securityfocus.com/bid/3386
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Zorbat Zorbstats PHP script before 0.9 allows remote attackers to
include arbitrary files from remote web sites via an HTTP request that
sets the includedir variable.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: On the vendor's home page, an announcement for
Zorbstats 0.9, dated October 21, 2001, says "Security problem
corrected." Normally this is insufficient to be certain that the
vendor is acknowledging *this* problem, but the vendor is also said to
have fixed the issue in a CERT vulnerability note.

INFERRED ACTION: CAN-2001-1299 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1322
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1322
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: REDHAT:RHSA-2001:075
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-075.html
Reference: DEBIAN:DSA-063
Reference: URL:http://www.debian.org/security/2001/dsa-063
Reference: ENGARDE:ESA-20010621-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1469.html
Reference: FREEBSD:FreeBSD-SA-01:47
Reference: URL:http://online.securityfocus.com/advisories/3446
Reference: SUSE:SuSE-SA:2001:022
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99384417013990&w=2
Reference: CONECTIVA:CLA-2001:404
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000404
Reference: MANDRAKE:MDKSA-2001:055
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-055.php3
Reference: IMMUNIX:IMNX-2001-70-024-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-024-01
Reference: XF:xinetd-insecure-permissions(6657)
Reference: URL:http://www.iss.net/security_center/static/6657.php
Reference: BID:2826
Reference: URL:http://online.securityfocus.com/bid/2826

xinetd 2.1.8 and earlier runs with a default umask of 0, which could
allow local users to read or modify files that are created by an
application that runs under xinetd but does not set its own safe
umask.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1322 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1342
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1342
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010412 Apache Win32 8192 chars string bug
Reference: URL:http://online.securityfocus.com/archive/1/176144
Reference: BUGTRAQ:20010522 [Announce] Apache 1.3.20 Released
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99054258728748&w=2
Reference: CONFIRM:http://www.apacheweek.com/issues/01-05-25
Reference: CONFIRM:http://bugs.apache.org/index.cgi/full/7522
Reference: XF:apache-server-dos(6527)
Reference: URL:http://www.iss.net/security_center/static/6527.php
Reference: BID:2740
Reference: URL:http://online.securityfocus.com/bid/2740

Apache before 1.3.20 on Windows and OS/2 systems allows remote
attackers to cause a denial of service (GPF) via an HTTP request for a
URI that contains a large number of / (slash) or other characters,
which causes certain functions to dereference a null pointer.


Modifications:
  DESC Change DoS expansion

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1342 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Foat, Cole, Green
   MODIFY(1) Cox

Voter Comments:
 Cox> ADDREF http://www.apacheweek.com/issues/01-05-25
   The DOS here isn't the crash, it's the fact that the crash causes a GPF
   fault message box that has to be cleared by the operator


======================================================
Candidate: CAN-2001-1345
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1345
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010604 Fatal flaw in BestCrypt <= v0.7 (Linux)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-06/0005.html
Reference: CONFIRM:http://www.jetico.com/index.htm#/linux.htm
Reference: XF:bestcrypt-bctool-gain-privileges(6648)
Reference: URL:http://xforce.iss.net/static/6648.php
Reference: BID:2820
Reference: URL:http://www.securityfocus.com/bid/2820

bctool in Jetico BestCrypt 0.7 and earlier trusts the user-supplied
PATH to find and execute an fsck utility program, which allows local
users to gain privileges by modifying the PATH to point to a Trojan
horse program.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The change log includes an entry for version 0.8-2,
dated 04-June-2001, which states "root access bug fixed" and credits
the person who reported the problem to Bugtraq.

INFERRED ACTION: CAN-2001-1345 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2002-0002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0002
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020102
Category: SF
Reference: MISC:http://marc.theaimsgroup.com/?l=stunnel-users&m=100869449828705&w=2
Reference: BUGTRAQ:20011227 Stunnel: Format String Bug in versions <3.22
Reference: URL:http://online.securityfocus.com/archive/1/247427
Reference: BUGTRAQ:20020102 Stunnel: Format String Bug update
Reference: URL:http://online.securityfocus.com/archive/1/248149
Reference: CONFIRM:http://stunnel.mirt.net/news.html
Reference: REDHAT:RHSA-2002:002
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-002.html
Reference: MANDRAKE:MDKSA-2002:004
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-004.php3
Reference: XF:stunnel-client-format-string(7741)
Reference: BID:3748
Reference: URL:http://online.securityfocus.com/bid/3748

Format string vulnerability in stunnel before 3.22 when used in client
mode for (1) smtp, (2) pop, or (3) nntp allows remote malicious
servers to execute arbitrary code.


Modifications:
  ADDREF XF:stunnel-client-format-string(7741)
  ADDREF MANDRAKE:MDKSA-2002:004
  ADDREF BID:3748
  ADDREF BUGTRAQ:20011227 Stunnel: Format String Bug in versions <3.22
  ADDREF BUGTRAQ:20020102 Stunnel: Format String Bug update

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0002 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:stunnel-client-format-string(7741)
 Christey> Consider adding BID:3748


======================================================
Candidate: CAN-2002-0003
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0003
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020102
Category: SF
Reference: REDHAT:RHSA-2002:004
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-004.html
Reference: MANDRAKE:MDKSA-2002:012
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php
Reference: HP:HPSBTL0201-014
Reference: URL:http://online.securityfocus.com/advisories/3793
Reference: XF:linux-groff-preprocessor-bo(7881)
Reference: BID:3869
Reference: URL:http://www.securityfocus.com/bid/3869

Buffer overflow in the preprocessor in groff 1.16 and earlier allows
remote attackers to gain privileges via lpd in the LPRng printing
system.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:012
  ADDREF XF:linux-groff-preprocessor-bo(7881)
  ADDREF BID:3869
  ADDREF HP:HPSBTL0201-014

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0003 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> ADDREF MANDRAKE:MDKSA-2002:012
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php
 Frech> XF:linux-groff-preprocessor-bo(7881)
 Christey> MANDRAKE:MDKSA-2002:012
   http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php3
 Christey> Consider adding BID:3869


======================================================
Candidate: CAN-2002-0004
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0004
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020102
Category: SF
Reference: BUGTRAQ:20020117 '/usr/bin/at 31337 + vuln' problem + exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101128661602088&w=2
Reference: DEBIAN:DSA-102
Reference: URL:http://www.debian.org/security/2002/dsa-102
Reference: SUSE:SuSE-SA:2002:003
Reference: URL:http://www.suse.de/de/support/security/2002_003_at_txt.txt
Reference: MANDRAKE:MDKSA-2002:007
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101147632721031&w=2
Reference: REDHAT:RHSA-2002:015
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-015.html
Reference: HP:HPSBTL0201-021
Reference: URL:http://online.securityfocus.com/advisories/3833
Reference: HP:HPSBTL0302-034
Reference: URL:http://online.securityfocus.com/advisories/3969
Reference: XF:linux-at-exetime-heap-corruption(7909)
Reference: BID:3886
Reference: URL:http://www.securityfocus.com/bid/3886

Heap corruption vulnerability in the "at" program allows local users
to execute arbitrary code via a malformed execution time, which causes
at to free the same memory twice.


Modifications:
  ADDREF XF:linux-at-exetime-heap-corruption(7909)
  ADDREF HP:HPSBTL0201-021
  ADDREF HP:HPSBTL0302-034
  ADDREF BID:3886

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0004 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:linux-at-exetime-heap-corruption(7909)
 Christey> Consider adding BID:3886


======================================================
Candidate: CAN-2002-0007
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0007
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020109
Category: SF
Reference: BUGTRAQ:20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
Reference: CONFIRM:http://www.bugzilla.org/security2_14_1.html
Reference: MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=54901
Reference: XF:bugzilla-ldap-auth-bypass(7812)

CGI.pl in Bugzilla before 2.14.1, when using LDAP, allows remote
attackers to obtain an anonymous bind to the LDAP server via a request
that does not include a password, which causes a null password to be
sent to the LDAP server.


Modifications:
  ADDREF XF:bugzilla-ldap-auth-bypass(7812)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0007 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:bugzilla-ldap-auth-bypass(7812)


======================================================
Candidate: CAN-2002-0018
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0018
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-001
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-001.asp
Reference: BID:3997
Reference: URL:http://www.securityfocus.com/bid/3997

In Microsoft Windows NT and Windows 2000, a trusting domain that
receives authorization information from a trusted domain does not
verify that the trusted domain is authoritative for all listed SIDs,
which could allow remote attackers to gain Domain Administrator
privileges on the trusting domain by injecting SIDs from untrusted
domains into the authorization data that comes from the trusted
domain.


Modifications:
  ADDREF BID:3997

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0018 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:3997


======================================================
Candidate: CAN-2002-0020
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0020
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-004.asp
Reference: BID:4061
Reference: URL:http://www.securityfocus.com/bid/4061
Reference: XF:ms-telnet-option-bo(8094)
Reference: URL:http://www.iss.net/security_center/static/8094.php

Buffer overflow in telnet server in Windows 2000 and Interix 2.2
allows remote attackers to execute arbitrary code via malformed
protocol options.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0020 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0021
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0021
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-002.asp
Reference: BID:4045
Reference: URL:http://www.securityfocus.com/bid/4045

Network Product Identification (PID) Checker in Microsoft Office v. X
for Mac allows remote attackers to cause a denial of service (crash)
via a malformed product announcement.


Modifications:
  ADDREF BID:4045

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0021 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4045


======================================================
Candidate: CAN-2002-0022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: BUGTRAQ:20020213 dH & SECURITY.NNOV: buffer overflow in mshtml.dll
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101362984930597&w=2
Reference: BUGTRAQ:20020227 Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general)
Reference: URL:http://online.securityfocus.com/archive/1/258614
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: CERT:CA-2002-04
Reference: URL:http://www.cert.org/advisories/CA-2002-04.html
Reference: XF:ie-html-directive-bo(8116)
Reference: URL:http://www.iss.net/security_center/static/8116.php
Reference: BID:4080
Reference: URL:http://www.securityfocus.com/bid/4080

Buffer overflow in the implementation of an HTML directive in
mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to
execute arbitrary code via a web page that specifies embedded ActiveX
controls in a way that causes 2 Unicode strings to be concatenated.


Modifications:
  ADDREF BID:4080
  ADDREF BUGTRAQ:20020227 Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0022 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4080


======================================================
Candidate: CAN-2002-0023
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0023
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: BUGTRAQ:20020101 IE GetObject() problems
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0000.html
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BID:3767
Reference: URL:http://www.securityfocus.com/bid/3767

Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read
arbitrary files via malformed requests to the GetObject function,
which bypass some of GetObject's security checks.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0023 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0025
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically
Reference: URL:http://online.securityfocus.com/archive/1/255767
Reference: BID:4085
Reference: URL:http://online.securityfocus.com/bid/4085

Internet Explorer 5.01, 5.5 and 6.0 does not properly handle the
Content-Type HTML header field, which allows remote attackers to
modify which application is used to process a document.


Modifications:
  ADDREF BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically
  ADDREF BID:4085

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0025 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically
   URL:http://online.securityfocus.com/archive/1/255767
   BID:4085
   URL:http://online.securityfocus.com/bid/4085


======================================================
Candidate: CAN-2002-0026
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0026
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BID:4082
Reference: URL:http://online.securityfocus.com/bid/4082

Internet Explorer 5.5 and 6.0 allows remote attackers to bypass
restrictions for executing scripts via an object that processes
asynchronous events after the initial security checks have been made.


Modifications:
  ADDREF BID:4082

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0026 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4082


======================================================
Candidate: CAN-2002-0027
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0027
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: BUGTRAQ:20011219 Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug
Reference: URL:http://www.securityfocus.com/archive/1/246522
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BID:3721
Reference: URL:http://www.securityfocus.com/bid/3721

Internet Explorer 5.5 and 6.0 allows remote attackers to read certain
files and spoof the URL in the address bar by using the Document.open
function to pass information between two frames from different
domains, a new variant of the "Frame Domain Verification"
vulnerability described in MS:MS01-058/CAN-2001-0874.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0027 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0028
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0028
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020116
Category: SF
Reference: BUGTRAQ:20020106 ICQ remote buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101043894627851&w=2
Reference: VULN-DEV:20020107 ICQ remote buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101043076806401&w=2
Reference: CERT:CA-2002-02
Reference: URL:http://www.cert.org/advisories/CA-2002-02.html
Reference: CERT-VN:VU#570167
Reference: URL:http://www.kb.cert.org/vuls/id/570167
Reference: BID:3813
Reference: URL:http://www.securityfocus.com/bid/3813
Reference: XF:aim-game-overflow(7743)

Buffer overflow in ICQ before 2001B Beta v5.18 Build #3659 allows
remote attackers to execute arbitrary code via a Voice Video & Games
request.


Modifications:
  ADDREF XF:aim-game-overflow(7743)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0028 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> (Review whether issue is misassigned.)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:aim-game-overflow(7743)


======================================================
Candidate: CAN-2002-0038
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0038
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020116
Category: SF
Reference: SGI:20020102-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-01-I
Reference: SGI:20020102-02-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-02-I
Reference: SGI:20020102-03-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-03-P
Reference: XF:irix-nsd-cache-dos(7907)
Reference: BID:3882

Vulnerability in the cache-limiting function of the unified name
service daemon (nsd) in IRIX 6.5.4 through 6.5.11 allows remote
attackers to cause a denial of service by forcing the cache to fill
the disk.


Modifications:
  ADDREF XF:irix-nsd-cache-dos(7907)
  ADDREF BID:3882

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0038 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Frech> XF:irix-nsd-cache-dos(7907)
 Christey> Consider adding BID:3882
 Christey> BID:3882


======================================================
Candidate: CAN-2002-0040
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0040
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020116
Category: SF
Reference: SGI:20020306-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020306-01-P
Reference: XF:irix-hostaliases-gain-privileges(8669)
Reference: URL:http://www.iss.net/security_center/static/8669.php
Reference: BID:4388
Reference: URL:http://www.securityfocus.com/bid/4388

Vulnerability in SGI IRIX 6.5.11 through 6.5.15f allows local users to
cause privileged applications to dump core via the HOSTALIASES
environment variable, which might allow the users to gain privileges.


Modifications:
  ADDREF XF:irix-hostaliases-gain-privileges(8669)
  ADDREF BID:4388

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0040 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(4) Wall, Foat, Cox, Christey

Voter Comments:
 Christey> Consider adding BID:4388
 Christey> XF:irix-hostaliases-gain-privileges(8669)
   URL:http://www.iss.net/security_center/static/8669.php
   BID:4388
   URL:http://www.securityfocus.com/bid/4388


======================================================
Candidate: CAN-2002-0043
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0043
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: BUGTRAQ:20020114 Sudo version 1.6.4 now available (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/250168
Reference: REDHAT:RHSA-2002:013
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-013.html
Reference: REDHAT:RHSA-2002:011
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-011.html
Reference: CONECTIVA:CLA-2002:451
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000451
Reference: ENGARDE:ESA-20020114-001
Reference: SUSE:SuSE-SA:2002:002
Reference: URL:http://www.suse.de/de/support/security/2002_002_sudo_txt.txt
Reference: MANDRAKE:MDKSA-2002:003
Reference: DEBIAN:DSA-101
Reference: IMMUNIX:IMNX-2002-70-001-01
Reference: URL:http://www.securityfocus.com/advisories/3800
Reference: FREEBSD:FreeBSD-SA-02:06
Reference: BUGTRAQ:20020116 Sudo +Postfix Exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101120193627756&w=2
Reference: MISC:http://www.sudo.ws/sudo/alerts/postfix.html
Reference: XF:sudo-unclean-env-root(7891)
Reference: URL:http://xforce.iss.net/static/7891.php
Reference: BID:3871
Reference: URL:http://www.securityfocus.com/bid/3871

sudo 1.6.0 through 1.6.3p7 does not properly clear the environment
before calling the mail program, which could allow local users to gain
root privileges by modifying environment variables and changing how
the mail program is invoked.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:003
  ADDREF DEBIAN:DSA-101
  ADDREF IMMUNIX:IMNX-2002-70-001-01
  ADDREF FREEBSD:FreeBSD-SA-02:06
  CHANGEREF REDHAT [normalize]

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0043 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Frech, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:003
   DEBIAN:DSA-101
   IMMUNIX:IMNX-2002-70-001-01
   URL:http://www.securityfocus.com/advisories/3800
   FREEBSD:FreeBSD-SA-02:06

   Normalize refs: REDHAT:RHSA-2002-011, REDHAT:RHSA-2002-013


======================================================
Candidate: CAN-2002-0044
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0044
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: REDHAT:RHSA-2002-012
Reference: URL:https://www.redhat.com/support/errata/RHSA-2002-012.html
Reference: HP:HPSBTL0201-019
Reference: URL:http://www.securityfocus.com/advisories/3818
Reference: MANDRAKE:MDKSA-2002:010
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-010.php3
Reference: DEBIAN:DSA-105
Reference: URL:http://www.debian.org/security/2002/dsa-105
Reference: XF:gnu-enscript-tmpfile-symlink(7932)
Reference: URL:http://xforce.iss.net/static/7932.php
Reference: BID:3920
Reference: URL:http://www.securityfocus.com/bid/3920

GNU Enscript 1.6.1 and earlier allows local users to overwrite
arbitrary files of the Enscript user via a symlink attack on temporary
files.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0044 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Frech, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0045
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0045
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: CONFIRM:http://www.openldap.org/lists/openldap-announce/200201/msg00002.html
Reference: CALDERA:CSSA-2002-001.0
Reference: MANDRAKE:MDKSA-2002:013
Reference: REDHAT:RHSA-2002:014
Reference: XF:openldap-slapd-delete-attributes(7978)

slapd in OpenLDAP 2.0 through 2.0.19 allows local users, and anonymous
users before 2.0.8, to conduct a "replace" action on access controls
without any values, which causes OpenLDAP to delete non-mandatory
attributes which would otherwise be protected by ACLs.


Modifications:
  ADDREF XF:openldap-slapd-delete-attributes(7978)
  ADDREF CALDERA:CSSA-2002-001.0
  ADDREF MANDRAKE:MDKSA-2002:013
  ADDREF REDHAT:RHSA-2002:014

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0045 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Frech> XF:openldap-slapd-delete-attributes(7978)
 Christey> CALDERA:CSSA-2002-001.0
   MANDRAKE:MDKSA-2002:013


======================================================
Candidate: CAN-2002-0046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0046
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: BUGTRAQ:20020120 remote memory reading through tcp/icmp
Reference: URL:http://www.securityfocus.com/archive/1/251418
Reference: REDHAT:RHSA-2002-007
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-007.html
Reference: XF:icmp-read-memory(7998)

Linux kernel, and possibly other operating systems, allows remote
attackers to read portions of memory via a series of fragmented ICMP
packets that generate an ICMP TTL Exceeded response, which includes
portions of the memory in the response packet.


Modifications:
  ADDREF XF:icmp-read-memory(7998)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0046 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Foat, Cole, Green
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:icmp-read-memory(7998)


======================================================
Candidate: CAN-2002-0047
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0047
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: DEBIAN:DSA-104
Reference: URL:http://www.debian.org/security/2002/dsa-104
Reference: REDHAT:RHSA-2002:007
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-007.html
Reference: XF:cipe-packet-handling-dos(7883)
Reference: URL:http://xforce.iss.net/static/7883.php

CIPE VPN package before 1.3.0-3 allows remote attackers to cause a
denial of service (crash) via a short malformed packet.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0047 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Frech, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0049
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0049
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020202
Category: CF
Reference: MS:MS02-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-003.asp
Reference: BID:4053
Reference: URL:http://www.securityfocus.com/bid/4053

Microsoft Exchange Server 2000 System Attendant gives "Everyone" group
privileges to the WinReg key, which could allow remote attackers to
read or modify registry keys.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0049 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0050
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: MS:MS02-010
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-010.asp
Reference: BID:4157
Reference: URL:http://online.securityfocus.com/bid/4157

Buffer overflow in AuthFilter ISAPI filter on Microsoft Commerce
Server 2000 allows remote attackers to execute arbitrary code via long
authentication data.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0050 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0051
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0051
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020202
Category: SF
Reference: BUGTRAQ:20011205 SECURITY.NNOV: file locking and security (group policy DoS on Windows 2000 domain)
Reference: URL:http://online.securityfocus.com/archive/1/244329
Reference: MS:MS02-016
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-016.asp
Reference: BID:4438
Reference: URL:http://online.securityfocus.com/bid/4438

Windows 2000 allows local users to prevent the application of new
group policy settings by opening Group Policy files with
exclusive-read access.


Modifications:
  ADDREF BID:4438

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0051 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Foat, Cole, Green
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> Consider adding BID:4438
 Christey> XF:win2k-group-policy-block(8759)
   URL:http://www.iss.net/security_center/static/8759.php


======================================================
Candidate: CAN-2002-0052
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0052
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: MS:MS02-009
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-009.asp
Reference: BID:4158
Reference: URL:http://online.securityfocus.com/bid/4158

Internet Explorer 6.0 and earlier does not properly handle VBScript in
certain domain security checks, which allows remote attackers to read
arbitrary files.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0052 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0055
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0055
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: BUGTRAQ:20020306 Vulnerability Details for MS02-012
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101558498401274&w=2
Reference: MS:MS02-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-012.asp
Reference: XF:ms-smtp-data-transfer-dos(8307)
Reference: URL:http://www.iss.net/security_center/static/8307.php
Reference: BID:4204
Reference: URL:http://www.securityfocus.com/bid/4204

SMTP service in Microsoft Windows 2000, Windows XP Professional, and
Exchange 2000 allows remote attackers to cause a denial of service via
a command with a malformed data transfer (BDAT) request.


Modifications:
  ADDREF XF:ms-smtp-data-transfer-dos(8307)
  ADDREF BID:4204

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0055 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4204
 Christey> XF:ms-smtp-data-transfer-dos(8307)
   URL:http://www.iss.net/security_center/static/8307.php
   BID:4204
   URL:http://www.securityfocus.com/bid/4204


======================================================
Candidate: CAN-2002-0057
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0057
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: BUGTRAQ:20011214 MSIE6 can read local files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-12/0152.html
Reference: BUGTRAQ:20020212 Update on the MS02-005 patch, holes still remain
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101366383408821&w=2
Reference: MS:MS02-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-008.asp
Reference: BID:3699
Reference: URL:http://online.securityfocus.com/bid/3699
Reference: XF:ie-xmlhttp-redirect(7712)

XMLHTTP control in Microsoft XML Core Services 2.6 and later does not
properly handle IE Security Zone settings, which allows remote
attackers to read arbitrary files by specifying a local file as an XML
Data Source.


Modifications:
  ADDREF XF:ie-xmlhttp-redirect(7712)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0057 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:ie-xmlhttp-redirect(7712)


======================================================
Candidate: CAN-2002-0059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020207
Category: SF
Reference: BUGTRAQ:20020311 security problem fixed in zlib 1.1.4
Reference: BUGTRAQ:20020312 exploiting the zlib bug in openssh
Reference: VULNWATCH:20020312 exploiting the zlib bug in openssh
Reference: VULNWATCH:20020311 [VulnWatch] zlibscan : script to find suid binaries possibly affected by zlib vulnerability
Reference: BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib)
Reference: BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh
Reference: BUGTRAQ:20020312 zlib & java
Reference: BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability
Reference: BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris
Reference: BUGTRAQ:20020314 about zlib vulnerability
Reference: BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected
Reference: BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products
Reference: BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability
Reference: CERT:CA-2002-07
Reference: CERT-VN:VU#368819
Reference: URL:http://www.kb.cert.org/vuls/id/368819
Reference: DEBIAN:DSA-122
Reference: REDHAT:RHSA-2002:026
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html
Reference: REDHAT:RHSA-2002:027
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-027.html
Reference: SUSE:SuSE-SA:2002:010
Reference: SUSE:SuSE-SA:2002:011
Reference: ENGARDE:ESA-20020311-008
Reference: MANDRAKE:MDKSA-2002:022
Reference: MANDRAKE:MDKSA-2002:023
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php
Reference: CALDERA:CSSA-2002-014.1
Reference: CALDERA:CSSA-2002-015.1
Reference: CONECTIVA:CLA-2002:469
Reference: HP:HPSBTL0204-030
Reference: HP:HPSBTL0204-036
Reference: HP:HPSBTL0204-037
Reference: MANDRAKE:MDKSA-2002:024
Reference: CISCO:20020403 Vulnerability in the zlib Compression Library
Reference: OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002
Reference: FREEBSD:FreeBSD-SA-02:18
Reference: BUGTRAQ:20020318 TSLSA-2002-0040 - zlib
Reference: BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions)
Reference: BID:4267
Reference: URL:http://online.securityfocus.com/bid/4267
Reference: XF:zlib-doublefree-memory-corruption(8427)

The decompression algorithm in zlib 1.1.3 and earlier, as used in many
different utilities and packages, causes inflateEnd to release certain
memory more than once (a "double free"), which may allow local and
remote attackers to execute arbitrary code via a block of malformed
compression data.


Modifications:
  CHANGEREF BUGTRAQ change some dates from 20020212 to 20020312
  ADDREF BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib)
  ADDREF BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh
  ADDREF BUGTRAQ:20020312 zlib & java
  ADDREF BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability
  ADDREF BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris
  ADDREF BUGTRAQ:20020314 about zlib vulnerability
  ADDREF BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability
  ADDREF BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products
  ADDREF FREEBSD:FreeBSD-SA-02:18
  ADDREF BUGTRAQ:20020318 TSLSA-2002-0040 - zlib
  ADDREF BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions)
  ADDREF CALDERA:CSSA-2002-014.1
  ADDREF CALDERA:CSSA-2002-015.1
  ADDREF CONECTIVA:CLA-2002:469
  ADDREF HP:HPSBTL0204-030
  ADDREF HP:HPSBTL0204-036
  ADDREF HP:HPSBTL0204-037
  ADDREF MANDRAKE:MDKSA-2002:024
  ADDREF CISCO:20020403 Vulnerability in the zlib Compression Library
  ADDREF OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002
  ADDREF XF:zlib-doublefree-memory-corruption(8427)
  ADDREF BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0059 ACCEPT (5 accept, 10 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Need to change dates of Bugtraq and Vulnwatch posts from
   20020212 to 20020312 for "exploiting the zlib bug in openssh"
   BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib)
   BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh
   BUGTRAQ:20020312 zlib & java
   BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability
   BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris
   BUGTRAQ:20020314 about zlib vulnerability
   BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability
   BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products
   FREEBSD:FreeBSD-SA-02:18
   BUGTRAQ:20020318 TSLSA-2002-0040 - zlib
   BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions)
   CALDERA:CSSA-2002-014.1
   CALDERA:CSSA-2002-015.1
   CONECTIVA:CLA-2002:469
   HP:HPSBTL0204-030
   HP:HPSBTL0204-036
   HP:HPSBTL0204-037
   MANDRAKE:MDKSA-2002:024
   CISCO:20020403 Vulnerability in the zlib Compression Library
   OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002
   XF:zlib-doublefree-memory-corruption(8427)
   BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected


======================================================
Candidate: CAN-2002-0060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0060
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020213
Category: SF
Reference: BUGTRAQ:20020227 security advisory linux 2.4.x ip_conntrack_irc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101483396412051&w=2
Reference: VULN-DEV:20020227 Fwd: [ANNOUNCE] Security Advisory about IRC DCC connection tracking
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101486352429653&w=2
Reference: CONFIRM:http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html
Reference: REDHAT:RHSA-2002:028
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-028.html

IRC connection tracking helper module in the netfilter subsystem for
Linux 2.4.18-pre9 and earlier does not properly set the mask for
conntrack expectations for incoming DCC connections, which could allow
remote attackers to bypass intended firewall restrictions.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0060 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0063
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0063
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020217
Category: SF
Reference: CONFIRM:http://www.cups.org/relnotes.html
Reference: DEBIAN:DSA-110
Reference: URL:http://www.debian.org/security/2002/dsa-110
Reference: MANDRAKE:MDKSA-2002:015
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-015.php
Reference: REDHAT:RHSA-2002:032
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-032.html
Reference: SUSE:SuSE-SA:2002:005
Reference: SUSE:SuSE-SA:2002:006
Reference: CALDERA:CSSA-2002-008.0
Reference: CONECTIVA:CLA-2002:471
Reference: XF:cups-ippread-bo(8192)
Reference: BID:4100

Buffer overflow in ippRead function of CUPS before 1.1.14 may allow
attackers to execute arbitrary code via long attribute names or
language values.


Modifications:
  ADDREF REDHAT:RHSA-2002:032
  ADDREF SUSE:SuSE-SA:2002:005
  ADDREF SUSE:SuSE-SA:2002:006
  ADDREF CALDERA:CSSA-2002-008.0
  ADDREF XF:cups-ippread-bo(8192)
  ADDREF BID:4100
  ADDREF CONECTIVA:CLA-2002:471

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0063 ACCEPT (4 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Ziese, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> REDHAT:RHSA-2002:032
   URL:http://www.redhat.com/support/errata/RHSA-2002-032.html
   SUSE:SuSE-SA:2002:005
   SUSE:SuSE-SA:2002:006
 Christey> SUSE:SuSE-SA:2002:005
 Christey> REDHAT:RHSA-2002:032
   CALDERA:CSSA-2002-008.0
   XF:cups-ippread-bo(8192)
   BID:4100
   SUSE:SuSE-SA:2002:006
   SUSE:SuSE-SA:2002:005
   CONECTIVA:CLA-2002:471


======================================================
Candidate: CAN-2002-0064
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0064
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020219
Category: CF
Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html
Reference: XF:funk-proxy-insecure-permissions(8791)
Reference: URL:http://www.iss.net/security_center/static/8791.php
Reference: BID:4458
Reference: URL:http://www.securityfocus.com/bid/4458

Funk Software Proxy Host 3.x is installed with insecure permissions
for the registry and the file system.


Modifications:
  ADDREF XF:funk-proxy-insecure-permissions(8791)
  ADDREF BID:4458

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0064 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(4) Wall, Foat, Cox, Christey

Voter Comments:
 Christey> XF:funk-proxy-insecure-permissions(8791)
   URL:http://www.iss.net/security_center/static/8791.php
   BID:4458
   URL:http://www.securityfocus.com/bid/4458


======================================================
Candidate: CAN-2002-0065
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0065
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020219
Category: SF
Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html
Reference: XF:funk-proxy-weak-password(8792)
Reference: URL:http://www.iss.net/security_center/static/8792.php
Reference: BID:4459
Reference: URL:http://www.securityfocus.com/bid/4459

Funk Software Proxy Host 3.x uses weak encryption for the Proxy Host
password, which allows local users to gain privileges by recovering
the passwords from the PHOST.INI file or the Windows registry.


Modifications:
  ADDREF XF:funk-proxy-weak-password(8792)
  ADDREF BID:4459

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0065 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(4) Wall, Foat, Cox, Christey

Voter Comments:
 Christey> XF:funk-proxy-weak-password(8792)
   URL:http://www.iss.net/security_center/static/8792.php
   BID:4459
   URL:http://www.securityfocus.com/bid/4459


======================================================
Candidate: CAN-2002-0066
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0066
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020219
Category: SF
Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html
Reference: XF:funk-proxy-named-pipe(8793)
Reference: URL:http://www.iss.net/security_center/static/8793.php
Reference: BID:4460
Reference: URL:http://www.securityfocus.com/bid/4460

Funk Software Proxy Host 3.x before 3.09A creates a Named Pipe that
does not require authentication and is installed with insecure access
control, which allows local and possibly remote users to use the Proxy
Host's configuration utilities and gain privileges.


Modifications:
  ADDREF XF:funk-proxy-named-pipe(8793)
  ADDREF BID:4460

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0066 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(4) Wall, Foat, Cox, Christey

Voter Comments:
 Christey> XF:funk-proxy-named-pipe(8793)
   URL:http://www.iss.net/security_center/static/8793.php
   BID:4460
   URL:http://www.securityfocus.com/bid/4460


======================================================
Candidate: CAN-2002-0070
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0070
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101594127017290&w=2
Reference: VULNWATCH:20020311 [VulnWatch] ADVISORY: Windows Shell Overflow
Reference: NTBUGTRAQ:20020311 ADVISORY: Windows Shell Overflow
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0203&L=ntbugtraq&F=P&S=&P=2404
Reference: MS:MS02-014
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-014.asp
Reference: XF:win-shell-bo(8384)
Reference: URL:http://www.iss.net/security_center/static/8384.php
Reference: BID:4248
Reference: URL:http://www.securityfocus.com/bid/4248

Buffer overflow in Windows Shell (used as the Windows Desktop) allows
local and possibly remote attackers to execute arbitrary code via a
custom URL handler that has not been removed for an application that
has been improperly uninstalled.


Modifications:
  ADDREF XF:win-shell-bo(8384)
  ADDREF BID:4248
  ADDREF BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0070 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> XF:win-shell-bo(8384)
   URL:http://www.iss.net/security_center/static/8384.php
   BID:4248
   URL:http://www.securityfocus.com/bid/4248
   BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101594127017290&w=2


======================================================
Candidate: CAN-2002-0078
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0078
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020330 IE: Remote webpage can script in local zone
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101781180528301&w=2
Reference: MS:MS02-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-015.asp
Reference: BID:4392
Reference: URL:http://www.securityfocus.com/bid/4392
Reference: XF:ie-cookie-local-zone(8701)
Reference: URL:http://www.iss.net/security_center/static/8701.php

The zone determination function in Microsoft Internet Explorer 5.5 and
6.0 allows remote attackers to run scripts in the Local Computer zone
by embedding the script in a cookie, aka the "Cookie-based Script
Execution" vulnerability.


Modifications:
  ADDREF BID:4392
  ADDREF XF:ie-cookie-local-zone(8701)
  ADDREF BUGTRAQ:20020330 IE: Remote webpage can script in local zone

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0078 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Foat, Cole, Green
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> Consider adding BID:4392
 Christey> BUGTRAQ:20020330 IE: Remote webpage can script in local zone
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101781180528301&w=2
   XF:ie-cookie-local-zone(8701)
   URL:http://www.iss.net/security_center/static/8701.php
   BID:4392
   URL:http://www.securityfocus.com/bid/4392


======================================================
Candidate: CAN-2002-0080
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0080
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020221
Category: SF
Reference: REDHAT:RHSA-2002:026
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html
Reference: MANDRAKE:MDKSA-2002:024
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3
Reference: CALDERA:CSSA-2002-014.1
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt
Reference: XF:linux-rsync-inherit-privileges(8463)
Reference: URL:http://www.iss.net/security_center/static/8463.php
Reference: BID:4285
Reference: URL:http://www.securityfocus.com/bid/4285

rsync, when running in daemon mode, does not properly call setgroups
before dropping privileges, which could provide supplemental group
privileges to local users, who could then read certain files that
would otherwise be disallowed.


Modifications:
  DESC Add "when running in daemon mode"
  ADDREF CALDERA:CSSA-2002-014.1
  ADDREF XF:linux-rsync-inherit-privileges(8463)
  ADDREF BID:4285

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0080 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Ziese, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> CALDERA:CSSA-2002-014.1
   URL:http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt
   XF:linux-rsync-inherit-privileges(8463)
   URL:http://www.iss.net/security_center/static/8463.php
   BID:4285
   URL:http://www.securityfocus.com/bid/4285

   Add "when running in daemon mode" to description.


======================================================
Candidate: CAN-2002-0081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0081
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020227
Category: SF
Reference: VULN-DEV:20020225 Re: Rumours about Apache 1.3.22 exploits
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101468694824998&w=2
Reference: BUGTRAQ:20020227 Advisory 012002: PHP remote vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101484705523351&w=2
Reference: NTBUGTRAQ:20020227 PHP remote vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101484975231922&w=2
Reference: CONFIRM:http://www.php.net/downloads.php
Reference: MISC:http://security.e-matters.de/advisories/012002.html
Reference: REDHAT:RHSA-2002:035
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-035.html
Reference: DEBIAN:DSA-115
Reference: URL:http://www.debian.org/security/2002/dsa-115
Reference: CERT:CA-2002-05
Reference: URL:http://www.cert.org/advisories/CA-2002-05.html
Reference: CERT-VN:VU#297363
Reference: URL:http://www.kb.cert.org/vuls/id/297363
Reference: ENGARDE:ESA-20020301-006
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1924.html
Reference: HP:HPSBTL0203-028
Reference: URL:http://online.securityfocus.com/advisories/3911
Reference: CONECTIVA:CLA-2002:468
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000468
Reference: XF:php-file-upload-overflow(8281)
Reference: URL:http://www.iss.net/security_center/static/8281.php
Reference: BID:4183
Reference: URL:http://www.securityfocus.com/bid/4183
Reference: BUGTRAQ:20020304 Apache+php Proof of Concept Exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101537076619812&w=2
Reference: BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101497256024338&w=2
Reference: SUSE:SuSE-SA:2002:007
Reference: URL:http://www.suse.com/de/support/security/2002_007_mod_php4_txt.html
Reference: MANDRAKE:MDKSA-2002:017
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-017.php

Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6
and earlier, and (2) php3_mime_split in PHP 3.0.x allow remote
attackers to execute arbitrary code via a multipart/form-data HTTP
POST request when file_uploads is enabled.


Modifications:
  ADDREF BUGTRAQ:20020304 Apache+php Proof of Concept Exploit
  ADDREF BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php
  ADDREF SUSE:SuSE-SA:2002:007
  ADDREF MANDRAKE:MDKSA-2002:017

Analysis
--------
Vendor Acknowledgement: yes advisory

ABSTRACTION: there is mixed overlap between these different versions,
in terms of the fixes provided.  One could argue that these are
different bugs in different versions, thus CD:SF-LOC would state that
these should be separated.  However, these clearly stem from the same
codebase.

INFERRED ACTION: CAN-2002-0081 ACCEPT (4 accept, 7 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Ziese, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> BUGTRAQ:20020304 Apache+php Proof of Concept Exploit
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101537076619812&w=2
 Christey> ADDREF BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101497256024338&w=2
   SUSE:SuSE-SA:2002:007
   MANDRAKE:MDKSA-2002:017
 Christey> SUSE:SuSE-SA:2002:007
   URL:http://www.suse.com/de/support/security/2002_007_mod_php4_txt.html
   MANDRAKE:MDKSA-2002:017
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-017.php
   BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0362.html
   BUGTRAQ:20020304 Apache+php Proof of Concept Exploit
   URL:http://online.securityfocus.com/archive/1/259821


======================================================
Candidate: CAN-2002-0082
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0082
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020301
Category: SF
Reference: BUGTRAQ:20020227 mod_ssl Buffer Overflow Condition (Update Available)
Reference: URL:http://online.securityfocus.com/archive/1/258646
Reference: BUGTRAQ:20020301 Apache-SSL buffer overflow (fix available)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101518491916936&w=2
Reference: BUGTRAQ:20020304 Apache-SSL 1.3.22+1.47 - update to security fix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101528358424306&w=2
Reference: CONFIRM:http://www.apacheweek.com/issues/02-03-01#security
Reference: BUGTRAQ:20020228 TSLSA-2002-0034 - apache
Reference: ENGARDE:ESA-20020301-005
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1923.html
Reference: CONECTIVA:CLA-2002:465
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000465
Reference: REDHAT:RHSA-2002:041
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-041.html
Reference: MANDRAKE:MDKSA-2002:020
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-020.php
Reference: REDHAT:RHSA-2002:042
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-042.html
Reference: DEBIAN:DSA-120
Reference: URL:http://www.debian.org/security/2002/dsa-120
Reference: HP:HPSBTL0203-031
Reference: URL:http://www.securityfocus.com/advisories/3965
Reference: HP:HPSBUX0204-190
Reference: URL:http://www.securityfocus.com/advisories/4008
Reference: CALDERA:CSSA-2002-011.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-011.0.txt
Reference: COMPAQ:SSRT0817
Reference: URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0817.shtml
Reference: BID:4189
Reference: URL:http://online.securityfocus.com/bid/4189
Reference: XF:apache-modssl-bo(8308)
Reference: URL:http://www.iss.net/security_center/static/8308.php

The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and
Apache-SSL before 1.3.22+1.46, does not properly initialize memory
using the i2d_SSL_SESSION function, which allows remote attackers to
use a buffer overflow to execute arbitrary code via a large client
certificate that is signed by a trusted Certificate Authority (CA),
which produces a large serialized session.


Modifications:
  ADDREF DEBIAN:DSA-120
  ADDREF HP:HPSBTL0203-031
  ADDREF HP:HPSBUX0204-190
  ADDREF CALDERA:CSSA-2002-011.0
  ADDREF COMPAQ:SSRT0817

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0082 ACCEPT (5 accept, 6 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> DEBIAN:DSA-120
   URL:http://www.debian.org/security/2002/dsa-120
   HP:HPSBTL0203-031
   URL:http://www.securityfocus.com/advisories/3965
   HP:HPSBUX0204-190
   URL:http://www.securityfocus.com/advisories/4008
   CALDERA:CSSA-2002-011.0
   URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-011.0.txt
   COMPAQ:SSRT0817
   URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0817.shtml


======================================================
Candidate: CAN-2002-0083
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0083
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020306
Category: SF
Reference: VULNWATCH:20020307 [VulnWatch] [PINE-CERT-20020301] OpenSSH off-by-one
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0060.html
Reference: BUGTRAQ:20020307 OpenSSH Security Advisory (adv.channelalloc)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101553908201861&w=2
Reference: BUGTRAQ:20020307 [PINE-CERT-20020301] OpenSSH off-by-one
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101552065005254&w=2
Reference: BUGTRAQ:20020308 [OpenPKG-SA-2002.002] OpenPKG Security Advisory (openssh)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101561384821761&w=2
Reference: BUGTRAQ:20020311 TSLSA-2002-0039 - openssh
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html
Reference: BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101586991827622&w=2
Reference: BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit
Reference: URL:http://online.securityfocus.com/archive/1/264657
Reference: CONFIRM:http://www.openbsd.org/advisories/ssh_channelalloc.txt
Reference: ENGARDE:ESA-20020307-007
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1937.html
Reference: SUSE:SuSE-SA:2002:009
Reference: URL:http://www.suse.de/de/support/security/2002_009_openssh_txt.html
Reference: CONECTIVA:CLA-2002:467
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000467
Reference: DEBIAN:DSA-119
Reference: URL:http://www.debian.org/security/2002/dsa-119
Reference: REDHAT:RHSA-2002:043
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-043.html
Reference: MANDRAKE:MDKSA-2002:019
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-019.php
Reference: NETBSD:NetBSD-SA2002-004
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc
Reference: CALDERA:CSSA-2002-SCO.10
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt
Reference: CALDERA:CSSA-2002-SCO.11
Reference: URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt
Reference: CALDERA:CSSA-2002-012.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-012.0.txt
Reference: FREEBSD:FreeBSD-SA-02:13
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc
Reference: HP:HPSBTL0203-029
Reference: URL:http://online.securityfocus.com/advisories/3960
Reference: XF:openssh-channel-error(8383)
Reference: URL:http://www.iss.net/security_center/static/8383.php
Reference: BID:4241
Reference: URL:http://www.securityfocus.com/bid/4241

Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2
allows local users or remote malicious servers to gain privileges.


Modifications:
  ADDREF BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
  ADDREF BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit
  ADDREF BID:4241
  ADDREF MANDRAKE:MDKSA-2002:019
  ADDREF BUGTRAQ:20020311 TSLSA-2002-0039 - openssh
  ADDREF NETBSD:NetBSD-SA2002-004
  ADDREF CALDERA:CSSA-2002-SCO.10
  ADDREF CALDERA:CSSA-2002-SCO.11
  ADDREF CALDERA:CSSA-2002-012.0
  ADDREF FREEBSD:FreeBSD-SA-02:13
  ADDREF XF:openssh-channel-error(8383)
  ADDREF HP:HPSBTL0203-029

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0083 ACCEPT (5 accept, 8 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4241
 Christey> BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101586991827622&w=2
 Christey> BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit
   URL:http://online.securityfocus.com/archive/1/264657
   BID:4241
   URL:http://www.securityfocus.com/bid/4241
   MANDRAKE:MDKSA-2002:019
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-019.php
   BUGTRAQ:20020311 TSLSA-2002-0039 - openssh
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html
   BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
   URL:http://online.securityfocus.com/archive/1/260958
   NETBSD:NetBSD-SA2002-004
   URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc
   CALDERA:CSSA-2002-SCO.10
   URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt
   CALDERA:CSSA-2002-SCO.11
   URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt
   CALDERA:CSSA-2002-012.0
   URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-012.0.txt
   FREEBSD:FreeBSD-SA-02:13
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc
   XF:openssh-channel-error(8383)
   URL:http://www.iss.net/security_center/static/8383.php
   HP:HPSBTL0203-029
   URL:http://online.securityfocus.com/advisories/3960


======================================================
Candidate: CAN-2002-0092
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0092
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020308
Category: SF
Reference: VULN-DEV:20020220 Help needed with bufferoverflow in cvs
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101422243817321&w=2
Reference: VULN-DEV:20020220 Re: [Fwd: Help needed with bufferoverflow in cvs]
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101433077724524&w=2
Reference: DEBIAN:DSA-117
Reference: URL:http://www.debian.org/security/2002/dsa-117
Reference: REDHAT:RHSA-2002-026
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html
Reference: BID:4234
Reference: URL:http://www.securityfocus.com/bid/4234
Reference: XF:cvs-global-var-dos(8366)
Reference: URL:http://www.iss.net/security_center/static/8366.php

CVS before 1.10.8 does not properly initialize a global variable,
which allows remote attackers to cause a denial of service (server
crash) via the diff capability.


Modifications:
  ADDREF BID:4234
  ADDREF XF:cvs-global-var-dos(8366)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0092 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Ziese, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> Consider adding BID:4234
 Christey> BID:4234
   URL:http://www.securityfocus.com/bid/4234
   XF:cvs-global-var-dos(8366)
   URL:http://www.iss.net/security_center/static/8366.php


======================================================
Candidate: CAN-2002-0096
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0096
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020103 Vulnerability in new user creation in Geeklog 1.3
Reference: URL:http://www.securityfocus.com/archive/1/248367
Reference: CONFIRM:http://geeklog.sourceforge.net/index.php?topic=Security
Reference: BID:3783
Reference: URL:http://www.securityfocus.com/bid/3783
Reference: XF:geeklog-default-admin-privileges(7780)
Reference: URL:http://www.iss.net/security_center/static/7780.php

The installation of Geeklog 1.3 creates an extra group_assignments
record which is not properly deleted, which causes the first newly
created user to be added to the GroupAdmin and UserAdmin groups, which
could provide that user with administrative privileges that were not
intended.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The "Security" page for the geeklog project site
includes an entry dated January 3, 2002, which states "Security Fix!
... the first user that creates an account has access to the
GroupAdmin Group and, subsequently, the UserAdmin Group."

INFERRED ACTION: CAN-2002-0096 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0097
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0097
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020110 Cookie modification allows unauthenticated user login in Geeklog 1.3
Reference: URL:http://online.securityfocus.com/archive/1/249443
Reference: CONFIRM:http://geeklog.sourceforge.net/index.php?topic=Security
Reference: BID:3844
Reference: URL:http://online.securityfocus.com/bid/3844
Reference: XF:geeklog-modify-auth-cookie(7869)
Reference: URL:http://www.iss.net/security_center/static/7869.php

Geeklog 1.3 allows remote attackers to hijack user accounts, including
the administrator account, by modifying the UID of a user's permanent
cookie to the target account.

Analysis
--------
Vendor Acknowledgement: unknown

ACKNOWLEDGEMENT: In an item dated January 9, 2002, the geeklog vendor
states: "Major Security Hole Fixed! ... it is possible to have your
Geeklog 1.3 system compromised by simply editing the cookie and
changing the user ID to that of a Geeklog admin."

INFERRED ACTION: CAN-2002-0097 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Foat, Cole, Frech, Ziese, Green
   NOOP(1) Wall

Voter Comments:
 CHANGE> [Green changed vote from REVIEWING to ACCEPT]
 Green> The security page at geeklog.sourceforge.net indicates
   acknowledgement of the vulnerability and its resolution


======================================================
Candidate: CAN-2002-0098
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0098
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020105 BOOZT! Standard 's administration cgi vulnerable to buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101027773404836&w=2
Reference: BUGTRAQ:20020109 BOOZT! Standard CGI Vulnerability : Exploit Released
Reference: URL:http://online.securityfocus.com/archive/1/249219
Reference: CONFIRM:http://www.boozt.com/news_detail.php?id=3
Reference: BID:3787
Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3787
Reference: XF:boozt-long-name-bo(7790)
Reference: URL:http://www.iss.net/security_center/static/7790.php

Buffer overflow in index.cgi administration interface for Boozt!
Standard 0.9.8 allows local users to execute arbitrary code via a long
name field when creating a new banner.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0098 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0107
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0107
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020108 svindel.net security advisory - web admin vulnerability in CacheOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101052887431488&w=2
Reference: BID:3841
Reference: URL:http://www.securityfocus.com/bid/3841
Reference: BUGTRAQ:20020205 RE: svindel.net security advisory - web admin vulnerability in Ca cheOS
Reference: URL:http://online.securityfocus.com/archive/1/254167
Reference: XF:cachos-insecure-web-interface(7835)
Reference: URL:http://www.iss.net/security_center/static/7835.php

Web administration interface in CacheFlow CacheOS 4.0.13 and earlier
allows remote attackers to obtain sensitive information via a series
of GET requests that do not end with HTTP/1.0 or another version
string, which causes the information to be leaked in the error
message.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0107 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0111
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0111
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020109 File Transversal Vulnerability in Dino's WebServer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101062213627501&w=2
Reference: BID:3861
Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3861
Reference: XF:dinos-webserver-directory-traversal(7853)
Reference: URL:http://www.iss.net/security_center/static/7853.php

Directory traversal vulnerability in Funsoft Dino's Webserver 1.2 and
earlier allows remote attackers to read files or execute arbitrary
commands via a .. (dot dot) in the URL.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: email inquiry sent to andgjens@online.no (subject
"Dino's FunSoft") on 3/11/2002, acknowledgement received on 3/12/2002.

INFERRED ACTION: CAN-2002-0111 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0115
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0115
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020110 Snort core dumped
Reference: URL:http://online.securityfocus.com/archive/1/249340
Reference: BUGTRAQ:20020110 Re: Snort core dumped
Reference: URL:http://online.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-03-08&end=2002-03-14&mid=249623&threads=1
Reference: BID:3849
Reference: URL:http://online.securityfocus.com/bid/3849
Reference: XF:snort-icmp-dos(7874)
Reference: URL:http://www.iss.net/security_center/static/7874.php

Snort 1.8.3 does not properly define the minimum ICMP header size,
which allows remote attackers to cause a denial of service (crash and
core dump) via a malformed ICMP packet.
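
The bug class behind this candidate is a decoder that reads a fixed-size
header before checking that the captured bytes actually cover it. The
following is an added example, not Snort's code and not part of the
candidate record: a minimal ICMP decoder without the length check beside
one that enforces the 8-byte minimum and verifies the RFC 1071 checksum.
The packets it builds are constructed for the example.

```python
"""Decoding ICMP with and without a minimum-length check, the bug class
described for Snort 1.8.3. Added example, not Snort's code; the packets
built below are constructed."""
import struct

ICMP_HEADER_LEN = 8   # type, code, checksum, then 4 bytes whose meaning depends on type


def inet_checksum(data):
    """RFC 1071 one's-complement sum; a message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, data=b""):
    """Assemble a type-8 echo request with a valid checksum."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    csum = inet_checksum(body)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + data


def vulnerable_decode(payload):
    """Unpacks the header without asking whether eight bytes are present.
    On a truncated packet struct raises, the Python analogue of the crash."""
    icmp_type, code, csum, rest = struct.unpack("!BBHI", payload[:ICMP_HEADER_LEN])
    return {"type": icmp_type, "code": code, "checksum": csum, "rest": rest,
            "data": payload[ICMP_HEADER_LEN:]}


def safe_decode(payload):
    """Check the minimum header length first, then the checksum; None means drop."""
    if len(payload) < ICMP_HEADER_LEN:
        return None
    if inet_checksum(payload) != 0:
        return None
    icmp_type, code, csum, rest = struct.unpack("!BBHI", payload[:ICMP_HEADER_LEN])
    return {"type": icmp_type, "code": code, "checksum": csum, "rest": rest,
            "data": payload[ICMP_HEADER_LEN:]}


def decodes_cleanly(decoder, payload):
    """True if decoder returns without raising (it may still return None)."""
    try:
        decoder(payload)
        return True
    except struct.error:
        return False


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"hello")
    print("full packet :", safe_decode(pkt))
    print("5-byte packet, safe       :", safe_decode(pkt[:5]))
    print("5-byte packet, vulnerable :", decodes_cleanly(vulnerable_decode, pkt[:5]))
```

The length check has to use the fixed header size, not the size of the
type-specific structure the decoder wants next; a sensor that takes the
larger value as its minimum rejects legitimate short messages, and one
that takes no minimum at all reads past the buffer.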

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0115 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0117
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0117
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020108 CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]
Reference: URL:http://online.securityfocus.com/archive/1/249031
Reference: CONFIRM:http://www.yabbforum.com/
Reference: BID:3828
Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3828
Reference: XF:yabb-encoded-css(7840)
Reference: URL:http://www.iss.net/security_center/static/7840.php

Cross-site scripting vulnerability in Yet Another Bulletin Board
(YaBB) 1 Gold SP 1 and earlier allows remote attackers to execute
arbitrary script and steal cookies via a message containing encoded
Javascript in an IMG tag.


Modifications:
  ADDREF CONFIRM:http://www.yabbforum.com/

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: The "Latest News" section has an entry for SP1 dated
4/11/02, which states: "New javascript in image tags vulnerability
fixed"

INFERRED ACTION: CAN-2002-0117 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(4) Christey, Wall, Foat, Cole

Voter Comments:
 Christey> CONFIRM:http://www.yabbforum.com/
   The "Latest News" section has an entry for SP1 dated 4/11/02,
   which states: "New javascript in image tags vulnerability
   fixed"


======================================================
Candidate: CAN-2002-0121
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0121
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020113 PHP 4.x session spoofing
Reference: URL:http://online.securityfocus.com/archive/1/250196
Reference: BID:3873
Reference: URL:http://online.securityfocus.com/bid/3873
Reference: XF:php-session-temp-disclosure(7908)
Reference: URL:http://www.iss.net/security_center/static/7908.php

PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name
contains the session ID, which allows local users to hijack web
connections.
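
What makes this a local hijack is that the session ID, which is the
bearer credential, appears in a file name that any user on the host can
list. The following is an added example, not PHP's session handler and
not part of the candidate record: a store that names files after the ID
in a shared temp directory beside one that keys file names by an HMAC
under a server-side secret and keeps the directory mode 0700. The
directory layout and the sample session are constructed.

```python
"""Two file-backed session stores: one that names each file after the
session ID in a shared temp directory, one that names files by a keyed
hash in a private directory. Added example, not PHP's session handler;
the directory layout and sample session are constructed."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile


class LeakyStore:
    """'sess_<id>' in a shared /tmp: any local user's 'ls' lists live IDs."""

    def __init__(self, directory):
        self.directory = directory

    def save(self, session_id, data):
        with open(os.path.join(self.directory, "sess_" + session_id), "w") as fh:
            fh.write(data)


class PrivateStore:
    """Directory mode 0700, file mode 0600, names are HMAC(key, id)."""

    def __init__(self, directory, key):
        os.makedirs(directory, mode=0o700, exist_ok=True)
        os.chmod(directory, 0o700)      # makedirs honours the umask; make it explicit
        self.directory, self.key = directory, key

    def _name(self, session_id):
        return hmac.new(self.key, session_id.encode(), hashlib.sha256).hexdigest()

    def save(self, session_id, data):
        path = os.path.join(self.directory, self._name(session_id))
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(data)

    def load(self, session_id):
        try:
            with open(os.path.join(self.directory, self._name(session_id))) as fh:
                return fh.read()
        except FileNotFoundError:
            return None


def id_visible_in_listing(directory, session_id):
    """What a directory listing gives away about this session."""
    return any(session_id in name for name in os.listdir(directory))


def demo():
    """Save the same session through both stores and report what leaks."""
    sid = secrets.token_hex(16)
    shared = tempfile.mkdtemp(prefix="shared-tmp-")
    LeakyStore(shared).save(sid, "user=alice")
    private = os.path.join(tempfile.mkdtemp(prefix="app-"), "sessions")
    store = PrivateStore(private, key=secrets.token_bytes(32))
    store.save(sid, "user=alice")
    return {
        "leaky_reveals_id": id_visible_in_listing(shared, sid),
        "private_reveals_id": id_visible_in_listing(private, sid),
        "private_dir_mode": stat.S_IMODE(os.stat(private).st_mode),
        "private_roundtrip": store.load(sid),
        "private_wrong_id": store.load("not-the-id"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value!r}")
```

The private directory is the real fix; the hashed name is defence in
depth for the case where the directory is listable after all (a backup,
a misconfigured save path). Both are cheap, and neither changes the
session ID the browser holds.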

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0121 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Green
   NOOP(2) Wall, Balinsky


======================================================
Candidate: CAN-2002-0128
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0128
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020116 Sambar Webserver v5.1 DoS Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/250545
Reference: BUGTRAQ:20020206 Sambar Webserver Sample Script v5.1 DoS Vulnerability Exploit
Reference: URL:http://www.der-keiler.de/Mailing-Lists/securityfocus/bugtraq/2002-02/0083.html
Reference: CONFIRM:http://www.sambar.com/security.htm
Reference: BID:3885
Reference: URL:http://www.securityfocus.com/bid/3885
Reference: XF:sambar-cgitest-dos(7894)
Reference: URL:http://www.iss.net/security_center/static/7894.php

cgitest.exe in Sambar Server 5.1 before Beta 4 allows remote attackers
to cause a denial of service, and possibly execute arbitrary code, via
a long argument.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The Sambar security page says "All versions of the
Sambar WWW Server prior to the 5.1 Beta 4 release are vulnerable to a
reported DoS attack against the /cgi-win/cgitest.exe sample
application" and credits the Bugtraq poster.

INFERRED ACTION: CAN-2002-0128 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0139
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0139
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020120 Bounce vulnerability in SpoonFTP 1.1.0.1
Reference: URL:http://online.securityfocus.com/archive/1/251422
Reference: CONFIRM:http://www.pi-soft.com/spoonftp/index.shtml
Reference: BID:3910
Reference: URL:http://online.securityfocus.com/bid/3910
Reference: XF:spoonftp-ftp-bounce(7943)
Reference: URL:http://www.iss.net/security_center/static/7943.php

Pi-Soft SpoonFTP 1.1 and earlier allows remote attackers to redirect
traffic to other sites (aka FTP bounce) via the PORT command.
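
An FTP bounce works because the PORT argument names any IPv4 address and
port, and a server that connects wherever it is told becomes a proxy for
reaching or scanning third hosts from its own address. The following is
an added example, not SpoonFTP's code and not part of the candidate
record: a PORT parser, the accept-anything behaviour, and the check from
RFC 2577 (data address must equal the control-connection peer, port must
be unprivileged). The addresses used are constructed.

```python
"""PORT handling in an FTP server: accepting any data address (the bounce
behaviour described for SpoonFTP) beside the check in RFC 2577. Added
example, not SpoonFTP's code; the addresses below are constructed."""
import ipaddress
import re

_PORT_ARG = re.compile(
    r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into ('a.b.c.d', port); ValueError if malformed."""
    m = _PORT_ARG.match(arg.strip())
    if m is None:
        raise ValueError("malformed PORT argument")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return str(ip), octets[4] * 256 + octets[5]


def is_well_formed(arg):
    """True if the argument parses; used to decide between 501 and further checks."""
    try:
        parse_port_argument(arg)
        return True
    except ValueError:
        return False


def vulnerable_accept_port(arg, control_peer):
    """Opens the data connection wherever the client asks. A client can point
    it at a third host and port and use the server as a connection proxy."""
    return parse_port_argument(arg)            # control_peer is never consulted


def safe_accept_port(arg, control_peer):
    """Accept only the control-connection peer on an unprivileged port;
    None means the server should answer with a 5xx refusal."""
    ip, port = parse_port_argument(arg)
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(control_peer):
        return None                            # third-party address: the bounce case
    if port < 1024:
        return None                            # would aim the server at a privileged service
    return ip, port


if __name__ == "__main__":
    peer = "192.0.2.10"                        # constructed control-connection peer
    for arg in ("192,0,2,10,4,1", "198,51,100,7,0,25", "192,0,2,10,0,80"):
        print(f"PORT {arg:20} any={vulnerable_accept_port(arg, peer)} "
              f"checked={safe_accept_port(arg, peer)}")
```

Servers behind NAT or with legitimate third-party transfer needs relax
the address check deliberately and per configuration; the default should
be the strict form, since the relaxed one is exactly what the bounce
needs.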

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the home page for SpoonFTP states that "A fix to
prevent a potential 'bounce attack' against SpoonFTP was added in
version 1.2."

INFERRED ACTION: CAN-2002-0139 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0143
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0143
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020113 Eterm SGID utmp Buffer Overflow (Local)
Reference: URL:http://online.securityfocus.com/archive/1/250145
Reference: BUGTRAQ:20020121 Re: Eterm SGID utmp Buffer Overflow (Local)
Reference: URL:http://online.securityfocus.com/archive/1/251597
Reference: BID:3868
Reference: URL:http://online.securityfocus.com/bid/3868
Reference: XF:eterm-home-bo(7896)
Reference: URL:http://www.iss.net/security_center/static/7896.php

Buffer overflow in Eterm of Enlightenment Imlib2 1.0.4 and earlier
allows local users to execute arbitrary code via a long HOME
environment variable.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0143 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0151
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0151
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020404 NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request kernel overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101793727306282&w=2
Reference: VULNWATCH:20020404 NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request kernel overflow
Reference: MS:MS02-017
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-017.asp
Reference: XF:win-mup-bo(8752)
Reference: URL:http://www.iss.net/security_center/static/8752.php
Reference: BID:4426
Reference: URL:http://www.securityfocus.com/bid/4426

Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows
operating systems allows local users to cause a denial of service or
possibly gain SYSTEM privileges via a long UNC request.


Modifications:
  ADDREF XF:win-mup-bo(8752)
  ADDREF BID:4426

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0151 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Foat, Cole, Green
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> Consider adding BID:4426
 Christey> XF:win-mup-bo(8752)
   URL:http://www.iss.net/security_center/static/8752.php
   BID:4426
   URL:http://www.securityfocus.com/bid/4426


======================================================
Candidate: CAN-2002-0152
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0152
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020416 w00w00 on Microsoft IE/Office for Mac OS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101897994314015&w=2
Reference: MS:MS02-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-019.asp
Reference: XF:ms-mac-html-file-bo(8850)
Reference: URL:http://www.iss.net/security_center/static/8850.php
Reference: BID:4517
Reference: URL:http://www.securityfocus.com/bid/4517

Buffer overflow in various Microsoft applications for Macintosh allows
remote attackers to cause a denial of service (crash) or execute
arbitrary code by invoking the file:// directive with a large number
of / characters, which affects Internet Explorer 5.1, Outlook Express
5.0 through 5.0.2, Entourage v. X and 2001, PowerPoint v. X, 2001, and
98, and Excel v. X and 2001 for Macintosh.


Modifications:
  ADDREF XF:ms-mac-html-file-bo(8850)
  ADDREF BID:4517

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0152 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(3) Christey, Foat, Cox

Voter Comments:
 Christey> XF:ms-mac-html-file-bo(8850)
   URL:http://www.iss.net/security_center/static/8850.php
   BID:4517
   URL:http://www.securityfocus.com/bid/4517


======================================================
Candidate: CAN-2002-0153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0153
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020122 Macinosh IE file execuion
Reference: URL:http://www.securityfocus.com/archive/1/251805
Reference: MS:MS02-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-019.asp
Reference: XF:ie-mac-applescript-execution(8851)
Reference: URL:http://www.iss.net/security_center/static/8851.php
Reference: BID:3935
Reference: URL:http://www.securityfocus.com/bid/3935

Internet Explorer 5.1 for Macintosh allows remote attackers to bypass
security checks and invoke local AppleScripts within a specific HTML
element, aka the "Local Applescript Invocation" vulnerability.


Modifications:
  ADDREF BUGTRAQ:20020122 Macinosh IE file execuion
  ADDREF XF:ie-mac-applescript-execution(8851)
  ADDREF BID:3935

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0153 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Foat, Cole, Green
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:ie-mac-applescript-execution(8851)
   URL:http://www.iss.net/security_center/static/8851.php

   BID:3935
   BUGTRAQ:20020122 Macinosh IE file execuion
   URL:http://www.securityfocus.com/archive/1/251805


======================================================
Candidate: CAN-2002-0159
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0159
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020327
Category: SF
Reference: BUGTRAQ:20020403 iXsecurity.20020314.csadmin_fmt.a
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101787248913611&w=2
Reference: CISCO:20020403 Web Interface Vulnerabilities in Cisco Secure ACS for Windows
Reference: URL:http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml
Reference: XF:ciscosecure-acs-format-string(8742)
Reference: URL:http://www.iss.net/security_center/static/8742.php
Reference: BID:4416
Reference: URL:http://www.securityfocus.com/bid/4416

Format string vulnerability in the administration function in Cisco
Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and
3.x through 3.01 (build 40), allows remote attackers to crash the CSADMIN
module only (denial of service of administration function) or execute
arbitrary code via format strings in the URL to port 2002.


Modifications:
  ADDREF XF:ciscosecure-acs-format-string(8742)
  ADDREF BID:4416

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0159 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Foat, Cole, Green
   NOOP(3) Christey, Wall, Cox

Voter Comments:
 Christey> XF:ciscosecure-acs-format-string(8742)
   URL:http://www.iss.net/security_center/static/8742.php
   BID:4416
   URL:http://www.securityfocus.com/bid/4416


======================================================
Candidate: CAN-2002-0160
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0160
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020327
Category: SF
Reference: BUGTRAQ:20020403 iXsecurity.20020316.csadmin_dir.a
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101786689128667&w=2
Reference: CISCO:20020403 Web Interface Vulnerabilities in Cisco Secure ACS for Windows
Reference: URL:http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml

The administration function in Cisco Secure Access Control Server
(ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40),
allows remote attackers to read HTML, Java class, and image files
outside the web root via a ..\.. (modified ..) in the URL to port
2002.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0160 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Foat, Cole, Green
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2002-0166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0166
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020409
Category: SF
Reference: DEBIAN:DSA-125
Reference: URL:http://www.debian.org/security/2002/dsa-125
Reference: FREEBSD:FreeBSD-SN-02:02
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:02.asc
Reference: XF:analog-logfile-css(8656)
Reference: URL:http://www.iss.net/security_center/static/8656.php
Reference: BID:4389
Reference: URL:http://www.securityfocus.com/bid/4389

Cross-site scripting vulnerability in analog before 5.22 allows remote
attackers to execute Javascript via an HTTP request containing the
script, which is entered into a web logfile and not properly filtered
by analog during display.


Modifications:
  ADDREF XF:analog-logfile-css(8656)
  ADDREF BID:4389
  ADDREF FREEBSD:FreeBSD-SN-02:02

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0166 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> XF:analog-logfile-css(8656)
   URL:http://www.iss.net/security_center/static/8656.php
   BID:4389
   URL:http://www.securityfocus.com/bid/4389
   FREEBSD:FreeBSD-SN-02:02
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:02.asc


======================================================
Candidate: CAN-2002-0167
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0167
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020410
Category: SF
Reference: REDHAT:RHSA-2002:048
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-048.html
Reference: CONECTIVA:CLA-2002:470
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000470
Reference: CALDERA:CSSA-2002-019.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt
Reference: MANDRAKE:MDKSA-2002:029
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php
Reference: SUSE:SuSE-SA:2002:015
Reference: URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html
Reference: BID:4339
Reference: URL:http://online.securityfocus.com/bid/4339

Imlib before 1.9.13 sometimes uses the NetPBM package to load untrusted
images, which could allow attackers to cause a denial of service
(crash) and possibly execute arbitrary code via certain weaknesses of
NetPBM.


Modifications:
  ADDREF CALDERA:CSSA-2002-019.0
  ADDREF MANDRAKE:MDKSA-2002:029
  ADDREF SUSE:SuSE-SA:2002:015

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0167 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-019.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt
   MANDRAKE:MDKSA-2002:029
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php
   SUSE:SuSE-SA:2002:015
   URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html


======================================================
Candidate: CAN-2002-0168
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0168
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020410
Category: SF
Reference: REDHAT:RHSA-2002:048
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-048.html
Reference: CONECTIVA:CLA-2002:470
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000470
Reference: CALDERA:CSSA-2002-019.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt
Reference: MANDRAKE:MDKSA-2002:029
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php
Reference: SUSE:SuSE-SA:2002:015
Reference: URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html
Reference: BID:4336
Reference: URL:http://online.securityfocus.com/bid/4336

Vulnerability in Imlib before 1.9.13 allows attackers to cause a
denial of service (crash) and possibly execute arbitrary code by
manipulating arguments that are passed to malloc, which results in
heap corruption.


Modifications:
  ADDREF CALDERA:CSSA-2002-019.0
  ADDREF MANDRAKE:MDKSA-2002:029
  ADDREF SUSE:SuSE-SA:2002:015

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0168 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-019.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt
   MANDRAKE:MDKSA-2002:029
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php
   SUSE:SuSE-SA:2002:015
   URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html


======================================================
Candidate: CAN-2002-0175
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0175
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020415
Category: SF
Reference: BUGTRAQ:20020320 Bypassing libsafe format string protection
Reference: URL:http://online.securityfocus.com/archive/1/263121
Reference: VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
Reference: MANDRAKE:MDKSA-2002:026
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-026.php
Reference: BID:4326
Reference: URL:http://online.securityfocus.com/bid/4326
Reference: XF:libsafe-flagchar-protection-bypass(8593)
Reference: URL:http://www.iss.net/security_center/static/8593.php

libsafe 2.0-11 and earlier allows attackers to bypass protection
against format string vulnerabilities via format strings that use the
"'" and "I" characters, which are implemented in libc but not libsafe.


Modifications:
  ADDREF VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
  ADDREF XF:libsafe-flagchar-protection-bypass(8593)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0175 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(3) Christey, Foat, Cox

Voter Comments:
 Christey> VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
   XF:libsafe-flagchar-protection-bypass(8593)
   URL:http://www.iss.net/security_center/static/8593.php


======================================================
Candidate: CAN-2002-0176
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0176
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020415
Category: SF
Reference: BUGTRAQ:20020320 Bypassing libsafe format string protection
Reference: URL:http://online.securityfocus.com/archive/1/263121
Reference: VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
Reference: MANDRAKE:MDKSA-2002:026
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-026.php
Reference: BID:4327
Reference: URL:http://online.securityfocus.com/bid/4327
Reference: XF:libsafe-argnum-protection-bypass(8594)
Reference: URL:http://www.iss.net/security_center/static/8594.php

The printf wrappers in libsafe 2.0-11 and earlier do not properly
handle argument indexing specifiers, which could allow attackers to
exploit certain function calls through arguments that are not verified
by libsafe.
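
Both libsafe candidates (CAN-2002-0175 and CAN-2002-0176) come down to
the same requirement: a wrapper that checks printf arguments must parse
the full directive grammar of the libc it protects, or an attacker picks
the construct it does not know. The following is an added example, not
libsafe's code and not part of the candidate record: a simplified
directive parser with the glibc flag set and N$ positional arguments,
run beside the same parser restricted to the older grammar so the two
bypasses can be seen. The "naive" grammar is a model of the described
gaps, not a reconstruction of libsafe's parser.

```python
"""Parsing printf directives the way a checking wrapper must, modelled on the
two gaps described for libsafe: flag characters it did not know (' and I)
and positional N$ arguments. Added example, not libsafe's code."""
import re

NAIVE_FLAGS = "-+ #0"       # the C89 flag set; ' and I are glibc additions
GLIBC_FLAGS = "-+ #0'I"     # ' = thousands grouping, I = locale digits
LENGTH_MODS = ("hh", "ll", "h", "l", "L", "q", "j", "z", "t")
CONVERSIONS = "diouxXeEfFgGaAcspn"
_POSITIONAL = re.compile(r"(\d+)\$")


def parse_directives(fmt, flags=GLIBC_FLAGS, positional=True):
    """Return [(argument_index, conversion)] for each directive in fmt.

    argument_index is 1-based. A directive the grammar cannot follow is
    reported as (None, ""); from there a wrapper no longer knows which
    argument a conversion reads or, for %n, writes. '*' widths are omitted.
    """
    out, i, next_arg = [], 0, 1
    while i < len(fmt):
        if fmt[i] != "%":
            i += 1
            continue
        i += 1
        if fmt.startswith("%", i):                  # "%%" prints a percent sign
            i += 1
            continue
        argpos = None
        m = _POSITIONAL.match(fmt, i)
        if m and positional:                        # "%3$d" names its argument
            argpos, i = int(m.group(1)), m.end()
        while i < len(fmt) and fmt[i] in flags:     # flags
            i += 1
        while i < len(fmt) and fmt[i].isdigit():    # field width
            i += 1
        if fmt.startswith(".", i):                  # precision
            i += 1
            while i < len(fmt) and fmt[i].isdigit():
                i += 1
        for mod in LENGTH_MODS:                     # length modifier
            if fmt.startswith(mod, i):
                i += len(mod)
                break
        if i < len(fmt) and fmt[i] in CONVERSIONS:
            if argpos is None:
                argpos, next_arg = next_arg, next_arg + 1
            out.append((argpos, fmt[i]))
        else:
            out.append((None, ""))
        i += 1
    return out


def audit(fmt, supplied_args, flags=GLIBC_FLAGS, positional=True, fail_closed=True):
    """Classify fmt against the number of arguments the caller supplied.

    Returns 'ok', 'unparsed', 'writes-memory' or 'reads-beyond-args'.
    fail_closed=False mimics a wrapper that silently skips what it cannot
    parse, which is what turns an unknown flag into a bypass.
    """
    directives = parse_directives(fmt, flags, positional)
    if any(idx is None for idx, _ in directives):
        if fail_closed:
            return "unparsed"
        directives = [d for d in directives if d[0] is not None]
    if any(conv == "n" for _, conv in directives):
        return "writes-memory"
    if max((idx for idx, _ in directives), default=0) > supplied_args:
        return "reads-beyond-args"
    return "ok"


def naive_audit(fmt, supplied_args):
    """The same audit with the older grammar and no fail-closed handling."""
    return audit(fmt, supplied_args, NAIVE_FLAGS, positional=False, fail_closed=False)


if __name__ == "__main__":
    for fmt, nargs in (("%s %s", 2), ("%08x.%08x.%08x", 1), ("%'n", 0), ("%5$s", 3)):
        print(f"{fmt!r:18} args={nargs}  glibc grammar: {audit(fmt, nargs):17} "
              f"old grammar: {naive_audit(fmt, nargs)}")
```

The two results worth noticing: "%'n" is a write under the full grammar
and invisible under the old one, and "%5$s" with three arguments is a
read past the argument list that the old grammar never indexes. A
wrapper that fails closed on anything it cannot parse loses both
bypasses at the cost of rejecting formats it has not been taught.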


Modifications:
  ADDREF VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
  ADDREF XF:libsafe-argnum-protection-bypass(8594)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0176 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(3) Christey, Foat, Cox

Voter Comments:
 Christey> VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
   XF:libsafe-argnum-protection-bypass(8594)
   URL:http://www.iss.net/security_center/static/8594.php


======================================================
Candidate: CAN-2002-0179
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0179
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020417
Category: SF
Reference: DEBIAN:DSA-127
Reference: URL:http://www.debian.org/security/2002/dsa-127
Reference: BID:4534
Reference: URL:http://www.securityfocus.com/bid/4534
Reference: XF:xpilot-server-bo(8852)
Reference: URL:http://www.iss.net/security_center/static/8852.php

Buffer overflow in xpilot-server for XPilot 4.5.0 and earlier allows
remote attackers to execute arbitrary code.


Modifications:
  ADDREF BID:4534
  ADDREF XF:xpilot-server-bo(8852)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0179 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> BID:4534
   URL:http://www.securityfocus.com/bid/4534
   XF:xpilot-server-bo(8852)
   URL:http://www.iss.net/security_center/static/8852.php


======================================================
Candidate: CAN-2002-0196
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0196
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020122 (Repost) CwpApi : GetRelativePath() returns invalid paths (security advisory)
Reference: URL:http://online.securityfocus.com/archive/1/251699
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=144966
Reference: BID:3924
Reference: URL:http://online.securityfocus.com/bid/3924
Reference: XF:cwpapi-getrelativepath-view-files(7981)
Reference: URL:http://www.iss.net/security_center/static/7981.php

GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the
server root is somewhere within the path, which could allow remote
attackers to read or write files outside of the web root, in other
directories whose path includes the web root.
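
This candidate and the two traversal candidates above (CAN-2002-0111,
with ".." in the URL, and CAN-2002-0160, with "..\..") share one root
cause: the server decides whether a path is inside the document root by
looking at the string before it has been normalised, or by asking only
whether the root appears somewhere in it. The following is an added
example, not CwpAPI's, Dino's Webserver's or Cisco Secure ACS's code and
not part of the candidate record: the substring check beside a check that
normalises first and tests the prefix with a trailing separator. The
document root and the sample requests are constructed.

```python
"""Path-containment checks: the substring test described for CwpAPI's
GetRelativePath beside a check that normalises the path first. Added
example; WEB_ROOT and the sample requests are constructed."""
import posixpath

WEB_ROOT = "/srv/www/htdocs"     # assumed document root


def _join(root, requested):
    # Treat backslashes as separators (Windows servers accept "..\.." too)
    # and drop a leading slash so an absolute request cannot replace root.
    return posixpath.join(root, requested.replace("\\", "/").lstrip("/"))


def vulnerable_is_inside_root(requested, root=WEB_ROOT):
    """Only asks whether the root string appears somewhere in the path."""
    return root in _join(root, requested)


def safe_resolve(requested, root=WEB_ROOT):
    """Return the normalised absolute path if it is inside root, else None.

    normpath collapses ".." and "." segments; the trailing separator in the
    prefix test keeps "/srv/www/htdocs-backup" from passing as the root.
    """
    full = posixpath.normpath(_join(root, requested))
    if full == root or full.startswith(root.rstrip("/") + "/"):
        return full
    return None


SAMPLE_REQUESTS = [              # constructed inputs
    "index.html",
    "../../../etc/passwd",
    "..\\..\\..\\etc\\passwd",
    "../htdocs-backup/config.ini",
]


def compare(requests=SAMPLE_REQUESTS):
    """Map each request to (substring verdict, normalised resolution or None)."""
    return {r: (vulnerable_is_inside_root(r), safe_resolve(r)) for r in requests}


if __name__ == "__main__":
    for req, (vuln, safe) in compare().items():
        print(f"{req!r:32} substring-check={vuln!s:5} resolved={safe}")
```

The fourth sample is the CwpAPI case: a sibling directory whose path
begins with the root string passes the substring test and a bare
startswith test alike, and only the separator-terminated prefix rejects
it. On a real filesystem the check should run on the result of
os.path.realpath as well, so a symlink under the root cannot point
outside it.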

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0196 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0197
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0197
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020122 psyBNC 2.3 Beta - encrypted text "spoofable" in others' irc terminals
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101173478806580&w=2
Reference: BUGTRAQ:20020122 psyBNC2.3 Beta - encrypted text spoofable in others irc terminal
Reference: URL:http://online.securityfocus.com/archive/1/251832
Reference: XF:psybnc-view-encrypted-messages(7985)
Reference: URL:http://www.iss.net/security_center/static/7985.php
Reference: BID:3931
Reference: URL:http://www.securityfocus.com/bid/3931

psyBNC 2.3 beta and earlier allows remote attackers to spoof
encrypted, trusted messages by sending lines that begin with the "[B]"
sequence, which makes the message appear legitimate.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0197 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0207
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0207
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: VULN-DEV:20020105 RealPlayer Buffer Problem
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0044.html
Reference: BUGTRAQ:20020124 Potential RealPlayer 8 Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/252414
Reference: BUGTRAQ:20020124 RealPlayer Buffer Overflow [Sentinel Chicken Networks Security Advisory #01]
Reference: URL:http://online.securityfocus.com/archive/1/252425
Reference: MISC:http://sentinelchicken.com/advisories/realplayer/
Reference: BID:3809
Reference: URL:http://online.securityfocus.com/bid/3809
Reference: XF:realplayer-file-header-bo(7839)
Reference: URL:http://www.iss.net/security_center/static/7839.php

Buffer overflow in Real Networks RealPlayer 8.0 and earlier allows
remote attackers to execute arbitrary code via a header length value
that exceeds the actual length of the header.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0207 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0209
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0209
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020125 Alteon ACEdirector signature/security bug
Reference: URL:http://online.securityfocus.com/archive/1/252455
Reference: BUGTRAQ:20020312 Re: Alteon ACEdirector signature/security bug
Reference: URL:http://online.securityfocus.com/archive/1/261548
Reference: BID:3964
Reference: URL:http://online.securityfocus.com/bid/3964
Reference: XF:acedirector-http-reveal-ip(8010)
Reference: URL:http://www.iss.net/security_center/static/8010.php

Nortel Alteon ACEdirector WebOS 9.0, with the Server Load Balancing
(SLB) and Cookie-Based Persistence features enabled, allows remote
attackers to determine the real IP address of a web server with a
half-closed session, which causes ACEdirector to send packets from the
server without changing the address to the virtual IP address.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0209 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0211
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020126 Vulnerability report for Tarantella Enterprise 3.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101208650722179&w=2
Reference: BUGTRAQ:20020404 Exploit for Tarantella Enterprise 3 installation (BID 3966)
Reference: URL:http://online.securityfocus.com/archive/1/265845
Reference: CONFIRM:http://www.tarantella.com/security/bulletin-04.html
Reference: BID:3966
Reference: URL:http://online.securityfocus.com/bid/3966
Reference: XF:tarantella-gunzip-tmp-race(7996)
Reference: URL:http://www.iss.net/security_center/static/7996.php

Race condition in the installation script for Tarantella Enterprise 3
3.01 through 3.20 creates a world-writable temporary "gunzip" program
before executing it, which could allow local users to execute
arbitrary commands by modifying the program before it is executed.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0211 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0226
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0226
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020201 Vulnerability in all versions of DCForum from dcscripts.com
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101258311519504&w=2
Reference: CONFIRM:http://www.dcscripts.com/bugtrac/DCForumID7/3.html
Reference: BID:4014
Reference: URL:http://www.securityfocus.com/bid/4014
Reference: XF:dcforum-cgi-recover-passwords(8044)
Reference: URL:http://www.iss.net/security_center/static/8044.php

retrieve_password.pl in DCForum 6.x and 2000 generates predictable new
passwords based on a sessionID, which allows remote attackers to
request a new password on behalf of another user and use the sessionID
to calculate the new password for that user.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0226 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0237
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0237
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020209 ALERT: ISS BlackICE Kernel Overflow Exploitable
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101321744807452&w=2
Reference: BUGTRAQ:20020204 Vulnerability in Black ICE Defender
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101286393404301&w=2
Reference: NTBUGTRAQ:20020209 ALERT: ISS BlackICE Kernel Overflow Exploitable
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101353165915171&w=2
Reference: BUGTRAQ:20020206 Black ICE Ping Vulnerability Side Note
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101302424803268&w=2
Reference: ISS:20020204 DoS and Potential Overflow Vulnerability in BlackICE Products
Reference: URL:http://www.iss.net/security_center/alerts/advise109.php
Reference: BID:4025
Reference: URL:http://online.securityfocus.com/bid/4025
Reference: XF:blackice-ping-flood-dos(8058)
Reference: URL:http://www.iss.net/security_center/static/8058.php

Buffer overflow in ISS BlackICE Defender 2.9 and earlier, BlackICE
Agent 3.0 and 3.1, and RealSecure Server Sensor 6.0.1 and 6.5 allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a flood of large ICMP ping packets.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0237 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0251
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0251
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020206 -Possible- licq D.o.S
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301254432079&w=2
Reference: BUGTRAQ:20020208 RE: -Possible- licq D.o.S
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101318594420200&w=2
Reference: BID:4036
Reference: URL:http://www.securityfocus.com/bid/4036
Reference: XF:licq-static-bo(8107)
Reference: URL:http://www.iss.net/security_center/static/8107.php

Buffer overflow in licq 1.0.4 and earlier allows remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via a long string of format string characters such as "%d".

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0251 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Cox
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2002-0265
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0265
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020211 Vulnerability in Sawmill for  Solaris v. 6.2.14
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101346206921270&w=2
Reference: CONFIRM:http://www.sawmill.net/version_history.html
Reference: BID:4077
Reference: URL:http://www.securityfocus.com/bid/4077
Reference: XF:sawmill-admin-password-insecure(8173)
Reference: URL:http://www.iss.net/security_center/static/8173.php

Sawmill for Solaris 6.2.14 and earlier creates the AdminPassword file
with world-writable permissions, which allows local users to gain
privileges by modifying the file.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: in the release notes, in the section titled "Version
6.2.15, shipped February 10, 2002," the vendor states: "Fixed a
security flaw in which the AdminPassword file was created with
incorrect permissions (666 instead of 600)"

INFERRED ACTION: CAN-2002-0265 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2002-1056
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1056
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020426
Category: SF
Reference: BUGTRAQ:20020331 More Office XP Problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101760380418890&w=2
Reference: BUGTRAQ:20020403 More Office XP problems (Version 2.0)
Reference: URL:http://online.securityfocus.com/archive/1/265621
Reference: MS:MS02-021
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-021.asp
Reference: BID:4397
Reference: URL:http://online.securityfocus.com/bid/4397
Reference: XF:outlook-object-execute-script(8708)
Reference: URL:http://www.iss.net/security_center/static/8708.php

Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word
as the email editor, does not block scripts that are used while
editing email messages in HTML or Rich Text Format (RTF), which could
allow remote attackers to execute arbitrary scripts via an email that
the user forwards or replies to.
Modifications:
  ADDREF BUGTRAQ:20020403 More Office XP problems (Version 2.0)
  ADDREF XF:outlook-object-execute-script(8708)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1056 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BUGTRAQ:20020403 More Office XP problems (Version 2.0)
   URL:http://online.securityfocus.com/archive/1/265621
   XF:outlook-object-execute-script(8708)
   URL:http://www.iss.net/security_center/static/8708.php

Page Last Updated: May 22, 2007