[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FINAL] ACCEPT 191 candidates



I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below.  The
resulting CVE entries will be published in the near future in a new
version of CVE.  Voting details and comments are provided at the end
of this report.

- Steve


Candidate	CVE Name
---------	----------
CAN-1999-1080	CVE-1999-1080
CAN-1999-1362	CVE-1999-1362
CAN-2000-0060	CVE-2000-0060
CAN-2000-0072	CVE-2000-0072
CAN-2000-0087	CVE-2000-0087
CAN-2000-0976	CVE-2000-0976
CAN-2000-1166	CVE-2000-1166
CAN-2000-1193	CVE-2000-1193
CAN-2001-0508	CVE-2001-0508
CAN-2001-0550	CVE-2001-0550
CAN-2001-0553	CVE-2001-0553
CAN-2001-0726	CVE-2001-0726
CAN-2001-0727	CVE-2001-0727
CAN-2001-0731	CVE-2001-0731
CAN-2001-0769	CVE-2001-0769
CAN-2001-0770	CVE-2001-0770
CAN-2001-0797	CVE-2001-0797
CAN-2001-0869	CVE-2001-0869
CAN-2001-0872	CVE-2001-0872
CAN-2001-0884	CVE-2001-0884
CAN-2001-0886	CVE-2001-0886
CAN-2001-0887	CVE-2001-0887
CAN-2001-0888	CVE-2001-0888
CAN-2001-0889	CVE-2001-0889
CAN-2001-0894	CVE-2001-0894
CAN-2001-0895	CVE-2001-0895
CAN-2001-0896	CVE-2001-0896
CAN-2001-0899	CVE-2001-0899
CAN-2001-0900	CVE-2001-0900
CAN-2001-0901	CVE-2001-0901
CAN-2001-0905	CVE-2001-0905
CAN-2001-0906	CVE-2001-0906
CAN-2001-0912	CVE-2001-0912
CAN-2001-0917	CVE-2001-0917
CAN-2001-0918	CVE-2001-0918
CAN-2001-0920	CVE-2001-0920
CAN-2001-0929	CVE-2001-0929
CAN-2001-0936	CVE-2001-0936
CAN-2001-0939	CVE-2001-0939
CAN-2001-0940	CVE-2001-0940
CAN-2001-0946	CVE-2001-0946
CAN-2001-0961	CVE-2001-0961
CAN-2001-0962	CVE-2001-0962
CAN-2001-0977	CVE-2001-0977
CAN-2001-0981	CVE-2001-0981
CAN-2001-1002	CVE-2001-1002
CAN-2001-1022	CVE-2001-1022
CAN-2001-1027	CVE-2001-1027
CAN-2001-1030	CVE-2001-1030
CAN-2001-1032	CVE-2001-1032
CAN-2001-1043	CVE-2001-1043
CAN-2001-1046	CVE-2001-1046
CAN-2001-1053	CVE-2001-1053
CAN-2001-1062	CVE-2001-1062
CAN-2001-1071	CVE-2001-1071
CAN-2001-1072	CVE-2001-1072
CAN-2001-1074	CVE-2001-1074
CAN-2001-1079	CVE-2001-1079
CAN-2001-1083	CVE-2001-1083
CAN-2001-1084	CVE-2001-1084
CAN-2001-1085	CVE-2001-1085
CAN-2001-1088	CVE-2001-1088
CAN-2001-1089	CVE-2001-1089
CAN-2001-1095	CVE-2001-1095
CAN-2001-1096	CVE-2001-1096
CAN-2001-1099	CVE-2001-1099
CAN-2001-1100	CVE-2001-1100
CAN-2001-1108	CVE-2001-1108
CAN-2001-1113	CVE-2001-1113
CAN-2001-1116	CVE-2001-1116
CAN-2001-1117	CVE-2001-1117
CAN-2001-1118	CVE-2001-1118
CAN-2001-1119	CVE-2001-1119
CAN-2001-1121	CVE-2001-1121
CAN-2001-1130	CVE-2001-1130
CAN-2001-1132	CVE-2001-1132
CAN-2001-1141	CVE-2001-1141
CAN-2001-1144	CVE-2001-1144
CAN-2001-1146	CVE-2001-1146
CAN-2001-1147	CVE-2001-1147
CAN-2001-1149	CVE-2001-1149
CAN-2001-1153	CVE-2001-1153
CAN-2001-1155	CVE-2001-1155
CAN-2001-1158	CVE-2001-1158
CAN-2001-1160	CVE-2001-1160
CAN-2001-1161	CVE-2001-1161
CAN-2001-1162	CVE-2001-1162
CAN-2001-1166	CVE-2001-1166
CAN-2001-1172	CVE-2001-1172
CAN-2001-1174	CVE-2001-1174
CAN-2001-1175	CVE-2001-1175
CAN-2001-1176	CVE-2001-1176
CAN-2001-1177	CVE-2001-1177
CAN-2001-1180	CVE-2001-1180
CAN-2001-1183	CVE-2001-1183
CAN-2001-1185	CVE-2001-1185
CAN-2001-1193	CVE-2001-1193
CAN-2001-1199	CVE-2001-1199
CAN-2001-1201	CVE-2001-1201
CAN-2001-1203	CVE-2001-1203
CAN-2001-1215	CVE-2001-1215
CAN-2001-1227	CVE-2001-1227
CAN-2001-1231	CVE-2001-1231
CAN-2001-1234	CVE-2001-1234
CAN-2001-1235	CVE-2001-1235
CAN-2001-1236	CVE-2001-1236
CAN-2001-1237	CVE-2001-1237
CAN-2001-1240	CVE-2001-1240
CAN-2001-1246	CVE-2001-1246
CAN-2001-1247	CVE-2001-1247
CAN-2001-1252	CVE-2001-1252
CAN-2001-1266	CVE-2001-1266
CAN-2001-1276	CVE-2001-1276
CAN-2001-1277	CVE-2001-1277
CAN-2001-1295	CVE-2001-1295
CAN-2001-1297	CVE-2001-1297
CAN-2001-1299	CVE-2001-1299
CAN-2001-1322	CVE-2001-1322
CAN-2001-1342	CVE-2001-1342
CAN-2001-1345	CVE-2001-1345
CAN-2002-0002	CVE-2002-0002
CAN-2002-0003	CVE-2002-0003
CAN-2002-0004	CVE-2002-0004
CAN-2002-0007	CVE-2002-0007
CAN-2002-0018	CVE-2002-0018
CAN-2002-0020	CVE-2002-0020
CAN-2002-0021	CVE-2002-0021
CAN-2002-0022	CVE-2002-0022
CAN-2002-0023	CVE-2002-0023
CAN-2002-0025	CVE-2002-0025
CAN-2002-0026	CVE-2002-0026
CAN-2002-0027	CVE-2002-0027
CAN-2002-0028	CVE-2002-0028
CAN-2002-0038	CVE-2002-0038
CAN-2002-0040	CVE-2002-0040
CAN-2002-0043	CVE-2002-0043
CAN-2002-0044	CVE-2002-0044
CAN-2002-0045	CVE-2002-0045
CAN-2002-0046	CVE-2002-0046
CAN-2002-0047	CVE-2002-0047
CAN-2002-0049	CVE-2002-0049
CAN-2002-0050	CVE-2002-0050
CAN-2002-0051	CVE-2002-0051
CAN-2002-0052	CVE-2002-0052
CAN-2002-0055	CVE-2002-0055
CAN-2002-0057	CVE-2002-0057
CAN-2002-0059	CVE-2002-0059
CAN-2002-0060	CVE-2002-0060
CAN-2002-0063	CVE-2002-0063
CAN-2002-0064	CVE-2002-0064
CAN-2002-0065	CVE-2002-0065
CAN-2002-0066	CVE-2002-0066
CAN-2002-0070	CVE-2002-0070
CAN-2002-0078	CVE-2002-0078
CAN-2002-0080	CVE-2002-0080
CAN-2002-0081	CVE-2002-0081
CAN-2002-0082	CVE-2002-0082
CAN-2002-0083	CVE-2002-0083
CAN-2002-0092	CVE-2002-0092
CAN-2002-0096	CVE-2002-0096
CAN-2002-0097	CVE-2002-0097
CAN-2002-0098	CVE-2002-0098
CAN-2002-0107	CVE-2002-0107
CAN-2002-0111	CVE-2002-0111
CAN-2002-0115	CVE-2002-0115
CAN-2002-0117	CVE-2002-0117
CAN-2002-0121	CVE-2002-0121
CAN-2002-0128	CVE-2002-0128
CAN-2002-0139	CVE-2002-0139
CAN-2002-0143	CVE-2002-0143
CAN-2002-0151	CVE-2002-0151
CAN-2002-0152	CVE-2002-0152
CAN-2002-0153	CVE-2002-0153
CAN-2002-0159	CVE-2002-0159
CAN-2002-0160	CVE-2002-0160
CAN-2002-0166	CVE-2002-0166
CAN-2002-0167	CVE-2002-0167
CAN-2002-0168	CVE-2002-0168
CAN-2002-0175	CVE-2002-0175
CAN-2002-0176	CVE-2002-0176
CAN-2002-0179	CVE-2002-0179
CAN-2002-0196	CVE-2002-0196
CAN-2002-0197	CVE-2002-0197
CAN-2002-0207	CVE-2002-0207
CAN-2002-0209	CVE-2002-0209
CAN-2002-0211	CVE-2002-0211
CAN-2002-0226	CVE-2002-0226
CAN-2002-0237	CVE-2002-0237
CAN-2002-0251	CVE-2002-0251
CAN-2002-0265	CVE-2002-0265
CAN-2002-1056	CVE-2002-1056


======================================================
Candidate: CAN-1999-1080
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1080
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990510 SunOS 5.7 rmmount, no nosuid.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92633694100270&w=2
Reference: BUGTRAQ:19991011
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93971288323395&w=2
Reference: BID:250
Reference: URL:http://www.securityfocus.com/bid/250
Reference: SUNBUG:4205437
Reference: XF:solaris-rmmount-gain-root(8350)

rmmount in SunOS 5.7 may mount file systems without the nosuid flag
set, contrary to the documentation and its use in previous versions of
SunOS, which could allow local users with physical access to gain root
privileges by mounting a floppy or CD-ROM that contains a setuid
program and running volcheck, when the file systems do not have the
nosuid option specified in rmmount.conf.


Modifications:
  ADDREF SUNBUG:4205437
  ADDREF XF:solaris-rmmount-gain-root(8350)

INFERRED ACTION: CAN-1999-1080 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Cole, Dik
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Dik> sun bug: 4205437
 Frech> XF:solaris-rmmount-gain-root(8350)


======================================================
Candidate: CAN-1999-1362
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1362
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: MSKB:Q160601
Reference: URL:http://support.microsoft.com/support/kb/articles/q160/6/01.asp
Reference: XF:nt-win32k-dos(7403)
Reference: URL:http://www.iss.net/security_center/static/7403.php

Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a
denial of service (crash) by calling certain WIN32K functions with
incorrect parameters.


Modifications:
  ADDREF XF:nt-win32k-dos(7403)

INFERRED ACTION: CAN-1999-1362 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:nt-win32k-dos(7403)


======================================================
Candidate: CAN-2000-0060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0060
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94647711311057&w=2
Reference: BUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94633851427858&w=2
Reference: BID:894
Reference: URL:http://www.securityfocus.com/bid/894
Reference: XF:avirt-rover-pop3-dos(3765)
Reference: URL:http://www.iss.net/security_center/static/3765.php

Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers
to cause a denial of service via a long user name.


Modifications:
  ADDREF XF:avirt-rover-pop3-dos
  DESC add version
  ADDREF NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt

INFERRED ACTION: CAN-2000-0060 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech
   NOOP(1) Balinsky

Voter Comments:
 Frech> XF:avirt-rover-pop3-dos
 Balinsky> No mention of the problem or relevant patch on vendor website.
 Williams> Balinsky - this product is no longer supported by vendor.

   should include v1.1 for NT in title


======================================================
Candidate: CAN-2000-0072
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0072
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Warning: VCasel security hole.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94823061421676&w=2
Reference: BID:937
Reference: URL:http://www.securityfocus.com/bid/937
Reference: XF:vcasel-filename-trusting(3867)
Reference: URL:http://www.iss.net/security_center/static/3867.php

Visual Casel (Vcasel) does not properly prevent users from executing
files, which allows local users to use a relative pathname to specify
an alternate file which has an approved name and possibly gain
privileges.


Modifications:
  ADDREF XF:vcasel-filename-trusting(3867)

INFERRED ACTION: CAN-2000-0072 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:vcasel-filename-trusting(3867)


======================================================
Candidate: CAN-2000-0087
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0087
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020218-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000113 Misleading sense of security in Netscape
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94790377622943&w=2
Reference: XF:netscape-mail-notify-plaintext(4385)
Reference: URL:http://www.iss.net/security_center/static/4385.php

Netscape Mail Notification (nsnotify) utility in Netscape Communicator
uses IMAP without SSL, even if the user has set a preference for
Communicator to use an SSL connection, allowing a remote attacker to
sniff usernames and passwords in plaintext.


Modifications:
  ADDREF XF:netscape-mail-notify-plaintext(4385)

INFERRED ACTION: CAN-2000-0087 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Williams, Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:netscape-mail-notify-plaintext


======================================================
Candidate: CAN-2000-0976
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0976
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001012 another Xlib buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0211.html
Reference: SGI:20020502-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020502-01-I
Reference: BID:1805
Reference: URL:http://www.securityfocus.com/bid/1805
Reference: XF:xfree-xlib-bo(5751)
Reference: URL:http://www.iss.net/security_center/static/5751.php

Buffer overflow in xlib in XFree 3.3.x possibly allows local users to
execute arbitrary commands via a long DISPLAY environment variable or
a -display command line parameter.


Modifications:
  ADDREF XF:xfree-xlib-bo(5751)
  ADDREF SGI:20020502-01-I

INFERRED ACTION: CAN-2000-0976 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Mell, Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Cole

Voter Comments:
 Frech> XF:xfree-xlib-bo(5751)
 Christey> This might not be exploitable; see followups
 CHANGE> [Christey changed vote from REVIEWING to NOOP]
 Christey> SGI:20020502-01-I


======================================================
Candidate: CAN-2000-1166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1166
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001124 Security problems with TWIG webmail system
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0351.html
Reference: CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG
Reference: BID:1998
Reference: URL:http://www.securityfocus.com/bid/1998
Reference: XF:twig-php3-script-execute(5581)

Twig webmail system does not properly set the "vhosts" variable if it
is not configured on the site, which allows remote attackers to insert
arbitrary PHP (PHP3) code by specifying an alternate vhosts as an
argument to the index.php3 program.


Modifications:
  ADDREF XF:twig-php3-script-execute(5581)
  ADDREF CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG

INFERRED ACTION: CAN-2000-1166 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey

Voter Comments:
 Frech> XF:twig-php3-script-execute(5581)
 Christey> CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG
   Dated December 18, 2000: "Fixed security hole with respect to
   vhosts."


======================================================
Candidate: CAN-2000-1193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1193
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:20000412 Performance Copilot for IRIX 6.5
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0056.html
Reference: XF:irix-pcp-pmcd-dos(4284)
Reference: URL:http://xforce.iss.net/static/4284.php
Reference: SGI:20020407-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020407-01-I

Performance Metrics Collector Daemon (PMCD) in Performance Copilot in
IRIX 6.x allows remote attackers to cause a denial of service
(resource exhaustion) via an extremely long string to the PMCD port.


Modifications:
  CHANGEREF XF:irix-pcp-pmcd-dos(4284)
  ADDREF SGI:20020407-01-I

INFERRED ACTION: CAN-2000-1193 FINAL (Final Decision 20020625)

Current Votes:
   MODIFY(2) Frech, Williams
   NOOP(5) Wall, Foat, Cole, Stracener, Christey

Voter Comments:
 Frech> XF:irix-pcp-pmcd-dos(4284)
   (same XF:ID number, but slightly different name)
 Williams> not just a DoS.  also involves information gathering vuln.
 Christey> ADDREF SGI:20020407-01-I


======================================================
Candidate: CAN-2001-0508
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0508
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010829
Assigned: 20010608
Category: SF
Reference: BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
Reference: URL:http://online.securityfocus.com/archive/1/182579
Reference: MS:MS01-044
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
Reference: XF:iis-webdav-long-request-dos(6982)
Reference: URL:http://www.iss.net/security_center/static/6982.php
Reference: BID:2690
Reference: URL:http://www.securityfocus.com/bid/2690

Vulnerability in IIS 5.0 allows remote attackers to cause a denial of
service (restart) via a long, invalid WebDAV request.


Modifications:
  ADDREF XF:iis-webdav-long-request-dos(6982)
  ADDREF BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
  ADDREF BID:2690

INFERRED ACTION: CAN-2001-0508 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Foat, Cole, Armstrong, Bishop, Ziese
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:iis-webdav-long-request-dos(6982)
 Christey> Need to determine whether this CAN is fixing this problem:
   BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
   URL:http://www.securityfocus.com/archive/1/3AF56057.1CB06CBC@guninski.com
   If so, then ADDREF BID:2690 as well.
 Christey> Yes, these are the same issue
 Christey> BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2
   URL:http://online.securityfocus.com/archive/1/182579
   (confirmed w/Microsoft)


======================================================
Candidate: CAN-2001-0550
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010718
Category: SF
Reference: VULN-DEV:20010430 some ftpd implementations mishandle CWD ~{
Reference: URL:http://www.securityfocus.com/archive/82/180823
Reference: BUGTRAQ:20011128 CORE-20011001: Wu-FTP glob heap corruption vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100700363414799&w=2
Reference: CERT:CA-2001-33
Reference: URL:http://www.cert.org/advisories/CA-2001-33.html
Reference: CERT-VN:VU#886083
Reference: URL:http://www.kb.cert.org/vuls/id/886083
Reference: REDHAT:RHSA-2001-157
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-157.html
Reference: CALDERA:CSSA-2001-041.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt
Reference: CALDERA:CSSA-2001-SCO.36
Reference: MANDRAKE:MDKSA-2001:090
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-090.php3
Reference: HP:HPSBUX0107-162
Reference: ISS:20011129 WU-FTPD Heap Corruption Vulnerability
Reference: BID:3581
Reference: URL:http://www.securityfocus.com/bid/3581
Reference: XF:wuftp-glob-heap-corruption(7611)

wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands
via a "~{" argument to commands such as CWD, which is not properly
handled by the glob function (ftpglob).


Modifications:
  ADDREF XF:wuftp-glob-heap-corruption(7611)
  ADDREF CALDERA:CSSA-2001-SCO.36

INFERRED ACTION: CAN-2001-0550 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:wuftp-glob-heap-corruption(7611)
 Christey> CALDERA:CSSA-2001-SCO.36


======================================================
Candidate: CAN-2001-0553
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0553
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20010727
Assigned: 20010724
Category: SF
Reference: BUGTRAQ:20010720 URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0486.html
Reference: CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
Reference: CERT-VN:VU#737451
Reference: URL:http://www.kb.cert.org/vuls/id/737451
Reference: CIAC:L-121
Reference: URL:http://www.ciac.org/ciac/bulletins/l-121.shtml
Reference: BID:3078
Reference: URL:http://www.securityfocus.com/bid/3078
Reference: XF:ssh-password-length-unauth-access(6868)

SSH Secure Shell 3.0.0 on Unix systems does not properly perform
password authentication to the sshd2 daemon, which allows local users
to gain access to accounts with short password fields, such as locked
accounts that use "NP" in the password field.


Modifications:
  ADDREF XF:ssh-password-length-unauth-access(6868)
  ADDREF CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
  ADDREF CERT-VN:VU#737451
  ADDREF BID:3078
  ADDREF CIAC:L-121

INFERRED ACTION: CAN-2001-0553 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Frech
   NOOP(5) Christey, Wall, Foat, Cole, Ziese

Voter Comments:
 Frech> XF:ssh-password-length-unauth-access(6868)
 Christey> CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm
   CERT-VN:VU#737451
   URL:http://www.kb.cert.org/vuls/id/737451
   BID:3078
   URL:http://www.securityfocus.com/bid/3078
   CIAC:L-121
   URL:http://www.ciac.org/ciac/bulletins/l-121.shtml


======================================================
Candidate: CAN-2001-0726
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0726
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010927
Category: SF
Reference: MS:MS01-057
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-057.asp
Reference: XF:exchange-owa-embedded-script-execution(7663)
Reference: BID:3650
Reference: URL:http://online.securityfocus.com/bid/3650

Outlook Web Access (OWA) in Microsoft Exchange 5.5 Server, when used
with Internet Explorer, does not properly detect certain inline
script, which can allow remote attackers to perform arbitrary actions
on a user's Exchange mailbox via an HTML e-mail message.


Modifications:
  ADDREF XF:exchange-owa-embedded-script-execution(7663)
  ADDREF BID:3650

INFERRED ACTION: CAN-2001-0726 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Baker, Foat, Cole, Green
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:exchange-owa-embedded-script-execution(7663)
 Christey> Consider adding BID:3650


======================================================
Candidate: CAN-2001-0727
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0727
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20010927
Category: SF
Reference: BUGTRAQ:20011214 MSIE may download and run progams automatically
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100835204509262&w=2
Reference: BUGTRAQ:20011216 Re: MSIE may download and run progams automatically - NOT SO FAST
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100861273114437&w=2
Reference: MS:MS01-058
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-058.asp
Reference: CERT:CA-2001-36
Reference: URL:http://www.cert.org/advisories/CA-2001-36.html
Reference: XF:ie-file-download-execution(7703)
Reference: BID:3578

Internet Explorer 6.0 allows remote attackers to execute arbitrary
code by modifying the Content-Disposition and Content-Type header
fields in a way that causes Internet Explorer to believe that the file
is safe to open without prompting the user, aka the "File Execution
Vulnerability."


Modifications:
  ADDREF XF:ie-file-download-execution(7703)
  ADDREF BID:3578

INFERRED ACTION: CAN-2001-0727 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Baker, Foat, Cole, Green
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:ie-file-download-execution(7703)
 Christey> Consider adding BID:3578


======================================================
Candidate: CAN-2001-0731
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20011008
Category: SF
Reference: BUGTRAQ:20010709 How Google indexed a file with no external link
Reference: URL:http://www.securityfocus.com/archive/1/20010709214744.A28765@brasscannon.net
Reference: CONFIRM:http://www.apacheweek.com/issues/01-10-05#security
Reference: MANDRAKE:MDKSA-2001:077
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-077-1.php3
Reference: BID:3009
Reference: URL:http://www.securityfocus.com/bid/3009
Reference: XF:apache-multiviews-directory-listing(8275)
Reference: SGI:20020301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P

Apache 1.3.20 with Multiviews enabled allows remote attackers to view
directory contents and bypass the index page via a URL containing the
"M=D" query string.


Modifications:
  ADDREF XF:apache-multiviews-directory-listing(8275)
  ADDREF SGI:20020301-01-P

INFERRED ACTION: CAN-2001-0731 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Foat, Cole, Armstrong, Ziese, Green
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Christey> SGI:20020301-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P
 Frech> XF:apache-multiviews-directory-listing(8275)


======================================================
Candidate: CAN-2001-0769
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0769
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010527 def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html
Reference: XF:guildftpd-null-memory-leak(6613)
Reference: URL:http://xforce.iss.net/static/6613.php

Memory leak in GuildFTPd Server 0.97 allows remote attackers to cause
a denial of service via a request containing a null character.

INFERRED ACTION: CAN-2001-0769 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Foat, Frech
   NOOP(4) Christey, Wall, Cole, Armstrong

Voter Comments:
 Christey> Email ack received from guildftpd@nitrolic.com on 3/8/2002


======================================================
Candidate: CAN-2001-0770
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0770
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020308-01
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010527 def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html
Reference: XF:guildftpd-site-bo(6612)
Reference: URL:http://xforce.iss.net/static/6612.php
Reference: CONFIRM:http://www.nitrolic.com/help/history.htm

Buffer overflow in GuildFTPd Server 0.97 allows remote attacker to
execute arbitrary code via a long SITE command.


Modifications:
  ADDREF CONFIRM:http://www.nitrolic.com/help/history.htm

INFERRED ACTION: CAN-2001-0770 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Foat, Armstrong, Frech
   NOOP(3) Christey, Wall, Cole

Voter Comments:
 Christey> Possible ACK at http://www.nitrolic.com/help/history.htm
   Inquiry sent to guildftpd@nitrolic.com on 2/25/2002
 Christey> Email ack received from guildftpd@nitrolic.com on 3/8/2002


======================================================
Candidate: CAN-2001-0797
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0797
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011024
Category: SF
Reference: ISS:20011212 Buffer Overflow in /bin/login
Reference: URL:http://xforce.iss.net/alerts/advise105.php
Reference: BUGTRAQ:20011219 Linux distributions and /bin/login overflow
Reference: URL:http://www.securityfocus.com/archive/1/246487
Reference: CERT:CA-2001-34
Reference: URL:http://www.cert.org/advisories/CA-2001-34.html
Reference: CERT-VN:VU#569272
Reference: URL:http://www.kb.cert.org/vuls/id/569272
Reference: CALDERA:CSSA-2001-SCO.40
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/CSSA-2001-SCO.40.txt
Reference: SUN:00213
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213
Reference: AIXAPAR:IY26221
Reference: SGI:20011201-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I
Reference: SUNBUG:4516885
Reference: BUGTRAQ:20011214 Sun Solaris login bug patches out
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100844757228307&w=2
Reference: XF:telnet-tab-bo(7284)
Reference: URL:http://xforce.iss.net/static/7284.php
Reference: BID:3681
Reference: URL:http://www.securityfocus.com/bid/3681

Buffer overflow in login in various System V based operating systems
allows remote attackers to execute arbitrary commands via a large
number of arguments through services such as telnet and rlogin.


Modifications:
  ADDREF SUNBUG:4516885
  ADDREF BUGTRAQ:20011214 Sun Solaris login bug patches out

INFERRED ACTION: CAN-2001-0797 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Cole, Frech, Dik, Green
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Dik> Sun bugid: 4516885
 Christey> BUGTRAQ:20011214 Sun Solaris login bug patches out
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100844757228307&w=2


======================================================
Candidate: CAN-2001-0869
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0869
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011129
Category: SF
Reference: SUSE:SuSE-SA:2001:042
Reference: URL:http://lwn.net/alerts/SuSE/SuSE-SA%3A2001%3A042.php3
Reference: CALDERA:CSSA-2001-040.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-040.0.txt
Reference: REDHAT:RHSA-2001-150
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-150.html
Reference: REDHAT:RHSA-2001-151
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-151.html
Reference: MANDRAKE:MDKSA-2002:018
Reference: XF:cyrus-sasl-format-string(7443)
Reference: URL:http://xforce.iss.net/static/7443.php
Reference: FREEBSD:FreeBSD-SA-02:15
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:15.cyrus-sasl.asc

Format string vulnerability in the default logging callback function
in Cyrus SASL library (cyrus-sasl) may allow remote attackers to
execute arbitrary commands.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:018
  ADDREF FREEBSD:FreeBSD-SA-02:15

INFERRED ACTION: CAN-2001-0869 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:018
 Christey> ADDREF FREEBSD:FreeBSD-SA-02:15
   URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:15.cyrus-sasl.asc


======================================================
Candidate: CAN-2001-0872
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0872
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020228-01
Proposed: 20020131
Assigned: 20011203
Category: SF
Reference: BUGTRAQ:20011204 [Fwd: OpenSSH 3.0.2 fixes UseLogin vulnerability]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100749779131514&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100747128105913&w=2
Reference: REDHAT:RHSA-2001:161
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-161.html
Reference: SUSE:SuSE-SA:2001:045
Reference: URL:http://lists.suse.com/archives/suse-security-announce/2001-Dec/0001.html
Reference: DEBIAN:DSA-091
Reference: URL:http://www.debian.org/security/2001/dsa-091
Reference: XF:openssh-uselogin-execute-code(7647)
Reference: URL:http://xforce.iss.net/static/7647.php

OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly
cleanse critical environment variables such as LD_PRELOAD, which
allows local users to gain root privileges.


Modifications:
  ADDREF DEBIAN:DSA-091

INFERRED ACTION: CAN-2001-0872 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Green, Wall, Baker, Foat, Cole, Frech


======================================================
Candidate: CAN-2001-0884
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0884
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011213
Category: SF
Reference: BUGTRAQ:20011128 Cgisecurity.com Advisory #7: Mailman Email Archive Cross Site Scripting
Reference: URL:http://www.securityfocus.com/archive/1/242839
Reference: CONECTIVA:CLA-2001:445
Reference: URL:http://www.securityfocus.com/advisories/3721
Reference: REDHAT:RHSA-2001:168
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-168.html
Reference: REDHAT:RHSA-2001:170
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-170.html
Reference: XF:mailman-java-css(7617)
Reference: URL:http://xforce.iss.net/static/7617.php
Reference: BID:3602
Reference: URL:http://www.securityfocus.com/bid/3602

Cross-site scripting vulnerability in Mailman email archiver before
2.08 allows attackers to obtain sensitive information or
authentication credentials via a malicious link that is accessed by
other web users.

INFERRED ACTION: CAN-2001-0884 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0886
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0886
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011214
Category: SF
Reference: MISC:http://sources.redhat.com/ml/bug-glibc/2001-11/msg00109.html
Reference: BUGTRAQ:20011217 [Global InterSec 2001121001] glibc globbing issues.
Reference: URL:http://www.securityfocus.com/archive/1/245956
Reference: REDHAT:RHSA-2001-160
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-160.html
Reference: MANDRAKE:MDKSA-2001:095
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-095.php3
Reference: ENGARDE:ESA-20011217-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1752.html
Reference: XF:glibc-glob-bo(7705)
Reference: URL:http://xforce.iss.net/static/7705.php
Reference: BID:3707
Reference: URL:http://www.securityfocus.com/bid/3707

Buffer overflow in glob function of glibc allows attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
glob pattern that ends in a brace "{" character.

INFERRED ACTION: CAN-2001-0886 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Green, Wall, Baker, Cole, Frech
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-0887
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0887
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011219
Category: SF
Reference: FREEBSD:FreeBSD-SA-01:68
Reference: URL:http://www.securityfocus.com/advisories/3734
Reference: BID:3700
Reference: URL:http://www.securityfocus.com/bid/3700
Reference: XF:xsane-temp-symlink(7714)
Reference: URL:http://xforce.iss.net/static/7714.php

xSANE 0.81 and earlier allows local users to modify files of other
xSANE users via a symlink attack on temporary files.

INFERRED ACTION: CAN-2001-0887 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0888
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0888
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20011219
Category: SF
Reference: BUGTRAQ:20011221 VIGILANTe advisory 2001003 : Atmel SNMP Non Public Community String DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100895903202798&w=2
Reference: XF:atmel-snmp-community-dos(7734)
Reference: URL:http://xforce.iss.net/static/7734.php
Reference: BID:3734
Reference: URL:http://www.securityfocus.com/bid/3734

Atmel Firmware 1.3 Wireless Access Point (WAP) allows remote attackers
to cause a denial of service via a SNMP request with (1) a community
string other than "public" or (2) an unknown OID, which causes the WAP
to deny subsequent SNMP requests.

INFERRED ACTION: CAN-2001-0888 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0889
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0889
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20011221
Category: SF
Reference: BUGTRAQ:20011219 [ph10@cus.cam.ac.uk: [Exim] Potential security problem]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100877978506387&w=2
Reference: REDHAT:RHSA-2001:176
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-176.html
Reference: XF:exim-pipe-hostname-commands(7738)

Exim 3.22 and earlier, in some configurations, does not properly
verify the local part of an address when redirecting the address to a
pipe, which could allow remote attackers to execute arbitrary commands
via shell metacharacters.


Modifications:
  ADDREF XF:exim-pipe-hostname-commands(7738)

INFERRED ACTION: CAN-2001-0889 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:exim-pipe-hostname-commands(7738)


======================================================
Candidate: CAN-2001-0894
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0894
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011115 Postfix session log memory exhaustion bugfix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100584160110303&w=2
Reference: MANDRAKE:MDKSA-2001:089
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-089.php3?dis=8.1
Reference: DEBIAN:DSA-093
Reference: URL:http://www.debian.org/security/2001/dsa-093
Reference: REDHAT:RHSA-2001:156
Reference: BID:3544
Reference: URL:http://www.securityfocus.com/bid/3544
Reference: XF:postfix-smtp-log-dos(7568)
Reference: URL:http://xforce.iss.net/static/7568.php

Vulnerability in Postfix SMTP server before 20010228-pl07, when
configured to email the postmaster when SMTP errors cause the session
to terminate, allows remote attackers to cause a denial of service
(memory exhaustion) by generating a large number of SMTP errors, which
forces the SMTP session log to grow too large.


Modifications:
  ADDREF REDHAT:RHSA-2001:156

INFERRED ACTION: CAN-2001-0894 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
   MODIFY(1) Cox
   NOOP(1) Wall

Voter Comments:
 Cox> ADDREF REDHAT:RHSA-2001:156


======================================================
Candidate: CAN-2001-0895
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0895
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CISCO:20011115 Cisco IOS ARP Table Overwrite Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml
Reference: XF:cisco-arp-overwrite-table(7547)

Multiple Cisco networking products allow remote attackers to cause a
denial of service on the local network via a series of ARP packets
sent to the router's interface that contains a different MAC address
for the router, which eventually causes the router to overwrite the
MAC address in its ARP table.


Modifications:
  ADDREF XF:cisco-arp-overwrite-table(7547)

INFERRED ACTION: CAN-2001-0895 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:cisco-arp-overwrite-table(7547)


======================================================
Candidate: CAN-2001-0896
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0896
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CALDERA:CSSA-2001-SCO.33
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.33/CSSA-2001-SCO.33.txt
Reference: BUGTRAQ:20020201 RE: DoS bug on Tru64
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101284101228656&w=2
Reference: BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101303877215098&w=2
Reference: XF:openserver-nmap-po-option(7571)

Inetd in OpenServer 5.0.5 allows remote attackers to cause a denial of
service (crash) via a port scan, e.g. with nmap -PO.


Modifications:
  ADDREF BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
  ADDREF BUGTRAQ:20020201 RE: DoS bug on Tru64
  ADDREF XF:openserver-nmap-po-option(7571)

INFERRED ACTION: CAN-2001-0896 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> A rediscovery of this issue was reported in:
   BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101303877215098&w=2
   BUGTRAQ:20020201 RE: DoS bug on Tru64
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101284101228656&w=2
 Frech> XF:openserver-nmap-po-option(7571)


======================================================
Candidate: CAN-2001-0899
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0899
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011116 Network Tool 0.2 Addon for PHPNuke vulnerable to remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100593523104176&w=2
Reference: CONFIRM:http://phpnukerz.org/modules.php?name=Downloads&d_op=viewsdownload&sid=32
Reference: XF:phpnuke-nettools-command-execution(7578)

Network Tools 0.2 for PHP-Nuke allows remote attackers to execute
commands on the server via shell metacharacters in the $hostinput
variable.


Modifications:
  ADDREF XF:phpnuke-nettools-command-execution(7578)

INFERRED ACTION: CAN-2001-0899 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:phpnuke-nettools-command-execution(7578)


======================================================
Candidate: CAN-2001-0900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0900
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011118 Gallery Addon for PhpNuke remote file viewing vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100619599000590&w=2
Reference: CONFIRM:http://www.menalto.com/projects/gallery/article.php?sid=33&mode=&order=
Reference: XF:phpnuke-gallery-directory-traversal(7580)

Directory traversal vulnerability in modules.php in Gallery before
1.2.3 allows remote attackers to read arbitrary files via a .. (dot
dot) in the include parameter.


Modifications:
  ADDREF XF:phpnuke-gallery-directory-traversal(7580)

INFERRED ACTION: CAN-2001-0900 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:phpnuke-gallery-directory-traversal(7580)


======================================================
Candidate: CAN-2001-0901
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0901
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011119 Hypermail SSI Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100626603407639&w=2
Reference: CONFIRM:http://www.hypermail.org/dist/hypermail-2.1.4.tar.gz
Reference: XF:hypermail-ssi-execute-commands(7576)

Hypermail allows remote attackers to execute arbitrary commands on a
server supporting SSI via an attachment with a .shtml extension, which
is archived on the server and can then be executed by requesting the
URL for the attachment.


Modifications:
  ADDREF XF:hypermail-ssi-execute-commands(7576)

INFERRED ACTION: CAN-2001-0901 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:hypermail-ssi-execute-commands(7576)


======================================================
Candidate: CAN-2001-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0905
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: DEBIAN:DSA-083
Reference: URL:http://www.debian.org/security/2001/dsa-083
Reference: REDHAT:RHSA-2001:093
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-093.html
Reference: MANDRAKE:MDKSA-2001:085
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-085.php3
Reference: FREEBSD:FreeBSD-SA-01:60
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:60.procmail.asc
Reference: CONECTIVA:CLA-2001:433
Reference: BID:3071
Reference: URL:http://www.securityfocus.com/bid/3071
Reference: XF:procmail-signal-handling-race(6872)

Race condition in signal handling of procmail 3.20 and earlier, when
running setuid, allows local users to cause a denial of service or
gain root privileges by sending a signal while a signal handling
routine is already running.


Modifications:
  ADDREF CONECTIVA:CLA-2001:433
  ADDREF XF:procmail-signal-handling-race(6872)

INFERRED ACTION: CAN-2001-0905 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Green, Wall, Baker, Cole, Armstrong
   MODIFY(2) Christey, Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:procmail-signal-handling-race(6872)
 Christey> ADDREF CONECTIVA:CLA-2001:433


======================================================
Candidate: CAN-2001-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0906
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010622 LPRng + tetex tmpfile race - uid lp exploit
Reference: URL:http://www.securityfocus.com/archive/1/192647
Reference: REDHAT:RHSA-2001:102
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html
Reference: MANDRAKE:MDKSA-2001:086
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-086.php3
Reference: IMMUNIX:IMNX-2001-70-030-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-030-01
Reference: BID:2974
Reference: URL:http://www.securityfocus.com/bid/2974
Reference: XF:tetex-lprng-tmp-race(6785)
Reference: URL:http://xforce.iss.net/static/6785.php

teTeX filter before 1.0.7 allows local users to gain privileges via a
symlink attack on temporary files that are produced when printing .dvi
files using lpr.

INFERRED ACTION: CAN-2001-0906 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Green, Wall, Baker, Cole, Armstrong, Frech
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-0912
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0912
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: MANDRAKE:MDKSA-2001:087
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-087.php3?dis=8.1
Reference: XF:linux-expect-unauth-root(7604)
Reference: URL:http://xforce.iss.net/static/7604.php

Packaging error for expect 8.3.3 in Mandrake Linux 8.1 causes expect
to search for its libraries in the /home/snailtalk directory before
other directories, which could allow a local user to gain root
privileges.

INFERRED ACTION: CAN-2001-0912 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0917
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0917
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011122 Hi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100654722925155&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=tomcat-dev&m=100658457507305&w=2
Reference: XF:tomcat-reveal-install-path(7599)

Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path
information by requesting a long URL with a .JSP extension.


Modifications:
  ADDREF XF:tomcat-reveal-install-path(7599)

INFERRED ACTION: CAN-2001-0917 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:tomcat-reveal-install-path(7599)


======================================================
Candidate: CAN-2001-0918
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0918
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: SUSE:SuSE-SA:2001:041
Reference: URL:http://www.suse.de/de/support/security/2001_041_susehelp_txt.txt
Reference: XF:susehelp-cgi-command-execution(7583)
Reference: URL:http://xforce.iss.net/static/7583.php
Reference: BID:3576
Reference: URL:http://www.securityfocus.com/bid/3576

Vulnerabilities in CGI scripts in susehelp in SuSE 7.2 and 7.3 allow
remote attackers to execute arbitrary commands by not opening files
securely.

INFERRED ACTION: CAN-2001-0918 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0920
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0920
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011126 [CERT-intexxia] Auto Nice Daemon Format String Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100680319004162&w=2
Reference: CONFIRM:http://and.sourceforge.net/
Reference: XF:and-format-string(7606)
Reference: URL:http://xforce.iss.net/static/7606.php
Reference: BID:3580
Reference: URL:http://www.securityfocus.com/bid/3580

Format string vulnerability in auto nice daemon (AND) 1.0.4 and
earlier allows a local user to possibly execute arbitrary code via a
process name containing a format string.

INFERRED ACTION: CAN-2001-0920 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0929
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0929
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CISCO:20011128 A Vulnerability in IOS Firewall Feature Set
Reference: URL:http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml
Reference: XF:ios-cbac-bypass-acl(7614)

Cisco IOS Firewall Feature set, aka Context Based Access Control
(CBAC) or Cisco Secure Integrated Software, for IOS 11.2P through
12.2T does not properly check the IP protocol type, which could allow
remote attackers to bypass access control lists.


Modifications:
  ADDREF XF:ios-cbac-bypass-acl(7614)

INFERRED ACTION: CAN-2001-0929 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:ios-cbac-bypass-acl(7614)


======================================================
Candidate: CAN-2001-0936
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0936
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20011130 Alert: Vulnerability in frox transparent ftp proxy.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100713367307799&w=2
Reference: CONFIRM:http://frox.sourceforge.net/security.txt
Reference: XF:frox-ftp-proxy-bo(7632)
Reference: URL:http://xforce.iss.net/static/7632.php
Reference: BID:3606
Reference: URL:http://www.securityfocus.com/bid/3606

Buffer overflow in Frox transparent FTP proxy 0.6.6 and earlier, with
the local caching method selected, allows remote FTP servers to run
arbitrary code via a long response to an MDTM request.

INFERRED ACTION: CAN-2001-0936 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0939
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0939
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20011130 Denial of Service in Lotus Domino 5.08 and earlier HTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100715316426817&w=2
Reference: CONFIRM:http://www-1.ibm.com/support/manager.wss?rs=0&rt=0&org=sims&doc=4C8E450DBF2E7F1885256B200079FA88
Reference: BID:3607
Reference: URL:http://www.securityfocus.com/bid/3607
Reference: XF:lotus-domino-nhttp-dos(7631)

Lotus Domino 5.08 and earlier allows remote attackers to cause a
denial of service (crash) via a SunRPC NULL command to port 443.


Modifications:
  ADDREF XF:lotus-domino-nhttp-dos(7631)

INFERRED ACTION: CAN-2001-0939 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:lotus-domino-nhttp-dos(7631)
 CHANGE> [Frech changed vote from MODIFY to ACCEPT]


======================================================
Candidate: CAN-2001-0940
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0940
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: WIN2KSEC:20010921 Check Point FireWall-1 GUI Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0151.html
Reference: BUGTRAQ:20011128 Firewall-1 remote SYSTEM shell buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100698954308436&w=2
Reference: BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094268017271&w=2
Reference: BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow
Reference: URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00291.html
Reference: CHECKPOINT:20010919 GUI Buffer Overflow
Reference: URL:http://www.checkpoint.com/techsupport/alerts/buffer_overflow.html
Reference: BID:3336
Reference: URL:http://www.securityfocus.com/bid/3336
Reference: XF:fw1-log-viewer-bo(7145)
Reference: URL:http://xforce.iss.net/static/7145.php

Buffer overflow in the GUI authentication code of Check Point
VPN-1/FireWall-1 Management Server 4.0 and 4.1 allows remote attackers
to execute arbitrary code via a long user name.


Modifications:
  ADDREF BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
  ADDREF BID:3336
  ADDREF XF:fw1-log-viewer-bo(7145)
  ADDREF BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow

INFERRED ACTION: CAN-2001-0940 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094268017271&w=2
   BID:3336
   URL:http://www.securityfocus.com/bid/3336
   XF:fw1-log-viewer-bo(7145)
   URL:http://xforce.iss.net/static/7145.php
   BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow
   URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00291.html
 Frech> XF:fw1-log-viewer-bo(7145)


======================================================
Candidate: CAN-2001-0946
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0946
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011204 Symlink attack with apmd of RH 7.2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100743394701962&w=2
Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56389
Reference: XF:apmd-apmscript-symlink(8268)

apmscript in Apmd in Red Hat 7.2 "Enigma" allows local users to create
or change the modification dates of arbitrary files via a symlink
attack on the LOW_POWER temporary file, which could be used to cause a
denial of service, e.g. by creating /etc/nologin and disabling logins.


Modifications:
  ADDREF XF:apmd-apmscript-symlink(8268)

INFERRED ACTION: CAN-2001-0946 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Green, Wall, Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:apmd-apmscript-symlink(8268)


======================================================
Candidate: CAN-2001-0961
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0961
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: DEBIAN:DSA-076
Reference: URL:http://www.debian.org/security/2001/dsa-076
Reference: XF:most-file-create-bo(7149)
Reference: URL:http://xforce.iss.net/static/7149.php
Reference: BID:3347
Reference: URL:http://www.securityfocus.com/bid/3347

Buffer overflow in tab expansion capability of the most program allows
local or remote attackers to execute arbitrary code via a malformed
file that is viewed with most.

INFERRED ACTION: CAN-2001-0961 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Frech
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0962
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0962
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010919 Websphere cookie/sessionid predictable
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html
Reference: BUGTRAQ:20010928 Re: Websphere cookie/sessionid predictable
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html
Reference: CONFIRM:http://www14.software.ibm.com/webapp/download/postconfig.jsp?id=4000805&pf=Multi-Platform&v=3.0.2&e=Standard+%26+Advanced+Editions&cat=&s=p
Reference: XF:ibm-websphere-seq-predict(7153)
Reference: URL:http://xforce.iss.net/static/7153.php

IBM WebSphere Application Server 3.02 through 3.53 uses predictable
session IDs for cookies, which allows remote attackers to gain
privileges of WebSphere users via brute force guessing.

INFERRED ACTION: CAN-2001-0962 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Green, Frech
   NOOP(3) Wall, Foat, Cole


======================================================
Candidate: CAN-2001-0977
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0977
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CERT:CA-2001-18
Reference: URL:http://www.cert.org/advisories/CA-2001-18.html
Reference: CERT-VN:VU#935800
Reference: URL:http://www.kb.cert.org/vuls/id/935800
Reference: DEBIAN:DSA-068
Reference: URL:http://www.debian.org/security/2001/dsa-068
Reference: REDHAT:RHSA-2001:098
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-098.html
Reference: CONECTIVA:CLA-2001:417
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000417
Reference: MANDRAKE:MDKSA-2001:069
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-069.php3
Reference: BID:3049
Reference: URL:http://www.securityfocus.com/bid/3049
Reference: XF:openldap-ldap-protos-dos(6904)
Reference: URL:http://xforce.iss.net/static/6904.php

slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows
remote attackers to cause a denial of service (crash) via an invalid
Basic Encoding Rules (BER) length field.

INFERRED ACTION: CAN-2001-0977 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Green, Wall, Baker, Cole, Armstrong, Frech
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-0981
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0981
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: HP:HPSBUX0108-164
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q3/0048.html
Reference: XF:hp-cifs-change-passwords(7051)

HP CIFS/9000 Server (SAMBA) A.01.07 and earlier with the "unix
password sync" option enabled calls the passwd program without
specifying the username of the user making the request, which could
cause the server to change the password of a different user.


Modifications:
  ADDREF XF:hp-cifs-change-passwords(7051)

INFERRED ACTION: CAN-2001-0981 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:hp-cifs-change-passwords(7051)


======================================================
Candidate: CAN-2001-1002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1002
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010827 LPRng/rhs-printfilters - remote execution of commands
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99892644616749&w=2
Reference: REDHAT:RHSA-2001:102
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html
Reference: BID:3241
Reference: URL:http://www.securityfocus.com/bid/3241
Reference: XF:tetex-lprng-tmp-race(6785)

The default configuration of the DVI print filter (dvips) in Red Hat
Linux 7.0 and earlier does not run dvips in secure mode when dvips is
executed by lpd, which could allow remote attackers to gain privileges
by printing a DVI file that contains malicious commands.


Modifications:
  ADDREF XF:tetex-lprng-tmp-race(6785)

INFERRED ACTION: CAN-2001-1002 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:tetex-lprng-tmp-race(6785)
   Similar to CAN-2001-0906?
 Christey> Similar in the sense that lprng/lpd uses Tetex, or something
   like that.


======================================================
Candidate: CAN-2001-1022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1022
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010727 ADV/EXP:pic/lpd remote exploit - RH 7.0
Reference: URL:http://www.securityfocus.com/archive/1/199706
Reference: DEBIAN:DSA-072
Reference: URL:http://www.debian.org/security/2001/dsa-072
Reference: CONECTIVA:CLA-2001:428
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000428
Reference: XF:linux-groff-format-string(6918)
Reference: URL:http://xforce.iss.net/static/6918.php
Reference: BID:3103
Reference: URL:http://www.securityfocus.com/bid/3103

Format string vulnerability in pic utility in groff 1.16.1 and other
versions allows remote attackers to bypass the -S option and execute
arbitrary commands via format string specifiers in the plot command.

INFERRED ACTION: CAN-2001-1022 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1027
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1027
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CONFIRM:http://www.windowmaker.org/src/ChangeLog
Reference: DEBIAN:DSA-074
Reference: URL:http://www.debian.org/security/2001/dsa-074
Reference: CONECTIVA:CLA-2001:411
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000411
Reference: SUSE:SuSE-SA:2001:032
Reference: URL:http://www.suse.de/de/support/security/2001_032_wmaker_txt.txt
Reference: MANDRAKE:MDKSA-2001:074
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-074.php3
Reference: BID:3177
Reference: URL:http://www.securityfocus.com/bid/3177
Reference: XF:windowmaker-title-bo(6969)

Buffer overflow in WindowMaker (aka wmaker) 0.64 and earlier allows
remote attackers to execute arbitrary code via a long window title.


Modifications:
  ADDREF XF:windowmaker-title-bo(6969)

INFERRED ACTION: CAN-2001-1027 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:windowmaker-title-bo(6969)


======================================================
Candidate: CAN-2001-1030
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1030
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010718 Squid httpd acceleration acl bug enables portscanning
Reference: URL:http://www.securityfocus.com/archive/1/197727
Reference: BUGTRAQ:20010719 TSLSA-2001-0013 - Squid
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0362.html
Reference: IMMUNIX:IMNX-2001-70-031-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-031-01
Reference: CALDERA:CSSA-2001-029.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-029.0.txt
Reference: MANDRAKE:MDKSA-2001:066
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-066.php3
Reference: REDHAT:RHSA-2001:097
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-097.html
Reference: XF:squid-http-accelerator-portscanning(6862)
Reference: URL:http://xforce.iss.net/static/6862.php

Squid before 2.3STABLE5 in HTTP accelerator mode does not enable
access control lists (ACLs) when the httpd_accel_host and
http_accel_with_proxy off settings are used, which allows attackers to
bypass the ACLs and conduct unauthorized activities such as port
scanning.

INFERRED ACTION: CAN-2001-1030 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1032
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1032
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010924 twlc advisory: all versions of php nuke are vulnerable...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0203.html
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
Reference: XF:php-nuke-admin-file-overwrite(7170)
Reference: URL:http://xforce.iss.net/static/7170.php
Reference: BID:3361
Reference: URL:http://www.securityfocus.com/bid/3361

admin.php in PHP-Nuke 5.2 and earlier, except 5.0RC1, does not check
login credentials for upload operations, which allows remote attackers
to copy and upload arbitrary files and read the PHP-Nuke configuration
file by directly calling admin.php with an upload parameter and
specifying the file to copy.


Modifications:
  ADDREF CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
  ADDREF BID:3361

INFERRED ACTION: CAN-2001-1032 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(4) Wall, Foat, Cole, Christey

Voter Comments:
 Christey> CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892
   BID:3361
   URL:http://www.securityfocus.com/bid/3361


======================================================
Candidate: CAN-2001-1043
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1043
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010701 ArGoSoft 1.2.2.2 *.lnk upload Directory Traversal
Reference: URL:http://www.securityfocus.com/archive/1/194445
Reference: BID:2961
Reference: URL:http://www.securityfocus.com/bid/2961
Reference: XF:ftp-lnk-directory-traversal(6760)
Reference: URL:http://xforce.iss.net/static/6760.php

ArGoSoft FTP Server 1.2.2.2 allows remote attackers to read arbitrary
files and directories by uploading a .lnk (link) file that points to
the target file.

INFERRED ACTION: CAN-2001-1043 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(4) Wall, Foat, Armstrong, Christey

Voter Comments:
 CHANGE> [Green changed vote from REVIEWING to ACCEPT]
 Christey> Acknowledged by the vendor in an email to Dave Baker,
   May 9.


======================================================
Candidate: CAN-2001-1046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1046
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010602 Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/188267
Reference: VULN-DEV:20010420 Qpopper 4.0 Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=98777649031406&w=2
Reference: CALDERA:CSSA-2001-SCO.8
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html
Reference: BID:2811
Reference: URL:http://www.securityfocus.com/bid/2811
Reference: XF:qpopper-username-bo(6647)
Reference: URL:http://xforce.iss.net/static/6647.php

Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2
allows remote attackers gain privileges via a long username.

INFERRED ACTION: CAN-2001-1046 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1053
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010713 AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0249.html
Reference: CONFIRM:http://www.adcycle.com/cgi-bin/download.cgi?type=UNIX&version=1.17
Reference: XF:adcycle-insert-sql-command(6837)
Reference: URL:http://xforce.iss.net/static/6837.php
Reference: BID:3032
Reference: URL:http://www.securityfocus.com/bid/3032

AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to
bypass authentication and gain privileges by injecting SQL code in the
$password argument.


Modifications:
  DELREF XF:php-includedir-code-execution(7215)

INFERRED ACTION: CAN-2001-1053 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> DELREF XF:php-includedir-code-execution(7215)


======================================================
Candidate: CAN-2001-1062
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1062
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020228-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CALDERA:CSSA-2001-SCO.12
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.12/CSSA-2001-SCO.12.txt
Reference: XF:openserver-mana-bo(7034)
Reference: URL:http://www.iss.net/security_center/static/7034.php

Buffer overflow in mana in OpenServer 5.0.6a and earlier allows local
users to execute arbitrary code.


Modifications:
  ADDREF XF:openserver-mana-bo(7034)

INFERRED ACTION: CAN-2001-1062 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:openserver-mana-bo(7034)


======================================================
Candidate: CAN-2001-1071
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1071
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011009 Cisco CDP attacks
Reference: URL:http://www.securityfocus.com/archive/1/219257
Reference: BUGTRAQ:20011009 Cisco Systems - Vulnerability in CDP
Reference: URL:http://www.securityfocus.com/archive/1/219305
Reference: BID:3412
Reference: URL:http://www.securityfocus.com/bid/3412
Reference: XF:cisco-ios-cdp-dos(7242)
Reference: URL:http://xforce.iss.net/static/7242.php

Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP)
allows remote attackers to cause a denial of service (memory
consumption) via a flood of CDP neighbor announcements.

INFERRED ACTION: CAN-2001-1071 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1072
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1072
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010812 Are your mod_rewrite rules doing what you expect?
Reference: URL:http://www.securityfocus.com/archive/1/203955
Reference: CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
Reference: BID:3176
Reference: URL:http://www.securityfocus.com/bid/3176
Reference: XF:apache-rewrite-bypass-directives(8633)

Apache with mod_rewrite enabled on most UNIX systems allows remote
attackers to bypass RewriteRules by inserting extra / (slash)
characters into the requested path, which causes the regular
expression in the RewriteRule to fail


Modifications:
  ADDREF CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
  ADDREF XF:apache-rewrite-bypass-directives(8633)

INFERRED ACTION: CAN-2001-1072 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Christey

Voter Comments:
 Christey> ADDREF CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
 Christey> CONFIRM:http://www.apacheweek.com/issues/02-02-01#security
 Frech> Not apache-rewrite-view-files(5310).
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:apache-rewrite-bypass-directives(8633)


======================================================
Candidate: CAN-2001-1074
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1074
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010526 Webmin Doesn't Clean Env (root exploit)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0262.html
Reference: CALDERA:CSSA-2001-019.1
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-019.1.txt
Reference: MANDRAKE:MDKSA-2001:059
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-059.php3
Reference: XF:webmin-gain-information(6627)
Reference: URL:http://xforce.iss.net/static/6627.php
Reference: BID:2795
Reference: URL:http://www.securityfocus.com/bid/2795

Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION
environment variable when the web server is restarted, which makes
authentication information available to all CGI programs and allows
local users to gain privileges.

INFERRED ACTION: CAN-2001-1074 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Baker, Cole, Armstrong, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1079
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: AIXAPAR:IY19069
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0000.html
Reference: XF:aix-keyfile-world-writable(8923)

create_keyfiles in PSSP 3.2 with DCE 3.1 authentication on AIX creates
keyfile directories with world-writable permissions, which could allow
a local user to delete key files and cause a denial of service.


Modifications:
  DESC Remove 3.2.0 from AIX version number
  ADDREF XF:aix-keyfile-world-writable(8923)

INFERRED ACTION: CAN-2001-1079 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(2) Bollinger, Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Bollinger> incorrect.  The "REL: 320" in the aixserv email refers to the PSSP
   version, not the AIX version.
 Frech> XF: aix-keyfile-world-writable(8923)


======================================================
Candidate: CAN-2001-1083
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1083
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-02
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010626 Advisory
Reference: URL:http://www.securityfocus.com/archive/1/193516
Reference: MISC:http://www.icecast.org/index.html
Reference: CONFIRM:http://www.icecast.org/releases/icecast-1.3.11.tar.gz
Reference: DEBIAN:DSA-089
Reference: URL:http://www.debian.org/security/2001/dsa-089
Reference: CALDERA:CSSA-2002-020.0
Reference: BID:2933
Reference: URL:http://www.securityfocus.com/bid/2933
Reference: XF:icecast-http-remote-dos(6751)
Reference: URL:http://xforce.iss.net/static/6751.php

Icecast 1.3.7, and other versions before 1.3.11 with HTTP server file
streaming support enabled allows remote attackers to cause a denial of
service (crash) via a URL that ends in . (dot), / (forward slash), or
\ (backward slash).


Modifications:
  ADDREF CONFIRM:http://www.icecast.org/releases/icecast-1.3.11.tar.gz
  DESC update versions.
  ADDREF DEBIAN:DSA-089
  ADDREF CALDERA:CSSA-2002-020.0

INFERRED ACTION: CAN-2001-1083 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(5) Wall, Foat, Cole, Armstrong, Christey

Voter Comments:
 CHANGE> [Green changed vote from REVIEWING to ACCEPT]
 Christey> CALDERA:CSSA-2002-020.0


======================================================
Candidate: CAN-2001-1084
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1084
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010702 Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194464
Reference: ALLAIRE:MPSB01-06
Reference: URL:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full
Reference: BID:2983
Reference: URL:http://www.securityfocus.com/bid/2983
Reference: XF:java-servlet-crosssite-scripting(6793)
Reference: URL:http://www.iss.net/security_center/static/6793.php

Cross-site scripting vulnerability in Allaire JRun 3.1 and earlier
allows a malicious webmaster to embed Javascript in a request for a
.JSP, .shtml, .jsp10, .jrun, or .thtml file that does not exist, which
causes the Javascript to be inserted into an error message.

INFERRED ACTION: CAN-2001-1084 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1085
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1085
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010705 lmail local root exploit
Reference: URL:http://www.securityfocus.com/archive/1/195022
Reference: XF:lmail-tmpfile-symlink(6809)
Reference: URL:http://xforce.iss.net/static/6809.php
Reference: BID:2984
Reference: URL:http://www.securityfocus.com/bid/2984

Lmail 2.7 and earlier allows local users to overwrite arbitrary files
via a symlink attack on a temporary file.

INFERRED ACTION: CAN-2001-1085 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Frech, Ziese
   NOOP(5) Wall, Foat, Cole, Armstrong, Green


======================================================
Candidate: CAN-2001-1088
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1088
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: BUGTRAQ:20010605 SECURITY.NNOV: Outlook Express address book spoofing
Reference: URL:http://www.securityfocus.com/archive/1/188752
Reference: CONFIRM:http://support.microsoft.com/default.aspx?scid=kb;EN-US;q234241
Reference: XF:outlook-address-book-spoofing(6655)
Reference: URL:http://xforce.iss.net/static/6655.php
Reference: BID:2823
Reference: URL:http://www.securityfocus.com/bid/2823

Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier,
with the "Automatically put people I reply to in my address book"
option enabled, do not notify the user when the "Reply-To" address is
different than the "From" address, which could allow an untrusted
remote attacker to spoof legitimate addresses and intercept email from
the client that is intended for another user.

INFERRED ACTION: CAN-2001-1088 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(8) Wall, Baker, Foat, Cole, Armstrong, Frech, Ziese, Green


======================================================
Candidate: CAN-2001-1089
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1089
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010910 RUS-CERT Advisory 2001-09:01
Reference: URL:http://www.securityfocus.com/archive/1/213331
Reference: BID:3314
Reference: URL:http://www.securityfocus.com/bid/3314
Reference: XF:postgresql-nss-authentication-modules(7111)
Reference: URL:http://xforce.iss.net/static/7111.php

libnss-pgsql in nss-pgsql 0.9.0 and earlier allows remote attackers to
execute arbitrary SQL queries by inserting SQL code into an HTTP
request.

INFERRED ACTION: CAN-2001-1089 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1095
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: AIXAPAR:IY23401
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

Buffer overflow in uuq in AIX 4 could alllow local users to execute
arbitrary code via a long -r parameter.

INFERRED ACTION: CAN-2001-1095 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Bollinger, Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1096
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1096
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: AIXAPAR:IY23402
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

Buffer overflows in muxatmd in AIX 4 allows an attacker to cause a
core dump and possibly execute code.

INFERRED ACTION: CAN-2001-1096 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Bollinger, Cole, Armstrong, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1099
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1099
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: BUGTRAQ:20010907 Microsoft Exchange + Norton AntiVirus leak local information
Reference: URL:http://www.securityfocus.com/archive/1/212724
Reference: BUGTRAQ:20010912 Re: Microsoft Exchange + Norton AntiVirus leak local information
Reference: URL:http://www.securityfocus.com/archive/1/213762
Reference: XF:nav-exchange-reveal-information(7093)
Reference: URL:http://xforce.iss.net/static/7093.php
Reference: BID:3305
Reference: URL:http://www.securityfocus.com/bid/3305

The default configuration of Norton AntiVirus for Microsoft Exchange
2000 2.x allows remote attackers to identify the recipient's INBOX
file path by sending an email with an attachment containing malicious
content, which includes the path in the rejection notice.

INFERRED ACTION: CAN-2001-1099 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1100
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1100
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011007 Bug found at W3Mail Webmail
Reference: URL:http://www.securityfocus.com/archive/1/218921
Reference: CONFIRM:http://www.w3mail.org/ChangeLog
Reference: BID:3673
Reference: URL:http://www.securityfocus.com/bid/3673
Reference: XF:w3mail-metacharacters-command-execution(7230)
Reference: URL:http://xforce.iss.net/static/7230.php

sendmessage.cgi in W3Mail 1.0.2, and possibly other CGI programs,
allows remote attackers to execute arbitrary commands via shell
metacharacters in any field of the 'Compose Message' page.

INFERRED ACTION: CAN-2001-1100 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1108
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1108
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010726 Snapstream PVS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0606.html
Reference: CONFIRM:http://discuss.snapstream.com/ubb/Forum1/HTML/000216.html
Reference: XF:snapstream-dot-directory-traversal(6917)
Reference: URL:http://xforce.iss.net/static/6917.php
Reference: BID:3100
Reference: URL:http://www.securityfocus.com/bid/3100

Directory traversal vulnerability in SnapStream PVS 1.2a allows remote
attackers to read arbitrary files via a .. (dot dot) attack in the
requested URL.

INFERRED ACTION: CAN-2001-1108 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1113
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1113
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010813 Local exploit for TrollFTPD-1.26
Reference: URL:http://www.securityfocus.com/archive/1/203874
Reference: CONFIRM:ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz
Reference: XF:trollftpd-long-path-bo(6974)
Reference: URL:http://xforce.iss.net/static/6974.php
Reference: BID:3174
Reference: URL:http://www.securityfocus.com/bid/3174

Buffer overflow in TrollFTPD 1.26 and earlier allows local users to
execute arbitrary code by creating a series of deeply nested
directories with long names, then running the ls -R (recursive)
command.

INFERRED ACTION: CAN-2001-1113 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1116
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1116
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020320-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: NTBUGTRAQ:20010802 Identix BioLogon Client security bug
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=IND0108&L=NTBUGTRAQ&F=P&S=&P=71
Reference: NTBUGTRAQ:20010808 Response to Identix BioLogon Client security bug
Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0108&L=ntbugtraq&F=P&S=&P=724
Reference: XF:identix-biologon-auth-bypass(6948)
Reference: URL:http://xforce.iss.net/static/6948.php
Reference: BID:3140
Reference: URL:http://www.securityfocus.com/bid/3140

Identix BioLogon 2.03 and earlier does not lock secondary displays on
a multi-monitor system running Windows 98 or ME, which allows an
attacker with physical access to the system to bypass authentication
through a secondary display.


Modifications:
  CHANGEREF XF [fix typo in tagname]

INFERRED ACTION: CAN-2001-1116 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Foat, Cole, Frech, Ziese, Green
   NOOP(2) Wall, Armstrong


======================================================
Candidate: CAN-2001-1117
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1117
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010810 Linksys router security fix
Reference: URL:http://www.securityfocus.com/archive/1/203302
Reference: BUGTRAQ:20010802 Advisory Update: Design Flaw in Linksys EtherFast 4-Port
Reference: URL:http://www.securityfocus.com/archive/1/201390
Reference: CONFIRM:ftp://ftp.linksys.com/pub/befsr41/befsr-fw1402.zip
Reference: XF:linksys-etherfast-reveal-passwords(6949)
Reference: URL:http://xforce.iss.net/static/6949.php
Reference: BID:3141
Reference: URL:http://www.securityfocus.com/bid/3141

LinkSys EtherFast BEFSR41 Cable/DSL routers running firmware before
1.39.3 Beta allows a remote attacker to view administration and user
passwords by connecting to the router and viewing the HTML source for
(1) index.htm and (2) Password.htm.

INFERRED ACTION: CAN-2001-1117 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Foat, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Wall


======================================================
Candidate: CAN-2001-1118
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1118
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010802 Roxen security alert: URL decoding vulnerable
Reference: URL:http://www.securityfocus.com/archive/1/201476
Reference: BUGTRAQ:20010802 FW: Security alert: Remote user can access any file
Reference: URL:http://www.securityfocus.com/archive/1/201499
Reference: CONFIRM:http://download.roxen.com/2.0/patch/security-notice.html
Reference: BID:3145
Reference: URL:http://www.securityfocus.com/bid/3145
Reference: XF:roxen-urlrectifier-retrieve-files(6937)
Reference: URL:http://xforce.iss.net/static/6937.php

A module in Roxen 2.0 before 2.0.92, and 2.1 before 2.1.264, does not
properly decode UTF-8, Mac and ISO-2202 encoded URLs, which could
allow a remote attacker to execute arbitrary commands or view
arbitrary files via an encoded URL.

INFERRED ACTION: CAN-2001-1118 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1119
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1119
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CERT-VN:VU#105347
Reference: URL:http://www.kb.cert.org/vuls/id/105347
Reference: SUSE:SuSE-SA:2001:025
Reference: URL:http://www.suse.de/de/support/security/2001_025_xmcd_txt.html
Reference: BID:3148
Reference: URL:http://www.securityfocus.com/bid/3148
Reference: XF:xmcd-cda-symlink(6941)
Reference: URL:http://xforce.iss.net/static/6941.php

cda in xmcd 3.0.2 and 2.6 in SuSE Linux allows local users to
overwrite arbitrary files via a symlink attack.

INFERRED ACTION: CAN-2001-1119 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1121
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1121
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010702 Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194464
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full
Reference: XF:java-servlet-crosssite-scripting(6793)
Reference: URL:http://xforce.iss.net/static/6793.php
Reference: BID:2983
Reference: URL:http://www.securityfocus.com/bid/2983

Cross-site scripting (CSS) vulnerability in JRun 3.0 and 2.3.3 allows
remote attackers to execute JavaScript on other clients via a web page
URL that references a non-existent JSP file or Servlet, which causes
the script to be returned in an error message.

INFERRED ACTION: CAN-2001-1121 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1130
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1130
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010802 suse: sdbsearch.cgi vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/201216
Reference: SUSE:SuSE-SA:2001:027
Reference: URL:http://www.suse.de/de/support/security/2001_027_sdb_txt.txt
Reference: XF:sdbsearch-cgi-command-execution(7003)
Reference: URL:http://xforce.iss.net/static/7003.php

Sdbsearch.cgi in SuSE Linux 6.0-7.2 could allow remote attackers to
execute arbitrary commands by uploading a keylist.txt file that
contains filenames with shell metacharacters, then causing the file to
be searched using a .. in the HTTP referer (from the HTTP_REFERER
variable) to point to the directory that contains the keylist.txt
file.

INFERRED ACTION: CAN-2001-1130 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1132
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1132
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: CONECTIVA:CLA-2001:420
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000420
Reference: XF:mailman-blank-passwords(7091)
Reference: URL:http://xforce.iss.net/static/7091.php

Mailman 2.0.x before 2.0.6 allows remote attackers to gain access to
list administrative pages when there is an empty site or list
password, which is not properly handled during the call to the crypt
function during authentication.

INFERRED ACTION: CAN-2001-1132 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(3) Wall, Foat, Armstrong


======================================================
Candidate: CAN-2001-1141
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1141
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010710 OpenSSL Security Advisory: PRNG weakness in versions up to 0.9.6a
Reference: URL:http://www.securityfocus.com/archive/1/195829
Reference: FREEBSD:FreeBSD-SA-01:51
Reference: URL:http://www.securityfocus.com/advisories/3475
Reference: NETBSD:NetBSD-SA2001-013
Reference: URL:http://www.securityfocus.com/advisories/3512
Reference: CONECTIVA:CLA-2001:418
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000418
Reference: MANDRAKE:MDKSA-2001:065
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-065.php3?dis=8.0
Reference: REDHAT:RHSA-2001:051
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-051.html
Reference: ENGARDE:ESA-20010709-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1483.html
Reference: BID:3004
Reference: URL:http://www.securityfocus.com/bid/3004
Reference: XF:openssl-prng-brute-force(6823)
Reference: URL:http://xforce.iss.net/static/6823.php

The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before
0.9.6b allows attackers to use the output of small PRNG requests to
determine the internal state information, which could be used by
attackers to predict future pseudo-random numbers.


Modifications:
  CHANGEREF REDHAT [normalize]

INFERRED ACTION: CAN-2001-1141 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> Remove version number from REDHAT reference.


======================================================
Candidate: CAN-2001-1144
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1144
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010711 McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerabilty
Reference: URL:http://www.securityfocus.com/archive/1/196272
Reference: NTBUGTRAQ:20010716 McAfee ASaP Virusscan - MyCIO HTTP Server Directory Traversal Vul nerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=1558
Reference: CERT-VN:VU#190267
Reference: URL:http://www.kb.cert.org/vuls/id/190267
Reference: BID:3020
Reference: URL:http://www.securityfocus.com/bid/3020
Reference: XF:mcafee-mycio-directory-traversal(6834)
Reference: URL:http://www.iss.net/security_center/static/6834.php

Directory traversal vulnerability in McAfee ASaP VirusScan agent 1.0
allows remote attackers to read arbitrary files via a .. (dot dot) in
the HTTP request.

INFERRED ACTION: CAN-2001-1144 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1146
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1146
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: ENGARDE:ESA-20010711-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1492.html
Reference: XF:allcommerce-temp-symlink(6830)
Reference: URL:http://xforce.iss.net/static/6830.php
Reference: BID:3016
Reference: URL:http://online.securityfocus.com/bid/3016

AllCommerce with debugging enabled in EnGarde Secure Linux 1.0.1
creates temporary files with predictable names, which allows local
users to modify files via a symlink attack.


Modifications:
  DESC fix typo: "teporary"

INFERRED ACTION: CAN-2001-1146 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> In description, 'teporary' should be 'temporary'.


======================================================
Candidate: CAN-2001-1147
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1147
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011008 pam_limits.so Bug!!
Reference: URL:http://www.securityfocus.com/archive/1/219175
Reference: REDHAT:RHSA-2001:132
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-132.html
Reference: MANDRAKE:MDKSA-2001:084
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-084.php3
Reference: SUSE:SuSE-SA:2001:034
Reference: URL:http://www.suse.de/de/support/security/2001_034_shadow_txt.txt
Reference: CIAC:M-009
Reference: URL:http://www.ciac.org/ciac/bulletins/m-009.shtml
Reference: BID:3415
Reference: URL:URL:http://www.securityfocus.com/bid/3415
Reference: XF:utillinux-pamlimits-gain-privileges(7266)
Reference: URL:http://www.iss.net/security_center/static/7266.php

The PAM implementation in /bin/login of the util-linux package before
2.11 causes a password entry to be rewritten across multiple PAM
calls, which could provide the credentials of one user to a different
user, when used in certain PAM modules such as pam_limits.

INFERRED ACTION: CAN-2001-1147 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1149
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1149
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: VULN-DEV:20010821 RE: Bug report -- Incident number 240649
Reference: URL:http://www.securityfocus.com/archive/82/209328

Panda Antivirus Platinum before 6.23.00 allows a remore attacker to
cause a denial of service (crash) when a user selects an action for a
malformed UPX packed executable file.

INFERRED ACTION: CAN-2001-1149 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Ziese, Green
   NOOP(4) Wall, Foat, Cole, Armstrong


======================================================
Candidate: CAN-2001-1153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1153
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CALDERA:CSSA-2001-SCO.15
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0391.html
Reference: XF:openunix-lpsystem-bo(7041)
Reference: URL:http://www.iss.net/security_center/static/7041.php
Reference: BID:3248
Reference: URL:http://online.securityfocus.com/bid/3248

lpsystem in OpenUnix 8.0.0 allows local users to cause a denial of
service and possibly execute arbitrary code via a long command line
argument.

INFERRED ACTION: CAN-2001-1153 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1155
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1155
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: FREEBSD:FreeBSD-SA-01:56
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:56.tcp_wrappers.asc

TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the
PARANOID ACL option enabled does not properly check the result of a
reverse DNS lookup, which could allow remote attackers to bypass
intended access restrictions via DNS spoofing.

INFERRED ACTION: CAN-2001-1155 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Foat, Cole, Armstrong, Ziese, Green
   NOOP(1) Wall


======================================================
Candidate: CAN-2001-1158
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1158
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: CF
Reference: BUGTRAQ:20010709 Check Point FireWall-1 RDP Bypass Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0128.html
Reference: BUGTRAQ:20010709 Check Point response to RDP Bypass
Reference: URL:http://online.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-03-11&end=2002-03-17&mid=195647&threads=1
Reference: CHECKPOINT:20010712 RDP Bypass workaround for VPN-1/FireWall 4.1 SPx
Reference: URL:http://www.checkpoint.com/techsupport/alerts/rdp.html
Reference: CERT:CA-2001-17
Reference: URL:http://www.cert.org/advisories/CA-2001-17.html
Reference: CERT-VN:VU#310295
Reference: URL:http://www.kb.cert.org/vuls/id/310295
Reference: CIAC:L-109
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-109.shtml
Reference: XF:fw1-rdp-bypass(6815)
Reference: URL:http://xforce.iss.net/static/6815.php
Reference: BID:2952
Reference: URL:http://www.securityfocus.com/bid/2952

Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro,
accept_fw1_rdp, which can allow remote attackers to bypass intended
restrictions with forged RDP (internal protocol) headers to UDP port
259 of arbitrary hosts.

INFERRED ACTION: CAN-2001-1158 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1160
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1160
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010618 udirectory from Microburst Technologies remote command execution
Reference: URL:http://www.securityfocus.com/archive/1/191829
Reference: BID:2884
Reference: URL:http://www.securityfocus.com/bid/2884
Reference: XF:udirectory-remote-command-execution(6706)
Reference: URL:http://xforce.iss.net/static/6706.php

udirectory.pl in Microburst Technologies uDirectory 2.0 and earlier
allows remote attackers to execute arbitrary commands via shell
metacharacters in the category_file field.

INFERRED ACTION: CAN-2001-1160 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(6) Wall, Foat, Cole, Armstrong, Ziese, Green

Voter Comments:
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Baker> I received confirmation in an email message from the vendor.

   RE: uDirectory
   Date:
   Mon, 20 May 2002 07:52:59 -0400
   From:
   "Bill Weiner" <bweiner@uburst.com>

   Hello David,

   I just wanted to follow up with you in regard to:

   http://online.securityfocus.com/archive/1/191829

   ... Again, in that particular scenerio, the $category_file parameter was not
   being validated, so to correct any possible security problems, the call to
   the "validate_category_filename" was moved up to the top of the script -
   directly after the parameters are parsed - to make sure that it is called
   regardless of the command being processed.

   FYI:  The commented version of the "validate_category_filename" subroutine
   looks like this:

   #---------------------------------------------------------------------------
   # validate_category_filename()
   # Subroutine to remove/replace all special characters from the category
   # file name.
   # @param $vstring - The string to be validated.
   # @return Returns the validated string.
   #---------------------------------------------------------------------------
   sub validate_category_filename


======================================================
Candidate: CAN-2001-1161
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1161
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010702 Lotus Domino Server Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194465
Reference: BUGTRAQ:20010702 Re: Lotus Domino Server Cross-Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/194609
Reference: CERT-VN:VU#642239
Reference: URL:http://www.kb.cert.org/vuls/id/642239
Reference: BID:2962
Reference: URL:http://www.securityfocus.com/bid/2962
Reference: XF:lotus-domino-css(6789)
Reference: URL:http://www.iss.net/security_center/static/6789.php

Cross-site scripting (CSS) vulnerability in Lotus Domino 5.0.6 allows
remote attackers to execute script on other web clients via a URL that
ends in Javascript, which generates an error message that does not
quote the resulting script.

INFERRED ACTION: CAN-2001-1161 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1162
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1162
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010623 smbd remote file creation vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/193027
Reference: CONFIRM:http://us1.samba.org/samba/whatsnew/macroexploit.html
Reference: MANDRAKE:MDKSA-2001-062
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-062.php3
Reference: HP:HPSBUX0107-157
Reference: URL:http://www.securityfocus.com/advisories/3423
Reference: SGI:20011002-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20011002-01-P
Reference: CIAC:L-105
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-105.shtml
Reference: IMMUNIX:IMNX-2001-70-027-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-027-01
Reference: CALDERA:CSSA-2001-024.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-024.0.txt
Reference: CONECTIVA:CLA-2001:405
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000405
Reference: REDHAT:RHSA-2001:086
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-086.html
Reference: DEBIAN:DSA-065
Reference: URL:http://www.debian.org/security/2001/dsa-065
Reference: BID:2928
Reference: URL:http://www.securityfocus.com/bid/2928
Reference: XF:samba-netbios-file-creation(6731)
Reference: URL:http://xforce.iss.net/static/6731.php

Directory traversal vulnerability in the %m macro in the smb.conf
configuration file in Samba before 2.2.0a allows remote attackers to
overwrite certain files via a .. in a NETBIOS name, which is used as
the name for a .log file.

INFERRED ACTION: CAN-2001-1162 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1166
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: FREEBSD:FreeBSD-SA-01:55
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:55.procfs.asc
Reference: XF:linprocfs-process-memory-leak(7017)
Reference: URL:http://www.iss.net/security_center/static/7017.php
Reference: BID:3217
Reference: URL:http://www.securityfocus.com/bid/3217

linprocfs on FreeBSD 4.3 and earlier does not properly restrict access
to kernel memory, which allows one process with debugging rights on a
privileged process to read restricted memory from that process.

INFERRED ACTION: CAN-2001-1166 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1172
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1172
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010719 [SNS Advisory No.37] HTTProtect allows attackers to change the protected file using a symlink
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0357.html
Reference: CONFIRM:http://www.omnisecure.com/security-alert.html
Reference: XF:httprotect-protected-file-symlink(6880)
Reference: URL:http://xforce.iss.net/static/6880.php

OmniSecure HTTProtect 1.1.1 allows a superuser without omnish
privileges to modify a protected file by creating a symbolic link to
that file.

INFERRED ACTION: CAN-2001-1172 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1174
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1174
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: REDHAT:RHSA-2001:091
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-091.html
Reference: MANDRAKE:MDKSA-2001:067
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-067.php
Reference: XF:elm-messageid-bo(6852)
Reference: URL:http://xforce.iss.net/static/6852.php

Buffer overflow in Elm 2.5.5 and earlier allows remote attackers to
execute arbitrary code via a long Message-ID header.

INFERRED ACTION: CAN-2001-1174 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1175
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1175
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: REDHAT:RHSA-2001:095
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-095.html
Reference: XF:vipw-world-readable-files(6851)
Reference: URL:http://xforce.iss.net/static/6851.php
Reference: BID:3036
Reference: URL:http://www.securityfocus.com/bid/3036

vipw in the util-linux package before 2.10 causes /etc/shadow to be
world-readable in some cases, which would make it easier for local
users to perform brute force password guessing.

INFERRED ACTION: CAN-2001-1175 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(8) Wall, Baker, Foat, Cole, Armstrong, Frech, Ziese, Green


======================================================
Candidate: CAN-2001-1176
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1176
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010712 VPN-1/FireWall-1 Format Strings Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0209.html
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/format_strings.html
Reference: BID:3021
Reference: URL:http://www.securityfocus.com/bid/3021
Reference: XF:fw1-management-format-string(6849)
Reference: URL:http://xforce.iss.net/static/6849.php

Format string vulnerability in Check Point VPN-1/FireWall-1 4.1 allows
a remote authenticated firewall administrator to execute arbitrary
code via format strings in the control connection.

INFERRED ACTION: CAN-2001-1176 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1177
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1177
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010717 Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html
Reference: BID:3008
Reference: URL:http://www.securityfocus.com/bid/3008
Reference: XF:samsung-printer-temp-symlink(6845)
Reference: URL:http://xforce.iss.net/static/6845.php

ml85p in Samsung ML-85G GDI printer driver before 0.2.0 allows local
users to overwrite arbitrary files via a symlink attack on temporary
files.


Modifications:
  DESC add version number

INFERRED ACTION: CAN-2001-1177 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(7) Christey, Wall, Foat, Cole, Armstrong, Ziese, Green

Voter Comments:
 Christey> Fixed by vendor in release 0.2.0 (acknowledged via e-mail)
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Baker> Vendor acknowledged via email.

   Subject:        Re: Samsung ML-85G Driver Issue
   Date:        Mon, 13 May 2002 20:11:14 -0300 (GMT+3)
   From:        Rildo Pragana <rildo@pragana.net>
   To:        David Baker <bakerd@mitre.org>
   Hi David,
   On Thu, 9 May 2002, David Baker wrote:
   >    I am a security researcher working for CVE (Common
   >    Vulnerabilities and Exposures) project.  I am researching a
   >    vulnerability in the ml85p printer driver.  I have been
   >    looking to determine if the driver was fixed to correct a
   >    flaw in the way it allowed a symlink attack via temporary
   >    files.  The vulnerability was reported on Bugtraq in Jul
   >    2001, BUGTRAQ:20010717 Samsung ML-85G Printer Linux
   >    Helper/Driver Binary Exploit (Mandrake: ghostscript
   >    package) at
   >    http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html
   >    and is listed in the Security Focus DB at BID 3008
   >    http://www.securityfocus.com/bid/3008  and as CVE candidate
   >    CAN-2001-1177.   I contacted Mandrake, who referred me to
   >    you, as the author of the driver.
   >
   > Can you shed any light on whether this was fixed or not?  --

   This issue was solved at the release 0.2.0, available at
   Ibiblio:
   http://ibiblio.org/pub/Linux/hardware/drivers/ml85p-0.2.0.tar.gz
   If there is something I can do, please let me know.
   best regards,
   Rildo


======================================================
Candidate: CAN-2001-1180
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1180
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010710 FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0179.html
Reference: CIAC:L-111
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-111.shtml
Reference: CERT-VN:VU#943633
Reference: URL:http://www.kb.cert.org/vuls/id/943633
Reference: FREEBSD:FreeBSD-SA-01:42
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.v1.1.asc
Reference: XF:bsd-rfork-signal-handlers(6829)
Reference: URL:http://xforce.iss.net/static/6829.php
Reference: BID:3007
Reference: URL:http://www.securityfocus.com/bid/3007

FreeBSD 4.3 does not properly clear shared signal handlers when
executing a process, which allows local users to gain privileges by
calling rfork with a shared signal handler, having the child process
execute a setuid program, and sending a signal to the child.

INFERRED ACTION: CAN-2001-1180 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1183
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1183
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CISCO:20010712 Cisco IOS PPTP Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/PPTP-vulnerability-pub.html
Reference: CERT-VN:VU#656315
Reference: URL:http://www.kb.cert.org/vuls/id/656315
Reference: BID:3022
Reference: URL:http://www.securityfocus.com/bid/3022
Reference: XF:cisco-ios-pptp-dos(6835)
Reference: URL:http://xforce.iss.net/static/6835.php

PPTP implementation in Cisco IOS 12.1 and 12.2 allows remote attackers
to cause a denial of service (crash) via a malformed packet.

INFERRED ACTION: CAN-2001-1183 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1185
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011210 AIO vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/244583
Reference: XF:bsd-aio-overwrite-memory(7693)
Reference: URL:http://www.iss.net/security_center/static/7693.php
Reference: BID:3661
Reference: URL:http://www.securityfocus.com/bid/3661

Some AIO operations in FreeBSD 4.4 may be delayed until after a call
to execve, which could allow a local user to overwrite memory of the
new process and gain privileges.

INFERRED ACTION: CAN-2001-1185 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Green
   NOOP(2) Wall, Ziese


======================================================
Candidate: CAN-2001-1193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1193
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011213 EFTP 2.0.8.346 directory content disclosure
Reference: URL:http://www.securityfocus.com/archive/1/245393
Reference: CONFIRM:http://www.eftp.org/releasehistory.html
Reference: BID:3691
Reference: URL:http://www.securityfocus.com/bid/3691
Reference: XF:eftp-dot-directory-traversal(7699)

Directory traversal vulnerability in EFTP 2.0.8.346 allows local users
to read directories via a ... (modified dot dot) in the CWD command.


Modifications:
  ADDREF XF:eftp-dot-directory-traversal(7699)

INFERRED ACTION: CAN-2001-1193 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Ziese, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:eftp-dot-directory-traversal(7699)


======================================================
Candidate: CAN-2001-1199
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1199
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011217 Agoracgi v3.3e Cross Site Scripting Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/246044
Reference: CONFIRM:http://www.agoracgi.com/security.html
Reference: BID:3702
Reference: URL:http://www.securityfocus.com/bid/3702
Reference: XF:agora-cgi-css(7708)
Reference: URL:http://www.iss.net/security_center/static/7708.php

Cross-site scripting vulnerability in agora.cgi for Agora 3.0a through
4.0g, when debug mode is enabled, allows remote attackers to execute
Javascript on other clients via the cart_id parameter.

INFERRED ACTION: CAN-2001-1199 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1201
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1201
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011217 New Advisory + Exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100863301405266&w=2
Reference: BUGTRAQ:20011218 wmcube-gdk is vulnerable to a local exploit
Reference: URL:http://online.securityfocus.com/archive/1/246273
Reference: CONFIRM:http://www.ne.jp/asahi/linux/timecop/software/wmcube-gdk-0.98p2.tar.gz
Reference: BID:3706
Reference: URL:http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3706
Reference: XF:wmcubegdk-object-file-bo(7720)
Reference: URL:http://www.iss.net/security_center/static/7720.php

Buffer overflow in wmcube-gdk for WMCube/GDK 0.98 allows local users
to execute arbitrary code via long lines in the object description
file.

INFERRED ACTION: CAN-2001-1201 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1203
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1203
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: DEBIAN:DSA-095
Reference: URL:http://www.debian.org/security/2001/dsa-095
Reference: XF:linux-gpm-format-string(7748)
Reference: BID:3750
Reference: URL:http://online.securityfocus.com/bid/3750

Format string vulnerability in gpm-root in gpm 1.17.8 through 1.17.18
allows local users to gain root privileges.


Modifications:
  ADDREF XF:linux-gpm-format-string(7748)
  ADDREF BID:3750

INFERRED ACTION: CAN-2001-1203 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Foat, Cole, Ziese, Green
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:linux-gpm-format-string(7748)
   http://online.securityfocus.com/bid/3750


======================================================
Candidate: CAN-2001-1215
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1215
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011220 [CERT-intexxia] pfinger Format String Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/246656
Reference: CONFIRM:http://www.xelia.ch/unix/pfinger/ChangeLog
Reference: XF:pfinger-plan-format-string(7742)
Reference: URL:http://www.iss.net/security_center/static/7742.php
Reference: BID:3725
Reference: URL:http://online.securityfocus.com/bid/3725

Format string vulnerability in PFinger 0.7.5 through 0.7.7 allows
remote attackers to execute arbitrary code via format string
specifiers in a .plan file.

INFERRED ACTION: CAN-2001-1215 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1227
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1227
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: REDHAT:RHSA-2001:115
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-115.html
Reference: MANDRAKE:MDKSA-2001:080
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-080.php3
Reference: BID:3425
Reference: URL:http://online.securityfocus.com/bid/3425
Reference: XF:zope-fmt-access-methods(7271)

Zope before 2.2.4 allows partially trusted users to bypass security
controls for certain methods by accessing the methods through the fmt
attribute of dtml-var tags.


Modifications:
  ADDREF XF:zope-fmt-access-methods(7271)

INFERRED ACTION: CAN-2001-1227 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:zope-fmt-access-methods(7271)


======================================================
Candidate: CAN-2001-1231
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1231
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010814 Fwd: Security Alert: Groupwise - Action Required
Reference: URL:http://www.securityfocus.com/archive/1/204672
Reference: CONFIRM:http://support.novell.com/padlock/details.htm
Reference: XF:novell-groupwise-admin-privileges(6998)
Reference: URL:http://xforce.iss.net/static/6998.php
Reference: BID:3189
Reference: URL:http://www.securityfocus.com/bid/3189

GroupWise 5.5 and 6 running in live remove or smart caching mode
allows remote attackers to read arbitrary users' mailboxes by
extracting usernames and passwords from sniffed network traffic, as
addressed by the "Padlock" fix.

INFERRED ACTION: CAN-2001-1231 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(4) Wall, Foat, Cole, Cox


======================================================
Candidate: CAN-2001-1234
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1234
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CONFIRM:http://prdownloads.sourceforge.net/gallery/gallery-1.2.5.tar.gz
Reference: BID:3397
Reference: URL:http://www.securityfocus.com/bid/3397
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Bharat Mediratta Gallery PHP script before 1.2.1 allows remote
attackers to execute arbitrary code by including files from remote web
sites via an HTTP request that modifies the includedir variable.

INFERRED ACTION: CAN-2001-1234 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1235
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1235
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/21800
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php
Reference: BID:3395
Reference: URL:http://www.securityfocus.com/bid/3395

pSlash PHP script 0.7 and earlier allows remote attackers to execute
arbitrary code by including files from remote web sites, using an HTTP
request that modifies the includedir variable.

INFERRED ACTION: CAN-2001-1235 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1236
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1236
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803
Reference: BID:3394
Reference: URL:http://www.securityfocus.com/bid/3394
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

myphpPagetool PHP script 0.4.3-1 and earlier allows remote attackers
to execute arbitrary code by including files from remote web sites,
using an HTTP request that modifies the includedir variable.

INFERRED ACTION: CAN-2001-1236 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1237
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1237
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CONFIRM:http://www.peaceworks.ca/phormation/phormation-0.9.2.tar.gz
Reference: BID:3393
Reference: URL:http://www.securityfocus.com/bid/3393
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803

Phormation PHP script 0.9.1 and earlier allows remote attackers to
execute arbitrary code by including files from remote web sites, using
an HTTP request that modifies the phormationdir variable.

INFERRED ACTION: CAN-2001-1237 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1240
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1240
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: ENGARDE:ESA-20010711-02
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1493.html

The default configuration of sudo in Engarde Secure Linux 1.0.1 allows
any user in the admin group to run certain commands that could be
leveraged to gain full root access.

INFERRED ACTION: CAN-2001-1240 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1246
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1246
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010630 php breaks safe mode
Reference: URL:http://online.securityfocus.com/archive/1/194425
Reference: CONFIRM:http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz
Reference: BID:2954
Reference: URL:http://online.securityfocus.com/bid/2954
Reference: XF:php-safemode-elevate-privileges(6787)
Reference: URL:http://www.iss.net/security_center/static/6787.php

PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th
parameter to the mail() function, which allows local users and
possibly remote attackers to execute arbitrary commands via shell
metacharacters.

INFERRED ACTION: CAN-2001-1246 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Cox, Green
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2001-1247
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1247
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010630 php breaks safe mode
Reference: URL:http://online.securityfocus.com/archive/1/194425
Reference: CONFIRM:http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz
Reference: REDHAT:RHSA-2002:035
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-035.html

PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read
and write files owned by the web server UID by uploading a PHP script
that uses the error_log function to access the files.


Modifications:
  ADDREF REDHAT:RHSA-2002:035

INFERRED ACTION: CAN-2001-1247 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Cox, Green
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Cox> ADDREF: RHSA-2002:035


======================================================
Candidate: CAN-2001-1252
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1252
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20010928 SNS-43: PGP Keyserver Permissions Misconfiguration
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0230.html
Reference: CONFIRM:http://www.pgp.com/support/product-advisories/keyserver.asp
Reference: XF:pgp-keyserver-http-dos(7203)
Reference: URL:http://www.iss.net/security_center/static/7203.php
Reference: BID:3375
Reference: URL:http://online.securityfocus.com/bid/3375

Network Associates PGP Keyserver 7.0 allows remote attackers to bypass
authentication and access the administrative web interface via URLs
that directly access cgi-bin instead of keyserver/cgi-bin for the
programs (1) console, (2) cs, (3) multi_config and (4) directory.

INFERRED ACTION: CAN-2001-1252 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(4) Wall, Foat, Cole, Cox


======================================================
Candidate: CAN-2001-1266
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1266
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CONFIRM:http://dnhttpd.sourceforge.net/changelog.html
Reference: MISC:http://archives.neohapsis.com/archives/apps/freshmeat/2001-07/0002.html

Directory traversal vulnerability in Doug Neal's HTTPD Daemon
(DNHTTPD) before 0.4.1 allows remote attackers to view arbitrary files
via a .. (dot dot) attack using the dot hex code '%2E'.

INFERRED ACTION: CAN-2001-1266 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Cole, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1276
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1276
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010621 ispell update -- Immunix OS 6.2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99317439131174&w=2
Reference: IMMUNIX:IMNX-2001-62-004-01
Reference: URL:http://download.immunix.org/ImmunixOS/6.2/updates/IMNX-2001-62-004-01
Reference: MANDRAKE:MDKSA-2001:058
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-058.php3
Reference: REDHAT:RHSA-2001:074
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-074.html

ispell before 3.1.20 allows local users to overwrite files of other
users via a symlink attack on a temporary file.

INFERRED ACTION: CAN-2001-1276 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1277
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1277
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010611 man 1.5h10 + man 1.5i-4 exploits
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99227597227747&w=2
Reference: REDHAT:RHSA-2001:072
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-072.html
Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=41805

makewhatis in the man package before 1.5i2 allows an attacker in group
man to overwrite arbitrary files via a man page whose name contains
shell metacharacters.


Modifications:
  DESC say "in group man"

INFERRED ACTION: CAN-2001-1277 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   MODIFY(1) Cox
   NOOP(1) Foat

Voter Comments:
 Cox> "in group man" rather than "with man privileges" is more
   precise


======================================================
Candidate: CAN-2001-1295
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1295
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CONFIRM:http://www.greenepa.net/~averett/cerberus-releasenotes.htm#ReleaseNotes
Reference: MISC:http://www.securiteam.com/windowsntfocus/5SP0M0055W.html
Reference: XF:cerberus-ftp-directory-traversal(7004)
Reference: URL:http://www.iss.net/security_center/static/7004.php

Directory traversal vulnerability in Cerberus FTP Server 1.5 and
earlier allows remote attackers to read arbitrary files via a .. (dot
dot) in the CD command.

INFERRED ACTION: CAN-2001-1295 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Frech, Green
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2001-1297
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1297
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=58331
Reference: BID:3384
Reference: URL:http://www.securityfocus.com/bid/3384
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Actionpoll PHP script before 1.1.2 allows remote attackers to include
arbitrary files from remote web sites via an HTTP request that sets
the includedir variable.

INFERRED ACTION: CAN-2001-1297 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1299
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1299
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803
Reference: CONFIRM:http://www.come.to/zorbat/
Reference: CONFIRM:http://www.kb.cert.org/vuls/id/JARL-53RJKV
Reference: BID:3386
Reference: URL:http://www.securityfocus.com/bid/3386
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Zorbat Zorbstats PHP script before 0.9 allows remote attackers to
include arbitrary files from remote web sites via an HTTP request that
sets the includedir variable.

INFERRED ACTION: CAN-2001-1299 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1322
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1322
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: REDHAT:RHSA-2001:075
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-075.html
Reference: DEBIAN:DSA-063
Reference: URL:http://www.debian.org/security/2001/dsa-063
Reference: ENGARDE:ESA-20010621-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1469.html
Reference: FREEBSD:FreeBSD-SA-01:47
Reference: URL:http://online.securityfocus.com/advisories/3446
Reference: SUSE:SuSE-SA:2001:022
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99384417013990&w=2
Reference: CONECTIVA:CLA-2001:404
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000404
Reference: MANDRAKE:MDKSA-2001:055
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-055.php3
Reference: IMMUNIX:IMNX-2001-70-024-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-024-01
Reference: XF:xinetd-insecure-permissions(6657)
Reference: URL:http://www.iss.net/security_center/static/6657.php
Reference: BID:2826
Reference: URL:http://online.securityfocus.com/bid/2826

xinetd 2.1.8 and earlier runs with a default umask of 0, which could
allow local users to read or modify files that are created by an
application that runs under xinetd but does not set its own safe
umask.

INFERRED ACTION: CAN-2001-1322 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Cole, Frech, Cox, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1342
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1342
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010412 Apache Win32 8192 chars string bug
Reference: URL:http://online.securityfocus.com/archive/1/176144
Reference: BUGTRAQ:20010522 [Announce] Apache 1.3.20 Released
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99054258728748&w=2
Reference: CONFIRM:http://www.apacheweek.com/issues/01-05-25
Reference: CONFIRM:http://bugs.apache.org/index.cgi/full/7522
Reference: XF:apache-server-dos(6527)
Reference: URL:http://www.iss.net/security_center/static/6527.php
Reference: BID:2740
Reference: URL:http://online.securityfocus.com/bid/2740

Apache before 1.3.20 on Windows and OS/2 systems allows remote
attackers to cause a denial of service (GPF) via an HTTP request for a
URI that contains a large number of / (slash) or other characters,
which causes certain functions to dereference a null pointer.


Modifications:
  DESC Change DoS expansion

INFERRED ACTION: CAN-2001-1342 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Frech, Green
   MODIFY(1) Cox

Voter Comments:
 Cox> ADDREF http://www.apacheweek.com/issues/01-05-25
   The DOS here isn't the crash, it's the fact that the crash causes a GPF
   fault message box that has to be cleared by the operator


======================================================
Candidate: CAN-2001-1345
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1345
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010604 Fatal flaw in BestCrypt <= v0.7 (Linux)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-06/0005.html
Reference: CONFIRM:http://www.jetico.com/index.htm#/linux.htm
Reference: XF:bestcrypt-bctool-gain-privileges(6648)
Reference: URL:http://xforce.iss.net/static/6648.php
Reference: BID:2820
Reference: URL:http://www.securityfocus.com/bid/2820

bctool in Jetico BestCrypt 0.7 and earlier trusts the user-supplied
PATH to find and execute an fsck utility program, which allows local
users to gain privileges by modifying the PATH to point to a Trojan
horse program.

INFERRED ACTION: CAN-2001-1345 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2002-0002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0002
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020102
Category: SF
Reference: MISC:http://marc.theaimsgroup.com/?l=stunnel-users&m=100869449828705&w=2
Reference: BUGTRAQ:20011227 Stunnel: Format String Bug in versions <3.22
Reference: URL:http://online.securityfocus.com/archive/1/247427
Reference: BUGTRAQ:20020102 Stunnel: Format String Bug update
Reference: URL:http://online.securityfocus.com/archive/1/248149
Reference: CONFIRM:http://stunnel.mirt.net/news.html
Reference: REDHAT:RHSA-2002:002
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-002.html
Reference: MANDRAKE:MDKSA-2002:004
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-004.php3
Reference: XF:stunnel-client-format-string(7741)
Reference: BID:3748
Reference: URL:http://online.securityfocus.com/bid/3748

Format string vulnerability in stunnel before 3.22 when used in client
mode for (1) smtp, (2) pop, or (3) nntp allows remote malicious
servers to execute arbitrary code.


Modifications:
  ADDREF XF:stunnel-client-format-string(7741)
  ADDREF MANDRAKE:MDKSA-2002:004
  ADDREF BID:3748
  ADDREF BUGTRAQ:20011227 Stunnel: Format String Bug in versions <3.22
  ADDREF BUGTRAQ:20020102 Stunnel: Format String Bug update

INFERRED ACTION: CAN-2002-0002 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:stunnel-client-format-string(7741)
 Christey> Consider adding BID:3748


======================================================
Candidate: CAN-2002-0003
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0003
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020102
Category: SF
Reference: REDHAT:RHSA-2002:004
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-004.html
Reference: MANDRAKE:MDKSA-2002:012
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php
Reference: HP:HPSBTL0201-014
Reference: URL:http://online.securityfocus.com/advisories/3793
Reference: XF:linux-groff-preprocessor-bo(7881)
Reference: BID:3869
Reference: URL:http://www.securityfocus.com/bid/3869

Buffer overflow in the preprocessor in groff 1.16 and earlier allows
remote attackers to gain privileges via lpd in the LPRng printing
system.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:012
  ADDREF XF:linux-groff-preprocessor-bo(7881)
  ADDREF BID:3869
  ADDREF HP:HPSBTL0201-014

INFERRED ACTION: CAN-2002-0003 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> ADDREF MANDRAKE:MDKSA-2002:012
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php
 Frech> XF:linux-groff-preprocessor-bo(7881)
 Christey> MANDRAKE:MDKSA-2002:012
   http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php3
 Christey> Consider adding BID:3869


======================================================
Candidate: CAN-2002-0004
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0004
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020102
Category: SF
Reference: BUGTRAQ:20020117 '/usr/bin/at 31337 + vuln' problem + exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101128661602088&w=2
Reference: DEBIAN:DSA-102
Reference: URL:http://www.debian.org/security/2002/dsa-102
Reference: SUSE:SuSE-SA:2002:003
Reference: URL:http://www.suse.de/de/support/security/2002_003_at_txt.txt
Reference: MANDRAKE:MDKSA-2002:007
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101147632721031&w=2
Reference: REDHAT:RHSA-2002:015
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-015.html
Reference: HP:HPSBTL0201-021
Reference: URL:http://online.securityfocus.com/advisories/3833
Reference: HP:HPSBTL0302-034
Reference: URL:http://online.securityfocus.com/advisories/3969
Reference: XF:linux-at-exetime-heap-corruption(7909)
Reference: BID:3886
Reference: URL:http://www.securityfocus.com/bid/3886

Heap corruption vulnerability in the "at" program allows local users
to execute arbitrary code via a malformed execution time, which causes
at to free the same memory twice.


Modifications:
  ADDREF XF:linux-at-exetime-heap-corruption(7909)
  ADDREF HP:HPSBTL0201-021
  ADDREF HP:HPSBTL0302-034
  ADDREF BID:3886

INFERRED ACTION: CAN-2002-0004 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:linux-at-exetime-heap-corruption(7909)
 Christey> Consider adding BID:3886


======================================================
Candidate: CAN-2002-0007
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0007
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020109
Category: SF
Reference: BUGTRAQ:20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
Reference: CONFIRM:http://www.bugzilla.org/security2_14_1.html
Reference: MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=54901
Reference: XF:bugzilla-ldap-auth-bypass(7812)

CGI.pl in Bugzilla before 2.14.1, when using LDAP, allows remote
attackers to obtain an anonymous bind to the LDAP server via a request
that does not include a password, which causes a null password to be
sent to the LDAP server.


Modifications:
  ADDREF XF:bugzilla-ldap-auth-bypass(7812)

INFERRED ACTION: CAN-2002-0007 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:bugzilla-ldap-auth-bypass(7812)


======================================================
Candidate: CAN-2002-0018
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0018
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-001
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-001.asp
Reference: BID:3997
Reference: URL:http://www.securityfocus.com/bid/3997

In Microsoft Windows NT and Windows 2000, a trusting domain that
receives authorization information from a trusted domain does not
verify that the trusted domain is authoritative for all listed SIDs,
which could allows remote attackers to gain Domain Administrator
privileges on the trusting domain by injecting SIDs from untrusted
domains into the authorization data that comes from from the trusted
domain.


Modifications:
  ADDREF BID:3997

INFERRED ACTION: CAN-2002-0018 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:3997


======================================================
Candidate: CAN-2002-0020
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0020
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-004.asp
Reference: BID:4061
Reference: URL:http://www.securityfocus.com/bid/4061
Reference: XF:ms-telnet-option-bo(8094)
Reference: URL:http://www.iss.net/security_center/static/8094.php

Buffer overflow in telnet server in Windows 2000 and Interix 2.2
allows remote attackers to execute arbitrary code via malformed
protocol options.

INFERRED ACTION: CAN-2002-0020 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Frech, Ziese, Green


======================================================
Candidate: CAN-2002-0021
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0021
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-002.asp
Reference: BID:4045
Reference: URL:http://www.securityfocus.com/bid/4045

Network Product Identification (PID) Checker in Microsoft Office v. X
for Mac allows remote attackers to cause a denial of service (crash)
via a malformed product announcement.


Modifications:
  ADDREF BID:4045

INFERRED ACTION: CAN-2002-0021 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4045


======================================================
Candidate: CAN-2002-0022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: BUGTRAQ:20020213 dH & SECURITY.NNOV: buffer overflow in mshtml.dll
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101362984930597&w=2
Reference: BUGTRAQ:20020227 Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general)
Reference: URL:http://online.securityfocus.com/archive/1/258614
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: CERT:CA-2002-04
Reference: URL:http://www.cert.org/advisories/CA-2002-04.html
Reference: XF:ie-html-directive-bo(8116)
Reference: URL:http://www.iss.net/security_center/static/8116.php
Reference: BID:4080
Reference: URL:http://www.securityfocus.com/bid/4080

Buffer overflow in the implementation of an HTML directive in
mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to
execute arbitrary code via a web page that specifies embedded ActiveX
controls in a way that causes 2 Unicode strings to be concatenated.


Modifications:
  ADDREF BID:4080
  ADDREF BUGTRAQ:20020227 Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general)

INFERRED ACTION: CAN-2002-0022 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Frech, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4080


======================================================
Candidate: CAN-2002-0023
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0023
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: BUGTRAQ:20020101 IE GetObject() problems
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0000.html
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BID:3767
Reference: URL:http://www.securityfocus.com/bid/3767

Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read
arbitrary files via malformed requests to the GetObject function,
which bypass some of GetObject's security checks.

INFERRED ACTION: CAN-2002-0023 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0025
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically
Reference: URL:http://online.securityfocus.com/archive/1/255767
Reference: BID:4085
Reference: URL:http://online.securityfocus.com/bid/4085

Internet Explorer 5.01, 5.5 and 6.0 does not properly handle the
Content-Type HTML header field, which allows remote attackers to
modify which application is used to process a document.


Modifications:
  ADDREF BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically
  ADDREF BID:4085

INFERRED ACTION: CAN-2002-0025 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically
   URL:http://online.securityfocus.com/archive/1/255767
   BID:4085
   URL:http://online.securityfocus.com/bid/4085


======================================================
Candidate: CAN-2002-0026
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0026
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BID:4082
Reference: URL:http://online.securityfocus.com/bid/4082

Internet Explorer 5.5 and 6.0 allows remote attackers to bypass
restrictions for executing scripts via an object that processes
asynchronous events after the initial security checks have been made.


Modifications:
  ADDREF BID:4082

INFERRED ACTION: CAN-2002-0026 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4082


======================================================
Candidate: CAN-2002-0027
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0027
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: BUGTRAQ:20011219 Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug
Reference: URL:http://www.securityfocus.com/archive/1/246522
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BID:3721
Reference: URL:http://www.securityfocus.com/bid/3721

Internet Explorer 5.5 and 6.0 allows remote attackers to read certain
files and spoof the URL in the address bar by using the Document.open
function to pass information between two frames from different
domains, a new variant of the "Frame Domain Verification"
vulnerability described in MS:MS01-058/CAN-2001-0874.

INFERRED ACTION: CAN-2002-0027 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0028
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0028
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020116
Category: SF
Reference: BUGTRAQ:20020106 ICQ remote buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101043894627851&w=2
Reference: VULN-DEV:20020107 ICQ remote buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101043076806401&w=2
Reference: CERT:CA-2002-02
Reference: URL:http://www.cert.org/advisories/CA-2002-02.html
Reference: CERT-VN:VU#570167
Reference: URL:http://www.kb.cert.org/vuls/id/570167
Reference: BID:3813
Reference: URL:http://www.securityfocus.com/bid/3813
Reference: XF:aim-game-overflow(7743)

Buffer overflow in ICQ before 2001B Beta v5.18 Build #3659 allows
remote attackers to execute arbitrary code via a Voice Video & Games
request.


Modifications:
  ADDREF XF:aim-game-overflow(7743)

INFERRED ACTION: CAN-2002-0028 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> (Review whether issue is misassigned.)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:aim-game-overflow(7743)


======================================================
Candidate: CAN-2002-0038
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0038
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020116
Category: SF
Reference: SGI:20020102-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-01-I
Reference: SGI:20020102-02-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-02-I
Reference: SGI:20020102-03-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-03-P
Reference: XF:irix-nsd-cache-dos(7907)
Reference: BID:3882

Vulnerability in the cache-limiting function of the unified name
service daemon (nsd) in IRIX 6.5.4 through 6.5.11 allows remote
attackers to cause a denial of service by forcing the cache to fill
the disk.


Modifications:
  ADDREF XF:irix-nsd-cache-dos(7907)
  ADDREF BID:3882

INFERRED ACTION: CAN-2002-0038 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Frech> XF:irix-nsd-cache-dos(7907)
 Christey> Consider adding BID:3882
 Christey> BID:3882


======================================================
Candidate: CAN-2002-0040
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0040
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020116
Category: SF
Reference: SGI:20020306-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020306-01-P
Reference: XF:irix-hostaliases-gain-privileges(8669)
Reference: URL:http://www.iss.net/security_center/static/8669.php
Reference: BID:4388
Reference: URL:http://www.securityfocus.com/bid/4388

Vulnerability in SGI IRIX 6.5.11 through 6.5.15f allows local users to
cause privileged applications to dump core via the HOSTALIASES
environment variable, which might allow the users to gain privileges.


Modifications:
  ADDREF XF:irix-hostaliases-gain-privileges(8669)
  ADDREF BID:4388

INFERRED ACTION: CAN-2002-0040 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(4) Wall, Foat, Cox, Christey

Voter Comments:
 Christey> Consider adding BID:4388
 Christey> XF:irix-hostaliases-gain-privileges(8669)
   URL:http://www.iss.net/security_center/static/8669.php
   BID:4388
   URL:http://www.securityfocus.com/bid/4388


======================================================
Candidate: CAN-2002-0043
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0043
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: BUGTRAQ:20020114 Sudo version 1.6.4 now available (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/250168
Reference: REDHAT:RHSA-2002:013
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-013.html
Reference: REDHAT:RHSA-2002:011
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-011.html
Reference: CONECTIVA:CLA-2002:451
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000451
Reference: ENGARDE:ESA-20020114-001
Reference: SUSE:SuSE-SA:2002:002
Reference: URL:http://www.suse.de/de/support/security/2002_002_sudo_txt.txt
Reference: MANDRAKE:MDKSA-2002:003
Reference: DEBIAN:DSA-101
Reference: IMMUNIX:IMNX-2002-70-001-01
Reference: URL:http://www.securityfocus.com/advisories/3800
Reference: FREEBSD:FreeBSD-SA-02:06
Reference: BUGTRAQ:20020116 Sudo +Postfix Exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101120193627756&w=2
Reference: MISC:http://www.sudo.ws/sudo/alerts/postfix.html
Reference: XF:sudo-unclean-env-root(7891)
Reference: URL:http://xforce.iss.net/static/7891.php
Reference: BID:3871
Reference: URL:http://www.securityfocus.com/bid/3871

sudo 1.6.0 through 1.6.3p7 does not properly clear the environment
before calling the mail program, which could allow local users to gain
root privileges by modifying environment variables and changing how
the mail program is invoked.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:003
  ADDREF DEBIAN:DSA-101
  ADDREF IMMUNIX:IMNX-2002-70-001-01
  ADDREF FREEBSD:FreeBSD-SA-02:06
  CHANGEREF REDHAT [normalize]

INFERRED ACTION: CAN-2002-0043 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Frech, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:003
   DEBIAN:DSA-101
   IMMUNIX:IMNX-2002-70-001-01
   URL:http://www.securityfocus.com/advisories/3800
   FREEBSD:FreeBSD-SA-02:06

   Normalize refs: REDHAT:RHSA-2002-011, REDHAT:RHSA-2002-013


======================================================
Candidate: CAN-2002-0044
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0044
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: REDHAT:RHSA-2002-012
Reference: URL:https://www.redhat.com/support/errata/RHSA-2002-012.html
Reference: HP:HPSBTL0201-019
Reference: URL:http://www.securityfocus.com/advisories/3818
Reference: MANDRAKE:MDKSA-2002:010
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-010.php3
Reference: DEBIAN:DSA-105
Reference: URL:http://www.debian.org/security/2002/dsa-105
Reference: XF:gnu-enscript-tmpfile-symlink(7932)
Reference: URL:http://xforce.iss.net/static/7932.php
Reference: BID:3920
Reference: URL:http://www.securityfocus.com/bid/3920

GNU Enscript 1.6.1 and earlier allows local users to overwrite
arbitrary files of the Enscript user via a symlink attack on temporary
files.

INFERRED ACTION: CAN-2002-0044 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Frech, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0045
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0045
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: CONFIRM:http://www.openldap.org/lists/openldap-announce/200201/msg00002.html
Reference: CALDERA:CSSA-2002-001.0
Reference: MANDRAKE:MDKSA-2002:013
Reference: REDHAT:RHSA-2002:014
Reference: XF:openldap-slapd-delete-attributes(7978)

slapd in OpenLDAP 2.0 through 2.0.19 allows local users, and anonymous
users before 2.0.8, to conduct a "replace" action on access controls
without any values, which causes OpenLDAP to delete non-mandatory
attributes which would otherwise be protected by ACLs.


Modifications:
  ADDREF XF:openldap-slapd-delete-attributes(7978)
  ADDREF CALDERA:CSSA-2002-001.0
  ADDREF MANDRAKE:MDKSA-2002:013
  ADDREF REDHAT:RHSA-2002:014

INFERRED ACTION: CAN-2002-0045 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Frech> XF:openldap-slapd-delete-attributes(7978)
 Christey> CALDERA:CSSA-2002-001.0
   MANDRAKE:MDKSA-2002:013


======================================================
Candidate: CAN-2002-0046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0046
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: BUGTRAQ:20020120 remote memory reading through tcp/icmp
Reference: URL:http://www.securityfocus.com/archive/1/251418
Reference: REDHAT:RHSA-2002-007
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-007.html
Reference: XF:icmp-read-memory(7998)

Linux kernel, and possibly other operating systems, allows remote
attackers to read portions of memory via a series of fragmented ICMP
packets that generate an ICMP TTL Exceeded response, which includes
portions of the memory in the response packet.


Modifications:
  ADDREF XF:icmp-read-memory(7998)

INFERRED ACTION: CAN-2002-0046 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Baker, Foat, Cole, Green
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:icmp-read-memory(7998)


======================================================
Candidate: CAN-2002-0047
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0047
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020131
Assigned: 20020122
Category: SF
Reference: DEBIAN:DSA-104
Reference: URL:http://www.debian.org/security/2002/dsa-104
Reference: REDHAT:RHSA-2002:007
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-007.html
Reference: XF:cipe-packet-handling-dos(7883)
Reference: URL:http://xforce.iss.net/static/7883.php

CIPE VPN package before 1.3.0-3 allows remote attackers to cause a
denial of service (crash) via a short malformed packet.

INFERRED ACTION: CAN-2002-0047 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Baker, Cole, Frech, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0049
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0049
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020202
Category: CF
Reference: MS:MS02-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-003.asp
Reference: BID:4053
Reference: URL:http://www.securityfocus.com/bid/4053

Microsoft Exchange Server 2000 System Attendant gives "Everyone" group
privileges to the WinReg key, which could allow remote attackers to
read or modify registry keys.

INFERRED ACTION: CAN-2002-0049 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0050
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: MS:MS02-010
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-010.asp
Reference: BID:4157
Reference: URL:http://online.securityfocus.com/bid/4157

Buffer overflow in AuthFilter ISAPI filter on Microsoft Commerce
Server 2000 allows remote attackers to execute arbitrary code via long
authentication data.

INFERRED ACTION: CAN-2002-0050 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0051
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0051
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020202
Category: SF
Reference: BUGTRAQ:20011205 SECURITY.NNOV: file locking and security (group policy DoS on Windows 2000 domain)
Reference: URL:http://online.securityfocus.com/archive/1/244329
Reference: MS:MS02-016
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-016.asp
Reference: BID:4438
Reference: URL:http://online.securityfocus.com/bid/4438

Windows 2000 allows local users to prevent the application of new
group policy settings by opening Group Policy files with
exclusive-read access.


Modifications:
  ADDREF BID:4438

INFERRED ACTION: CAN-2002-0051 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Foat, Cole, Green
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> Consider adding BID:4438
 Christey> XF:win2k-group-policy-block(8759)
   URL:http://www.iss.net/security_center/static/8759.php


======================================================
Candidate: CAN-2002-0052
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0052
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: MS:MS02-009
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-009.asp
Reference: BID:4158
Reference: URL:http://online.securityfocus.com/bid/4158

Internet Explorer 6.0 and earlier does not properly handle VBScript in
certain domain security checks, which allows remote attackers to read
arbitrary files.

INFERRED ACTION: CAN-2002-0052 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green


======================================================
Candidate: CAN-2002-0055
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0055
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: BUGTRAQ:20020306 Vulnerability Details for MS02-012
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101558498401274&w=2
Reference: MS:MS02-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-012.asp
Reference: XF:ms-smtp-data-transfer-dos(8307)
Reference: URL:http://www.iss.net/security_center/static/8307.php
Reference: BID:4204
Reference: URL:http://www.securityfocus.com/bid/4204

SMTP service in Microsoft Windows 2000, Windows XP Professional, and
Exchange 2000 to cause a denial of service via a command with a
malformed data transfer (BDAT) request.


Modifications:
  ADDREF XF:ms-smtp-data-transfer-dos(8307)
  ADDREF BID:4204

INFERRED ACTION: CAN-2002-0055 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Frech, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4204
 Christey> XF:ms-smtp-data-transfer-dos(8307)
   URL:http://www.iss.net/security_center/static/8307.php
   BID:4204
   URL:http://www.securityfocus.com/bid/4204


======================================================
Candidate: CAN-2002-0057
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0057
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: BUGTRAQ:20011214 MSIE6 can read local files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-12/0152.html
Reference: BUGTRAQ:20020212 Update on the MS02-005 patch, holes still remain
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101366383408821&w=2
Reference: MS:MS02-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-008.asp
Reference: BID:3699
Reference: URL:http://online.securityfocus.com/bid/3699
Reference: XF:ie-xmlhttp-redirect(7712)

XMLHTTP control in Microsoft XML Core Services 2.6 and later does not
properly handle IE Security Zone settings, which allows remote
attackers to read arbitrary files by specifying a local file as an XML
Data Source.


Modifications:
  ADDREF XF:ie-xmlhttp-redirect(7712)

INFERRED ACTION: CAN-2002-0057 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Ziese, Green
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:ie-xmlhttp-redirect(7712)


======================================================
Candidate: CAN-2002-0059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020207
Category: SF
Reference: BUGTRAQ:20020311 security problem fixed in zlib 1.1.4
Reference: BUGTRAQ:20020312 exploiting the zlib bug in openssh
Reference: VULNWATCH:20020312 exploiting the zlib bug in openssh
Reference: VULNWATCH:20020311 [VulnWatch] zlibscan : script to find suid binaries possibly affected by zlib vulnerability
Reference: BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib)
Reference: BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh
Reference: BUGTRAQ:20020312 zlib & java
Reference: BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability
Reference: BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris
Reference: BUGTRAQ:20020314 about zlib vulnerability
Reference: BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected
Reference: BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products
Reference: BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability
Reference: CERT:CA-2002-07
Reference: CERT-VN:VU#368819
Reference: URL:http://www.kb.cert.org/vuls/id/368819
Reference: DEBIAN:DSA-122
Reference: REDHAT:RHSA-2002:026
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html
Reference: REDHAT:RHSA-2002:027
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-027.html
Reference: SUSE:SuSE-SA:2002:010
Reference: SUSE:SuSE-SA:2002:011
Reference: ENGARDE:ESA-20020311-008
Reference: MANDRAKE:MDKSA-2002:022
Reference: MANDRAKE:MDKSA-2002:023
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php
Reference: CALDERA:CSSA-2002-014.1
Reference: CALDERA:CSSA-2002-015.1
Reference: CONECTIVA:CLA-2002:469
Reference: HP:HPSBTL0204-030
Reference: HP:HPSBTL0204-036
Reference: HP:HPSBTL0204-037
Reference: MANDRAKE:MDKSA-2002:024
Reference: CISCO:20020403 Vulnerability in the zlib Compression Library
Reference: OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002
Reference: FREEBSD:FreeBSD-SA-02:18
Reference: BUGTRAQ:20020318 TSLSA-2002-0040 - zlib
Reference: BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions)
Reference: BID:4267
Reference: URL:http://online.securityfocus.com/bid/4267
Reference: XF:zlib-doublefree-memory-corruption(8427)

The decompression algorithm in zlib 1.1.3 and earlier, as used in many
different utilities and packages, causes inflateEnd to release certain
memory more than once (a "double free"), which may allow local and
remote attackers to execute arbitrary code via a block of malformed
compression data.


Modifications:
  CHANGEREF BUGTRAQ change some dates from 20020212 to 20020312
  ADDREF BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib)
  ADDREF BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh
  ADDREF BUGTRAQ:20020312 zlib & java
  ADDREF BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability
  ADDREF BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris
  ADDREF BUGTRAQ:20020314 about zlib vulnerability
  ADDREF BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability
  ADDREF BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products
  ADDREF FREEBSD:FreeBSD-SA-02:18
  ADDREF BUGTRAQ:20020318 TSLSA-2002-0040 - zlib
  ADDREF BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions)
  ADDREF CALDERA:CSSA-2002-014.1
  ADDREF CALDERA:CSSA-2002-015.1
  ADDREF CONECTIVA:CLA-2002:469
  ADDREF HP:HPSBTL0204-030
  ADDREF HP:HPSBTL0204-036
  ADDREF HP:HPSBTL0204-037
  ADDREF MANDRAKE:MDKSA-2002:024
  ADDREF CISCO:20020403 Vulnerability in the zlib Compression Library
  ADDREF OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002
  ADDREF XF:zlib-doublefree-memory-corruption(8427)
  ADDREF BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected

INFERRED ACTION: CAN-2002-0059 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Frech, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Need to change dates of Bugtraq and Vulnwatch posts from
   20020212 to 20020312 for "exploiting the zlib bug in openssh"
   BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib)
   BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh
   BUGTRAQ:20020312 zlib & java
   BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability
   BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris
   BUGTRAQ:20020314 about zlib vulnerability
   BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability
   BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products
   FREEBSD:FreeBSD-SA-02:18
   BUGTRAQ:20020318 TSLSA-2002-0040 - zlib
   BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions)
   CALDERA:CSSA-2002-014.1
   CALDERA:CSSA-2002-015.1
   CONECTIVA:CLA-2002:469
   HP:HPSBTL0204-030
   HP:HPSBTL0204-036
   HP:HPSBTL0204-037
   MANDRAKE:MDKSA-2002:024
   CISCO:20020403 Vulnerability in the zlib Compression Library
   OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002
   XF:zlib-doublefree-memory-corruption(8427)
   BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected


======================================================
Candidate: CAN-2002-0060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0060
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020213
Category: SF
Reference: BUGTRAQ:20020227 security advisory linux 2.4.x ip_conntrack_irc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101483396412051&w=2
Reference: VULN-DEV:20020227 Fwd: [ANNOUNCE] Security Advisory about IRC DCC connection tracking
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101486352429653&w=2
Reference: CONFIRM:http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html
Reference: REDHAT:RHSA-2002:028
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-028.html

IRC connection tracking helper module in the netfilter subsystem for
Linux 2.4.18-pre9 and earlier does not properly set the mask for
conntrack expectations for incoming DCC connections, which could allow
remote attackers to bypass intended firewall restrictions.

INFERRED ACTION: CAN-2002-0060 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Ziese, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0063
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0063
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020217
Category: SF
Reference: CONFIRM:http://www.cups.org/relnotes.html
Reference: DEBIAN:DSA-110
Reference: URL:http://www.debian.org/security/2002/dsa-110
Reference: MANDRAKE:MDKSA-2002:015
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-015.php
Reference: REDHAT:RHSA-2002:032
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-032.html
Reference: SUSE:SuSE-SA:2002:005
Reference: SUSE:SuSE-SA:2002:006
Reference: CALDERA:CSSA-2002-008.0
Reference: CONECTIVA:CLA-2002:471
Reference: XF:cups-ippread-bo(8192)
Reference: BID:4100

Buffer overflow in ippRead function of CUPS before 1.1.14 may allow
attackers to execute arbitrary code via long attribute names or
language values.


Modifications:
  ADDREF REDHAT:RHSA-2002:032
  ADDREF SUSE:SuSE-SA:2002:005
  ADDREF SUSE:SuSE-SA:2002:006
  ADDREF CALDERA:CSSA-2002-008.0
  ADDREF XF:cups-ippread-bo(8192)
  ADDREF BID:4100
  ADDREF CONECTIVA:CLA-2002:471

INFERRED ACTION: CAN-2002-0063 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Cole, Frech, Ziese, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> REDHAT:RHSA-2002:032
   URL:http://www.redhat.com/support/errata/RHSA-2002-032.html
   SUSE:SuSE-SA:2002:005
   SUSE:SuSE-SA:2002:006
 Christey> SUSE:SuSE-SA:2002:005
 Christey> REDHAT:RHSA-2002:032
   CALDERA:CSSA-2002-008.0
   XF:cups-ippread-bo(8192)
   BID:4100
   SUSE:SuSE-SA:2002:006
   SUSE:SuSE-SA:2002:005
   CONECTIVA:CLA-2002:471


======================================================
Candidate: CAN-2002-0064
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0064
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020219
Category: CF
Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html
Reference: XF:funk-proxy-insecure-permissions(8791)
Reference: URL:http://www.iss.net/security_center/static/8791.php
Reference: BID:4458
Reference: URL:http://www.securityfocus.com/bid/4458

Funk Software Proxy Host 3.x is installed with insecure permissions
for the registry and the file system.


Modifications:
  ADDREF XF:funk-proxy-insecure-permissions(8791)
  ADDREF BID:4458

INFERRED ACTION: CAN-2002-0064 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(4) Wall, Foat, Cox, Christey

Voter Comments:
 Christey> XF:funk-proxy-insecure-permissions(8791)
   URL:http://www.iss.net/security_center/static/8791.php
   BID:4458
   URL:http://www.securityfocus.com/bid/4458


======================================================
Candidate: CAN-2002-0065
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0065
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020219
Category: SF
Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html
Reference: XF:funk-proxy-weak-password(8792)
Reference: URL:http://www.iss.net/security_center/static/8792.php
Reference: BID:4459
Reference: URL:http://www.securityfocus.com/bid/4459

Funk Software Proxy Host 3.x uses weak encryption for the Proxy Host
password, which allows local users to gain privileges by recovering
the passwords from the PHOST.INI file or the Windows registry.


Modifications:
  ADDREF XF:funk-proxy-weak-password(8792)
  ADDREF BID:4459

INFERRED ACTION: CAN-2002-0065 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(4) Wall, Foat, Cox, Christey

Voter Comments:
 Christey> XF:funk-proxy-weak-password(8792)
   URL:http://www.iss.net/security_center/static/8792.php
   BID:4459
   URL:http://www.securityfocus.com/bid/4459


======================================================
Candidate: CAN-2002-0066
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0066
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020219
Category: SF
Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x
Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html
Reference: XF:funk-proxy-named-pipe(8793)
Reference: URL:http://www.iss.net/security_center/static/8793.php
Reference: BID:4460
Reference: URL:http://www.securityfocus.com/bid/4460

Funk Software Proxy Host 3.x before 3.09A creates a Named Pipe that
does not require authentication and is installed with insecure access
control, which allows local and possibly remote users to use the Proxy
Host's configuration utilities and gain privileges.


Modifications:
  ADDREF XF:funk-proxy-named-pipe(8793)
  ADDREF BID:4460

INFERRED ACTION: CAN-2002-0066 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(4) Wall, Foat, Cox, Christey

Voter Comments:
 Christey> XF:funk-proxy-named-pipe(8793)
   URL:http://www.iss.net/security_center/static/8793.php
   BID:4460
   URL:http://www.securityfocus.com/bid/4460


======================================================
Candidate: CAN-2002-0070
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0070
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101594127017290&w=2
Reference: VULNWATCH:20020311 [VulnWatch] ADVISORY: Windows Shell Overflow
Reference: NTBUGTRAQ:20020311 ADVISORY: Windows Shell Overflow
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0203&L=ntbugtraq&F=P&S=&P=2404
Reference: MS:MS02-014
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-014.asp
Reference: XF:win-shell-bo(8384)
Reference: URL:http://www.iss.net/security_center/static/8384.php
Reference: BID:4248
Reference: URL:http://www.securityfocus.com/bid/4248

Buffer overflow in Windows Shell (used as the Windows Desktop) allows
local and possibly remote attackers to execute arbitrary code via a
custom URL handler that has not been removed for an application that
has been improperly uninstalled.


Modifications:
  ADDREF XF:win-shell-bo(8384)
  ADDREF BID:4248
  ADDREF BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow

INFERRED ACTION: CAN-2002-0070 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Frech, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> XF:win-shell-bo(8384)
   URL:http://www.iss.net/security_center/static/8384.php
   BID:4248
   URL:http://www.securityfocus.com/bid/4248
   BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101594127017290&w=2


======================================================
Candidate: CAN-2002-0078
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0078
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020330 IE: Remote webpage can script in local zone
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101781180528301&w=2
Reference: MS:MS02-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-015.asp
Reference: BID:4392
Reference: URL:http://www.securityfocus.com/bid/4392
Reference: XF:ie-cookie-local-zone(8701)
Reference: URL:http://www.iss.net/security_center/static/8701.php

The zone determination function in Microsoft Internet Explorer 5.5 and
6.0 allows remote attackers to run scripts in the Local Computer zone
by embedding the script in a cookie, aka the "Cookie-based Script
Execution" vulnerability.


Modifications:
  ADDREF BID:4392
  ADDREF XF:ie-cookie-local-zone(8701)
  ADDREF BUGTRAQ:20020330 IE: Remote webpage can script in local zone

INFERRED ACTION: CAN-2002-0078 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Frech, Green
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> Consider adding BID:4392
 Christey> BUGTRAQ:20020330 IE: Remote webpage can script in local zone
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101781180528301&w=2
   XF:ie-cookie-local-zone(8701)
   URL:http://www.iss.net/security_center/static/8701.php
   BID:4392
   URL:http://www.securityfocus.com/bid/4392


======================================================
Candidate: CAN-2002-0080
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0080
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020221
Category: SF
Reference: REDHAT:RHSA-2002:026
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html
Reference: MANDRAKE:MDKSA-2002:024
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3
Reference: CALDERA:CSSA-2002-014.1
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt
Reference: XF:linux-rsync-inherit-privileges(8463)
Reference: URL:http://www.iss.net/security_center/static/8463.php
Reference: BID:4285
Reference: URL:http://www.securityfocus.com/bid/4285

rsync, when running in daemon mode, does not properly call setgroups
before dropping privileges, which could provide supplemental group
privileges to local users, who could then read certain files that
would otherwise be disallowed.


Modifications:
  DESC Add "when running in daemon mode"
  ADDREF CALDERA:CSSA-2002-014.1
  ADDREF XF:linux-rsync-inherit-privileges(8463)
  ADDREF BID:4285

INFERRED ACTION: CAN-2002-0080 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Cole, Frech, Ziese, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> CALDERA:CSSA-2002-014.1
   URL:http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt
   XF:linux-rsync-inherit-privileges(8463)
   URL:http://www.iss.net/security_center/static/8463.php
   BID:4285
   URL:http://www.securityfocus.com/bid/4285

   Add "when running in daemon mode" to description.


======================================================
Candidate: CAN-2002-0081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0081
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020227
Category: SF
Reference: VULN-DEV:20020225 Re: Rumours about Apache 1.3.22 exploits
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101468694824998&w=2
Reference: BUGTRAQ:20020227 Advisory 012002: PHP remote vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101484705523351&w=2
Reference: NTBUGTRAQ:20020227 PHP remote vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101484975231922&w=2
Reference: CONFIRM:http://www.php.net/downloads.php
Reference: MISC:http://security.e-matters.de/advisories/012002.html
Reference: REDHAT:RHSA-2002:035
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-035.html
Reference: DEBIAN:DSA-115
Reference: URL:http://www.debian.org/security/2002/dsa-115
Reference: CERT:CA-2002-05
Reference: URL:http://www.cert.org/advisories/CA-2002-05.html
Reference: CERT-VN:VU#297363
Reference: URL:http://www.kb.cert.org/vuls/id/297363
Reference: ENGARDE:ESA-20020301-006
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1924.html
Reference: HP:HPSBTL0203-028
Reference: URL:http://online.securityfocus.com/advisories/3911
Reference: CONECTIVA:CLA-2002:468
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000468
Reference: XF:php-file-upload-overflow(8281)
Reference: URL:http://www.iss.net/security_center/static/8281.php
Reference: BID:4183
Reference: URL:http://www.securityfocus.com/bid/4183
Reference: BUGTRAQ:20020304 Apache+php Proof of Concept Exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101537076619812&w=2
Reference: BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101497256024338&w=2
Reference: SUSE:SuSE-SA:2002:007
Reference: URL:http://www.suse.com/de/support/security/2002_007_mod_php4_txt.html
Reference: MANDRAKE:MDKSA-2002:017
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-017.php

Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6
and earlier, and (2) php3_mime_split in PHP 3.0.x allows remote
attackers to execute arbitrary code via a multipart/form-data HTTP
POST request when file_uploads is enabled.


Modifications:
  ADDREF BUGTRAQ:20020304 Apache+php Proof of Concept Exploit
  ADDREF BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php
  ADDREF SUSE:SuSE-SA:2002:007
  ADDREF MANDRAKE:MDKSA-2002:017

INFERRED ACTION: CAN-2002-0081 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Cole, Frech, Ziese, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> BUGTRAQ:20020304 Apache+php Proof of Concept Exploit
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101537076619812&w=2
 Christey> ADDREF BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101497256024338&w=2
   SUSE:SuSE-SA:2002:007
   MANDRAKE:MDKSA-2002:017
 Christey> SUSE:SuSE-SA:2002:007
   URL:http://www.suse.com/de/support/security/2002_007_mod_php4_txt.html
   MANDRAKE:MDKSA-2002:017
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-017.php
   BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0362.html
   BUGTRAQ:20020304 Apache+php Proof of Concept Exploit
   URL:http://online.securityfocus.com/archive/1/259821


======================================================
Candidate: CAN-2002-0082
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0082
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020301
Category: SF
Reference: BUGTRAQ:20020227 mod_ssl Buffer Overflow Condition (Update Available)
Reference: URL:http://online.securityfocus.com/archive/1/258646
Reference: BUGTRAQ:20020301 Apache-SSL buffer overflow (fix available)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101518491916936&w=2
Reference: BUGTRAQ:20020304 Apache-SSL 1.3.22+1.47 - update to security fix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101528358424306&w=2
Reference: CONFIRM:http://www.apacheweek.com/issues/02-03-01#security
Reference: BUGTRAQ:20020228 TSLSA-2002-0034 - apache
Reference: ENGARDE:ESA-20020301-005
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1923.html
Reference: CONECTIVA:CLA-2002:465
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000465
Reference: REDHAT:RHSA-2002:041
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-041.html
Reference: MANDRAKE:MDKSA-2002:020
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-020.php
Reference: REDHAT:RHSA-2002:042
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-042.html
Reference: DEBIAN:DSA-120
Reference: URL:http://www.debian.org/security/2002/dsa-120
Reference: HP:HPSBTL0203-031
Reference: URL:http://www.securityfocus.com/advisories/3965
Reference: HP:HPSBUX0204-190
Reference: URL:http://www.securityfocus.com/advisories/4008
Reference: CALDERA:CSSA-2002-011.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-011.0.txt
Reference: COMPAQ:SSRT0817
Reference: URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0817.shtml
Reference: BID:4189
Reference: URL:http://online.securityfocus.com/bid/4189
Reference: XF:apache-modssl-bo(8308)
Reference: URL:http://www.iss.net/security_center/static/8308.php

The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and
Apache-SSL before 1.3.22+1.46, does not properly initialize memory
using the i2d_SSL_SESSION function, which allows remote attackers to
use a buffer overflow to execute arbitrary code via a large client
certificate that is signed by a trusted Certificate Authority (CA),
which produces a large serialized session.


Modifications:
  ADDREF DEBIAN:DSA-120
  ADDREF HP:HPSBTL0203-031
  ADDREF HP:HPSBUX0204-190
  ADDREF CALDERA:CSSA-2002-011.0
  ADDREF COMPAQ:SSRT0817

INFERRED ACTION: CAN-2002-0082 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Frech, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> DEBIAN:DSA-120
   URL:http://www.debian.org/security/2002/dsa-120
   HP:HPSBTL0203-031
   URL:http://www.securityfocus.com/advisories/3965
   HP:HPSBUX0204-190
   URL:http://www.securityfocus.com/advisories/4008
   CALDERA:CSSA-2002-011.0
   URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-011.0.txt
   COMPAQ:SSRT0817
   http://ftp.support.compaq.com/patches/.new/html/SSRT0817.shtml


======================================================
Candidate: CAN-2002-0083
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0083
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020306
Category: SF
Reference: VULNWATCH:20020307 [VulnWatch] [PINE-CERT-20020301] OpenSSH off-by-one
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0060.html
Reference: BUGTRAQ:20020307 OpenSSH Security Advisory (adv.channelalloc)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101553908201861&w=2
Reference: BUGTRAQ:20020307 [PINE-CERT-20020301] OpenSSH off-by-one
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101552065005254&w=2
Reference: BUGTRAQ:20020308 [OpenPKG-SA-2002.002] OpenPKG Security Advisory (openssh)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101561384821761&w=2
Reference: BUGTRAQ:20020311 TSLSA-2002-0039 - openssh
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html
Reference: BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101586991827622&w=2
Reference: BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit
Reference: URL:http://online.securityfocus.com/archive/1/264657
Reference: CONFIRM:http://www.openbsd.org/advisories/ssh_channelalloc.txt
Reference: ENGARDE:ESA-20020307-007
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1937.html
Reference: SUSE:SuSE-SA:2002:009
Reference: URL:http://www.suse.de/de/support/security/2002_009_openssh_txt.html
Reference: CONECTIVA:CLA-2002:467
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000467
Reference: DEBIAN:DSA-119
Reference: URL:http://www.debian.org/security/2002/dsa-119
Reference: REDHAT:RHSA-2002:043
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-043.html
Reference: MANDRAKE:MDKSA-2002:019
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-019.php
Reference: NETBSD:NetBSD-SA2002-004
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc
Reference: CALDERA:CSSA-2002-SCO.10
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt
Reference: CALDERA:CSSA-2002-SCO.11
Reference: URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt
Reference: CALDERA:CSSA-2002-012.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-012.0.txt
Reference: FREEBSD:FreeBSD-SA-02:13
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc
Reference: HP:HPSBTL0203-029
Reference: URL:http://online.securityfocus.com/advisories/3960
Reference: XF:openssh-channel-error(8383)
Reference: URL:http://www.iss.net/security_center/static/8383.php
Reference: BID:4241
Reference: URL:http://www.securityfocus.com/bid/4241

Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2
allows local users or remote malicious servers to gain privileges.


Modifications:
  ADDREF BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
  ADDREF BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit
  ADDREF BID:4241
  ADDREF MANDRAKE:MDKSA-2002:019
  ADDREF BUGTRAQ:20020311 TSLSA-2002-0039 - openssh
  ADDREF NETBSD:NetBSD-SA2002-004
  ADDREF CALDERA:CSSA-2002-SCO.10
  ADDREF CALDERA:CSSA-2002-SCO.11
  ADDREF CALDERA:CSSA-2002-012.0
  ADDREF FREEBSD:FreeBSD-SA-02:13
  ADDREF XF:openssh-channel-error(8383)
  ADDREF HP:HPSBTL0203-029

INFERRED ACTION: CAN-2002-0083 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Frech, Ziese, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4241
 Christey> BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101586991827622&w=2
 Christey> BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit
   URL:http://online.securityfocus.com/archive/1/264657
   BID:4241
   URL:http://www.securityfocus.com/bid/4241
   MANDRAKE:MDKSA-2002:019
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-019.php
   BUGTRAQ:20020311 TSLSA-2002-0039 - openssh
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html
   BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
   URL:http://online.securityfocus.com/archive/1/260958
   NETBSD:NetBSD-SA2002-004
   URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc
   CALDERA:CSSA-2002-SCO.10
   URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt
   CALDERA:CSSA-2002-SCO.11
   URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt
   CALDERA:CSSA-2002-012.0
   URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-012.0.txt
   FREEBSD:FreeBSD-SA-02:13
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc
   XF:openssh-channel-error(8383)
   URL:http://www.iss.net/security_center/static/8383.php
   HP:HPSBTL0203-029
   URL:http://online.securityfocus.com/advisories/3960


======================================================
Candidate: CAN-2002-0092
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0092
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020308
Category: SF
Reference: VULN-DEV:20020220 Help needed with bufferoverflow in cvs
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101422243817321&w=2
Reference: VULN-DEV:20020220 Re: [Fwd: Help needed with bufferoverflow in cvs]
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101433077724524&w=2
Reference: DEBIAN:DSA-117
Reference: URL:http://www.debian.org/security/2002/dsa-117
Reference: REDHAT:RHSA-2002-026
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html
Reference: BID:4234
Reference: URL:http://www.securityfocus.com/bid/4234
Reference: XF:cvs-global-var-dos(8366)
Reference: URL:http://www.iss.net/security_center/static/8366.php

CVS before 1.10.8 does not properly initialize a global variable,
which allows remote attackers to cause a denial of service (server
crash) via the diff capability.


Modifications:
  ADDREF BID:4234
  ADDREF XF:cvs-global-var-dos(8366)

INFERRED ACTION: CAN-2002-0092 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Cole, Frech, Ziese, Green
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> Consider adding BID:4234
 Christey> BID:4234
   URL:http://www.securityfocus.com/bid/4234
   XF:cvs-global-var-dos(8366)
   URL:http://www.iss.net/security_center/static/8366.php


======================================================
Candidate: CAN-2002-0096
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0096
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020103 Vulnerability in new user creation in Geeklog 1.3
Reference: URL:http://www.securityfocus.com/archive/1/248367
Reference: CONFIRM:http://geeklog.sourceforge.net/index.php?topic=Security
Reference: BID:3783
Reference: URL:http://www.securityfocus.com/bid/3783
Reference: XF:geeklog-default-admin-privileges(7780)
Reference: URL:http://www.iss.net/security_center/static/7780.php

The installation of Geeklog 1.3 creates an extra group_assignments
record which is not properly deleted, which causes the first newly
created user to be added to the GroupAdmin and UserAdmin groups, which
could provide that user with administrative privileges that were not
intended.

INFERRED ACTION: CAN-2002-0096 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0097
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0097
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020110 Cookie modification allows unauthenticated user login in Geeklog 1.3
Reference: URL:http://online.securityfocus.com/archive/1/249443
Reference: CONFIRM:http://geeklog.sourceforge.net/index.php?topic=Security
Reference: BID:3844
Reference: URL:http://online.securityfocus.com/bid/3844
Reference: XF:geeklog-modify-auth-cookie(7869)
Reference: URL:http://www.iss.net/security_center/static/7869.php

Geeklog 1.3 allows remote attackers to hijack user accounts, including
the administrator account, by modifying the UID of a user's permanent
cookie to the target account.

INFERRED ACTION: CAN-2002-0097 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Foat, Cole, Frech, Ziese, Green
   NOOP(1) Wall

Voter Comments:
 CHANGE> [Green changed vote from REVIEWING to ACCEPT]
 Green> The security page at geeklog.sourceforge.net indicates
   acknowledgement of the vulnerability and it's resolution


======================================================
Candidate: CAN-2002-0098
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0098
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020105 BOOZT! Standard 's administration cgi vulnerable to buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101027773404836&w=2
Reference: BUGTRAQ:20020109 BOOZT! Standard CGI Vulnerability : Exploit Released
Reference: URL:http://online.securityfocus.com/archive/1/249219
Reference: CONFIRM:http://www.boozt.com/news_detail.php?id=3
Reference: BID:3787
Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3787
Reference: XF:boozt-long-name-bo(7790)
Reference: URL:http://www.iss.net/security_center/static/7790.php

Buffer overflow in index.cgi administration interface for Boozt!
Standard 0.9.8 allows local users to execute arbitrary code via a long
name field when creating a new banner.

INFERRED ACTION: CAN-2002-0098 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0107
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0107
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020108 svindel.net security advisory - web admin vulnerability in CacheOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101052887431488&w=2
Reference: BID:3841
Reference: URL:http://www.securityfocus.com/bid/3841
Reference: BUGTRAQ:20020205 RE: svindel.net security advisory - web admin vulnerability in Ca cheOS
Reference: URL:http://online.securityfocus.com/archive/1/254167
Reference: XF:cachos-insecure-web-interface(7835)
Reference: URL:http://www.iss.net/security_center/static/7835.php

Web administration interface in CacheFlow CacheOS 4.0.13 and earlier
allows remote attackers to obtain sensitive information via a series
of GET requests that do not end in with HTTP/1.0 or another version
string, which causes the information to be leaked in the error
message.

INFERRED ACTION: CAN-2002-0107 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0111
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0111
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020109 File Transversal Vulnerability in Dino's WebServer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101062213627501&w=2
Reference: BID:3861
Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3861
Reference: XF:dinos-webserver-directory-traversal(7853)
Reference: URL:http://www.iss.net/security_center/static/7853.php

Directory traversal vulnerability in Funsoft Dino's Webserver 1.2 and
earlier allows remote attackers to read files or execute arbitrary
commands via a .. (dot dot) in the URL.

INFERRED ACTION: CAN-2002-0111 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0115
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0115
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020110 Snort core dumped
Reference: URL:http://online.securityfocus.com/archive/1/249340
Reference: BUGTRAQ:20020110 Re: Snort core dumped
Reference: URL:http://online.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-03-08&end=2002-03-14&mid=249623&threads=1
Reference: BID:3849
Reference: URL:http://online.securityfocus.com/bid/3849
Reference: XF:snort-icmp-dos(7874)
Reference: URL:http://www.iss.net/security_center/static/7874.php

Snort 1.8.3 does not properly define the minimum ICMP header size,
which allows remote attackers to cause a denial of service (crash and
core dump) via a malformed ICMP packet.

INFERRED ACTION: CAN-2002-0115 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0117
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0117
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020108 CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]
Reference: URL:http://online.securityfocus.com/archive/1/249031
Reference: CONFIRM:http://www.yabbforum.com/
Reference: BID:3828
Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3828
Reference: XF:yabb-encoded-css(7840)
Reference: URL:http://www.iss.net/security_center/static/7840.php

Cross-site scripting vulnerability in Yet Another Bulletin Board
(YaBB) 1 Gold SP 1 and earlier allows remote attackers to execute
arbitrary script and steal cookies via a message containing encoded
Javascript in an IMG tag.


Modifications:
  ADDREF CONFIRM:http://www.yabbforum.com/

INFERRED ACTION: CAN-2002-0117 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(2) Frech, Green
   NOOP(4) Christey, Wall, Foat, Cole

Voter Comments:
 Christey> CONFIRM:http://www.yabbforum.com/
   The "Latest News" section has an entry for SP1 dated 4/11/02,
   which states: "New javascript in image tags vulnerability
   fixed"


======================================================
Candidate: CAN-2002-0121
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0121
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020113 PHP 4.x session spoofing
Reference: URL:http://online.securityfocus.com/archive/1/250196
Reference: BID:3873
Reference: URL:http://online.securityfocus.com/bid/3873
Reference: XF:php-session-temp-disclosure(7908)
Reference: URL:http://www.iss.net/security_center/static/7908.php

PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name
contains the session ID, which allows local users to hijack web
connections.

INFERRED ACTION: CAN-2002-0121 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Green
   NOOP(2) Wall, Balinsky


======================================================
Candidate: CAN-2002-0128
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0128
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020116 Sambar Webserver v5.1 DoS Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/250545
Reference: BUGTRAQ:20020206 Sambar Webserver Sample Script v5.1 DoS Vulnerability Exploit
Reference: URL:http://www.der-keiler.de/Mailing-Lists/securityfocus/bugtraq/2002-02/0083.html
Reference: CONFIRM:http://www.sambar.com/security.htm
Reference: BID:3885
Reference: URL:http://www.securityfocus.com/bid/3885
Reference: XF:sambar-cgitest-dos(7894)
Reference: URL:http://www.iss.net/security_center/static/7894.php

cgitest.exe in Sambar Server 5.1 before Beta 4 allows remote attackers
to cause a denial of service, and possibly execute arbitrary code, via
a long argument.

INFERRED ACTION: CAN-2002-0128 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0139
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0139
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020120 Bounce vulnerability in SpoonFTP 1.1.0.1
Reference: URL:http://online.securityfocus.com/archive/1/251422
Reference: CONFIRM:http://www.pi-soft.com/spoonftp/index.shtml
Reference: BID:3910
Reference: URL:http://online.securityfocus.com/bid/3910
Reference: XF:spoonftp-ftp-bounce(7943)
Reference: URL:http://www.iss.net/security_center/static/7943.php

Pi-Soft SpoonFTP 1.1 and earlier allows remote attackers to redirect
traffic to other sites (aka FTP bounce) via the PORT command.

INFERRED ACTION: CAN-2002-0139 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0143
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0143
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020113 Eterm SGID utmp Buffer Overflow (Local)
Reference: URL:http://online.securityfocus.com/archive/1/250145
Reference: BUGTRAQ:20020121 Re: Eterm SGID utmp Buffer Overflow (Local)
Reference: URL:http://online.securityfocus.com/archive/1/251597
Reference: BID:3868
Reference: URL:http://online.securityfocus.com/bid/3868
Reference: XF:eterm-home-bo(7896)
Reference: URL:http://www.iss.net/security_center/static/7896.php

Buffer overflow in Eterm of Enlightenment Imlib2 1.0.4 and earlier
allows local users to execute arbitrary code via a long HOME
environment variable.

INFERRED ACTION: CAN-2002-0143 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Cole, Frech, Ziese, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0151
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0151
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020404 NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request kernel overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101793727306282&w=2
Reference: VULNWATCH:20020404 NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request kernel overflow
Reference: MS:MS02-017
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-017.asp
Reference: XF:win-mup-bo(8752)
Reference: URL:http://www.iss.net/security_center/static/8752.php
Reference: BID:4426
Reference: URL:http://www.securityfocus.com/bid/4426

Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows
operating systems allows local users to cause a denial of service or
possibly gain SYSTEM privileges via a long UNC request.


Modifications:
  ADDREF XF:win-mup-bo(8752)
  ADDREF BID:4426

INFERRED ACTION: CAN-2002-0151 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Frech, Green
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> Consider adding BID:4426
 Christey> XF:win-mup-bo(8752)
   URL:http://www.iss.net/security_center/static/8752.php
   BID:4426
   URL:http://www.securityfocus.com/bid/4426


======================================================
Candidate: CAN-2002-0152
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0152
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020416 w00w00 on Microsoft IE/Office for Mac OS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101897994314015&w=2
Reference: MS:MS02-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-019.asp
Reference: XF:ms-mac-html-file-bo(8850)
Reference: URL:http://www.iss.net/security_center/static/8850.php
Reference: BID:4517
Reference: URL:http://www.securityfocus.com/bid/4517

Buffer overflow in various Microsoft applications for Macintosh allows
remote attackers to cause a denial of service (crash) or execute
arbitrary code by invoking the file:// directive with a large number
of / characters, which affects Internet Explorer 5.1, Outlook Express
5.0 through 5.0.2, Entourage v. X and 2001, PowerPoint v. X, 2001, and
98, and Excel v. X and 2001 for Macintosh.


Modifications:
  ADDREF XF:ms-mac-html-file-bo(8850)
  ADDREF BID:4517

INFERRED ACTION: CAN-2002-0152 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Frech, Green
   NOOP(3) Christey, Foat, Cox

Voter Comments:
 Christey> XF:ms-mac-html-file-bo(8850)
   URL:http://www.iss.net/security_center/static/8850.php
   BID:4517
   URL:http://www.securityfocus.com/bid/4517


======================================================
Candidate: CAN-2002-0153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0153
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020122 Macinosh IE file execuion
Reference: URL:http://www.securityfocus.com/archive/1/251805
Reference: MS:MS02-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-019.asp
Reference: XF:ie-mac-applescript-execution(8851)
Reference: URL:http://www.iss.net/security_center/static/8851.php
Reference: BID:3935
Reference: URL:http://www.securityfocus.com/bid/3935

Internet Explorer 5.1 for Macintosh allows remote attackers to bypass
security checks and invoke local AppleScripts within a specific HTML
element, aka the "Local Applescript Invocation" vulnerability.


Modifications:
  ADDREF BUGTRAQ:20020122 Macinosh IE file execuion
  ADDREF XF:ie-mac-applescript-execution(8851)
  ADDREF BID:3935

INFERRED ACTION: CAN-2002-0153 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Frech, Green
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:ie-mac-applescript-execution(8851)
   URL:http://www.iss.net/security_center/static/8851.php

   BID:3935
   BUGTRAQ:20020122 Macinosh IE file execuion
   URL:http://www.securityfocus.com/archive/1/251805


======================================================
Candidate: CAN-2002-0159
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0159
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020327
Category: SF
Reference: BUGTRAQ:20020403 iXsecurity.20020314.csadmin_fmt.a
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101787248913611&w=2
Reference: CISCO:20020403 Web Interface Vulnerabilities in Cisco Secure ACS for Windows
Reference: URL:http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml
Reference: XF:ciscosecure-acs-format-string(8742)
Reference: URL:http://www.iss.net/security_center/static/8742.php
Reference: BID:4416
Reference: URL:http://www.securityfocus.com/bid/4416

Format string vulnerability in the administration function in Cisco
Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and
3.x through 3.01 (build 40), allows remote attackers to crash the CSADMIN
module only (denial of service of administration function) or execute
arbitrary code via format strings in the URL to port 2002


Modifications:
  ADDREF XF:ciscosecure-acs-format-string(8742)
  ADDREF BID:4416

INFERRED ACTION: CAN-2002-0159 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Green
   NOOP(3) Christey, Wall, Cox

Voter Comments:
 Christey> XF:ciscosecure-acs-format-string(8742)
   URL:http://www.iss.net/security_center/static/8742.php
   BID:4416
   URL:http://www.securityfocus.com/bid/4416


======================================================
Candidate: CAN-2002-0160
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0160
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020327
Category: SF
Reference: BUGTRAQ:20020403 iXsecurity.20020316.csadmin_dir.a
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101786689128667&w=2
Reference: CISCO:20020403 Web Interface Vulnerabilities in Cisco Secure ACS for Windows
Reference: URL:http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml

The administration function in Cisco Secure Access Control Server
(ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40),
allows remote attackers to read HTML, Java class, and image files
outside the web root via a ..\.. (modified ..) in the URL to port
2002.

INFERRED ACTION: CAN-2002-0160 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Foat, Cole, Green
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2002-0166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0166
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020409
Category: SF
Reference: DEBIAN:DSA-125
Reference: URL:http://www.debian.org/security/2002/dsa-125
Reference: FREEBSD:FreeBSD-SN-02:02
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:02.asc
Reference: XF:analog-logfile-css(8656)
Reference: URL:http://www.iss.net/security_center/static/8656.php
Reference: BID:4389
Reference: URL:http://www.securityfocus.com/bid/4389

Cross-site scripting vulnerability in analog before 5.22 allows remote
attackers to execute Javascript via an HTTP request containing the
script, which is entered into a web logfile and not properly filtered
by analog during display.


Modifications:
  ADDREF XF:analog-logfile-css(8656)
  ADDREF BID:4389
  ADDREF FREEBSD:FreeBSD-SN-02:02

INFERRED ACTION: CAN-2002-0166 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Cole, Frech, Cox, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> XF:analog-logfile-css(8656)
   URL:http://www.iss.net/security_center/static/8656.php
   BID:4389
   URL:http://www.securityfocus.com/bid/4389
   FREEBSD:FreeBSD-SN-02:02
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:02.asc


======================================================
Candidate: CAN-2002-0167
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0167
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020410
Category: SF
Reference: REDHAT:RHSA-2002:048
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-048.html
Reference: CONECTIVA:CLA-2002:470
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000470
Reference: CALDERA:CSSA-2002-019.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt
Reference: MANDRAKE:MDKSA-2002:029
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php
Reference: SUSE:SuSE-SA:2002:015
Reference: URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html
Reference: BID:4339
Reference: URL:http://online.securityfocus.com/bid/4339

Imlib before 1.9.13 sometimes uses the NetPBM package to load trusted
images, which could allow attackers to cause a denial of service
(crash) and possibly execute arbitrary code via certain weaknesses of
NetPBM.


Modifications:
  ADDREF CALDERA:CSSA-2002-019.0
  ADDREF MANDRAKE:MDKSA-2002:029
  ADDREF SUSE:SuSE-SA:2002:015

INFERRED ACTION: CAN-2002-0167 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-019.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt
   MANDRAKE:MDKSA-2002:029
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php
   SUSE:SuSE-SA:2002:015
   URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html


======================================================
Candidate: CAN-2002-0168
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0168
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020410
Category: SF
Reference: REDHAT:RHSA-2002:048
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-048.html
Reference: CONECTIVA:CLA-2002:470
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000470
Reference: CALDERA:CSSA-2002-019.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt
Reference: MANDRAKE:MDKSA-2002:029
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php
Reference: SUSE:SuSE-SA:2002:015
Reference: URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html
Reference: BID:4336
Reference: URL:http://online.securityfocus.com/bid/4336

Vulnerability in Imlib before 1.9.13 allows attackers to cause a
denial of service (crash) and possibly execute arbitrary code by
manipulating arguments that are passed to malloc, which results in a
heap corruption.


Modifications:
  ADDREF CALDERA:CSSA-2002-019.0
  ADDREF MANDRAKE:MDKSA-2002:029
  ADDREF SUSE:SuSE-SA:2002:015

INFERRED ACTION: CAN-2002-0168 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Cox, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-019.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt
   MANDRAKE:MDKSA-2002:029
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php
   SUSE:SuSE-SA:2002:015
   URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html


======================================================
Candidate: CAN-2002-0175
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0175
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020415
Category: SF
Reference: BUGTRAQ:20020320 Bypassing libsafe format string protection
Reference: URL:http://online.securityfocus.com/archive/1/263121
Reference: VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
Reference: MANDRAKE:MDKSA-2002:026
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-026.php
Reference: BID:4326
Reference: URL:http://online.securityfocus.com/bid/4326
Reference: XF:libsafe-flagchar-protection-bypass(8593)
Reference: URL:http://www.iss.net/security_center/static/8593.php

libsafe 2.0-11 and earlier allows attackers to bypass protection
against format string vulnerabilities via format strings that use the
"'" and "I" characters, which are implemented in libc but not libsafe.


Modifications:
  ADDREF VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
  ADDREF XF:libsafe-flagchar-protection-bypass(8593)

INFERRED ACTION: CAN-2002-0175 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Frech, Green
   NOOP(3) Christey, Foat, Cox

Voter Comments:
 Christey> VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
   XF:libsafe-flagchar-protection-bypass(8593)
   URL:http://www.iss.net/security_center/static/8593.php


======================================================
Candidate: CAN-2002-0176
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0176
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020415
Category: SF
Reference: BUGTRAQ:20020320 Bypassing libsafe format string protection
Reference: URL:http://online.securityfocus.com/archive/1/263121
Reference: VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
Reference: MANDRAKE:MDKSA-2002:026
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-026.php
Reference: BID:4327
Reference: URL:http://online.securityfocus.com/bid/4327
Reference: XF:libsafe-argnum-protection-bypass(8594)
Reference: URL:http://www.iss.net/security_center/static/8594.php

The printf wrappers in libsafe 2.0-11 and earlier do not properly
handle argument indexing specifiers, which could allow attackers to
exploit certain function calls through arguments that are not verified
by libsafe.


Modifications:
  ADDREF VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
  ADDREF XF:libsafe-argnum-protection-bypass(8594)

INFERRED ACTION: CAN-2002-0176 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Frech, Green
   NOOP(3) Christey, Foat, Cox

Voter Comments:
 Christey> VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
   XF:libsafe-argnum-protection-bypass(8594)
   URL:http://www.iss.net/security_center/static/8594.php


======================================================
Candidate: CAN-2002-0179
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0179
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020417
Category: SF
Reference: DEBIAN:DSA-127
Reference: URL:http://www.debian.org/security/2002/dsa-127
Reference: BID:4534
Reference: URL:http://www.securityfocus.com/bid/4534
Reference: XF:xpilot-server-bo(8852)
Reference: URL:http://www.iss.net/security_center/static/8852.php

Buffer overflow in xpilot-server for XPilot 4.5.0 and earlier allows
remote attackers to execute arbitrary code.


Modifications:
  ADDREF BID:4534
  ADDREF XF:xpilot-server-bo(8852)

INFERRED ACTION: CAN-2002-0179 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Wall, Cole, Frech, Cox, Green
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> BID:4534
   URL:http://www.securityfocus.com/bid/4534
   XF:xpilot-server-bo(8852)
   URL:http://www.iss.net/security_center/static/8852.php


======================================================
Candidate: CAN-2002-0196
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0196
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020122 (Repost) CwpApi : GetRelativePath() returns invalid paths (security advisory)
Reference: URL:http://online.securityfocus.com/archive/1/251699
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=144966
Reference: BID:3924
Reference: URL:http://online.securityfocus.com/bid/3924
Reference: XF:cwpapi-getrelativepath-view-files(7981)
Reference: URL:http://www.iss.net/security_center/static/7981.php

GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the
server root is somewhere within the path, which could allow remote
attackers to read or write files outside of the web root, in other
directories whose path includes the web root.

INFERRED ACTION: CAN-2002-0196 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0197
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0197
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020122 psyBNC 2.3 Beta - encrypted text "spoofable" in others' irc terminals
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101173478806580&w=2
Reference: BUGTRAQ:20020122 psyBNC2.3 Beta - encrypted text spoofable in others irc terminal
Reference: URL:http://online.securityfocus.com/archive/1/251832
Reference: XF:psybnc-view-encrypted-messages(7985)
Reference: URL:http://www.iss.net/security_center/static/7985.php
Reference: BID:3931
Reference: URL:http://www.securityfocus.com/bid/3931

psyBNC 2.3 beta and earlier allows remote attackers to spoof
encrypted, trusted messages by sending lines that begin with the "[B]"
sequence, which makes the message appear legitimate.

INFERRED ACTION: CAN-2002-0197 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0207
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0207
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: VULN-DEV:20020105 RealPlayer Buffer Problem
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0044.html
Reference: BUGTRAQ:20020124 Potential RealPlayer 8 Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/252414
Reference: BUGTRAQ:20020124 RealPlayer Buffer Overflow [Sentinel Chicken Networks Security Advisory #01]
Reference: URL:http://online.securityfocus.com/archive/1/252425
Reference: MISC:http://sentinelchicken.com/advisories/realplayer/
Reference: BID:3809
Reference: URL:http://online.securityfocus.com/bid/3809
Reference: XF:realplayer-file-header-bo(7839)
Reference: URL:http://www.iss.net/security_center/static/7839.php

Buffer overflow in Real Networks RealPlayer 8.0 and earlier allows
remote attackers to execute arbitrary code via a header length value
that exceeds the actual length of the header.

INFERRED ACTION: CAN-2002-0207 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0209
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0209
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020125 Alteon ACEdirector signature/security bug
Reference: URL:http://online.securityfocus.com/archive/1/252455
Reference: BUGTRAQ:20020312 Re: Alteon ACEdirector signature/security bug
Reference: URL:http://online.securityfocus.com/archive/1/261548
Reference: BID:3964
Reference: URL:http://online.securityfocus.com/bid/3964
Reference: XF:acedirector-http-reveal-ip(8010)
Reference: URL:http://www.iss.net/security_center/static/8010.php

Nortel Alteon ACEdirector WebOS 9.0, with the Server Load Balancing
(SLB) and Cookie-Based Persistence features enabled, allows remote
attackers to determine the real IP address of a web server with a
half-closed session, which causes ACEdirector to send packets from the
server without changing the address to the virtual IP address.

INFERRED ACTION: CAN-2002-0209 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0211
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020126 Vulnerability report for Tarantella Enterprise 3.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101208650722179&w=2
Reference: BUGTRAQ:20020404 Exploit for Tarantella Enterprise 3 installation (BID 3966)
Reference: URL:http://online.securityfocus.com/archive/1/265845
Reference: CONFIRM:http://www.tarantella.com/security/bulletin-04.html
Reference: BID:3966
Reference: URL:http://online.securityfocus.com/bid/3966
Reference: XF:tarantella-gunzip-tmp-race(7996)
Reference: URL:http://www.iss.net/security_center/static/7996.php

Race condition in the installation script for Tarantella Enterprise 3
3.01 through 3.20 creates a world-writeable temporary "gunzip" program
before executing it, which could allow local users to execute
arbitrary commands by modifying the program before it is executed.

INFERRED ACTION: CAN-2002-0211 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0226
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0226
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020201 Vulnerability in all versions of DCForum from dcscripts.com
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101258311519504&w=2
Reference: CONFIRM:http://www.dcscripts.com/bugtrac/DCForumID7/3.html
Reference: BID:4014
Reference: URL:http://www.securityfocus.com/bid/4014
Reference: XF:dcforum-cgi-recover-passwords(8044)
Reference: URL:http://www.iss.net/security_center/static/8044.php

retrieve_password.pl in DCForum 6.x and 2000 generates predictable new
passwords based on a sessionID, which allows remote attackers to
request a new password on behalf of another user and use the sessionID
to calculate the new password for that user.

INFERRED ACTION: CAN-2002-0226 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0237
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0237
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020209 ALERT: ISS BlackICE Kernel Overflow Exploitable
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101321744807452&w=2
Reference: BUGTRAQ:20020204 Vulnerability in Black ICE Defender
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101286393404301&w=2
Reference: NTBUGTRAQ:20020209 ALERT: ISS BlackICE Kernel Overflow Exploitable
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101353165915171&w=2
Reference: BUGTRAQ:20020206 Black ICE Ping Vulnerability Side Note
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101302424803268&w=2
Reference: ISS:20020204 DoS and Potential Overflow Vulnerability in BlackICE Products
Reference: URL:http://www.iss.net/security_center/alerts/advise109.php
Reference: BID:4025
Reference: URL:http://online.securityfocus.com/bid/4025
Reference: XF:blackice-ping-flood-dos(8058)
Reference: URL:http://www.iss.net/security_center/static/8058.php

Buffer overflow in ISS BlackICE Defender 2.9 and earlier, BlackICE
Agent 3.0 and 3.1, and RealSecure Server Sensor 6.0.1 and 6.5 allow
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a flood of large ICMP ping packets.

INFERRED ACTION: CAN-2002-0237 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(4) Wall, Cole, Frech, Green
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0251
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0251
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020206 -Possible- licq D.o.S
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301254432079&w=2
Reference: BUGTRAQ:20020208 RE: -Possible- licq D.o.S
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101318594420200&w=2
Reference: BID:4036
Reference: URL:http://www.securityfocus.com/bid/4036
Reference: XF:licq-static-bo(8107)
Reference: URL:http://www.iss.net/security_center/static/8107.php

Buffer overflow in licq 1.0.4 and earlier allows remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via a long string of format string characters such as "%d".

INFERRED ACTION: CAN-2002-0251 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Cole, Frech, Cox
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2002-0265
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0265
Final-Decision: 20020625
Interim-Decision: 20020617
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020211 Vulnerability in Sawmill for  Solaris v. 6.2.14
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101346206921270&w=2
Reference: CONFIRM:http://www.sawmill.net/version_history.html
Reference: BID:4077
Reference: URL:http://www.securityfocus.com/bid/4077
Reference: XF:sawmill-admin-password-insecure(8173)
Reference: URL:http://www.iss.net/security_center/static/8173.php

Sawmill for Solaris 6.2.14 and earlier creates the AdminPassword file
with world-writable permissions, which allows local users to gain
privileges by modifying the file.

INFERRED ACTION: CAN-2002-0265 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(3) Wall, Cole, Frech
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2002-1056
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1056
Final-Decision: 20020625
Interim-Decision: 20020617
Modified: 20020616-01
Proposed: 20020502
Assigned: 20020426
Category: SF
Reference: BUGTRAQ:20020331 More Office XP Problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101760380418890&w=2
Reference: BUGTRAQ:20020403 More Office XP problems (Version 2.0)
Reference: URL:http://online.securityfocus.com/archive/1/265621
Reference: MS:MS02-021
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-021.asp
Reference: BID:4397
Reference: URL:http://online.securityfocus.com/bid/4397
Reference: XF:outlook-object-execute-script(8708)
Reference: URL:http://www.iss.net/security_center/static/8708.php

Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word
as the email editor, does not block scripts that are used while
editing email messages in HTML or Rich Text Format (RTF), which could
allow remote attackers to execute arbitrary scripts via an email that
the user forwards or replies to.


Modifications:
  ADDREF BUGTRAQ:20020403 More Office XP problems (Version 2.0)
  ADDREF XF:outlook-object-execute-script(8708)

INFERRED ACTION: CAN-2002-1056 FINAL (Final Decision 20020625)

Current Votes:
   ACCEPT(5) Green, Wall, Foat, Cole, Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BUGTRAQ:20020403 More Office XP problems (Version 2.0)
   URL:http://online.securityfocus.com/archive/1/265621
   XF:outlook-object-execute-script(8708)
   URL:http://www.iss.net/security_center/static/8708.php

 
Page Last Updated: May 22, 2007