[INTERIM] ACCEPT 191 candidates (Final June 21)

I have made an Interim Decision to ACCEPT the following 191 candidates.
I will make a Final Decision on June 21.

The candidates came from the following clusters:

   1 RECENT-66
   1 RECENT-68
   1 LEGACY-MS-ADV
   1 LEGACY-MISC-1999-B
   1 OLD-2000-A
   2 RECENT-69
  12 RECENT-75
   5 RECENT-76
   5 RECENT-77
  15 RECENT-78
  20 RECENT-79
  20 RECENT-80
  17 RECENT-81
   7 RECENT-82
  11 RECENT-83
  21 RECENT-84
   7 MISC-2001-001
   5 MISC-2001-002
   7 MISC-2001-003
   7 RECENT-85
   2 RECENT-86
  18 RECENT-88
   3 RECENT-05
   1 RECENT-41
   1 RECENT-46

Voters:

  Green      ACCEPT(159) NOOP(3)
  Cole       ACCEPT(172) NOOP(16)
  Balinsky   NOOP(2)
  Foat       ACCEPT(48) NOOP(138)
  Cox        ACCEPT(10) MODIFY(3) NOOP(27)
  Williams   ACCEPT(3) MODIFY(1)
  Christey   MODIFY(1) NOOP(60)
  Wall       ACCEPT(75) NOOP(112)
  Ziese      ACCEPT(72) NOOP(4)
  Dik        ACCEPT(2)
  Frech      ACCEPT(70) MODIFY(44)
  Mell       ACCEPT(1)
  Stracener  ACCEPT(1) NOOP(1)
  Bollinger  ACCEPT(2) MODIFY(1)
  Baker      ACCEPT(79)
  Bishop     ACCEPT(1)
  Armstrong  ACCEPT(63) NOOP(9)

======================================================
Candidate: CAN-1999-1080
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1080
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990510 SunOS 5.7 rmmount, no nosuid.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92633694100270&w=2
Reference: BUGTRAQ:19991011
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93971288323395&w=2
Reference: BID:250
Reference: URL:http://www.securityfocus.com/bid/250
Reference: SUNBUG:4205437
Reference: XF:solaris-rmmount-gain-root(8350)

rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf.
Modifications:
  ADDREF SUNBUG:4205437
  ADDREF XF:solaris-rmmount-gain-root(8350)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-1999-1080 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(2) Cole, Dik
  MODIFY(1) Frech
  NOOP(2) Wall, Foat

Voter Comments:
 Dik> sun bug: 4205437
 Frech> XF:solaris-rmmount-gain-root(8350)

======================================================
Candidate: CAN-1999-1362
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1362
Final-Decision:
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: MSKB:Q160601
Reference: URL:http://support.microsoft.com/support/kb/articles/q160/6/01.asp
Reference: XF:nt-win32k-dos(7403)
Reference: URL:http://www.iss.net/security_center/static/7403.php

Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters.

Modifications:
  ADDREF XF:nt-win32k-dos(7403)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-1999-1362 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(3) Wall, Foat, Cole
  MODIFY(1) Frech

Voter Comments:
 Frech> XF:nt-win32k-dos(7403)

======================================================
Candidate: CAN-2000-0060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0060
Final-Decision:
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94647711311057&w=2
Reference: BUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94633851427858&w=2
Reference: BID:894
Reference: URL:http://www.securityfocus.com/bid/894
Reference: XF:avirt-rover-pop3-dos(3765)
Reference: URL:http://www.iss.net/security_center/static/3765.php

Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers to cause a denial of service via a long user name.

Modifications:
  ADDREF XF:avirt-rover-pop3-dos
  DESC add version
  ADDREF NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0060 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Williams, Baker
  MODIFY(1) Frech
  NOOP(1) Balinsky

Voter Comments:
 Frech> XF:avirt-rover-pop3-dos
 Balinsky> No mention of the problem or relevant patch on vendor website.
 Williams> Balinsky - this product is no longer supported by vendor.
   should include v1.1 for NT in title

======================================================
Candidate: CAN-2000-0072
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0072
Final-Decision:
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Warning: VCasel security hole.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94823061421676&w=2
Reference: BID:937
Reference: URL:http://www.securityfocus.com/bid/937
Reference: XF:vcasel-filename-trusting(3867)
Reference: URL:http://www.iss.net/security_center/static/3867.php

Visual Casel (Vcasel) does not properly prevent users from executing files, which allows local users to use a relative pathname to specify an alternate file which has an approved name and possibly gain privileges.
Modifications:
  ADDREF XF:vcasel-filename-trusting(3867)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0072 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Williams, Baker
  MODIFY(1) Frech

Voter Comments:
 Frech> XF:vcasel-filename-trusting(3867)

======================================================
Candidate: CAN-2000-0087
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0087
Final-Decision:
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000113 Misleading sense of security in Netscape
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94790377622943&w=2
Reference: XF:netscape-mail-notify-plaintext(4385)
Reference: URL:http://www.iss.net/security_center/static/4385.php

Netscape Mail Notification (nsnotify) utility in Netscape Communicator uses IMAP without SSL, even if the user has set a preference for Communicator to use an SSL connection, allowing a remote attacker to sniff usernames and passwords in plaintext.
Modifications:
  ADDREF XF:netscape-mail-notify-plaintext(4385)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0087 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Williams, Baker
  MODIFY(1) Frech

Voter Comments:
 Frech> XF:netscape-mail-notify-plaintext

======================================================
Candidate: CAN-2000-0976
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0976
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001012 another Xlib buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0211.html
Reference: SGI:20020502-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020502-01-I
Reference: BID:1805
Reference: URL:http://www.securityfocus.com/bid/1805
Reference: XF:xfree-xlib-bo(5751)
Reference: URL:http://www.iss.net/security_center/static/5751.php

Buffer overflow in xlib in XFree 3.3.x possibly allows local users to execute arbitrary commands via a long DISPLAY environment variable or a -display command line parameter.

Modifications:
  ADDREF XF:xfree-xlib-bo(5751)
  ADDREF SGI:20020502-01-I

Analysis
--------
Vendor Acknowledgement: yes advisory

INCLUSION: This might not be exploitable, as a post by Robert van der Meulen says that "the display number can only contain numeric values." See http://archives.neohapsis.com/archives/bugtraq/2000-10/0237.html

INFERRED ACTION: CAN-2000-0976 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(2) Mell, Baker
  MODIFY(1) Frech
  NOOP(2) Christey, Cole

Voter Comments:
 Frech> XF:xfree-xlib-bo(5751)
 Christey> This might not be exploitable; see followups
 CHANGE> [Christey changed vote from REVIEWING to NOOP]
 Christey> SGI:20020502-01-I

======================================================
Candidate: CAN-2000-1166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1166
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001124 Security problems with TWIG webmail system
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0351.html
Reference: CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG
Reference: BID:1998
Reference: URL:http://www.securityfocus.com/bid/1998
Reference: XF:twig-php3-script-execute(5581)

Twig webmail system does not properly set the "vhosts" variable if it is not configured on the site, which allows remote attackers to insert arbitrary PHP (PHP3) code by specifying an alternate vhosts as an argument to the index.php3 program.

Modifications:
  ADDREF XF:twig-php3-script-execute(5581)
  ADDREF CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The entry in the vendor changelog dated December 18, 2000, says "Fixed security hole with respect to vhosts."

INFERRED ACTION: CAN-2000-1166 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(1) Baker
  MODIFY(1) Frech
  NOOP(3) Wall, Cole, Christey

Voter Comments:
 Frech> XF:twig-php3-script-execute(5581)
 Christey> CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG
   Dated December 18, 2000: "Fixed security hole with respect to vhosts."
======================================================
Candidate: CAN-2000-1193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1193
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:20000412 Performance Copilot for IRIX 6.5
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0056.html
Reference: XF:irix-pcp-pmcd-dos(4284)
Reference: URL:http://xforce.iss.net/static/4284.php
Reference: SGI:20020407-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020407-01-I

Performance Metrics Collector Daemon (PMCD) in Performance Copilot in IRIX 6.x allows remote attackers to cause a denial of service (resource exhaustion) via an extremely long string to the PMCD port.

Modifications:
  CHANGEREF XF:irix-pcp-pmcd-dos(4284)
  ADDREF SGI:20020407-01-I

Analysis
--------
Vendor Acknowledgement: yes advisory

CVE-2000-0283 is a different bug that was discovered and announced at the same time.

INFERRED ACTION: CAN-2000-1193 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
  MODIFY(2) Frech, Williams
  NOOP(5) Wall, Foat, Cole, Stracener, Christey

Voter Comments:
 Frech> XF:irix-pcp-pmcd-dos(4284)
   (same XF:ID number, but slightly different name)
 Williams> not just a DoS. also involves information gathering vuln.
 Christey> ADDREF SGI:20020407-01-I

======================================================
Candidate: CAN-2001-0508
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0508
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010829
Assigned: 20010608
Category: SF
Reference: BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
Reference: URL:http://online.securityfocus.com/archive/1/182579
Reference: MS:MS01-044
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
Reference: XF:iis-webdav-long-request-dos(6982)
Reference: URL:http://www.iss.net/security_center/static/6982.php
Reference: BID:2690
Reference: URL:http://www.securityfocus.com/bid/2690

Vulnerability in IIS 5.0 allows remote attackers to cause a denial of service (restart) via a long, invalid WebDAV request.

Modifications:
  ADDREF XF:iis-webdav-long-request-dos(6982)
  ADDREF BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
  ADDREF BID:2690

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0508 ACCEPT (8 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(7) Wall, Baker, Foat, Cole, Armstrong, Bishop, Ziese
  MODIFY(1) Frech
  NOOP(1) Christey

Voter Comments:
 Frech> XF:iis-webdav-long-request-dos(6982)
 Christey> Need to determine whether this CAN is fixing this problem:
   BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
   URL:http://www.securityfocus.com/archive/1/3AF56057.1CB06CBC@guninski.com
   If so, then ADDREF BID:2690 as well.
 Christey> Yes, these are the same issue
 Christey> BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
   URL:http://online.securityfocus.com/archive/1/182579
   (confirmed w/Microsoft)

======================================================
Candidate: CAN-2001-0550
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010718
Category: SF
Reference: VULN-DEV:20010430 some ftpd implementations mishandle CWD ~{
Reference: URL:http://www.securityfocus.com/archive/82/180823
Reference: BUGTRAQ:20011128 CORE-20011001: Wu-FTP glob heap corruption vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100700363414799&w=2
Reference: CERT:CA-2001-33
Reference: URL:http://www.cert.org/advisories/CA-2001-33.html
Reference: CERT-VN:VU#886083
Reference: URL:http://www.kb.cert.org/vuls/id/886083
Reference: REDHAT:RHSA-2001-157
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-157.html
Reference: CALDERA:CSSA-2001-041.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt
Reference: CALDERA:CSSA-2001-SCO.36
Reference: MANDRAKE:MDKSA-2001:090
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-090.php3
Reference: HP:HPSBUX0107-162
Reference: ISS:20011129 WU-FTPD Heap Corruption Vulnerability
Reference: BID:3581
Reference: URL:http://www.securityfocus.com/bid/3581
Reference: XF:wuftp-glob-heap-corruption(7611)

wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).
Modifications:
  ADDREF XF:wuftp-glob-heap-corruption(7611)
  ADDREF CALDERA:CSSA-2001-SCO.36

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0550 ACCEPT (5 accept, 6 ack, 0 review)

Current Votes:
  ACCEPT(5) Wall, Baker, Cole, Armstrong, Green
  MODIFY(1) Frech
  NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:wuftp-glob-heap-corruption(7611)
 Christey> CALDERA:CSSA-2001-SCO.36

======================================================
Candidate: CAN-2001-0553
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0553
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010727
Assigned: 20010724
Category: SF
Reference: BUGTRAQ:20010720 URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0486.html
Reference: CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
Reference: CERT-VN:VU#737451
Reference: URL:http://www.kb.cert.org/vuls/id/737451
Reference: CIAC:L-121
Reference: URL:http://www.ciac.org/ciac/bulletins/l-121.shtml
Reference: BID:3078
Reference: URL:http://www.securityfocus.com/bid/3078
Reference: XF:ssh-password-length-unauth-access(6868)

SSH Secure Shell 3.0.0 on Unix systems does not properly perform password authentication to the sshd2 daemon, which allows local users to gain access to accounts with short password fields, such as locked accounts that use "NP" in the password field.

Modifications:
  ADDREF XF:ssh-password-length-unauth-access(6868)
  ADDREF CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
  ADDREF CERT-VN:VU#737451
  ADDREF BID:3078
  ADDREF CIAC:L-121

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-0553 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
  ACCEPT(1) Stracener
  MODIFY(1) Frech
  NOOP(5) Christey, Wall, Foat, Cole, Ziese

Voter Comments:
 Frech> XF:ssh-password-length-unauth-access(6868)
 Christey> CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
   CERT-VN:VU#737451
   URL:http://www.kb.cert.org/vuls/id/737451
   BID:3078
   URL:http://www.securityfocus.com/bid/3078
   CIAC:L-121
   URL:http://www.ciac.org/ciac/bulletins/l-121.shtml

======================================================
Candidate: CAN-2001-0726
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0726
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010927
Category: SF
Reference: MS:MS01-057
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-057.asp
Reference: XF:exchange-owa-embedded-script-execution(7663)
Reference: BID:3650
Reference: URL:http://online.securityfocus.com/bid/3650

Outlook Web Access (OWA) in Microsoft Exchange 5.5 Server, when used with Internet Explorer, does not properly detect certain inline script, which can allow remote attackers to perform arbitrary actions on a user's Exchange mailbox via an HTML e-mail message.
Modifications:
  ADDREF XF:exchange-owa-embedded-script-execution(7663)
  ADDREF BID:3650

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0726 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(5) Wall, Baker, Foat, Cole, Green
  MODIFY(1) Frech
  NOOP(1) Christey

Voter Comments:
 Frech> XF:exchange-owa-embedded-script-execution(7663)
 Christey> Consider adding BID:3650

======================================================
Candidate: CAN-2001-0727
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0727
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010927
Category: SF
Reference: BUGTRAQ:20011214 MSIE may download and run progams automatically
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100835204509262&w=2
Reference: BUGTRAQ:20011216 Re: MSIE may download and run progams automatically - NOT SO FAST
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100861273114437&w=2
Reference: MS:MS01-058
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-058.asp
Reference: CERT:CA-2001-36
Reference: URL:http://www.cert.org/advisories/CA-2001-36.html
Reference: XF:ie-file-download-execution(7703)
Reference: BID:3578

Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability."

Modifications:
  ADDREF XF:ie-file-download-execution(7703)
  ADDREF BID:3578

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0727 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
  ACCEPT(5) Wall, Baker, Foat, Cole, Green
  MODIFY(1) Frech
  NOOP(1) Christey

Voter Comments:
 Frech> XF:ie-file-download-execution(7703)
 Christey> Consider adding BID:3578

======================================================
Candidate: CAN-2001-0731
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20011008
Category: SF
Reference: BUGTRAQ:20010709 How Google indexed a file with no external link
Reference: URL:http://www.securityfocus.com/archive/1/20010709214744.A28765@brasscannon.net
Reference: CONFIRM:http://www.apacheweek.com/issues/01-10-05#security
Reference: MANDRAKE:MDKSA-2001:077
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-077-1.php3
Reference: BID:3009
Reference: URL:http://www.securityfocus.com/bid/3009
Reference: XF:apache-multiviews-directory-listing(8275)
Reference: SGI:20020301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P

Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string.

Modifications:
  ADDREF XF:apache-multiviews-directory-listing(8275)
  ADDREF SGI:20020301-01-P

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0731 ACCEPT (8 accept, 2 ack, 0 review)

Current Votes:
  ACCEPT(7) Wall, Baker, Foat, Cole, Armstrong, Ziese, Green
  MODIFY(1) Frech
  NOOP(1) Christey

Voter Comments:
 Christey> SGI:20020301-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P
 Frech> XF:apache-multiviews-directory-listing(8275)

======================================================
Candidate: CAN-2001-0769
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0769
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010527 def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html
Reference: XF:guildftpd-null-memory-leak(6613)
Reference: URL:http://xforce.iss.net/static/6613.php

Memory leak in GuildFTPd Server 0.97 allows remote attackers to cause a denial of service via a request containing a null character.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: the vendor acknowledged the problem via email on 3/8/2002.
INFERRED ACTION: CAN-2001-0769 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(2) Foat, Frech
  NOOP(4) Christey, Wall, Cole, Armstrong

Voter Comments:
 Christey> Email ack received from guildftpd@nitrolic.com on 3/8/2002

======================================================
Candidate: CAN-2001-0770
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0770
Final-Decision:
Interim-Decision: 20020617
Modified: 20020308-01
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010527 def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html
Reference: XF:guildftpd-site-bo(6612)
Reference: URL:http://xforce.iss.net/static/6612.php
Reference: CONFIRM:http://www.nitrolic.com/help/history.htm

Buffer overflow in GuildFTPd Server 0.97 allows remote attacker to execute arbitrary code via a long SITE command.

Modifications:
  ADDREF CONFIRM:http://www.nitrolic.com/help/history.htm

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: The history file says "Fixed some problems with the SITE commands." This by itself is not sufficient to prove acknowledgement of *this* issue, but the vendor verified this via email on 3/8/2002.

INFERRED ACTION: CAN-2001-0770 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(3) Foat, Armstrong, Frech
  NOOP(3) Christey, Wall, Cole

Voter Comments:
 Christey> Possible ACK at http://www.nitrolic.com/help/history.htm
   Inquiry sent to guildftpd@nitrolic.com on 2/25/2002
 Christey> Email ack received from guildftpd@nitrolic.com on 3/8/2002

======================================================
Candidate: CAN-2001-0797
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0797
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011024
Category: SF
Reference: ISS:20011212 Buffer Overflow in /bin/login
Reference: URL:http://xforce.iss.net/alerts/advise105.php
Reference: BUGTRAQ:20011219 Linux distributions and /bin/login overflow
Reference: URL:http://www.securityfocus.com/archive/1/246487
Reference: CERT:CA-2001-34
Reference: URL:http://www.cert.org/advisories/CA-2001-34.html
Reference: CERT-VN:VU#569272
Reference: URL:http://www.kb.cert.org/vuls/id/569272
Reference: CALDERA:CSSA-2001-SCO.40
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/CSSA-2001-SCO.40.txt
Reference: SUN:00213
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213
Reference: AIXAPAR:IY26221
Reference: SGI:20011201-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I
Reference: SUNBUG:4516885
Reference: BUGTRAQ:20011214 Sun Solaris login bug patches out
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100844757228307&w=2
Reference: XF:telnet-tab-bo(7284)
Reference: URL:http://xforce.iss.net/static/7284.php
Reference: BID:3681
Reference: URL:http://www.securityfocus.com/bid/3681

Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.

Modifications:
  ADDREF SUNBUG:4516885
  ADDREF BUGTRAQ:20011214 Sun Solaris login bug patches out

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0797 ACCEPT (3 accept, 8 ack, 0 review)

Current Votes:
  ACCEPT(5) Baker, Cole, Frech, Dik, Green
  NOOP(3) Christey, Wall, Foat

Voter Comments:
 Dik> Sun bugid: 4516885
 Christey> BUGTRAQ:20011214 Sun Solaris login bug patches out
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100844757228307&w=2

======================================================
Candidate: CAN-2001-0869
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0869
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011129
Category: SF
Reference: SUSE:SuSE-SA:2001:042
Reference: URL:http://lwn.net/alerts/SuSE/SuSE-SA%3A2001%3A042.php3
Reference: CALDERA:CSSA-2001-040.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-040.0.txt
Reference: REDHAT:RHSA-2001-150
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-150.html
Reference: REDHAT:RHSA-2001-151
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-151.html
Reference: MANDRAKE:MDKSA-2002:018
Reference: XF:cyrus-sasl-format-string(7443)
Reference: URL:http://xforce.iss.net/static/7443.php
Reference: FREEBSD:FreeBSD-SA-02:15
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:15.cyrus-sasl.asc

Format string vulnerability in the default logging callback function in Cyrus SASL library (cyrus-sasl) may allow remote attackers to execute arbitrary commands.
Modifications:
  ADDREF MANDRAKE:MDKSA-2002:018
  ADDREF FREEBSD:FreeBSD-SA-02:15

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0869 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
  ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
  NOOP(2) Christey, Wall

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:018
 Christey> ADDREF FREEBSD:FreeBSD-SA-02:15
   URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:15.cyrus-sasl.asc

======================================================
Candidate: CAN-2001-0872
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0872
Final-Decision:
Interim-Decision: 20020617
Modified: 20020228-01
Proposed: 20020131
Assigned: 20011203
Category: SF
Reference: BUGTRAQ:20011204 [Fwd: OpenSSH 3.0.2 fixes UseLogin vulnerability]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100749779131514&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100747128105913&w=2
Reference: REDHAT:RHSA-2001:161
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-161.html
Reference: SUSE:SuSE-SA:2001:045
Reference: URL:http://lists.suse.com/archives/suse-security-announce/2001-Dec/0001.html
Reference: DEBIAN:DSA-091
Reference: URL:http://www.debian.org/security/2001/dsa-091
Reference: XF:openssh-uselogin-execute-code(7647)
Reference: URL:http://xforce.iss.net/static/7647.php

OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges.

Modifications:
  ADDREF DEBIAN:DSA-091

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0872 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
  ACCEPT(6) Green, Wall, Baker, Foat, Cole, Frech

======================================================
Candidate: CAN-2001-0884
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0884
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011213
Category: SF
Reference: BUGTRAQ:20011128 Cgisecurity.com Advisory #7: Mailman Email Archive Cross Site Scripting
Reference: URL:http://www.securityfocus.com/archive/1/242839
Reference: CONECTIVA:CLA-2001:445
Reference: URL:http://www.securityfocus.com/advisories/3721
Reference: REDHAT:RHSA-2001:168
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-168.html
Reference: REDHAT:RHSA-2001:170
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-170.html
Reference: XF:mailman-java-css(7617)
Reference: URL:http://xforce.iss.net/static/7617.php
Reference: BID:3602
Reference: URL:http://www.securityfocus.com/bid/3602

Cross-site scripting vulnerability in Mailman email archiver before 2.08 allows attackers to obtain sensitive information or authentication credentials via a malicious link that is accessed by other web users.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0884 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(4) Baker, Cole, Armstrong, Frech
  NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-0886
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0886
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011214
Category: SF
Reference: MISC:http://sources.redhat.com/ml/bug-glibc/2001-11/msg00109.html
Reference: BUGTRAQ:20011217 [Global InterSec 2001121001] glibc globbing issues.
Reference: URL:http://www.securityfocus.com/archive/1/245956
Reference: REDHAT:RHSA-2001-160
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-160.html
Reference: MANDRAKE:MDKSA-2001:095
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-095.php3
Reference: ENGARDE:ESA-20011217-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1752.html
Reference: XF:glibc-glob-bo(7705)
Reference: URL:http://xforce.iss.net/static/7705.php
Reference: BID:3707
Reference: URL:http://www.securityfocus.com/bid/3707

Buffer overflow in glob function of glibc allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a glob pattern that ends in a brace "{" character.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0886 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(5) Green, Wall, Baker, Cole, Frech
  NOOP(1) Foat

======================================================
Candidate: CAN-2001-0887
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0887
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011219
Category: SF
Reference: FREEBSD:FreeBSD-SA-01:68
Reference: URL:http://www.securityfocus.com/advisories/3734
Reference: BID:3700
Reference: URL:http://www.securityfocus.com/bid/3700
Reference: XF:xsane-temp-symlink(7714)
Reference: URL:http://xforce.iss.net/static/7714.php

xSANE 0.81 and earlier allows local users to modify files of other xSANE users via a symlink attack on temporary files.
Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0887 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(4) Green, Baker, Cole, Frech
  NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-0888
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0888
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011219
Category: SF
Reference: BUGTRAQ:20011221 VIGILANTe advisory 2001003 : Atmel SNMP Non Public Community String DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100895903202798&w=2
Reference: XF:atmel-snmp-community-dos(7734)
Reference: URL:http://xforce.iss.net/static/7734.php
Reference: BID:3734
Reference: URL:http://www.securityfocus.com/bid/3734

Atmel Firmware 1.3 Wireless Access Point (WAP) allows remote attackers to cause a denial of service via a SNMP request with (1) a community string other than "public" or (2) an unknown OID, which causes the WAP to deny subsequent SNMP requests.

Analysis
--------
Vendor Acknowledgement: yes advisory/yes followup/yes changelog/yes/unknown discloser-claimed/unknown vague/unknown/no disputed/no

INFERRED ACTION: CAN-2001-0888 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(4) Green, Baker, Cole, Frech
  NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-0889
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0889
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011221
Category: SF
Reference: BUGTRAQ:20011219 [ph10@cus.cam.ac.uk: [Exim] Potential security problem]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100877978506387&w=2
Reference: REDHAT:RHSA-2001:176
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-176.html
Reference: XF:exim-pipe-hostname-commands(7738)

Exim 3.22 and earlier, in some configurations, does not properly verify the local part of an address when redirecting the address to a pipe, which could allow remote attackers to execute arbitrary commands via shell metacharacters.

Modifications:
  ADDREF XF:exim-pipe-hostname-commands(7738)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0889 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(3) Green, Baker, Cole
  MODIFY(1) Frech
  NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:exim-pipe-hostname-commands(7738)

======================================================
Candidate: CAN-2001-0894
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0894
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011115 Postfix session log memory exhaustion bugfix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100584160110303&w=2
Reference: MANDRAKE:MDKSA-2001:089
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-089.php3?dis=8.1
Reference: DEBIAN:DSA-093
Reference: URL:http://www.debian.org/security/2001/dsa-093
Reference: REDHAT:RHSA-2001:156
Reference: BID:3544
Reference: URL:http://www.securityfocus.com/bid/3544
Reference: XF:postfix-smtp-log-dos(7568)
Reference: URL:http://xforce.iss.net/static/7568.php

Vulnerability in Postfix SMTP server before 20010228-pl07, when configured to email the postmaster when SMTP errors cause the session to terminate, allows remote attackers to cause a denial of service (memory exhaustion) by generating a large number of SMTP errors, which forces the SMTP session log to grow too large.
Modifications:
   ADDREF REDHAT:RHSA-2001:156

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0894 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
   MODIFY(1) Cox
   NOOP(1) Wall

Voter Comments:
 Cox> ADDREF REDHAT:RHSA-2001:156

======================================================
Candidate: CAN-2001-0895
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0895
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CISCO:20011115 Cisco IOS ARP Table Overwrite Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml
Reference: XF:cisco-arp-overwrite-table(7547)

Multiple Cisco networking products allow remote attackers to cause a denial of service on the local network via a series of ARP packets sent to the router's interface that contains a different MAC address for the router, which eventually causes the router to overwrite the MAC address in its ARP table.

Modifications:
   ADDREF XF:cisco-arp-overwrite-table(7547)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0895 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:cisco-arp-overwrite-table(7547)

======================================================
Candidate: CAN-2001-0896
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0896
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CALDERA:CSSA-2001-SCO.33
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.33/CSSA-2001-SCO.33.txt
Reference: BUGTRAQ:20020201 RE: DoS bug on Tru64
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101284101228656&w=2
Reference: BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101303877215098&w=2
Reference: XF:openserver-nmap-po-option(7571)

Inetd in OpenServer 5.0.5 allows remote attackers to cause a denial of service (crash) via a port scan, e.g. with nmap -PO.

Modifications:
   ADDREF BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
   ADDREF BUGTRAQ:20020201 RE: DoS bug on Tru64
   ADDREF XF:openserver-nmap-po-option(7571)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0896 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> A rediscovery of this issue was reported in:
   BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101303877215098&w=2
   BUGTRAQ:20020201 RE: DoS bug on Tru64
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101284101228656&w=2
 Frech> XF:openserver-nmap-po-option(7571)

======================================================
Candidate: CAN-2001-0899
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0899
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011116 Network Tool 0.2 Addon for PHPNuke vulnerable to remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100593523104176&w=2
Reference: CONFIRM:http://phpnukerz.org/modules.php?name=Downloads&d_op=viewsdownload&sid=32
Reference: XF:phpnuke-nettools-command-execution(7578)

Network Tools 0.2 for PHP-Nuke allows remote attackers to execute commands on the server via shell metacharacters in the $hostinput variable.
Modifications:
   ADDREF XF:phpnuke-nettools-command-execution(7578)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The comment for version 0.3, dated November 26, says "This version is a bug fix to the remote command execution security hole in version 0.2". A look at the source code shows that all calls to system() are now quoted.

INFERRED ACTION: CAN-2001-0899 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:phpnuke-nettools-command-execution(7578)

======================================================
Candidate: CAN-2001-0900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0900
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011118 Gallery Addon for PhpNuke remote file viewing vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100619599000590&w=2
Reference: CONFIRM:http://www.menalto.com/projects/gallery/article.php?sid=33&mode=&order=
Reference: XF:phpnuke-gallery-directory-traversal(7580)

Directory traversal vulnerability in modules.php in Gallery before 1.2.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the include parameter.

Modifications:
   ADDREF XF:phpnuke-gallery-directory-traversal(7580)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0900 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:phpnuke-gallery-directory-traversal(7580)

======================================================
Candidate: CAN-2001-0901
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0901
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011119 Hypermail SSI Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100626603407639&w=2
Reference: CONFIRM:http://www.hypermail.org/dist/hypermail-2.1.4.tar.gz
Reference: XF:hypermail-ssi-execute-commands(7576)

Hypermail allows remote attackers to execute arbitrary commands on a server supporting SSI via an attachment with a .shtml extension, which is archived on the server and can then be executed by requesting the URL for the attachment.

Modifications:
   ADDREF XF:hypermail-ssi-execute-commands(7576)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the ChangeLog in HyperMail 2.1.4, the entry for Nov 14, 2001 says "Changes relevant to security... attachment filenames ending in .shtml get changed to .html."

INFERRED ACTION: CAN-2001-0901 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:hypermail-ssi-execute-commands(7576)

======================================================
Candidate: CAN-2001-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0905
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: DEBIAN:DSA-083
Reference: URL:http://www.debian.org/security/2001/dsa-083
Reference: REDHAT:RHSA-2001:093
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-093.html
Reference: MANDRAKE:MDKSA-2001:085
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-085.php3
Reference: FREEBSD:FreeBSD-SA-01:60
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:60.procmail.asc
Reference: CONECTIVA:CLA-2001:433
Reference: BID:3071
Reference: URL:http://www.securityfocus.com/bid/3071
Reference: XF:procmail-signal-handling-race(6872)

Race condition in signal handling of procmail 3.20 and earlier, when running setuid, allows local users to cause a denial of service or gain root privileges by sending a signal while a signal handling routine is already running.

Modifications:
   ADDREF CONECTIVA:CLA-2001:433
   ADDREF XF:procmail-signal-handling-race(6872)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0905 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Green, Wall, Baker, Cole, Armstrong
   MODIFY(2) Christey, Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:procmail-signal-handling-race(6872)
 Christey> ADDREF CONECTIVA:CLA-2001:433

======================================================
Candidate: CAN-2001-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0906
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010622 LPRng + tetex tmpfile race - uid lp exploit
Reference: URL:http://www.securityfocus.com/archive/1/192647
Reference: REDHAT:RHSA-2001:102
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html
Reference: MANDRAKE:MDKSA-2001:086
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-086.php3
Reference: IMMUNIX:IMNX-2001-70-030-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-030-01
Reference: BID:2974
Reference: URL:http://www.securityfocus.com/bid/2974
Reference: XF:tetex-lprng-tmp-race(6785)
Reference: URL:http://xforce.iss.net/static/6785.php

teTeX filter before 1.0.7 allows local users to gain privileges via a symlink attack on temporary files that are produced when printing .dvi files using lpr.
Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0906 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Green, Wall, Baker, Cole, Armstrong, Frech
   NOOP(1) Foat

======================================================
Candidate: CAN-2001-0912
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0912
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: MANDRAKE:MDKSA-2001:087
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-087.php3?dis=8.1
Reference: XF:linux-expect-unauth-root(7604)
Reference: URL:http://xforce.iss.net/static/7604.php

Packaging error for expect 8.3.3 in Mandrake Linux 8.1 causes expect to search for its libraries in the /home/snailtalk directory before other directories, which could allow a local user to gain root privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0912 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-0917
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0917
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011122 Hi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100654722925155&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=tomcat-dev&m=100658457507305&w=2
Reference: XF:tomcat-reveal-install-path(7599)

Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension.

Modifications:
   ADDREF XF:tomcat-reveal-install-path(7599)

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-0917 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:tomcat-reveal-install-path(7599)

======================================================
Candidate: CAN-2001-0918
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0918
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: SUSE:SuSE-SA:2001:041
Reference: URL:http://www.suse.de/de/support/security/2001_041_susehelp_txt.txt
Reference: XF:susehelp-cgi-command-execution(7583)
Reference: URL:http://xforce.iss.net/static/7583.php
Reference: BID:3576
Reference: URL:http://www.securityfocus.com/bid/3576

Vulnerabilities in CGI scripts in susehelp in SuSE 7.2 and 7.3 allow remote attackers to execute arbitrary commands by not opening files securely.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0918 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-0920
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0920
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011126 [CERT-intexxia] Auto Nice Daemon Format String Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100680319004162&w=2
Reference: CONFIRM:http://and.sourceforge.net/
Reference: XF:and-format-string(7606)
Reference: URL:http://xforce.iss.net/static/7606.php
Reference: BID:3580
Reference: URL:http://www.securityfocus.com/bid/3580

Format string vulnerability in auto nice daemon (AND) 1.0.4 and earlier allows a local user to possibly execute arbitrary code via a process name containing a format string.

Analysis
--------
Vendor Acknowledgement: yes advisory

The home page for AND states "Security Alert! A format string vulnerability has been found in AND 1.0.4 and before. Update to 1.0.5 or newer NOW!" and references the author of the Bugtraq post.

INFERRED ACTION: CAN-2001-0920 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-0929
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0929
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CISCO:20011128 A Vulnerability in IOS Firewall Feature Set
Reference: URL:http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml
Reference: XF:ios-cbac-bypass-acl(7614)

Cisco IOS Firewall Feature set, aka Context Based Access Control (CBAC) or Cisco Secure Integrated Software, for IOS 11.2P through 12.2T does not properly check the IP protocol type, which could allow remote attackers to bypass access control lists.

Modifications:
   ADDREF XF:ios-cbac-bypass-acl(7614)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0929 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:ios-cbac-bypass-acl(7614)

======================================================
Candidate: CAN-2001-0936
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0936
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20011130 Alert: Vulnerability in frox transparent ftp proxy.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100713367307799&w=2
Reference: CONFIRM:http://frox.sourceforge.net/security.txt
Reference: XF:frox-ftp-proxy-bo(7632)
Reference: URL:http://xforce.iss.net/static/7632.php
Reference: BID:3606
Reference: URL:http://www.securityfocus.com/bid/3606

Buffer overflow in Frox transparent FTP proxy 0.6.6 and earlier, with the local caching method selected, allows remote FTP servers to run arbitrary code via a long response to an MDTM request.
Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The vendor advisory is a verbatim copy of the advisory that was sent to Bugtraq.

INFERRED ACTION: CAN-2001-0936 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-0939
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0939
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20011130 Denial of Service in Lotus Domino 5.08 and earlier HTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100715316426817&w=2
Reference: CONFIRM:http://www-1.ibm.com/support/manager.wss?rs=0&rt=0&org=sims&doc=4C8E450DBF2E7F1885256B200079FA88
Reference: BID:3607
Reference: URL:http://www.securityfocus.com/bid/3607
Reference: XF:lotus-domino-nhttp-dos(7631)

Lotus Domino 5.08 and earlier allows remote attackers to cause a denial of service (crash) via a SunRPC NULL command to port 443.

Modifications:
   ADDREF XF:lotus-domino-nhttp-dos(7631)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0939 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:lotus-domino-nhttp-dos(7631)
 CHANGE> [Frech changed vote from MODIFY to ACCEPT]

======================================================
Candidate: CAN-2001-0940
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0940
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: WIN2KSEC:20010921 Check Point FireWall-1 GUI Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0151.html
Reference: BUGTRAQ:20011128 Firewall-1 remote SYSTEM shell buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100698954308436&w=2
Reference: BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094268017271&w=2
Reference: BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow
Reference: URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00291.html
Reference: CHECKPOINT:20010919 GUI Buffer Overflow
Reference: URL:http://www.checkpoint.com/techsupport/alerts/buffer_overflow.html
Reference: BID:3336
Reference: URL:http://www.securityfocus.com/bid/3336
Reference: XF:fw1-log-viewer-bo(7145)
Reference: URL:http://xforce.iss.net/static/7145.php

Buffer overflow in the GUI authentication code of Check Point VPN-1/FireWall-1 Management Server 4.0 and 4.1 allows remote attackers to execute arbitrary code via a long user name.

Modifications:
   ADDREF BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
   ADDREF BID:3336
   ADDREF XF:fw1-log-viewer-bo(7145)
   ADDREF BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0940 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094268017271&w=2
   BID:3336
   URL:http://www.securityfocus.com/bid/3336
   XF:fw1-log-viewer-bo(7145)
   URL:http://xforce.iss.net/static/7145.php
   BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow
   URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00291.html
 Frech> XF:fw1-log-viewer-bo(7145)

======================================================
Candidate: CAN-2001-0946
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0946
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011204 Symlink attack with apmd of RH 7.2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100743394701962&w=2
Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56389
Reference: XF:apmd-apmscript-symlink(8268)

apmscript in Apmd in Red Hat 7.2 "Enigma" allows local users to create or change the modification dates of arbitrary files via a symlink attack on the LOW_POWER temporary file, which could be used to cause a denial of service, e.g. by creating /etc/nologin and disabling logins.
Modifications:
   ADDREF XF:apmd-apmscript-symlink(8268)

Analysis
--------
Vendor Acknowledgement: yes changelog

INFERRED ACTION: CAN-2001-0946 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Wall, Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:apmd-apmscript-symlink(8268)

======================================================
Candidate: CAN-2001-0961
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0961
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: DEBIAN:DSA-076
Reference: URL:http://www.debian.org/security/2001/dsa-076
Reference: XF:most-file-create-bo(7149)
Reference: URL:http://xforce.iss.net/static/7149.php
Reference: BID:3347
Reference: URL:http://www.securityfocus.com/bid/3347

Buffer overflow in tab expansion capability of the most program allows local or remote attackers to execute arbitrary code via a malformed file that is viewed with most.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0961 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Frech
   NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-0962
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0962
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010919 Websphere cookie/sessionid predictable
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html
Reference: BUGTRAQ:20010928 Re: Websphere cookie/sessionid predictable
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html
Reference: CONFIRM:http://www14.software.ibm.com/webapp/download/postconfig.jsp?id=4000805&pf=Multi-Platform&v=3.0.2&e=Standard+%26+Advanced+Editions&cat=&s=p
Reference: XF:ibm-websphere-seq-predict(7153)
Reference: URL:http://xforce.iss.net/static/7153.php

IBM WebSphere Application Server 3.02 through 3.53 uses predictable session IDs for cookies, which allows remote attackers to gain privileges of WebSphere users via brute force guessing.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0962 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Frech
   NOOP(3) Wall, Foat, Cole

======================================================
Candidate: CAN-2001-0977
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0977
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CERT:CA-2001-18
Reference: URL:http://www.cert.org/advisories/CA-2001-18.html
Reference: CERT-VN:VU#935800
Reference: URL:http://www.kb.cert.org/vuls/id/935800
Reference: DEBIAN:DSA-068
Reference: URL:http://www.debian.org/security/2001/dsa-068
Reference: REDHAT:RHSA-2001:098
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-098.html
Reference: CONECTIVA:CLA-2001:417
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000417
Reference: MANDRAKE:MDKSA-2001:069
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-069.php3
Reference: BID:3049
Reference: URL:http://www.securityfocus.com/bid/3049
Reference: XF:openldap-ldap-protos-dos(6904)
Reference: URL:http://xforce.iss.net/static/6904.php

slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows remote attackers to cause a denial of service (crash) via an invalid Basic Encoding Rules (BER) length field.
Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0977 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(6) Green, Wall, Baker, Cole, Armstrong, Frech
   NOOP(1) Foat

======================================================
Candidate: CAN-2001-0981
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0981
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: HP:HPSBUX0108-164
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q3/0048.html
Reference: XF:hp-cifs-change-passwords(7051)

HP CIFS/9000 Server (SAMBA) A.01.07 and earlier with the "unix password sync" option enabled calls the passwd program without specifying the username of the user making the request, which could cause the server to change the password of a different user.

Modifications:
   ADDREF XF:hp-cifs-change-passwords(7051)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0981 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:hp-cifs-change-passwords(7051)

======================================================
Candidate: CAN-2001-1002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1002
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010827 LPRng/rhs-printfilters - remote execution of commands
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99892644616749&w=2
Reference: REDHAT:RHSA-2001:102
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html
Reference: BID:3241
Reference: URL:http://www.securityfocus.com/bid/3241
Reference: XF:tetex-lprng-tmp-race(6785)

The default configuration of the DVI print filter (dvips) in Red Hat Linux 7.0 and earlier does not run dvips in secure mode when dvips is executed by lpd, which could allow remote attackers to gain privileges by printing a DVI file that contains malicious commands.

Modifications:
   ADDREF XF:tetex-lprng-tmp-race(6785)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1002 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:tetex-lprng-tmp-race(6785)
   Similar to CAN-2001-0906?
 Christey> Similar in the sense that lprng/lpd uses Tetex, or something like that.

======================================================
Candidate: CAN-2001-1022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1022
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010727 ADV/EXP:pic/lpd remote exploit - RH 7.0
Reference: URL:http://www.securityfocus.com/archive/1/199706
Reference: DEBIAN:DSA-072
Reference: URL:http://www.debian.org/security/2001/dsa-072
Reference: CONECTIVA:CLA-2001:428
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000428
Reference: XF:linux-groff-format-string(6918)
Reference: URL:http://xforce.iss.net/static/6918.php
Reference: BID:3103
Reference: URL:http://www.securityfocus.com/bid/3103

Format string vulnerability in pic utility in groff 1.16.1 and other versions allows remote attackers to bypass the -S option and execute arbitrary commands via format string specifiers in the plot command.
Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1022 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Baker, Cole, Armstrong, Frech, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1027 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1027 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: CONFIRM:http://www.windowmaker.org/src/ChangeLog Reference: DEBIAN:DSA-074 Reference: URL:http://www.debian.org/security/2001/dsa-074 Reference: CONECTIVA:CLA-2001:411 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000411 Reference: SUSE:SuSE-SA:2001:032 Reference: URL:http://www.suse.de/de/support/security/2001_032_wmaker_txt.txt Reference: MANDRAKE:MDKSA-2001:074 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-074.php3 Reference: BID:3177 Reference: URL:http://www.securityfocus.com/bid/3177 Reference: XF:windowmaker-title-bo(6969) Buffer overflow in WindowMaker (aka wmaker) 0.64 and earlier allows remote attackers to execute arbitrary code via a long window title. 
Modifications: ADDREF XF:windowmaker-title-bo(6969) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1027 ACCEPT (5 accept, 3 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Green MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:windowmaker-title-bo(6969) ====================================================== Candidate: CAN-2001-1030 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1030 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010718 Squid httpd acceleration acl bug enables portscanning Reference: URL:http://www.securityfocus.com/archive/1/197727 Reference: BUGTRAQ:20010719 TSLSA-2001-0013 - Squid Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0362.html Reference: IMMUNIX:IMNX-2001-70-031-01 Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-031-01 Reference: CALDERA:CSSA-2001-029.0 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-029.0.txt Reference: MANDRAKE:MDKSA-2001:066 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-066.php3 Reference: REDHAT:RHSA-2001:097 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-097.html Reference: XF:squid-http-accelerator-portscanning(6862) Reference: URL:http://xforce.iss.net/static/6862.php Squid before 2.3STABLE5 in HTTP accelerator mode does not enable access control lists (ACLs) when the httpd_accel_host and http_accel_with_proxy off settings are used, which allows attackers to bypass the ACLs and conduct unauthorized activities such as port scanning. 
Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1030 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
    ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1032
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1032
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010924 twlc advisory: all versions of php nuke are vulnerable...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0203.html
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
Reference: XF:php-nuke-admin-file-overwrite(7170)
Reference: URL:http://xforce.iss.net/static/7170.php
Reference: BID:3361
Reference: URL:http://www.securityfocus.com/bid/3361

admin.php in PHP-Nuke 5.2 and earlier, except 5.0RC1, does not check login credentials for upload operations, which allows remote attackers to copy and upload arbitrary files and read the PHP-Nuke configuration file by directly calling admin.php with an upload parameter and specifying the file to copy.
Modifications:
  ADDREF CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
  ADDREF BID:3361

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-1032 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(2) Frech, Green
    NOOP(4) Wall, Foat, Cole, Christey

Voter Comments:
 Christey> CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
   BID:3361
   URL:http://www.securityfocus.com/bid/3361

======================================================
Candidate: CAN-2001-1043
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1043
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010701 ArGoSoft 1.2.2.2 *.lnk upload Directory Traversal
Reference: URL:http://www.securityfocus.com/archive/1/194445
Reference: BID:2961
Reference: URL:http://www.securityfocus.com/bid/2961
Reference: XF:ftp-lnk-directory-traversal(6760)
Reference: URL:http://xforce.iss.net/static/6760.php

ArGoSoft FTP Server 1.2.2.2 allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.

Analysis
--------
Vendor Acknowledgement: yes via-email

INFERRED ACTION: CAN-2001-1043 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(3) Cole, Frech, Green
    NOOP(4) Wall, Foat, Armstrong, Christey

Voter Comments:
 CHANGE> [Green changed vote from REVIEWING to ACCEPT]
 Christey> Acknowledged by the vendor in an email to Dave Baker, May 9.
======================================================
Candidate: CAN-2001-1046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1046
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010602 Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/188267
Reference: VULN-DEV:20010420 Qpopper 4.0 Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=98777649031406&w=2
Reference: CALDERA:CSSA-2001-SCO.8
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html
Reference: BID:2811
Reference: URL:http://www.securityfocus.com/bid/2811
Reference: XF:qpopper-username-bo(6647)
Reference: URL:http://xforce.iss.net/static/6647.php

Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2 allows remote attackers to gain privileges via a long username.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The Caldera advisory does not provide enough details to be certain that it fixes the reported problem, but it was released a month after the initial announcement, and it credits the same people who are credited in the initial announcement, so there is enough evidence to determine that the Caldera advisory is addressing this problem.
INFERRED ACTION: CAN-2001-1046 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1053
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010713 AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0249.html
Reference: CONFIRM:http://www.adcycle.com/cgi-bin/download.cgi?type=UNIX&version=1.17
Reference: XF:adcycle-insert-sql-command(6837)
Reference: URL:http://xforce.iss.net/static/6837.php
Reference: BID:3032
Reference: URL:http://www.securityfocus.com/bid/3032

AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to bypass authentication and gain privileges by injecting SQL code in the $password argument.

Modifications:
  DELREF XF:php-includedir-code-execution(7215)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the README.txt file bundled with the software, the "[v1.16] July 5, 2001" entry states "fixed security hole (with help from qDefense.com)."
INFERRED ACTION: CAN-2001-1053 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Baker, Cole, Armstrong, Green
    MODIFY(1) Frech
    NOOP(2) Wall, Foat

Voter Comments:
 Frech> DELREF XF:php-includedir-code-execution(7215)

======================================================
Candidate: CAN-2001-1062
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1062
Final-Decision:
Interim-Decision: 20020617
Modified: 20020228-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CALDERA:CSSA-2001-SCO.12
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.12/CSSA-2001-SCO.12.txt
Reference: XF:openserver-mana-bo(7034)
Reference: URL:http://www.iss.net/security_center/static/7034.php

Buffer overflow in mana in OpenServer 5.0.6a and earlier allows local users to execute arbitrary code.

Modifications:
  ADDREF XF:openserver-mana-bo(7034)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1062 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Baker, Cole, Armstrong, Green
    MODIFY(1) Frech
    NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:openserver-mana-bo(7034)

======================================================
Candidate: CAN-2001-1071
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1071
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011009 Cisco CDP attacks
Reference: URL:http://www.securityfocus.com/archive/1/219257
Reference: BUGTRAQ:20011009 Cisco Systems - Vulnerability in CDP
Reference: URL:http://www.securityfocus.com/archive/1/219305
Reference: BID:3412
Reference: URL:http://www.securityfocus.com/bid/3412
Reference: XF:cisco-ios-cdp-dos(7242)
Reference: URL:http://xforce.iss.net/static/7242.php

Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP) allows remote attackers to cause a denial of service (memory consumption) via a flood of CDP neighbor announcements.
Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1071 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Baker, Cole, Frech, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1072
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1072
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010812 Are your mod_rewrite rules doing what you expect?
Reference: URL:http://www.securityfocus.com/archive/1/203955
Reference: CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
Reference: BID:3176
Reference: URL:http://www.securityfocus.com/bid/3176
Reference: XF:apache-rewrite-bypass-directives(8633)

Apache with mod_rewrite enabled on most UNIX systems allows remote attackers to bypass RewriteRules by inserting extra / (slash) characters into the requested path, which causes the regular expression in the RewriteRule to fail.

Modifications:
  ADDREF CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
  ADDREF XF:apache-rewrite-bypass-directives(8633)

Analysis
--------
Vendor Acknowledgement: yes via-email

ABSTRACTION: This problem is similar to CAN-2000-0913, but different.

INFERRED ACTION: CAN-2001-1072 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(5) Baker, Foat, Cole, Armstrong, Green
    MODIFY(1) Frech
    NOOP(2) Wall, Christey

Voter Comments:
 Christey> ADDREF CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
 Christey> CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
 Frech> Not apache-rewrite-view-files(5310).
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:apache-rewrite-bypass-directives(8633)

======================================================
Candidate: CAN-2001-1074
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1074
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010526 Webmin Doesn't Clean Env (root exploit)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0262.html
Reference: CALDERA:CSSA-2001-019.1
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-019.1.txt
Reference: MANDRAKE:MDKSA-2001:059
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-059.php3
Reference: XF:webmin-gain-information(6627)
Reference: URL:http://xforce.iss.net/static/6627.php
Reference: BID:2795
Reference: URL:http://www.securityfocus.com/bid/2795

Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION environment variable when the web server is restarted, which makes authentication information available to all CGI programs and allows local users to gain privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1074 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1079
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: AIXAPAR:IY19069
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0000.html
Reference: XF:aix-keyfile-world-writable(8923)

create_keyfiles in PSSP 3.2 with DCE 3.1 authentication on AIX creates keyfile directories with world-writable permissions, which could allow a local user to delete key files and cause a denial of service.
Modifications:
  DESC Remove 3.2.0 from AIX version number
  ADDREF XF:aix-keyfile-world-writable(8923)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-1079 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Baker, Cole, Armstrong, Green
    MODIFY(2) Bollinger, Frech
    NOOP(2) Wall, Foat

Voter Comments:
 Bollinger> incorrect. The "REL: 320" in the aixserv email refers to the PSSP version, not the AIX version.
 Frech> XF: aix-keyfile-world-writable(8923)

======================================================
Candidate: CAN-2001-1083
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1083
Final-Decision:
Interim-Decision: 20020617
Modified: 20020616-02
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010626 Advisory
Reference: URL:http://www.securityfocus.com/archive/1/193516
Reference: MISC:http://www.icecast.org/index.html
Reference: CONFIRM:http://www.icecast.org/releases/icecast-1.3.11.tar.gz
Reference: DEBIAN:DSA-089
Reference: URL:http://www.debian.org/security/2001/dsa-089
Reference: CALDERA:CSSA-2002-020.0
Reference: BID:2933
Reference: URL:http://www.securityfocus.com/bid/2933
Reference: XF:icecast-http-remote-dos(6751)
Reference: URL:http://xforce.iss.net/static/6751.php

Icecast 1.3.7, and other versions before 1.3.11 with HTTP server file streaming support enabled, allows remote attackers to cause a denial of service (crash) via a URL that ends in . (dot), / (forward slash), or \ (backward slash).

Modifications:
  ADDREF CONFIRM:http://www.icecast.org/releases/icecast-1.3.11.tar.gz
  DESC update versions.
  ADDREF DEBIAN:DSA-089
  ADDREF CALDERA:CSSA-2002-020.0

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: On August 7, 2001 (more than a month after the initial disclosure), the news page states "contains a couple security updates." There is insufficient information to be confident whether the vendor is fixing the DoS or directory traversal problems identified on Bugtraq.
However, a diff of source.c between 1.3.10 and 1.3.11 indicates that for 1.3.11, the vendor inserted a check for the / character, which is sufficient acknowledgement.

INFERRED ACTION: CAN-2001-1083 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
    ACCEPT(2) Frech, Green
    NOOP(5) Wall, Foat, Cole, Armstrong, Christey

Voter Comments:
 CHANGE> [Green changed vote from REVIEWING to ACCEPT]
 Christey> CALDERA:CSSA-2002-020.0

======================================================
Candidate: CAN-2001-1084
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1084
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010702 Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194464
Reference: ALLAIRE:MPSB01-06
Reference: URL:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full
Reference: BID:2983
Reference: URL:http://www.securityfocus.com/bid/2983
Reference: XF:java-servlet-crosssite-scripting(6793)
Reference: URL:http://www.iss.net/security_center/static/6793.php

Cross-site scripting vulnerability in Allaire JRun 3.1 and earlier allows a malicious webmaster to embed Javascript in a request for a .JSP, .shtml, .jsp10, .jrun, or .thtml file that does not exist, which causes the Javascript to be inserted into an error message.
Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1084 ACCEPT (7 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
    NOOP(1) Foat

======================================================
Candidate: CAN-2001-1085
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1085
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010705 lmail local root exploit
Reference: URL:http://www.securityfocus.com/archive/1/195022
Reference: XF:lmail-tmpfile-symlink(6809)
Reference: URL:http://xforce.iss.net/static/6809.php
Reference: BID:2984
Reference: URL:http://www.securityfocus.com/bid/2984

Lmail 2.7 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1085 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Baker, Frech, Ziese
    NOOP(5) Wall, Foat, Cole, Armstrong, Green

======================================================
Candidate: CAN-2001-1088
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1088
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: BUGTRAQ:20010605 SECURITY.NNOV: Outlook Express address book spoofing
Reference: URL:http://www.securityfocus.com/archive/1/188752
Reference: CONFIRM:http://support.microsoft.com/default.aspx?scid=kb;EN-US;q234241
Reference: XF:outlook-address-book-spoofing(6655)
Reference: URL:http://xforce.iss.net/static/6655.php
Reference: BID:2823
Reference: URL:http://www.securityfocus.com/bid/2823

Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different from the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1088 ACCEPT (8 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(8) Wall, Baker, Foat, Cole, Armstrong, Frech, Ziese, Green

======================================================
Candidate: CAN-2001-1089
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1089
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010910 RUS-CERT Advisory 2001-09:01
Reference: URL:http://www.securityfocus.com/archive/1/213331
Reference: BID:3314
Reference: URL:http://www.securityfocus.com/bid/3314
Reference: XF:postgresql-nss-authentication-modules(7111)
Reference: URL:http://xforce.iss.net/static/7111.php

libnss-pgsql in nss-pgsql 0.9.0 and earlier allows remote attackers to execute arbitrary SQL queries by inserting SQL code into an HTTP request.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-1089 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Cole, Armstrong, Ziese, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1095
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: AIXAPAR:IY23401
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

Buffer overflow in uuq in AIX 4 could allow local users to execute arbitrary code via a long -r parameter.
Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1095 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(5) Bollinger, Cole, Armstrong, Ziese, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1096
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1096
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: AIXAPAR:IY23402
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

Buffer overflows in muxatmd in AIX 4 allow an attacker to cause a core dump and possibly execute code.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1096 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(5) Bollinger, Cole, Armstrong, Ziese, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1099
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1099
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: BUGTRAQ:20010907 Microsoft Exchange + Norton AntiVirus leak local information
Reference: URL:http://www.securityfocus.com/archive/1/212724
Reference: BUGTRAQ:20010912 Re: Microsoft Exchange + Norton AntiVirus leak local information
Reference: URL:http://www.securityfocus.com/archive/1/213762
Reference: XF:nav-exchange-reveal-information(7093)
Reference: URL:http://xforce.iss.net/static/7093.php
Reference: BID:3305
Reference: URL:http://www.securityfocus.com/bid/3305

The default configuration of Norton AntiVirus for Microsoft Exchange 2000 2.x allows remote attackers to identify the recipient's INBOX file path by sending an email with an attachment containing malicious content, which includes the path in the rejection notice.
Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1099 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(5) Wall, Cole, Armstrong, Ziese, Green
    NOOP(1) Foat

======================================================
Candidate: CAN-2001-1100
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1100
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011007 Bug found at W3Mail Webmail
Reference: URL:http://www.securityfocus.com/archive/1/218921
Reference: CONFIRM:http://www.w3mail.org/ChangeLog
Reference: BID:3673
Reference: URL:http://www.securityfocus.com/bid/3673
Reference: XF:w3mail-metacharacters-command-execution(7230)
Reference: URL:http://xforce.iss.net/static/7230.php

sendmessage.cgi in W3Mail 1.0.2, and possibly other CGI programs, allows remote attackers to execute arbitrary commands via shell metacharacters in any field of the 'Compose Message' page.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the Version 1.0.3 entry of the ChangeLog, dated December 4, 2001, the vendor says "Fixed potential security exploit by filtering special metacharacters."
INFERRED ACTION: CAN-2001-1100 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Cole, Armstrong, Ziese, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1108
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1108
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010726 Snapstream PVS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0606.html
Reference: CONFIRM:http://discuss.snapstream.com/ubb/Forum1/HTML/000216.html
Reference: XF:snapstream-dot-directory-traversal(6917)
Reference: URL:http://xforce.iss.net/static/6917.php
Reference: BID:3100
Reference: URL:http://www.securityfocus.com/bid/3100

Directory traversal vulnerability in SnapStream PVS 1.2a allows remote attackers to read arbitrary files via a .. (dot dot) attack in the requested URL.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: The online bulletin board includes a query about whether SnapStream fixed certain bugs, which included a URL to the problem description which indicates that it's the same as the Bugtraq post. "rakeshagrawal," whose email address is from SnapStream, said "issue 1 has been corrected," and issue 1 is the directory traversal problem identified in the Bugtraq post.
INFERRED ACTION: CAN-2001-1108 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1113
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1113
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010813 Local exploit for TrollFTPD-1.26
Reference: URL:http://www.securityfocus.com/archive/1/203874
Reference: CONFIRM:ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz
Reference: XF:trollftpd-long-path-bo(6974)
Reference: URL:http://xforce.iss.net/static/6974.php
Reference: BID:3174
Reference: URL:http://www.securityfocus.com/bid/3174

Buffer overflow in TrollFTPD 1.26 and earlier allows local users to execute arbitrary code by creating a series of deeply nested directories with long names, then running the ls -R (recursive) command.

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: The discloser says that a fixed version is at ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz. There is no clear acknowledgement on the web site or in the README file. A look at listdir() in ls.c indicates that snprintf is being used to copy pathnames. So the question is, was this fix *always* there, or was it just added? Fortunately we can download troll-ftpd-1.26.tar.gz and do a diff between the ls.c files from 1.26 and 1.27... Sure enough, 1.26 used sprintf whereas 1.27 uses snprintf. So we have indirect vendor acknowledgement through creation of a patch. QED.
INFERRED ACTION: CAN-2001-1113 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Cole, Armstrong, Ziese, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1116
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1116
Final-Decision:
Interim-Decision: 20020617
Modified: 20020320-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: NTBUGTRAQ:20010802 Identix BioLogon Client security bug
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=IND0108&L=NTBUGTRAQ&F=P&S=&P=71
Reference: NTBUGTRAQ:20010808 Response to Identix BioLogon Client security bug
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0108&L=ntbugtraq&F=P&S=&P=724
Reference: XF:identix-biologon-auth-bypass(6948)
Reference: URL:http://xforce.iss.net/static/6948.php
Reference: BID:3140
Reference: URL:http://www.securityfocus.com/bid/3140

Identix BioLogon 2.03 and earlier does not lock secondary displays on a multi-monitor system running Windows 98 or ME, which allows an attacker with physical access to the system to bypass authentication through a secondary display.
Modifications:
  CHANGEREF XF [fix typo in tagname]

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2001-1116 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Foat, Cole, Ziese, Green
    NOOP(2) Wall, Armstrong

======================================================
Candidate: CAN-2001-1117
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1117
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010810 Linksys router security fix
Reference: URL:http://www.securityfocus.com/archive/1/203302
Reference: BUGTRAQ:20010802 Advisory Update: Design Flaw in Linksys EtherFast 4-Port
Reference: URL:http://www.securityfocus.com/archive/1/201390
Reference: CONFIRM:ftp://ftp.linksys.com/pub/befsr41/befsr-fw1402.zip
Reference: XF:linksys-etherfast-reveal-passwords(6949)
Reference: URL:http://xforce.iss.net/static/6949.php
Reference: BID:3141
Reference: URL:http://www.securityfocus.com/bid/3141

LinkSys EtherFast BEFSR41 Cable/DSL routers running firmware before 1.39.3 Beta allow a remote attacker to view administration and user passwords by connecting to the router and viewing the HTML source for (1) index.htm and (2) Password.htm.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: In befsr-fw1402.zip, available from the vendor, the notes for version 4.40.2 in ver.txt, dated October 24 2001, say "5. Fixed some time user can see the UI page without password problem".

INFERRED ACTION: CAN-2001-1117 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(5) Foat, Cole, Armstrong, Ziese, Green
    NOOP(1) Wall

======================================================
Candidate: CAN-2001-1118
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1118
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010802 Roxen security alert: URL decoding vulnerable
Reference: URL:http://www.securityfocus.com/archive/1/201476
Reference: BUGTRAQ:20010802 FW: Security alert: Remote user can access any file
Reference: URL:http://www.securityfocus.com/archive/1/201499
Reference: CONFIRM:http://download.roxen.com/2.0/patch/security-notice.html
Reference: BID:3145
Reference: URL:http://www.securityfocus.com/bid/3145
Reference: XF:roxen-urlrectifier-retrieve-files(6937)
Reference: URL:http://xforce.iss.net/static/6937.php

A module in Roxen 2.0 before 2.0.92, and 2.1 before 2.1.264, does not properly decode UTF-8, Mac and ISO-2202 encoded URLs, which could allow a remote attacker to execute arbitrary commands or view arbitrary files via an encoded URL.
Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1118 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(4) Cole, Armstrong, Ziese, Green
    NOOP(2) Wall, Foat

======================================================
Candidate: CAN-2001-1119
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1119
Final-Decision:
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CERT-VN:VU#105347
Reference: URL:http://www.kb.cert.org/vuls/id/105347
Reference: SUSE:SuSE-SA:2001:025
Reference: URL:http://www.suse.de/de/support/security/2001_025_xmcd_txt.html
Reference: BID:3148
Reference: URL:http://www.securityfocus.com/bid/3148
Reference: XF:xmcd-cda-symlink(6941)
Reference: URL:http://xforce.iss.net/static/6941.php

cda in xmcd 3.0.2 and 2.6 in Su