[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[INTERIM] ACCEPT 350 candidates (Final April 2)



I have made an Interim Decision to ACCEPT the following 350
candidates.

I will make a Final Decision on April 2.

The following Editorial Board members voted on these candidates:

  Ozancin ACCEPT(1)
  Green ACCEPT(90) MODIFY(2) NOOP(1)
  Magdych NOOP(1)
  LeBlanc NOOP(2)
  Cole ACCEPT(335) NOOP(14)
  Jones ACCEPT(4) MODIFY(9) NOOP(2)
  Balinsky ACCEPT(2) NOOP(2)
  Foat ACCEPT(82) MODIFY(3) NOOP(263)
  Cox ACCEPT(48) MODIFY(19) NOOP(239)
  Christey NOOP(136)
  Wall ACCEPT(118) NOOP(221)
  Ziese ACCEPT(8) NOOP(3)
  Levy ACCEPT(3)
  Frech ACCEPT(110) MODIFY(104)
  Alderson ACCEPT(31)
  Stracener ACCEPT(1)
  Baker ACCEPT(279)
  Prosser ACCEPT(3)
  Armstrong ACCEPT(159) NOOP(17)


======================================================
Candidate: CAN-1999-1337
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1337
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990801 midnight commander vulnerability(?) (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93370073207984&w=2
Reference: XF:midnight-commander-data-disclosure(9873)
Reference: URL:http://www.iss.net/security_center/static/9873.php

FTP client in Midnight Commander (mc) before 4.5.11 stores usernames
and passwords for visited sites in plaintext in the world-readable
history file, which allows other local users to gain privileges.


Modifications:
  ADDREF XF:midnight-commander-data-disclosure(9873)

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-1999-1337 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> (Task 1765)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:midnight-commander-data-disclosure(9873)


======================================================
Candidate: CAN-1999-1468
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1468
Final-Decision:
Interim-Decision: 20030326
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: MISC:http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html
Reference: CERT:CA-91.20
Reference: URL:http://www.cert.org/advisories/CA-91.20.rdist.vulnerability
Reference: BID:31
Reference: URL:http://www.securityfocus.com/bid/31
Reference: XF:rdist-popen-gain-privileges(7160)
Reference: URL:http://www.iss.net/security_center/static/7160.php

rdist in various UNIX systems uses popen to execute sendmail, which
allows local users to gain root privileges by modifying the IFS
(Internal Field Separator) variable.


Modifications:
  ADDREF XF:rdist-popen-gain-privileges(7160)
  CHANGEREF MISC [change url]

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-1999-1468 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:rdist-popen-gain-privileges(7160)
   MISC reference is dead. Alternative:
   http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-01.html
 Christey> It is unclear whether this is addressed by SUN:00115,
   SUN:00110, both, or neither.


======================================================
Candidate: CAN-1999-1490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1490
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19980528 ALERT: Tiresome security hole in "xosview", RedHat5.1?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926021&w=2
Reference: BUGTRAQ:19980529 Re: Tiresome security hole in "xosview" (xosexp.c)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926034&w=2
Reference: BID:362
Reference: URL:http://www.securityfocus.com/bid/362
Reference: XF:linux-xosview-bo(8787)
Reference: URL:http://www.iss.net/security_center/static/8787.php

xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access
via a long HOME environmental variable.


Modifications:
  ADDREF XF:linux-xosview-bo(8787)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-1999-1490 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> (ACCEPT; Task 2354)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-xosview-bo(8787)


======================================================
Candidate: CAN-2000-0502
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0502
Final-Decision:
Interim-Decision: 20030326
Modified: 20020222-01
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000607 Mcafee Alerting DOS vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0038.html
Reference: BID:1326
Reference: URL:http://www.securityfocus.com/bid/1326
Reference: XF:mcafee-alerting-dos(4641)
Reference: URL:http://xforce.iss.net/static/4641.php

Mcafee VirusScan 4.03 does not properly restrict access to the alert
text file before it is sent to the Central Alert Server, which allows
local users to modify alerts in an arbitrary fashion.


Modifications:
  ADDREF XF:mcafee-alerting-dos(4641)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0502 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Ozancin, Levy, Wall
   MODIFY(1) Frech
   NOOP(1) LeBlanc

Voter Comments:
 Frech> XF:mcafee-alerting-dos(4641)
 CHANGE> [Wall changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2000-0590
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0590
Final-Decision:
Interim-Decision: 20030326
Modified: 20010910-01
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000706 Vulnerability in Poll_It cgi v2.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0076.html
Reference: BID:1431
Reference: URL:http://www.securityfocus.com/bid/1431
Reference: XF:http-cgi-pollit-variable-overwrite(4878)
Reference: URL:http://xforce.iss.net/static/4878.php

Poll It 2.0 CGI script allows remote attackers to read arbitrary files
by specifying the file name in the data_dir parameter.


Modifications:
  ADDREF XF:http-cgi-pollit-variable-overwrite(4878)

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: Inquiry sent to
http://www.cgi-world.com/cgi-bin/forms/forms.cgi on 2/22/2002.
Confirmed by vendor on 2/22/2002.

INFERRED ACTION: CAN-2000-0590 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Levy, Cole
   MODIFY(1) Frech
   NOOP(4) Magdych, LeBlanc, Wall, Christey

Voter Comments:
 Frech> XF;http-cgi-pollit-variable-overwrite(4878)
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]
 Christey> MISC:http://www.cgi-world.com/download/pollit.html
   An item on October 24, 2000 says "Updated to Version 2.05 from
   2.0 to Fix Security Issues" but it's not clear whether it's
   related to *this* security issue; it's probably talking
   about CVE-2000-1068/1069/1070.
   Inquiry sent to http://www.cgi-world.com/cgi-bin/forms/forms.cgi
   on 2/22/2002.  Confirmed by vendor on 2/22/2002.


======================================================
Candidate: CAN-2000-1210
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1210
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20000322 Security bug in Apache project: Jakarta Tomcat
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95371672300045&w=2
Reference: XF:apache-tomcat-file-contents(4205)
Reference: URL:http://www.iss.net/security_center/static/4205.php

Directory traversal vulnerability in source.jsp of Apache Tomcat
before 3.1 allows remote attackers to read arbitrary files via a ..
(dot dot) in the argument to source.jsp.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2000-1210 ACCEPT (6 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Frech, Cox, Cole, Armstrong, Green
   NOOP(2) Wall, Foat

Voter Comments:
 Green> APPEARS TO BE ACKNOWLEDGED IN APACHE'S BUGZILLA (#93 SEEMS CLOSE)


======================================================
Candidate: CAN-2000-1211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1211
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20001222 Zope DTML Role Issue
Reference: REDHAT:RHSA-2000:125
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2000-12-08/security_alert
Reference: MANDRAKE:MDKSA-2000:083
Reference: URL:http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-083.php3
Reference: XF:zope-legacy-names(5824)
Reference: URL:http://www.iss.net/security_center/static/5824.php

Zope 2.2.0 through 2.2.4 does not properly perform security
registration for legacy names of object constructors such as DTML
method objects, which could allow attackers to perform unauthorized
activities.


Modifications:
  ADDREF XF:zope-legacy-names(5824)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2000-1211 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Cox> ADDREF:REDHAT:RHSA-2000:125
 Frech> XF:zope-legacy-names(5824)


======================================================
Candidate: CAN-2000-1212
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1212
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: MANDRAKE:MDKSA-2000:086
Reference: CONECTIVA:CLA-2000:365
Reference: DEBIAN:DSA-007
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2000-12-18/security_alert
Reference: REDHAT:RHSA-2000:135
Reference: XF:zope-image-file(5778)

Zope 2.2.0 through 2.2.4 does not properly protect a data updating
method on Image and File objects, which allows attackers with DTML
editing privileges to modify the raw data of these objects.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2000-1212 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Frech, Cox, Cole, Armstrong, Green
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-0724
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0724
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-02
Proposed: 20020131
Assigned: 20010927
Category: SF
Reference: MS:MS01-055
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-055.asp
Reference: XF:ie-incorrect-security-zone-variant(8471)

Internet Explorer 5.5 allows remote attackers to bypass security
restrictions via malformed URLs that contain dotless IP addresses,
which causes Internet Explorer to process the page in the Intranet
Zone, which may have fewer security restrictions, aka the "Zone
Spoofing Vulnerability variant" of CVE-2001-0664.


Modifications:
  ADDREF XF:ie-incorrect-security-zone-variant(8471)
  DESC Change "CAN" to "CVE" in description.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0724 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Baker
   MODIFY(1) Frech

Voter Comments:
 Frech> (ACCEPT)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ie-incorrect-security-zone-variant(8471)


======================================================
Candidate: CAN-2001-0748
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0748
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010531 Acme.Server v1.7 of 13nov96 Directory Browsing
Reference: URL:http://www.securityfocus.com/archive/1/188141
Reference: XF:acme-serve-directory-traversal(6634)
Reference: URL:http://www.iss.net/security_center/static/6634.php
Reference: CISCO:20020702 Cisco Secure ACS Unix Acme.server Information Disclosure Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/acmeweb-acsunix-dirtravers-vuln-pub.shtml
Reference: BID:2809
Reference: URL:http://www.securityfocus.com/bid/2809

Acme.Serve 1.7, as used in Cisco Secure ACS Unix and possibly other
products, allows remote attackers to read arbitrary files by
prepending several / (slash) characters to the URI.


Modifications:
  ADDREF XF:acme-serve-directory-traversal(6634)
  ADDREF CISCO:20020702 Cisco Secure ACS Unix Acme.server Information Disclosure Vulnerability
  DESC replace "." with "/"; change spelling
  ADDREF BID:2809

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-0748 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Armstrong
   MODIFY(1) Frech
   NOOP(4) Wall, Foat, Cole, Christey

Voter Comments:
 Frech> XF:acme-serve-directory-traversal(6634)
 Christey> Change description to say "Acme.Serve".  The original
   discloser spelled it 2 different ways.
 Christey> Description: Is it . or slash?
 Christey> Acknowledged by Cisco (!):
   CISCO:20020702 Cisco Secure ACS Unix Acme.server Information Disclosure Vulnerability
   URL:http://www.cisco.com/warp/public/707/acmeweb-acsunix-dirtravers-vuln-pub.shtml
   This affects Cisco Secure ACS Unix installation, and Cisco
   reports that it's due to multiple / at the end.


======================================================
Candidate: CAN-2001-0763
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0763
Final-Decision:
Interim-Decision: 20030326
Modified: 20020821-03
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010608 potential buffer overflow in xinetd-2.1.8.9pre11-1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-06/0064.html
Reference: CONECTIVA:CLA-2001:404
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000404
Reference: DEBIAN:DSA-063
Reference: URL:http://www.debian.org/security/2001/dsa-063
Reference: SUSE:SA:2001:022
Reference: URL:http://lists.suse.com/archives/suse-security-announce/2001-Jun/0002.html
Reference: IMMUNIX:IMNX-2001-70-024-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-024-01
Reference: ENGARDE:ESA-20010621-01
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1469.html
Reference: CIAC:L-104
Reference: URL:http://www.ciac.org/ciac/bulletins/l-104.shtml
Reference: REDHAT:RHSA-2001:075
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-075.html
Reference: FREEBSD:FreeBSD-SA-01:47
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:47.xinetd.asc
Reference: XF:xinetd-identd-bo(6670)
Reference: URL:http://xforce.iss.net/static/6670.php
Reference: BID:2840
Reference: URL:http://www.securityfocus.com/bid/2840

Buffer overflow in Linux xinetd 2.1.8.9pre11-1 and earlier may allow
remote attackers to execute arbitrary code via a long ident response,
which is not properly handled by the svc_logprint function.


Modifications:
  ADDREF XF:xinetd-identd-bo(6670)
  ADDREF BID:2840
  ADDREF IMMUNIX:IMNX-2001-70-029-01
  ADDREF ENGARDE:ESA-20010621-01
  ADDREF CIAC:L-104
  ADDREF REDHAT:RHSA-2001:075
  ADDREF FREEBSD:FreeBSD-SA-01:47
  ADDREF CONECTIVA:CLA-2001:404
  DELREF CONECTIVA:CLA-2001:406
  CHANGEREF IMMUNIX:IMNX-2001-70-024-01

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0763 ACCEPT (5 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Armstrong, Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Christey

Voter Comments:
 Frech> XF:xinetd-identd-bo(6670)
 Christey> Need to sift through the references to make sure they're
   correct and appropriately distinguish from CAN-2001-0825.
 Christey> ADDREF CONECTIVA:CLA-2001:404
 Christey> ADDREF FREEBSD:FreeBSD-SA-01:47
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:47.xinetd.asc
   DELREF CONECTIVA:CLA-2001:406 (that's for CAN-2001-0825)
   ADDREF CONECTIVA:CLA-2001:404
   DELREF IMMUNIX:IMNX-2001-70-029-01 (that's for CAN-2001-0825)
   ADDREF IMMUNIX:IMNX-2001-70-024-01


======================================================
Candidate: CAN-2001-0873
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0873
Final-Decision:
Interim-Decision: 20030326
Modified: 20020818-01
Proposed: 20020131
Assigned: 20011206
Category: SF
Reference: BUGTRAQ:20010908 Multiple vendor 'Taylor UUCP' problems.
Reference: URL:http://www.securityfocus.com/archive/1/212892
Reference: BUGTRAQ:20011130 Redhat 7.0 local root (via uucp) (attempt 2)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100715446131820
Reference: CALDERA:CSSA-2001-033.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-033.0.txt
Reference: CONECTIVA:CLA-2001:425
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000425
Reference: SUSE:SuSE-SA:2001:38
Reference: URL:http://www.suse.de/de/support/security/2001_038_uucp_txt.txt
Reference: BID:3312
Reference: URL:http://www.securityfocus.com/bid/3312
Reference: XF:uucp-argument-gain-privileges(7099)
Reference: URL:http://xforce.iss.net/static/7099.php
Reference: REDHAT:RHSA-2001:165
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-165.html

uuxqt in Taylor UUCP package does not properly remove dangerous long
options, which allows local users to gain privileges by calling uux
and specifying an alternate configuration file with the --config
option.


Modifications:
  ADDREF REDHAT:RHSA-2001:165

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0873 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Christey> ADDREF CONECTIVA:CLA-2002:463
 Christey> No wait, scratch CONECTIVA:CLA-2002:463...  It only mentions this
   older vulnerability.
 Christey> REDHAT:RHSA-2001:165 (per Mark Cox)


======================================================
Candidate: CAN-2001-0891
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0891
Final-Decision:
Interim-Decision: 20030326
Modified: 20020616-01
Proposed: 20020131
Assigned: 20020116
Category: SF
Reference: BUGTRAQ:20011127 UNICOS LOCAL HOLE ALL VERSIONS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100695627423924&w=2
Reference: SGI:20020101-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020101-01-I
Reference: XF:unicos-nqsd-format-string(7618)

Format string vulnerability in NQS daemon (nqsdaemon) in NQE 3.3.0.16
for CRAY UNICOS and SGI IRIX allows a local user to gain root
privileges by using qsub to submit a batch job whose name contains
formatting characters.


Modifications:
  ADDREF XF:unicos-nqsd-format-string(7618)
  DESC Add SGI IRIX versions

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0891 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Frech> XF:unicos-nqsd-format-string(7618)
 Christey> Change desc to include SGI versions


======================================================
Candidate: CAN-2001-0921
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0921
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011121 Mac Netscape password fields
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100638816318705&w=2
Reference: XF:macos-netscape-print-passwords(7593)
Reference: URL:http://xforce.iss.net/static/7593.php
Reference: BID:3565
Reference: URL:http://www.securityfocus.com/bid/3565

Netscape 4.79 and earlier for MacOS allows an attacker with access to
the browser to obtain passwords from form fields by printing the
document into which the password has been typed, which is printed in
cleartext.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0921 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Foat, Cole, Frech
   NOOP(2) Wall, Armstrong


======================================================
Candidate: CAN-2001-0959
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0959
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010915 ARCserve 6.61 Share Access Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0137.html
Reference: MISC:http://support.ca.com/Download/patches/asitnt/QO00945.html
Reference: BID:3342
Reference: URL:http://www.securityfocus.com/bid/3342
Reference: XF:arcserve-aremote-plaintext(7122)
Reference: URL:http://www.iss.net/security_center/static/7122.php

Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0
creates a hidden share named ARCSERVE$, which allows remote attackers
to obtain sensitive information and overwrite critical files.


Modifications:
  ADDREF XF:arcserve-aremote-plaintext(7122)

Analysis
--------
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: document QO00945, dated September 14, states that it
"addresses a potential security vulnerability in ARCserve 2000 when
performing full backups," which may be a vague acknowledgement of the
problem. Followup posts to the original Bugtraq post do not say that
the patch does NOT fix the problem, so the combination of these
implicit or vague clues may be sufficient to determine that the vendor
has fixed the problem and, by extension, acknowledged it.

INFERRED ACTION: CAN-2001-0959 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Cole
   MODIFY(2) Green, Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Green> VENDOR ACKNOWLEDGEMENT VAGUE
 Frech> XF:arcserve-aremote-plaintext(7122)


======================================================
Candidate: CAN-2001-0960
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0960
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20010915 ARCserve 6.61 Share Access Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0137.html
Reference: MISC:http://support.ca.com/Download/patches/asitnt/QO00945.html
Reference: XF:arcserve-aremote-plaintext(7122)
Reference: URL:http://xforce.iss.net/static/7122.php
Reference: BID:3343
Reference: URL:http://www.securityfocus.com/bid/3343

Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0
stores the backup agent user name and password in cleartext in the
aremote.dmp file in the ARCSERVE$ hidden share, which allows local and
remote attackers to gain privileges.

Analysis
--------
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: document QO00945, dated September 14, states that it
"addresses a potential security vulnerability in ARCserve 2000 when
performing full backups," which may be a vague acknowledgement of the
problem. Followup posts to the original Bugtraq post do not say that
the patch does NOT fix the problem, so the combination of these
implicit or vague clues may be sufficient to determine that the vendor
has fixed the problem and, by extension, acknowledged it.

INFERRED ACTION: CAN-2001-0960 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Frech
   MODIFY(1) Green
   NOOP(2) Wall, Foat

Voter Comments:
 Green> VENDOR ACKNOWLEDGEMENT MISSING


======================================================
Candidate: CAN-2001-0978
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0978
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: HPBUG:PHCO_17719
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q3/0052.html
Reference: HPBUG:PHCO_24454
Reference: BID:3289
Reference: URL:http://www.securityfocus.com/bid/3289
Reference: XF:hpux-login-btmp(8632)
Reference: URL:http://www.iss.net/security_center/static/8632.php

login in HP-UX 10.26 does not record failed login attempts in
/var/adm/btmp, which could allow attackers to conduct brute force
password guessing attacks without being detected or observed using the
lastb program.


Modifications:
  ADDREF XF:hpux-login-btmp(8632)

Analysis
--------
Vendor Acknowledgement: yes patch

INFERRED ACTION: CAN-2001-0978 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:hpux-login-btmp(8632)


======================================================
Candidate: CAN-2001-1008
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1008
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010824 Java Plugin 1.4 with JRE 1.3 -> Ignores certificates.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0359.html
Reference: BID:3245
Reference: URL:http://www.securityfocus.com/bid/3245
Reference: XF:javaplugin-jre-expired-certificate(7048)
Reference: URL:http://www.iss.net/security_center/static/7048.php

Java Plugin 1.4 for JRE 1.3 executes signed applets even if the
certificate is expired, which could allow remote attackers to conduct
unauthorized activities via an applet that has been signed by an
expired certificate.


Modifications:
  ADDREF XF:javaplugin-jre-expired-certificate(7048)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1008 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Armstrong

Voter Comments:
 Frech> XF:javaplugin-jre-expired-certificate(7048)


======================================================
Candidate: CAN-2001-1028
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1028
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: REDHAT:RHSA-2001:072
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-072.html
Reference: XF:man-ultimate-source-bo(8622)
Reference: URL:http://www.iss.net/security_center/static/8622.php

Buffer overflow in ultimate_source function of man 1.5 and earlier
allows local users to gain privileges.


Modifications:
  ADDREF XF:man-ultimate-source-bo(8622)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1028 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:man-ultimate-source-bo(8622)


======================================================
Candidate: CAN-2001-1036
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1036
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010801 Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
Reference: URL:http://www.securityfocus.com/archive/1/200991
Reference: XF:locate-command-execution(6932)
Reference: URL:http://xforce.iss.net/static/6932.php
Reference: BID:3127
Reference: URL:http://www.securityfocus.com/bid/3127

GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 allows local
users to gain privileges via an old formatted filename database
(locatedb) that contains an entry with an out-of-range offset, which
causes locate to write to arbitrary process memory.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1036 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Frech
   NOOP(3) Wall, Foat, Armstrong


======================================================
Candidate: CAN-2001-1059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1059
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20010730 vmware bug?
Reference: URL:http://www.securityfocus.com/archive/1/200455
Reference: BID:3119
Reference: URL:http://www.securityfocus.com/bid/3119
Reference: XF:vmware-obtain-license-info(6925)
Reference: URL:http://xforce.iss.net/static/6925.php

VMWare creates a temporary file vmware-log.USERNAME with insecure
permissions, which allows local users to read or modify license
information.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1059 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Green, Frech
   NOOP(2) Wall, Armstrong


======================================================
Candidate: CAN-2001-1106
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1106
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20010725 Sambar Server password decryption
Reference: URL:http://www.securityfocus.com/archive/1/199418
Reference: BID:3095
Reference: URL:http://www.securityfocus.com/bid/3095
Reference: XF:sambar-insecure-passwords(6909)
Reference: URL:http://xforce.iss.net/static/6909.php

The default configuration of Sambar Server 5 and earlier uses a
symmetric key that is compiled into the binary program for encrypting
passwords, which could allow local users to break all user passwords
by cracking the key or modifying a copy of the sambar program to call
the decryption procedure.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-1106 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Frech, Ziese
   NOOP(5) Wall, Foat, Cole, Armstrong, Christey

Voter Comments:
 Green> There is vendor acknowledgement in http://www.security.nnov.ru/advisories/sambarpass.asp
 Christey> For CVE's purposes, I do not count a vendor quote or excerpt
   from a third party as acknowledgement.


======================================================
Candidate: CAN-2001-1145
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1145
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: NETBSD:NetBSD-SA2001-016
Reference: URL:http://archives.neohapsis.com/archives/netbsd/2001-q3/0204.html
Reference: FREEBSD:FreeBSD-SA-01:40
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:40.fts.v1.1.asc
Reference: OPENBSD:20010530 029: SECURITY FIX: May 30, 2001
Reference: URL:http://www.openbsd.org/errata28.html
Reference: BID:3205
Reference: URL:http://online.securityfocus.com/bid/3205
Reference: XF:bsd-fts-race-condition(8715)
Reference: URL:http://www.iss.net/security_center/static/8715.php

fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and
OpenBSD 2.9 and earlier can be forced to change (chdir) into a
different directory than intended when the directory above the current
directory is moved, which could cause scripts to perform dangerous
actions on the wrong directories.


Modifications:
  ADDREF XF:bsd-fts-race-condition(8715)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1145 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Baker, Ziese
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:bsd-fts-race-condition(8715)


======================================================
Candidate: CAN-2001-1251
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1251
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010629 4 New vulns. vWebServer and SmallHTTP
Reference: URL:http://online.securityfocus.com/archive/1/194418
Reference: BID:2980
Reference: URL:http://online.securityfocus.com/bid/2980
Reference: XF:vwebserver-long-url-dos(6771)
Reference: URL:http://www.iss.net/security_center/static/6771.php

SmallHTTP 1.204 through 3.00 beta 8 allows remote attackers to cause a
denial of service via multiple long URL requests.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

Discloser claims "all versions vulnerable" but only lists 2.x and 3.x,
not 1.x.  The lowest version listed (1.204) and the highest
version up to the post date (3.00 beta 8) were chosen.

INFERRED ACTION: CAN-2001-1251 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Frech
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1291
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1291
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010712 3Com TelnetD
Reference: URL:http://www.securityfocus.com/archive/1/196957
Reference: XF:3com-telnetd-brute-force(6855)
Reference: URL:http://xforce.iss.net/static/6855.php
Reference: BID:3034
Reference: URL:http://www.securityfocus.com/bid/3034

The telnet server for 3Com hardware such as PS40 SuperStack II does
not delay or disconnect remote attackers who provide an incorrect
username or password, which makes it easier to break into the server
via brute force password guessing.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1291 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Frech
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1296
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1296
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: MISC:http://www.moregroupware.org/index.php?action=detail&news_id=24
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php
Reference: BID:3383
Reference: URL:http://www.securityfocus.com/bid/3383

More.groupware PHP script allows remote attackers to include arbitrary
files from remote web sites via an HTTP request that sets the
includedir variable.

Analysis
--------
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: the release notes dated October 31, 2001 say that the
new release includes "some neat security fixes," but it is unclear
whether the vendor is fixing *this* issue.

INFERRED ACTION: CAN-2001-1296 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Frech
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1301
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1301
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010807 rcs2log
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0093.html
Reference: CONFIRM:http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/lib-src/rcs2log?only_with_tag=EMACS_PRETEST_21_0_95
Reference: XF:rcs2log-tmp-symlink(11210)
Reference: URL:http://www.iss.net/security_center/static/11210.php

rcs2log, as used in Emacs 20.4, xemacs 21.1.10 and other versions
before 21.4, and possibly other packages, allows local users to modify
files of other users via a symlink attack on a temporary file.


Modifications:
  ADDREF CONFIRM:http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/lib-src/rcs2log?only_with_tag=EMACS_PRETEST_21_0_95
  ADDREF XF:rcs2log-tmp-symlink(11210)
  DESC change versions

Analysis
--------
Vendor Acknowledgement: yes cve-vote

INFERRED ACTION: CAN-2001-1301 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Green
   MODIFY(2) Frech, Cox
   NOOP(3) Wall, Foat, Cole

Voter Comments:
 Frech> Task xxxx.
 CHANGE> [Cox changed vote from REVIEWING to MODIFY]
 Cox> Addref:
   http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/lib-src/rcs2log?only_with_tag=EMACS_PRETEST_21_0_95

   This was public at least as far back as 28 September 1998, this is the
   date that the Red Hat emacs package was given a patch for this issue.
 Cox> Description currently says "xemacs 21.1.10" and it would be
   more correct to say "xemacs before version 21.4"
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:rcs2log-tmp-symlink(11210)


======================================================
Candidate: CAN-2001-1303
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1303
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20010718 Firewall-1 Information leak
Reference: URL:http://www.securityfocus.com/archive/1/197566
Reference: BID:3058
Reference: URL:http://online.securityfocus.com/bid/3058
Reference: XF:fw1-securemote-gain-information(6857)
Reference: URL:http://xforce.iss.net/static/6857.php

The default configuration of SecuRemote for Check Point Firewall-1
allows remote attackers to obtain sensitive configuration information
for the protected network without authentication.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1303 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Frech
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1327
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1327
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: TURBO:TLSA2001024
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2001-May/000313.html
Reference: XF:pmake-binary-gain-privileges(9988)
Reference: URL:http://www.iss.net/security_center/static/9988.php

pmake before 2.1.35 in Turbolinux 6.05 and earlier is installed with
setuid root privileges, which could allow local users to gain
privileges by exploiting vulnerabilities in pmake or programs that are
used by pmake.


Modifications:
  ADDREF XF:pmake-binary-gain-privileges(9988)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1327 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cox

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:pmake-binary-gain-privileges(9988)


======================================================
Candidate: CAN-2001-1334
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1334
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010515 PHPSlash : potential vulnerability in URL blocks
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0126.html
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=phpslash&m=99029398904419&w=2
Reference: BID:2724
Reference: URL:http://online.securityfocus.com/bid/2724
Reference: XF:phpslash-block-read-files(9990)
Reference: URL:http://www.iss.net/security_center/static/9990.php

Block_render_url.class in PHPSlash 0.6.1 allows remote attackers with
PHPSlash administrator privileges to read arbitrary files by creating
a block and specifying the target file as the source URL.


Modifications:
  ADDREF XF:phpslash-block-read-files(9990)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2001-1334 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cox

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:phpslash-block-read-files(9990)


======================================================
Candidate: CAN-2001-1349
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1349
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BINDVIEW:20010528 Unsafe Signal Handling in Sendmail
Reference: URL:http://razor.bindview.com/publish/advisories/adv_sm8120.html
Reference: BUGTRAQ:20010529 sendmail 8.11.4 and 8.12.0.Beta10 available (fwd)
Reference: URL:http://www.securityfocus.com/archive/1/187127
Reference: REDHAT:RHSA-2001:106
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-106.html
Reference: CONFIRM:http://archives.neohapsis.com/archives/sendmail/2001-q2/0001.html
Reference: BID:2794
Reference: URL:http://www.securityfocus.com/bid/2794
Reference: XF:sendmail-signal-handling(6633)
Reference: URL:http://www.iss.net/security_center/static/6633.php

Sendmail before 8.11.4, and 8.12.0 before 8.12.0.Beta10, allows local
users to cause a denial of service and possibly corrupt the heap and
gain privileges via race conditions in signal handlers.


Modifications:
  ADDREF REDHAT:RHSA-2001:106
  ADDREF XF:sendmail-signal-handling(6633)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1349 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Green, Cox
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Cox> ADDREF: RHSA-2001:106
 Frech> XF:sendmail-signal-handling(6633)


======================================================
Candidate: CAN-2001-1359
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1359
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: CF
Reference: CALDERA:CSSA-2001-021.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-021.0.txt
Reference: BID:2850
Reference: URL:http://www.securityfocus.com/bid/2850
Reference: XF:volution-authentication-failure-access(6672)
Reference: URL:http://xforce.iss.net/static/6672.php

Volution clients 1.0.7 and earlier attempt to contact the computer
creation daemon (CCD) when an LDAP authentication failure occurs,
which allows remote attackers to fully control clients via a Trojan
horse Volution server.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1359 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Cole, Alderson, Green, Frech
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2001-1369
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1369
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:14
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:14.pam-pgsql.asc
Reference: BID:3319
Reference: URL:http://online.securityfocus.com/bid/3319
Reference: XF:postgresql-pam-authentication-module(7110)
Reference: URL:http://www.iss.net/security_center/static/7110.php

Leon J Breedt pam-pgsql before 0.5.2 allows remote attackers to
execute arbitrary SQL code and bypass authentication or modify user
account records by injecting SQL statements into user or password
fields.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1369 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Alderson, Green, Frech
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1370
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1370
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010722 [SEC] Hole in PHPLib 7.2 prepend.php3
Reference: URL:http://www.securityfocus.com/archive/1/198768
Reference: BUGTRAQ:20010726 TSLSA-2001-0014 - PHPLib
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99616122712122&w=2
Reference: BUGTRAQ:20010721 IMP 2.2.6 (SECURITY) released
Reference: URL:http://online.securityfocus.com/archive/1/198495
Reference: CONECTIVA:CLA-2001:410
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000410
Reference: CALDERA:CSSA-2001-027.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-027.0.txt
Reference: DEBIAN:DSA-073
Reference: URL:http://www.debian.org/security/2001/dsa-073
Reference: BID:3079
Reference: URL:http://www.securityfocus.com/bid/3079
Reference: XF:phplib-script-execution(6892)
Reference: URL:http://www.iss.net/security_center/static/6892.php

prepend.php3 in PHPLib before 7.2d, when register_globals is enabled
for PHP, allows remote attackers to execute arbitrary scripts via an
HTTP request that modifies $_PHPLIB[libdir] to point to malicious code
on another server, as seen in Horde 1.2.5 and earlier, IMP before
2.2.6, and other packages that use PHPLib.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1370 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Alderson, Green, Frech
   NOOP(3) Wall, Foat, Cox


======================================================
Candidate: CAN-2001-1371
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1371
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: CERT-VN:VU#736923
Reference: URL:http://www.kb.cert.org/vuls/id/736923
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://technet.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
Reference: BID:4289
Reference: URL:http://www.securityfocus.com/bid/4289
Reference: XF:oracle-appserver-soap-components(8449)
Reference: URL:http://www.iss.net/security_center/static/8449.php

The default configuration of Oracle Application Server 9iAS 1.0.2.2
enables SOAP and allows anonymous users to deploy applications by
default via urn:soap-service-manager and urn:soap-provider-manager.


Modifications:
  ADDREF XF:oracle-appserver-soap-components(8449)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1371 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Alderson, Green
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:oracle-appserver-soap-components(8449)


======================================================
Candidate: CAN-2001-1372
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1372
Final-Decision:
Interim-Decision: 20030326
Modified: 20021116-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010917 Yet another path disclosure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100074087824021&w=2
Reference: BUGTRAQ:20010921 Response to "Path disclosure vulnerability in Oracle 9i and 8i
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100119633925473&w=2
Reference: MISC:http://www.nii.co.in/research.html
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CERT-VN:VU#278971
Reference: URL:http://www.kb.cert.org/vuls/id/278971
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/jspexecute_alert.pdf
Reference: BID:3341
Reference: URL:http://www.securityfocus.com/bid/3341
Reference: XF:oracle-jsp-reveal-path(7135)
Reference: URL:http://xforce.iss.net/static/7135.php

Oracle 9i Application Server 1.0.2 allows remote attackers to obtain
the physical path of a file under the server root via a request for a
non-existent .JSP file, which leaks the pathname in an error message.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1372 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Cole, Alderson, Green, Frech
   NOOP(3) Foat, Christey, Cox

Voter Comments:
 Christey> ADDREF MISC:http://www.nii.co.in/research.html


======================================================
Candidate: CAN-2001-1373
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1373
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20010718 ZoneAlarm Pro
Reference: URL:http://www.securityfocus.com/archive/1/197681
Reference: CONFIRM:http://www.zonelabs.com/products/zap/rel_history.html#2.6.362
Reference: XF:zonealarm-bypass-mailsafe(6877)
Reference: URL:http://xforce.iss.net/static/6877.php
Reference: BID:3055
Reference: URL:http://www.securityfocus.com/bid/3055

MailSafe in Zone Labs ZoneAlarm 2.6 and earlier and ZoneAlarm Pro 2.6
and 2.4 does not block prohibited file types with long file names,
which allows remote attackers to send potentially dangerous
attachments.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the product's release history includes a heading
titled "New and improved features in ZoneAlarm Pro version 2.6.231,"
which states: "MailSafe improvements to better handle attachments of
long file names"

INFERRED ACTION: CAN-2001-1373 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Cole, Alderson, Green, Frech
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2001-1374
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1374
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-02
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=22187
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=28224
Reference: CONECTIVA:CLA-2001:409
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000409
Reference: XF:expect-insecure-library-search(6870)
Reference: URL:http://xforce.iss.net/static/6870.php
Reference: BID:3074
Reference: URL:http://www.securityfocus.com/bid/3074
Reference: REDHAT:RHSA-2002:148
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-148.html
Reference: MANDRAKE:MDKSA-2002:060
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:060

expect before 5.32 searches for its libraries in /var/tmp before other
directories, which could allow local users to gain root privileges via
a Trojan horse library that is accessed by mkpasswd.


Modifications:
  ADDREF REDHAT:RHSA-2002:148
  ADDREF MANDRAKE:MDKSA-2002:060

Analysis
--------
Vendor Acknowledgement: yes changelog

INFERRED ACTION: CAN-2001-1374 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(6) Wall, Cole, Alderson, Green, Frech, Cox
   NOOP(2) Foat, Christey

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Christey> REDHAT:RHSA-2002:148
 Christey> MANDRAKE:MDKSA-2002:060


======================================================
Candidate: CAN-2001-1375
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1375
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-02
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=28226
Reference: CONECTIVA:CLA-2001:409
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000409
Reference: XF:tcltk-insecure-library-search(6869)
Reference: URL:http://www.iss.net/security_center/static/6869.php
Reference: BID:3073
Reference: URL:http://www.securityfocus.com/bid/3073
Reference: REDHAT:RHSA-2002:148
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-148.html
Reference: MANDRAKE:MDKSA-2002:060
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:060

tcl/tk package (tcltk) 8.3.1 searches for its libraries in the current
working directory before other directories, which could allow local
users to execute arbitrary code via a Trojan horse library that is
under a user-controlled directory.


Modifications:
  ADDREF REDHAT:RHSA-2002:148
  ADDREF MANDRAKE:MDKSA-2002:060

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1375 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(6) Foat, Cole, Alderson, Green, Frech, Cox
   NOOP(2) Wall, Christey

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Christey> REDHAT:RHSA-2002:148
 Christey> MANDRAKE:MDKSA-2002:060


======================================================
Candidate: CAN-2001-1378
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1378
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020715
Category: SF
Reference: MISC:http://lists.ccil.org/pipermail/fetchmail-announce/2001-March/000015.html
Reference: REDHAT:RHSA-2001:103
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-103.html

fetchmailconf in fetchmail before 5.7.4 allows local users to
overwrite files of other users via a symlink attack on temporary
files.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1378 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1380
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1380
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20011018 Immunix OS update for OpenSSH
Reference: BUGTRAQ:20011017 TSLSA-2001-0023 - OpenSSH
Reference: BUGTRAQ:20010926 OpenSSH Security Advisory (adv.option)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100154541809940&w=2
Reference: BUGTRAQ:20011019 TSLSA-2001-0026 - OpenSSH
Reference: REDHAT:RHSA-2001:114
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-114.html
Reference: MANDRAKE:MDKSA-2001:081
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-081.php

OpenSSH before 2.9.9, while using keypairs and multiple keys of
different types in the ~/.ssh/authorized_keys2 file, may not properly
handle the "from" option associated with a key, which could allow
remote attackers to login from unauthorized IP addresses.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1380 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1382
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: CONFIRM:http://www.openwall.com/Owl/CHANGES-stable.shtml

The "echo simulation" traffic analysis countermeasure in OpenSSH
before 2.9.9p2 sends an additional echo packet after the password and
carriage return is entered, which could allow remote attackers to
determine that the countermeasure is being used.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1382 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1383
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1383
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: REDHAT:RHSA-2001:110
Reference: URL:http://rhn.redhat.com/errata/RHSA-2001-110.html
Reference: XF:linux-setserial-initscript-symlink(7177)
Reference: URL:http://www.iss.net/security_center/static/7177.php
Reference: BID:3367
Reference: URL:http://online.securityfocus.com/bid/3367

initscript in setserial 2.17-4 and earlier uses predictable temporary
file names, which could allow local users to conduct unauthorized
operations on files.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1383 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Cole, Armstrong, Baker, Cox
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1385
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1385
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20010112 PHP Security Advisory - Apache Module bugs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97957961212852
Reference: REDHAT:RHSA-2000:136
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-136.html
Reference: MANDRAKE:MDKSA-2001:013
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-013.php3
Reference: CONECTIVA:CLA-2001:373
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000373
Reference: DEBIAN:DSA-020
Reference: URL:http://www.debian.org/security/2001/dsa-020
Reference: BID:2205
Reference: URL:http://online.securityfocus.com/bid/2205
Reference: XF:php-view-source-code(5939)
Reference: URL:http://www.iss.net/security_center/static/5939.php

The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with
the 'engine = off' option for a virtual host, may disable PHP for
other virtual hosts, which could cause Apache to serve the source code
of PHP scripts.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1385 ACCEPT (7 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(7) Wall, Cole, Armstrong, Green, Baker, Frech, Cox
   NOOP(1) Foat


======================================================
Candidate: CAN-2001-1406
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1406
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20010829 Security Advisory for Bugzilla v2.13 and older
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99912899900567
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=66235
Reference: REDHAT:RHSA-2001:107
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-107.html
Reference: XF:bugzilla-processbug-old-restrictions(10478)
Reference: URL:http://www.iss.net/security_center/static/10478.php

process_bug.cgi in Bugzilla before 2.14 does not set the "groupset"
bit when a bug is moved between product groups, which will cause the
bug to have the old group's restrictions, which might not be as
stringent.


Modifications:
  ADDREF XF:bugzilla-processbug-old-restrictions(10478)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1406 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Baker, Cox
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:bugzilla-processbug-old-restrictions(10478)


======================================================
Candidate: CAN-2001-1407
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1407
Final-Decision:
Interim-Decision: 20030326
Modified: 20030318-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20010829 Security Advisory for Bugzilla v2.13 and older
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99912899900567
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=96085
Reference: REDHAT:RHSA-2001:107
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-107.html
Reference: XF:bugzilla-duplicate-view-restricted(10479)
Reference: URL:http://www.iss.net/security_center/static/10479.php

Bugzilla before 2.14 allows Bugzilla users to bypass group security
checks by marking a bug as the duplicate of a restricted bug, which
adds the user to the CC list of the restricted bug and allows the user
to view the bug.


Modifications:
  ADDREF XF:bugzilla-duplicate-view-restricted(10479)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1407 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Baker, Cox
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:bugzilla-duplicate-view-restricted(10479)


======================================================
Candidate: CAN-2002-0006
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0006
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020108
Category: SF
Reference: BUGTRAQ:20020109 xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101060676210255&w=2
Reference: DEBIAN:DSA-099
Reference: URL:http://www.debian.org/security/2002/dsa-099
Reference: REDHAT:RHSA-2002:005
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-005.html
Reference: HP:HPSBTL0201-016
Reference: URL:http://online.securityfocus.com/advisories/3806
Reference: CONECTIVA:CLA-2002:453
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000453
Reference: XF:xchat-ctcp-ping-command(7856)
Reference: URL:http://xforce.iss.net/static/7856.php
Reference: BID:3830
Reference: URL:http://www.securityfocus.com/bid/3830

XChat 1.8.7 and earlier, including default configurations of 1.4.2 and
1.4.3, allows remote attackers to execute arbitrary IRC commands as
other clients via encoded characters in a PRIVMSG command that calls
CTCP PING, which expands the characters in the client response when
the percascii variable is set.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0006 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Frech, Cox, Wall, Cole, Alderson
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> Consider adding BID:3830


======================================================
Candidate: CAN-2002-0009
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0009
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020131
Assigned: 20020109
Category: SF
Reference: BUGTRAQ:20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
Reference: CONFIRM:http://www.bugzilla.org/security2_14_1.html
Reference: MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=102141
Reference: XF:bugzilla-showbug-reveal-bugs(7802)
Reference: URL:http://www.iss.net/security_center/static/7802.php
Reference: BID:3798
Reference: URL:http://www.securityfocus.com/bid/3798

show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs
Access" privileges to see other products that are not accessible to
the user, by submitting a bug and reading the resulting Product
pulldown menu.


Modifications:
  ADDREF XF:bugzilla-showbug-reveal-bugs(7802)
  ADDREF BID:3798

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0009 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:bugzilla-showbug-reveal-bugs(7802)


======================================================
Candidate: CAN-2002-0011
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0011
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020131
Assigned: 20020109
Category: SF
Reference: BUGTRAQ:20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
Reference: CONFIRM:http://www.bugzilla.org/security2_14_1.html
Reference: MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=98146
Reference: XF:bugzilla-doeditvotes-login-information(7803)
Reference: URL:http://www.iss.net/security_center/static/7803.php
Reference: BID:3800
Reference: URL:http://www.securityfocus.com/bid/3800

Information leak in doeditvotes.cgi in Bugzilla before 2.14.1 may
allow remote attackers to more easily conduct attacks on the login.


Modifications:
  ADDREF XF:bugzilla-doeditvotes-login-information(7803)
  ADDREF BID:3800

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0011 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:bugzilla-doeditvotes-login-information(7803)


======================================================
Candidate: CAN-2002-0014
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0014
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020110
Category: SF
Reference: BUGTRAQ:20020105 Pine 4.33 (at least) URL handler allows embedded commands.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101027841605918&w=2
Reference: REDHAT:RHSA-2002:009
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-009.html
Reference: ENGARDE:ESA-20020114-002
Reference: CONECTIVA:CLA-2002:460
Reference: FREEBSD:FreeBSD-SA-02:05
Reference: HP:HPSBTL0201-015
Reference: BID:3815
Reference: URL:http://online.securityfocus.com/bid/3815

URL-handling code in Pine 4.43 and earlier allows remote attackers to
execute arbitrary commands via a URL enclosed in single quotes and
containing shell metacharacters (&).

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0014 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> Consider adding BID:3815


======================================================
Candidate: CAN-2002-0017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0017
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020502
Assigned: 20020111
Category: SF
Reference: ISS:20020403 Remote Buffer Overflow Vulnerability in IRIX SNMP Daemon
Reference: URL:http://www.iss.net/security_center/alerts/advise113.php
Reference: SGI:20020201-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020201-01-P
Reference: BID:4421
Reference: URL:http://www.securityfocus.com/bid/4421
Reference: XF:irix-snmp-bo(7846)
Reference: URL:http://www.iss.net/security_center/static/7846.php

Buffer overflow in SNMP daemon (snmpd) on SGI IRIX 6.5 through 6.5.15m
allows remote attackers to execute arbitrary code via an SNMP request.


Modifications:
  ADDREF BID:4421
  ADDREF XF:irix-snmp-bo(7846)

Analysis
--------
Vendor Acknowledgement: yes advisory

ABSTRACTION: while this issue may appear to be the same as
CAN-2002-0012 or CAN-2002-0013, it is addressed by a different patch,
so CD:SF-LOC suggests keeping this SPLIT.

INFERRED ACTION: CAN-2002-0017 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Levy, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(4) Cox, Wall, Foat, Christey

Voter Comments:
 Christey> Consider adding BID:4421
 Levy> BID 4421
 Frech> XF:irix-snmp-bo(7846)


======================================================
Candidate: CAN-2002-0024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0024
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020315
Assigned: 20020114
Category: SF
Reference: MS:MS02-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
Reference: BID:4087
Reference: URL:http://www.securityfocus.com/bid/4087

File Download box in Internet Explorer 5.01, 5.5 and 6.0 allows an
attacker to use the Content-Disposition and Content-Type HTML header
fields to modify how the name of the file is displayed, which could
trick a user into believing that a file is safe to download.


Modifications:
  ADDREF BID:4087

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0024 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Ziese, Wall, Foat, Cole, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4087


======================================================
Candidate: CAN-2002-0032
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0032
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020611
Assigned: 20020116
Category: SF
Reference: BUGTRAQ:20020527 Yahoo Messenger - Multiple Vulnerabilities
Reference: URL:http://online.securityfocus.com/archive/1/274223
Reference: CERT:CA-2002-16
Reference: URL:http://www.cert.org/advisories/CA-2002-16.html
Reference: CERT-VN:VU#172315
Reference: URL:http://www.kb.cert.org/vuls/id/172315
Reference: BID:4838
Reference: URL:http://www.securityfocus.com/bid/4838
Reference: XF:yahoo-messenger-script-injection(9184)
Reference: URL:http://www.iss.net/security_center/static/9184.php

Yahoo! Messenger 5,0,0,1064 and earlier allows remote attackers to
execute arbitrary script as other users via the addview parameter of a
ymsgr URI.


Modifications:
  ADDREF XF:yahoo-messenger-script-injection(9184)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0032 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Cox, Foat, Christey

Voter Comments:
 Christey> XF:yahoo-messenger-script-injection(9184)
   URL:http://www.iss.net/security_center/static/9184.php
 Frech> XF:yahoo-messenger-script-injection(9184)


======================================================
Candidate: CAN-2002-0033
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020611
Assigned: 20020116
Category: SF
Reference: BUGTRAQ:20020505 [LSD] Solaris cachefsd remote buffer overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html
Reference: CERT:CA-2002-11
Reference: URL:http://www.cert.org/advisories/CA-2002-11.html
Reference: CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309
Reference: CERT-VN:VU#635811
Reference: URL:http://www.kb.cert.org/vuls/id/635811
Reference: BID:4674
Reference: URL:http://www.securityfocus.com/bid/4674
Reference: XF:solaris-cachefsd-name-bo(8999)
Reference: URL:http://www.iss.net/security_center/static/8999.php

Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd
allows remote attackers to execute arbitrary code via a request with a
long directory and cache name.


Modifications:
  ADDREF XF:solaris-cachefsd-name-bo(8999)
  DESC change "heap overflow" to "heap-based buffer overflow"

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0033 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> Note: this is a different vulnerability than CAN-2002-0084.
   However, if there are different patches for the 2 issues, then
   they may need to be merged per CD:SF-LOC.
 Frech> XF:solaris-cachefsd-name-bo(8999)


======================================================
Candidate: CAN-2002-0042
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0042
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020116
Category: SF
Reference: SGI:20020402-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020402-01-P
Reference: XF:irix-xfs-dos(8839)
Reference: URL:http://www.iss.net/security_center/static/8839.php
Reference: BID:4511
Reference: URL:http://www.securityfocus.com/bid/4511

Vulnerability in the XFS file system for SGI IRIX before 6.5.12 allows
local users to cause a denial of service (hang) by creating a file
that is not properly processed by XFS.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0042 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0054
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020315
Assigned: 20020202
Category: SF
Reference: MS:MS02-011
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-011.asp
Reference: BID:4205
Reference: URL:http://www.securityfocus.com/bid/4205
Reference: BUGTRAQ:20020301 IIS SMTP component allows mail relaying via Null Session
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101501580409373&w=2

SMTP service in (1) Microsoft Windows 2000 and (2) Internet Mail
Connector (IMC) in Exchange Server 5.5 does not properly handle
responses to NTLM authentication, which allows remote attackers to
perform mail relaying via an SMTP AUTH command using null session
credentials.


Modifications:
  ADDREF BID:4205
  ADDREF BUGTRAQ:20020301 IIS SMTP component allows mail relaying via Null Session
  DESC add "SMTP AUTH" and null session info to desc

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0054 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Ziese, Wall, Foat, Cole, Green
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4205
 Christey> BUGTRAQ:20020301 IIS SMTP component allows mail relaying via Null Session
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101501580409373&w=2

   Add details to desc, specifically that the issue is related
   to null sessions and SMTP AUTH.


======================================================
Candidate: CAN-2002-0061
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020611
Assigned: 20020213
Category: SF
Reference: BUGTRAQ:20020321 Vulnerability in Apache for Win32 batch file processing - Remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101674082427358&w=2
Reference: BUGTRAQ:20020325 Apache 1.3.24 Released! (fwd)
Reference: URL:http://online.securityfocus.com/archive/1/263927
Reference: XF:apache-dos-batch-command-execution(8589)
Reference: URL:http://www.iss.net/security_center/static/8589.php
Reference: BID:4335
Reference: URL:http://www.securityfocus.com/bid/4335
Reference: CONFIRM:http://www.apacheweek.com/issues/02-03-29#apache1324

Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows
remote attackers to execute arbitrary commands via shell
metacharacters (a | pipe character) provided as arguments to batch
(.bat) or .cmd scripts, which are sent unfiltered to the shell
interpreter, typically cmd.exe.


Modifications:
  ADDREF CONFIRM:http://www.apacheweek.com/issues/02-03-29#apache1324

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0061 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Green
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Christey> Consider adding BID:4335
 Christey> XF:apache-dos-batch-command-execution(8589)
   URL:http://www.iss.net/security_center/static/8589.php
 Cox> ADDREF: http://www.apacheweek.com/issues/02-03-29#apache1324


======================================================
Candidate: CAN-2002-0062
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0062
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-02
Proposed: 20020315
Assigned: 20020213
Category: SF
Reference: REDHAT:RHSA-2002:020
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-020.html
Reference: DEBIAN:DSA-113
Reference: URL:http://www.debian.org/security/2002/dsa-113
Reference: BID:2116
Reference: URL:http://online.securityfocus.com/bid/2116
Reference: XF:gnu-ncurses-window-bo(8222)
Reference: URL:http://www.iss.net/security_center/static/8222.php

Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package
as used in Red Hat Linux, allows local users to gain privileges,
related to "routines for moving the physical cursor and scrolling."


Modifications:
  ADDREF BID:2116
  DESC clarify ncurses4 package
  ADDREF XF:gnu-ncurses-window-bo(8222)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0062 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Ziese, Wall, Cole, Green
   NOOP(3) Jones, Foat, Christey

Voter Comments:
 Christey> BID:2116
   URL:http://online.securityfocus.com/bid/2116
   Also need to add other vendor advisories.
 Christey> Consider adding BID:2116
 Christey> Specifically state that the ncurses4 compatibility package
   is Red Hat's.  Also say that the problem is in the
   "routines for moving the physical cursor and scrolling"
   as stated by Daniel Jacobowitz.


======================================================
Candidate: CAN-2002-0067
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0067
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020315
Assigned: 20020219
Category: SF
Reference: BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/
Reference: REDHAT:RHSA-2002:029
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-029.html
Reference: BUGTRAQ:20020222 TSLSA-2002-0031 - squid
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Reference: MANDRAKE:MDKSA-2002:016
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php
Reference: CALDERA:CSSA-2002-SCO.7
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
Reference: CONECTIVA:CLA-2002:464
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
Reference: FREEBSD:FreeBSD-SA-02:12
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
Reference: XF:squid-htcp-enabled(8261)
Reference: URL:http://www.iss.net/security_center/static/8261.php
Reference: BID:4150
Reference: URL:http://www.securityfocus.com/bid/4150

Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even
when "htcp_port 0" is specified in squid.conf, which could allow
remote attackers to bypass intended access restrictions.


Modifications:
  ADDREF BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
  ADDREF BUGTRAQ:20020222 TSLSA-2002-0031 - squid
  ADDREF MANDRAKE:MDKSA-2002:016
  CHANGEREF REDHAT [normalize]
  ADDREF CALDERA:CSSA-2002-SCO.7
  ADDREF CONECTIVA:CLA-2002:464
  ADDREF FREEBSD:FreeBSD-SA-02:12
  ADDREF XF:squid-htcp-enabled(8261)
  ADDREF BID:4150
  DESC change version from STABLE2 to STABLE3

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0067 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Ziese, Wall, Cole, Green
   MODIFY(2) Cox, Jones
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
 Christey> BUGTRAQ:20020222 TSLSA-2002-0031 - squid
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
 Christey> MANDRAKE:MDKSA-2002:016
 Christey> Fix ref: REDHAT:REDHAT:RHSA-2002:029
 Jones> Change description to "Squid 2.4 STABLE3 and earlier" (vice
   STABLE2).  Change description from "...which could allow
   remote attackers to bypass intended access restrictions" to
   "...which could allow remote attackers to access and/or modify
   cached data".
 Christey> CALDERA:CSSA-2002-SCO.7
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
   CONECTIVA:CLA-2002:464
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
   BUGTRAQ:20020222 TSLSA-2002-0031 - squid
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0257.html
   MANDRAKE:MDKSA-2002:016
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php3
   FREEBSD:FreeBSD-SA-02:12
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
   XF:squid-htcp-enabled(8261)
   URL:http://www.iss.net/security_center/static/8261.php
   BID:4150
   URL:http://www.securityfocus.com/bid/4150
 Cox> This references REDHAT:REDHAT:RHSA-2002:029 instead of
   REDHAT:RHSA-2002:029


======================================================
Candidate: CAN-2002-0068
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0068
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-02
Proposed: 20020315
Assigned: 20020219
Category: SF
Reference: BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/
Reference: BUGTRAQ:20020222 Squid buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440163111826&w=2
Reference: REDHAT:RHSA-2002:029
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-029.html
Reference: BUGTRAQ:20020222 TSLSA-2002-0031 - squid
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Reference: MANDRAKE:MDKSA-2002:016
Reference: CALDERA:CSSA-2002-010.0
Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2002-010.0.txt
Reference: CALDERA:CSSA-2002-SCO.7
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
Reference: CONECTIVA:CLA-2002:464
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
Reference: SUSE:SuSE-SA:2002:008
Reference: URL:http://www.suse.com/de/support/security/2002_008_squid_txt.html
Reference: FREEBSD:FreeBSD-SA-02:12
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
Reference: BID:4148
Reference: URL:http://www.securityfocus.com/bid/4148
Reference: XF:squid-ftpbuildtitleurl-bo(8258)
Reference: URL:http://www.iss.net/security_center/static/8258.php

Squid 2.4 STABLE3 and earlier allows remote attackers to cause a
denial of service (core dump) and possibly execute arbitrary code with
an ftp:// URL with a larger number of special characters, which exceed
the buffer when Squid URL-escapes the characters.


Modifications:
  ADDREF BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
  ADDREF BUGTRAQ:20020222 TSLSA-2002-0031 - squid
  ADDREF MANDRAKE:MDKSA-2002:016
  CHANGEREF REDHAT [normalize]
  ADDREF CALDERA:CSSA-2002-010.0
  ADDREF CALDERA:CSSA-2002-SCO.7
  ADDREF CONECTIVA:CLA-2002:464
  ADDREF SUSE:SuSE-SA:2002:008
  ADDREF BUGTRAQ:20020222 Squid buffer overflow
  ADDREF FREEBSD:FreeBSD-SA-02:12
  ADDREF BID:4148
  ADDREF XF:squid-ftpbuildtitleurl-bo(8258)
  DESC add that the problem occurs during escape processing

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0068 ACCEPT (6 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(4) Ziese, Wall, Cole, Green
   MODIFY(2) Cox, Jones
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
 Christey> BUGTRAQ:20020222 TSLSA-2002-0031 - squid
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
 Christey> MANDRAKE:MDKSA-2002:016
 Christey> Fix ref: REDHAT:REDHAT:RHSA-2002:029
 Jones> Drop "malformed" from description; legitimate FTP URL with
   reasonable userid and password may cause crash.  Add enough detail
   to distinguish this vulnerability (i.e., the flaw is in
   authenticated FTP URL handling).
   Reference: BUGTRAQ:20020222 - Squid buffer overflow.
   Suggest: "Squid 2.4 STABLE3 and earlier contains a flaw in
   handling authenticated FTP URLs (FTP URLs with userID and
   passwords) which allows remote attackers to cause a denial of
   service (core dump) and possibly execute arbitrary code via
   ftp:// URLs."
 Christey> fix typo: "possible" should be "possibly"
   CALDERA:CSSA-2002-010.0
   URL:http://www.caldera.com/support/security/advisories/CSSA-2002-010.0.txt
   CALDERA:CSSA-2002-SCO.7
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
   CONECTIVA:CLA-2002:464
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
   SUSE:SuSE-SA:2002:008
   URL:http://www.suse.com/de/support/security/2002_008_squid_txt.html
   BUGTRAQ:20020222 TSLSA-2002-0031 - squid
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0257.html
   MANDRAKE:MDKSA-2002:016
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php3
   BUGTRAQ:20020222 Squid buffer overflow
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440163111826&w=2
   FREEBSD:FreeBSD-SA-02:12
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
   BID:4148
   URL:http://www.securityfocus.com/bid/4148
   XF:squid-ftpbuildtitleurl-bo(8258)
   URL:http://www.iss.net/security_center/static/8258.php
 Cox> This references REDHAT:REDHAT:RHSA-2002:029 instead of
   REDHAT:RHSA-2002:029
 Christey> See Bugtraq post for more information... the problem isn't
   a malformed URL, it's that the string exceeds the buffer
   size when it is URL-escaped.


======================================================
Candidate: CAN-2002-0069
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0069
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020315
Assigned: 20020219
Category: SF
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/
Reference: REDHAT:RHSA-2002:029
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-029.html
Reference: BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
Reference: BUGTRAQ:20020222 TSLSA-2002-0031 - squid
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
Reference: MANDRAKE:MDKSA-2002:016
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php
Reference: CALDERA:CSSA-2002-SCO.7
Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
Reference: CONECTIVA:CLA-2002:464
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
Reference: FREEBSD:FreeBSD-SA-02:12
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
Reference: XF:squid-snmp-dos(8260)
Reference: URL:http://www.iss.net/security_center/static/8260.php
Reference: BID:4146
Reference: URL:http://www.securityfocus.com/bid/4146

Memory leak in SNMP in Squid 2.4 STABLE3 and earlier allows remote
attackers to cause a denial of service.


Modifications:
  DESC change STABLE2 to STABLE3
  ADDREF BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
  ADDREF BUGTRAQ:20020222 TSLSA-2002-0031 - squid
  ADDREF MANDRAKE:MDKSA-2002:016
  CHANGEREF REDHAT [normalize]
  ADDREF CALDERA:CSSA-2002-SCO.7
  ADDREF CONECTIVA:CLA-2002:464
  ADDREF FREEBSD:FreeBSD-SA-02:12
  ADDREF XF:squid-snmp-dos(8260)
  ADDREF BID:4146

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0069 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Ziese, Wall, Cole, Green
   MODIFY(2) Cox, Jones
   NOOP(2) Foat, Christey

Voter Comments:
 Christey> BUGTRAQ:20020221 Squid HTTP Proxy Security Update Advisory 2002:1
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101431040422095&w=2
   Need to add version number to description (2.4)
 Christey> BUGTRAQ:20020222 TSLSA-2002-0031 - squid
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101443252627021&w=2
 Christey> MANDRAKE:MDKSA-2002:016
 Christey> Fix ref: REDHAT:REDHAT:RHSA-2002:029
 Jones> Add version info to description (like 2002-0068): Squid 2.4
   STABLE3 and earlier.
 Christey> CALDERA:CSSA-2002-SCO.7
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
   CONECTIVA:CLA-2002:464
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464
   BUGTRAQ:20020222 TSLSA-2002-0031 - squid
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0257.html
   MANDRAKE:MDKSA-2002:016
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-016.php3
   FREEBSD:FreeBSD-SA-02:12
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:12.squid.asc
   XF:squid-snmp-dos(8260)
   URL:http://www.iss.net/security_center/static/8260.php
   BID:4146
   URL:http://www.securityfocus.com/bid/4146
 Cox> This references REDHAT:REDHAT:RHSA-2002:029 instead of
   REDHAT:RHSA-2002:029


======================================================
Candidate: CAN-2002-0071
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0071
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-03
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: ATSTAKE:A041002-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a041002-1.txt
Reference: BUGTRAQ:20020411 KPMG-2002010: Microsoft IIS .htr ISAPI buffer overrun
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101854087828265&w=2
Reference: VULNWATCH:20020411 [VulnWatch] KPMG-2002010: Microsoft IIS .htr ISAPI buffer overrun
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#363715
Reference: URL:http://www.kb.cert.org/vuls/id/363715
Reference: XF:iis-htr-isapi-bo(8799)
Reference: URL:http://www.iss.net/security_center/static/8799.php
Reference: BID:4474
Reference: URL:http://www.securityfocus.com/bid/4474

Buffer overflow in the ism.dll ISAPI extension that implements HTR
scripting in Internet Information Server (IIS) 4.0 and 5.0 allows
attackers to cause a denial of service or execute arbitrary code via
HTR requests with long variable names.


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF XF:iis-htr-isapi-bo(8799)
  ADDREF BID:4474
  ADDREF CERT-VN:VU#363715

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0071 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Frech> XF:iis-htr-isapi-bo(8799)


======================================================
Candidate: CAN-2002-0072
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0072
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-01
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020411 KPMG-2002009: Microsoft IIS W3SVC Denial of Service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101853851025208&w=2
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CERT-VN:VU#521059
Reference: URL:http://www.kb.cert.org/vuls/id/521059
Reference: XF:iis-isapi-filter-error-dos(8800)
Reference: URL:http://www.iss.net/security_center/static/8800.php
Reference: BID:4479
Reference: URL:http://www.securityfocus.com/bid/4479

The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET
for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not
properly handle the error condition when a long URL is provided, which
allows remote attackers to cause a denial of service (crash) when the
URL parser accesses a null pointer.


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF CERT-VN:VU#521059
  ADDREF XF:iis-isapi-filter-error-dos(8800)
  ADDREF BID:4479

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0072 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Christey> CERT-VN:VU#521059
   URL:http://www.kb.cert.org/vuls/id/521059
   XF:iis-isapi-filter-error-dos(8800)
   URL:http://www.iss.net/security_center/static/8800.php
   BID:4479
   URL:http://www.securityfocus.com/bid/4479
 Frech> XF:iis-isapi-filter-error-dos(8800)


======================================================
Candidate: CAN-2002-0073
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0073
Final-Decision:
Interim-Decision: 20030326
Modified: 20030319-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: VULNWATCH:20020416 [VulnWatch] Microsoft FTP Service STAT Globbing DoS
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0023.html
Reference: BUGTRAQ:20020417 Microsoft FTP Service STAT Globbing DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101901273810598&w=2
Reference: MISC:http://www.digitaloffense.net/msftpd/advisory.txt
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: XF:iis-ftp-session-status-dos(8801)
Reference: URL:http://www.iss.net/security_center/static/8801.php

The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1
allows attackers who have established an FTP session to cause a denial
of service via a specially crafted status request containing glob
characters.


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF VULNWATCH:20020416 [VulnWatch] Microsoft FTP Service STAT Globbing DoS
  ADDREF XF:iis-ftp-session-status-dos(8801)
  DESC add details as given in Vulnwatch post
  ADDREF BUGTRAQ:20020417 Microsoft FTP Service STAT Globbing DoS
  ADDREF MISC:http://www.digitaloffense.net/msftpd/advisory.txt

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: Microsft confirmed via e-mail that this is the issue
described in the VulnWatch post of April 16, 2002.

INFERRED ACTION: CAN-2002-0073 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Christey> Looks like this might be related to:
   VULNWATCH:20020416 [VulnWatch] Microsoft FTP Service STAT Globbing DoS
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0023.html
 Christey> Yep, confirmed by MS.
 Frech> XF:iis-ftp-session-status-dos(8801)


======================================================
Candidate: CAN-2002-0074
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0074
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020410 Cgisecurity Advisory #9: Novell Websearch, and Microsoft IIS XSS Issues
Reference: URL:http://online.securityfocus.com/archive/1/266888
Reference: MISC:http://www.cgisecurity.com/advisory/9.txt
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CERT-VN:VU#883091
Reference: URL:http://www.kb.cert.org/vuls/id/883091
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: XF:iis-help-file-css(8802)
Reference: URL:http://www.iss.net/security_center/static/8802.php
Reference: BID:4483
Reference: URL:http://www.securityfocus.com/bid/4483

Cross-site scripting vulnerability in Help File search facility for
Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote
attackers to embed scripts into another user's session.


Modifications:
  ADDREF MISC:http://www.cgisecurity.com/advisory/9.txt
  ADDREF BUGTRAQ:20020410 Cgisecurity Advisory #9: Novell Websearch, and Microsoft IIS XSS Issues
  ADDREF CERT-VN:VU#883091
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF XF:iis-help-file-css(8802)
  ADDREF BID:4483

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0074 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> MISC:http://www.cgisecurity.com/advisory/9.txt
   BUGTRAQ:20020410 Cgisecurity Advisory #9: Novell Websearch, and Microsoft IIS XSS Issues
   URL:http://online.securityfocus.com/archive/1/266888
   CERT-VN:VU#883091
   URL:http://www.kb.cert.org/vuls/id/883091
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Frech> XF:iis-help-file-css(8802)


======================================================
Candidate: CAN-2002-0075
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0075
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020411 [SNS Advisory No.49] A Possibility of Internet Information Server/Services Cross Site Scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101854677802990&w=2
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#520707
Reference: URL:http://www.kb.cert.org/vuls/id/520707
Reference: XF:iis-redirected-url-error-css(8804)
Reference: URL:http://www.iss.net/security_center/static/8804.php
Reference: BID:4487
Reference: URL:http://www.securityfocus.com/bid/4487

Cross-site scripting vulnerability for Internet Information Server
(IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary
script as other web users via the error message used in a URL redirect
(""302 Object Moved") message.


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF XF:iis-redirected-url-error-css(8804)
  ADDREF CERT-VN:VU#520707
  ADDREF BID:4487

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0075 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Frech> XF:iis-redirected-url-error-css(8804)


======================================================
Candidate: CAN-2002-0076
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0076
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: MS:MS02-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-013.asp
Reference: SUN:00218
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/218
Reference: COMPAQ:SSRT0822
Reference: BID:4313
Reference: XF:java-vm-verifier-variant(8480)
Reference: URL:http://www.iss.net/security_center/static/8480.php

Java Runtime Environment (JRE) Bytecode Verifier allows remote
attackers to escape the Java sandbox and execute commands via an
applet containing an illegal cast operation, as seen in (1) Microsoft
VM build 3802 and earlier as used in Internet Explorer 4.x and 5.x,
(2) Netscape 6.2.1 and earlier, and possibly other implementations
that use vulnerable versions of SDK or JDK, aka a variant of the
"Virtual Machine Verifier" vulnerability.


Modifications:
  ADDREF BID:4313
  ADDREF COMPAQ:SSRT0822
  ADDREF XF:java-vm-verifier-variant(8480)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0076 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(3) Cox, Foat, Christey

Voter Comments:
 Christey> Consider adding BID:4313
 Christey> ADDREF COMPAQ:SSRT0822
 Christey> COMPAQ:SSRT0822
 Frech> XF:java-vm-verifier-variant(8480)


======================================================
Candidate: CAN-2002-0079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020221
Category: SF
Reference: BUGTRAQ:20020410 Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101846993304518&w=2
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#610291
Reference: URL:http://www.kb.cert.org/vuls/id/610291
Reference: XF:iis-asp-chunked-encoding-bo(8795)
Reference: URL:http://www.iss.net/security_center/static/8795.php
Reference: BID:4485
Reference: URL:http://www.securityfocus.com/bid/4485

Buffer overflow in the chunked encoding transfer mechanism in Internet
Information Server (IIS) 4.0 and 5.0 Active Server Pages allows
attackers to cause a denial of service or execute arbitrary code.


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF CERT-VN:VU#610291
  ADDREF BID:4485
  ADDREF XF:iis-asp-chunked-encoding-bo(8795)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0079 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Christey> XF:iis-asp-chunked-encoding-bo(8795)
   URL:http://www.iss.net/security_center/static/8795.php
   BID:4485
   URL:http://www.securityfocus.com/bid/4485
   CERT-VN:VU#610291
   URL:http://www.kb.cert.org/vuls/id/610291
 Frech> XF:iis-asp-chunked-encoding-bo(8795)


======================================================
Candidate: CAN-2002-0094
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0094
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020102 BSCW: Vulnerabilities and Problems
Reference: URL:http://www.securityfocus.com/archive/1/248000
Reference: MISC:http://bscw.gmd.de/WhatsNew.html
Reference: BID:3776
Reference: URL:http://www.securityfocus.com/bid/3776
Reference: XF:bscw-remote-shell-execution(7774)
Reference: URL:http://www.iss.net/security_center/static/7774.php

config_converters.py in BSCW (Basic Support for Cooperative Work) 3.x
and versions before 4.06 allows remote attackers to execute arbitrary
commands via shell metacharacters in the file name during filename
conversion.

Analysis
--------
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: The entry dated December 21, 2001 on the vendor's
"What's New" page states "The new release fixes a number of bugs and
security issues," but this is too vague to be certain that the vendor
has fixed *this* problem.

INFERRED ACTION: CAN-2002-0094 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Green
   NOOP(3) Ziese, Wall, Foat


======================================================
Candidate: CAN-2002-0095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0095
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020102 BSCW: Vulnerabilities and Problems
Reference: URL:http://www.securityfocus.com/archive/1/248000
Reference: BID:3777
Reference: URL:http://www.securityfocus.com/bid/3777
Reference: XF:bscw-default-installation-registration(7775)
Reference: URL:http://www.iss.net/security_center/static/7775.php

The default configuration of BSCW (Basic Support for Cooperative Work)
3.x and possibly version 4 enables user self registration, which could
allow remote attackers to upload files and possibly join a user
community that was intended to be closed.

Analysis
--------
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: The entry dated December 21, 2001 on the vendor's
"What's New" page states "The new release fixes a number of bugs and
security issues," but this is too vague to be certain that the vendor
has fixed *this* problem.

INFERRED ACTION: CAN-2002-0095 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Green
   NOOP(3) Ziese, Wall, Foat


======================================================
Candidate: CAN-2002-0120
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0120
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020112 Palm Desktop 4.0b76-77 for Mac OS X
Reference: URL:http://online.securityfocus.com/archive/1/250093
Reference: BID:3863
Reference: URL:http://online.securityfocus.com/bid/3863
Reference: XF:palm-macos-backup-permissions(7937)
Reference: URL:http://www.iss.net/security_center/static/7937.php

Apple Palm Desktop 4.0b76 and 4.0b77 creates world-readable backup
files and folders when a hotsync is performed, which could allow a
local user to obtain sensitive information.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0120 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Foat, Green
   NOOP(2) Wall, Cole


======================================================
Candidate: CAN-2002-0123
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0123
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20020114 Web Server 4D/eCommerce 3.5.3 DoS Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/250242
Reference: BID:3874
Reference: URL:http://online.securityfocus.com/bid/3874
Reference: XF:ws4d-long-url-dos(7879)
Reference: URL:http://www.iss.net/security_center/static/7879.php

MDG Computer Services Web Server 4D WS4D/eCommerce 3.0 and earlier,
and possibly 3.5.3, allows remote attackers to cause a denial of
service and possibly execute arbitrary commands via a long HTTP
request.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: inquiry sent to support@mdg.com on 3/11/2002.
Response received on 3/12/2002 states "This vulnerability was not in
3.5.3, but rather version 3.0 or earlier.  It was from some time ago."
So, it is not entirely clear whether the discloser correctly reported
the version, or if the problem was re-introduced, or appears in a
slightly different distribution.

INFERRED ACTION: CAN-2002-0123 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Green
   NOOP(4) Ziese, Balinsky, Wall, Foat

Voter Comments:
 Green> website is very vague regarding vulnerabilities, but the upgrade message is clear enough.


======================================================
Candidate: CAN-2002-0146
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0146
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020318
Category: SF
Reference: REDHAT:RHSA-2002:047
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-047.html
Reference: CALDERA:CSSA-2002-027.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-027.0.txt
Reference: HP:HPSBTL0205-042
Reference: URL:http://online.securityfocus.com/advisories/4145
Reference: MANDRAKE:MDKSA-2002:036
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-036.php
Reference: BID:4788
Reference: URL:http://www.securityfocus.com/bid/4788
Reference: XF:fetchmail-imap-msgnum-bo(9133)
Reference: URL:http://www.iss.net/security_center/static/9133.php

fetchmail email client before 5.9.10 does not properly limit the
maximum number of messages available, which allows a remote IMAP
server to overwrite memory via a message count that exceeds the
boundaries of an array.


Modifications:
  ADDREF CALDERA:CSSA-2002-027.0
  ADDREF HP:HPSBTL0205-042
  ADDREF MANDRAKE:MDKSA-2002:036
  ADDREF BID:4788
  ADDREF XF:fetchmail-imap-msgnum-bo(9133)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0146 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-027.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-027.0.txt
   HP:HPSBTL0205-042
   URL:http://online.securityfocus.com/advisories/4145
   MANDRAKE:MDKSA-2002:036
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-036.php
   BID:4788
   URL:http://www.securityfocus.com/bid/4788
   XF:fetchmail-imap-msgnum-bo(9133)
   URL:http://www.iss.net/security_center/static/9133.php
 Frech> XF:fetchmail-imap-msgnum-bo(9133)


======================================================
Candidate: CAN-2002-0147
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0147
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#669779
Reference: URL:http://www.kb.cert.org/vuls/id/669779
Reference: BID:4490
Reference: URL:http://www.securityfocus.com/bid/4490
Reference: XF:iis-asp-data-transfer-bo(8796)
Reference: URL:http://www.iss.net/security_center/static/8796.php

Buffer overflow in the ASP data transfer mechanism in Internet
Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to
cause a denial of service or execute code, aka "Microsoft-discovered
variant of Chunked Encoding buffer overrun."


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF CERT-VN:VU#669779
  ADDREF BID:4490
  ADDREF XF:iis-asp-data-transfer-bo(8796)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0147 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Christey> CERT-VN:VU#669779
   URL:http://www.kb.cert.org/vuls/id/669779
   BID:4490
   URL:http://www.securityfocus.com/bid/4490
 Frech> XF:iis-asp-data-transfer-bo(8796)


======================================================
Candidate: CAN-2002-0148
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0148
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020410 IIS allows universal CrossSiteScripting
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: XF:iis-http-error-page-css(8803)
Reference: URL:http://www.iss.net/security_center/static/8803.php
Reference: CERT-VN:VU#886699
Reference: URL:http://www.kb.cert.org/vuls/id/886699
Reference: BID:4486
Reference: URL:http://www.securityfocus.com/bid/4486

Cross-site scripting vulnerability in Internet Information Server
(IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary
script as other users via an HTTP error page.


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF XF:iis-http-error-page-css(8803)
  ADDREF CERT-VN:VU#886699
  ADDREF BID:4486

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0148 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Frech> XF:iis-http-error-page-css(8803)


======================================================
Candidate: CAN-2002-0149
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0149
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#721963
Reference: URL:http://www.kb.cert.org/vuls/id/721963
Reference: XF:iis-ssi-safety-check-bo(8798)
Reference: URL:http://www.iss.net/security_center/static/8798.php
Reference: BID:4478
Reference: URL:http://www.securityfocus.com/bid/4478

Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0
and 5.1 allows remote attackers to cause a denial of service and
possibly execute arbitrary code via long file names.


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF XF:iis-ssi-safety-check-bo(8798)
  ADDREF CERT-VN:VU#721963
  ADDREF BID:4478

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0149 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Frech> XF:iis-ssi-safety-check-bo(8798)


======================================================
Candidate: CAN-2002-0150
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0150
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020319
Category: SF
Reference: MS:MS02-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Reference: CERT:CA-2002-09
Reference: URL:http://www.cert.org/advisories/CA-2002-09.html
Reference: CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Reference: URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Reference: CERT-VN:VU#454091
Reference: URL:http://www.kb.cert.org/vuls/id/454091
Reference: XF:iis-asp-http-header-bo(8797)
Reference: URL:http://www.iss.net/security_center/static/8797.php
Reference: BID:4476
Reference: URL:http://www.securityfocus.com/bid/4476

Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1
allows remote attackers to spoof the safety check for HTTP headers and
cause a denial of service or execute arbitrary code via HTTP header
field values.


Modifications:
  ADDREF CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
  ADDREF XF:iis-asp-http-header-bo(8797)
  ADDREF CERT-VN:VU#454091

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0150 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CISCO:20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
   URL:http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
 Frech> XF:iis-asp-http-header-bo(8797)


======================================================
Candidate: CAN-2002-0155
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0155
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020319
Category: SF
Reference: BUGTRAQ:20020508 ADVISORY: MSN Messenger OCX Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102089960531919&w=2
Reference: VULNWATCH:20020508 [VulnWatch] ADVISORY: MSN Messenger OCX Buffer Overflow
Reference: MS:MS02-022
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-022.asp
Reference: CERT:CA-2002-13
Reference: URL:http://www.cert.org/advisories/CA-2002-13.html
Reference: XF:msn-chatcontrol-resdll-bo(9041)
Reference: URL:http://www.iss.net/security_center/static/9041.php
Reference: BID:4707
Reference: URL:http://www.securityfocus.com/bid/4707

Buffer overflow in Microsoft MSN Chat ActiveX Control, as used in MSN
Messenger 4.5 and 4.6, and Exchange Instant Messenger 4.5 and 4.6,
allows remote attackers to execute arbitrary code via a long ResDLL
parameter in the MSNChat OCX.


Modifications:
  ADDREF XF:msn-chatcontrol-resdll-bo(9041)
  ADDREF BID:4707

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0155 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:msn-chatcontrol-resdll-bo(9041)
   URL:http://www.iss.net/security_center/static/9041.php
   BID:4707
   URL:http://www.securityfocus.com/bid/4707
 Frech> XF:msn-chatcontrol-resdll-bo(9041)


======================================================
Candidate: CAN-2002-0157
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0157
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020325
Category: SF
Reference: BUGTRAQ:20020502 R7-0003: Nautilus Symlink Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/270691/2002-04-29/2002-05-05/0
Reference: REDHAT:RHSA-2002:064
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-064.html
Reference: XF:nautilus-metafile-xml-symlink(8995)
Reference: URL:http://www.iss.net/security_center/static/8995.php
Reference: BID:4373
Reference: URL:http://www.securityfocus.com/bid/4373

Nautilus 1.0.4 and earlier allows local users to overwrite arbitrary
files via a symlink attack on the .nautilus-metafile.xml metadata
file.


Modifications:
  ADDREF XF:nautilus-metafile-xml-symlink(8995)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0157 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:nautilus-metafile-xml-symlink(8995)


======================================================
Candidate: CAN-2002-0163
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0163
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020328
Category: SF
Reference: CONFIRM:http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
Reference: FREEBSD:FreeBSD-SA-02:19
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:19.squid.asc
Reference: MANDRAKE:MDKSA-2002:027
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-027.php
Reference: BUGTRAQ:20020326 updated squid advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101716495023226&w=2
Reference: CALDERA:CSSA-2002-017.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-017.1.txt
Reference: CALDERA:CSSA-2002-SCO.26
Reference: REDHAT:RHSA-2002:051
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-051.html
Reference: BID:4363
Reference: URL:http://www.securityfocus.com/bid/4363
Reference: XF:squid-dns-reply-dos(8628)
Reference: URL:http://www.iss.net/security_center/static/8628.php

Heap-based buffer overflow in Squid before 2.4 STABLE4, and Squid 2.5
and 2.6 until March 12, 2002 distributions, allows remote attackers to
cause a denial of service, and possibly execute arbitrary code, via
compressed DNS responses.


Modifications:
  ADDREF BID:4363
  ADDREF XF:squid-dns-reply-dos(8628)
  ADDREF BUGTRAQ:20020326 updated squid advisory
  ADDREF CALDERA:CSSA-2002-017.0
  ADDREF FREEBSD:FreeBSD-SA-02:19
  ADDREF CALDERA:CSSA-2002-SCO.26
  ADDREF REDHAT:RHSA-2002:051
  DESC change "heap overflow" to "heap-based buffer overflow"

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0163 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Cox, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> BID:4363
   URL:http://www.securityfocus.com/bid/4363
   XF:squid-dns-reply-dos(8628)
   URL:http://www.iss.net/security_center/static/8628.php
   BUGTRAQ:20020326 updated squid advisory
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101716495023226&w=2
   CALDERA:CSSA-2002-017.0
   MANDRAKE:MDKSA-2002:027
   FREEBSD:FreeBSD-SA-02:19
 Christey> CALDERA:CSSA-2002-017.1
   URL:http://www.caldera.com/support/security/advisories/CSSA-2002-017.1.txt
   BID:4363
   URL:http://www.securityfocus.com/bid/4363
 Christey> CALDERA:CSSA-2002-SCO.26
 Christey> REDHAT:RHSA-2002:051 (per Mark Cox)
 Frech> XF:squid-dns-reply-dos(8628)


======================================================
Candidate: CAN-2002-0169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0169
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020411
Category: CF
Reference: REDHAT:RHSA-2002:062
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-062.html
Reference: HP:HPSBTL0205-038
Reference: URL:http://online.securityfocus.com/advisories/4095
Reference: XF:linux-docbook-stylesheet-insecure(8983)
Reference: URL:http://www.iss.net/security_center/static/8983.php
Reference: BID:4654
Reference: URL:http://online.securityfocus.com/bid/4654

The default stylesheet for DocBook on Red Hat Linux 6.2 through 7.2 is
installed with an insecure option enabled, which could allow users to
overwrite files outside of the current directory from an untrusted
document by using a full pathname as an element identifier.


Modifications:
  ADDREF HP:HPSBTL0205-038
  ADDREF XF:linux-docbook-stylesheet-insecure(8983)
  ADDREF BID:4654

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0169 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:linux-docbook-stylesheet-insecure(8983)


======================================================
Candidate: CAN-2002-0170
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0170
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: BUGTRAQ:20020301 [matt@zope.com: [Zope-Annce] Zope Hotfix 2002-03-01 (Ownership Roles Enforcement)]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101503023511996&w=2
Reference: CONFIRM:http://www.zope.org/Products/Zope/hotfixes/
Reference: REDHAT:RHSA-2002:060
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
Reference: XF:zope-proxy-role-privileges(8334)
Reference: URL:http://www.iss.net/security_center/static/8334.php
Reference: BID:4229
Reference: URL:http://www.securityfocus.com/bid/4229

Zope 2.2.0 through 2.5.1 does not properly verify the access for
objects with proxy roles, which could allow some users to access
documents in violation of the intended configuration.


Modifications:
  ADDREF REDHAT:RHSA-2002:060
  ADDREF XF:zope-proxy-role-privileges(8334)
  ADDREF BID:4229

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0170 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cox, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Frech> XF:zope-proxy-role-privileges(8334)
 Christey> REDHAT:RHSA-2002:060
   URL:http://www.redhat.com/support/errata/RHSA-2002-060.html


======================================================
Candidate: CAN-2002-0171
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0171
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: SGI:20020406-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020406-01-P
Reference: XF:irix-irisconsole-icadmin-access(8933)
Reference: URL:http://www.iss.net/security_center/static/8933.php
Reference: BID:4588
Reference: URL:http://www.securityfocus.com/bid/4588

IRISconsole 2.0 may allow users to log into the icadmin account with
an incorrect password in some circumstances, which could allow users
to gain privileges.


Modifications:
  ADDREF XF:irix-irisconsole-icadmin-access(8933)
  ADDREF BID:4588

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0171 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:irix-irisconsole-icadmin-access(8933)


======================================================
Candidate: CAN-2002-0172
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0172
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020411
Category: CF
Reference: SGI:20020408-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020408-01-I
Reference: XF:irix-ipfilter-dos(8960)
Reference: URL:http://www.iss.net/security_center/static/8960.php
Reference: BID:4648
Reference: URL:http://online.securityfocus.com/bid/4648

/dev/ipfilter on SGI IRIX 6.5 is installed by /dev/MAKEDEV with
insecure default permissions (644), which could allow a local user to
cause a denial of service (traffic disruption).


Modifications:
  ADDREF XF:irix-ipfilter-dos(8960)
  ADDREF BID:4648

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0172 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> BID:4648
   URL:http://online.securityfocus.com/bid/4648
 Frech> XF:irix-ipfilter-dos(8960)


======================================================
Candidate: CAN-2002-0173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0173
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: SGI:20020409-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020409-01-I
Reference: BID:4644
Reference: URL:http://www.securityfocus.com/bid/4644
Reference: XF:irix-cpr-bo(8959)
Reference: URL:http://www.iss.net/security_center/static/8959.php

Buffer overflow in cpr for the eoe.sw.cpr SGI Checkpoint-Restart
Software package on SGI IRIX 6.5.10 and earlier may allow local users
to gain root privileges.


Modifications:
  ADDREF BID:4644
  ADDREF XF:irix-cpr-bo(8959)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0173 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> BID:4644
   URL:http://www.securityfocus.com/bid/4644
 Frech> XF:irix-cpr-bo(8959)


======================================================
Candidate: CAN-2002-0174
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0174
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020411
Category: SF
Reference: SGI:20020501-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020501-01-I
Reference: XF:irix-nsd-symlink(8981)
Reference: URL:http://www.iss.net/security_center/static/8981.php
Reference: BID:4655
Reference: URL:http://www.securityfocus.com/bid/4655

nsd on SGI IRIX before 6.5.11 allows local users to overwrite
arbitrary files and gain root privileges via a symlink attack on the
nsd.dump file.


Modifications:
  ADDREF XF:irix-nsd-symlink(8981)
  ADDREF BID:4655

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0174 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:irix-nsd-symlink(8981)


======================================================
Candidate: CAN-2002-0178
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0178
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020611
Assigned: 20020417
Category: SF
Reference: MISC:http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
Reference: REDHAT:RHSA-2002:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-065.html
Reference: HP:HPSBTL0205-040
Reference: URL:http://online.securityfocus.com/advisories/4132
Reference: MANDRAKE:MDKSA-2002:052
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-052.php
Reference: XF:sharutils-uudecode-symlink(9075)
Reference: URL:http://www.iss.net/security_center/static/9075.php
Reference: BID:4742
Reference: URL:http://www.securityfocus.com/bid/4742
Reference: BUGTRAQ:20021030 GLSA: sharutils
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103599320902432&w=2
Reference: CERT-VN:VU#336083
Reference: URL:http://www.kb.cert.org/vuls/id/336083
Reference: CALDERA:CSSA-2002-040.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-040.0.txt
Reference: COMPAQ:SSRT2301

uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute
commands.


Modifications:
  ADDREF HP:HPSBTL0205-040
  ADDREF MANDRAKE:MDKSA-2002:052
  ADDREF XF:sharutils-uudecode-symlink(9075)
  ADDREF BID:4742
  ADDREF MISC:http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
  ADDREF BUGTRAQ:20021030 GLSA: sharutils
  ADDREF CERT-VN:VU#336083
  ADDREF CALDERA:CSSA-2002-040.0
  ADDREF COMPAQ:SSRT2301

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0178 ACCEPT (6 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Green
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> ADDREF: http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
 Christey> HP:HPSBTL0205-040
   URL:http://online.securityfocus.com/advisories/4132
   XF:sharutils-uudecode-symlink(9075)
   URL:http://www.iss.net/security_center/static/9075.php
   BID:4742
   URL:http://www.securityfocus.com/bid/4742
 Christey> MANDRAKE:MDKSA-2002:052
 Christey> BUGTRAQ:20021030 GLSA: sharutils
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103599320902432&w=2
   CERT-VN:VU#336083
   URL:http://www.kb.cert.org/vuls/id/336083
 Christey> CALDERA:CSSA-2002-040.0
 Christey> COMPAQ:SSRT2301
   CERT-VN:VU#336083
   URL:http://www.kb.cert.org/vuls/id/336083


======================================================
Candidate: CAN-2002-0181
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0181
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020502
Assigned: 20020417
Category: SF
Reference: BUGTRAQ:20020406 IMP 2.2.8 (SECURITY) released
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101828033830744&w=2
Reference: DEBIAN:DSA-126
Reference: URL:http://www.debian.org/security/2002/dsa-126
Reference: CALDERA:CSSA-2002-016.1
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-016.1.txt
Reference: CONECTIVA:CLA-2001:473
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000473
Reference: MISC:http://bugs.horde.org/show_bug.cgi?id=916
Reference: XF:imp-status-php3-css(8769)
Reference: URL:http://www.iss.net/security_center/static/8769.php
Reference: BID:4444
Reference: URL:http://www.securityfocus.com/bid/4444

Cross-site scripting vulnerability in status.php3 for IMP 2.2.8 and
HORDE 1.2.7 allows remote attackers to execute arbitrary web script
and steal cookies of other IMP/HORDE users via the script parameter.


Modifications:
  DESC rephrase
  CHANGEREF CALDERA [new version number]
  ADDREF CONECTIVA:CLA-2001:473
  ADDREF MISC:http://bugs.horde.org/show_bug.cgi?id=916
  ADDREF XF:imp-status-php3-css(8769)
  ADDREF BID:4444

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0181 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(2) Frech, Cox
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Cox> "execute script" sounds like local execution - it's just cross
   site scripting
 Christey> Try this desc: "Cross-site scripting vulnerability in
   status.php3 for IMP 2.2.8 and HORDE 1.2.7 allows remote attackers to
   execute arbitrary script and steal cookies of other IMP/HORDE users
   via the script parameter."
   CONECTIVA:CLA-2001:473
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000473
   MISC:http://bugs.horde.org/show_bug.cgi?id=916
   XF:imp-status-php3-css(8769)
   URL:http://www.iss.net/security_center/static/8769.php
   BID:4444
   URL:http://www.securityfocus.com/bid/4444
   CHANGEREF CALDERA:CSSA-2002-016.1  (new version #)
 Frech> XF:imp-status-php3-css(8769)


======================================================
Candidate: CAN-2002-0184
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0184
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020502
Assigned: 20020419
Category: SF
Reference: BUGTRAQ:20020425 [Global InterSec 2002041701] Sudo Password Prompt
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101974610509912&w=2
Reference: BUGTRAQ:20020425 Sudo version 1.6.6 now available (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101975443619600&w=2
Reference: MANDRAKE:MDKSA-2002:028
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-028.php3
Reference: DEBIAN:DSA-128
Reference: URL:http://www.debian.org/security/2002/dsa-128
Reference: REDHAT:RHSA-2002:071
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-071.html
Reference: REDHAT:RHSA-2002:072
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-072.html
Reference: ENGARDE:ESA-20020429-010
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2040.html
Reference: BUGTRAQ:20020425 [slackware-security] sudo upgrade fixes a potential vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101979472822196&w=2
Reference: CONECTIVA:CLA-2002:475
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000475
Reference: TRUSTIX:TSLSA-2002-0046
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102010164413135&w=2
Reference: BUGTRAQ:20020429 TSLSA-2002-0046 - sudo
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102010164413135&w=2
Reference: SUSE:SuSE-SA:2002:014
Reference: URL:http://www.suse.de/de/security/2002_014_sudo_txt.html
Reference: CERT-VN:VU#820083
Reference: URL:http://www.kb.cert.org/vuls/id/820083
Reference: XF:sudo-password-expansion-overflow(8936)
Reference: URL:http://www.iss.net/security_center/static/8936.php
Reference: BID:4593
Reference: URL:http://www.securityfocus.com/bid/4593

Heap-based buffer overflow in sudo before 1.6.6 may allow local users
to gain root privileges via special characters in the -p (prompt)
argument, which are not properly expanded.


Modifications:
  ADDREF BUGTRAQ:20020429 TSLSA-2002-0046 - sudo
  ADDREF SUSE:SuSE-SA:2002:014
  ADDREF XF:sudo-password-expansion-overflow(8936)
  DESC change terms to "heap-based buffer overflow"
  ADDREF BID:4593
  ADDREF CERT-VN:VU#820083

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0184 ACCEPT (7 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(6) Cox, Wall, Foat, Cole, Armstrong, Green
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Christey> BUGTRAQ:20020429 TSLSA-2002-0046 - sudo
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102010164413135&w=2
   SUSE:SuSE-SA:2002:014
 Frech> XF:sudo-password-expansion-overflow(8936)


======================================================
Candidate: CAN-2002-0185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0185
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020419
Category: SF
Reference: MISC:http://www.modpython.org/pipermail/mod_python/2002-April/001991.html
Reference: MISC:http://www.modpython.org/pipermail/mod_python/2002-April/002003.html
Reference: REDHAT:RHSA-2002:070
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-070.html
Reference: CONECTIVA:CLA-2002:477
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000477
Reference: XF:modpython-imported-module-access(8997)
Reference: URL:http://www.iss.net/security_center/static/8997.php
Reference: BID:4656
Reference: URL:http://www.securityfocus.com/bid/4656

mod_python version 2.7.6 and earlier allows a module indirectly
imported by a published module to then be accessed via the publisher,
which allows remote attackers to call possibly dangerous functions
from the imported module.


Modifications:
  ADDREF REDHAT:RHSA-2002:070
  ADDREF CONECTIVA:CLA-2002:477
  ADDREF XF:modpython-imported-module-access(8997)
  ADDREF BID:4656

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0185 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cox
   MODIFY(1) Frech
   NOOP(6) Christey, Wall, Foat, Cole, Armstrong, Green

Voter Comments:
 Cox> ADDREF: RHSA-2002:070
 Christey> ADDREF REDHAT:RHSA-2002:070
 Christey> CONECTIVA:CLA-2002:477
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000477
 Frech> XF:modpython-imported-module-access(8997)


======================================================
Candidate: CAN-2002-0186
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0186
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020420
Category: SF
Reference: BUGTRAQ:20020613 wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102397345410856&w=2
Reference: VULNWATCH:20020613 [VulnWatch] wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0100.html
Reference: MS:MS02-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
Reference: CERT-VN:VU#811371
Reference: URL:http://www.kb.cert.org/vuls/id/811371
Reference: BID:5004
Reference: URL:http://www.securityfocus.com/bid/5004
Reference: XF:mssql-sqlxml-isapi-bo(9328)
Reference: URL:http://www.iss.net/security_center/static/9328.php

Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server
2000 allows remote attackers to execute arbitrary code via data
queries with a long content-type parameter, aka "Unchecked Buffer in
SQLXML ISAPI Extension."


Modifications:
  ADDREF CERT-VN:VU#811371
  ADDREF BID:5004
  ADDREF XF:mssql-sqlxml-isapi-bo(9328)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0186 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CERT-VN:VU#811371
   URL:http://www.kb.cert.org/vuls/id/811371
   BID:5004
   URL:http://www.securityfocus.com/bid/5004
   XF:mssql-sqlxml-isapi-bo(9328)
   URL:http://www.iss.net/security_center/static/9328.php


======================================================
Candidate: CAN-2002-0187
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0187
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020420
Category: SF
Reference: BUGTRAQ:20020613 wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102397345410856&w=2
Reference: VULNWATCH:20020613 [VulnWatch] wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0100.html
Reference: MS:MS02-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-030.asp

Cross-site scripting vulnerability in the SQLXML component of
Microsoft SQL Server 2000 allows an attacker to execute arbitrary
script via the root parameter as part of an XML SQL query, aka "Script
Injection via XML Tag."

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0187 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CERT-VN:VU#139931
   URL:http://www.kb.cert.org/vuls/id/139931
   XF:mssql-sqlxml-script-injection(9329)
   URL:http://www.iss.net/security_center/static/9329.php
   BID:5005
   URL:http://www.securityfocus.com/bid/5005


======================================================
Candidate: CAN-2002-0190
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0190
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020420
Category: SF
Reference: MS:MS02-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
Reference: CERT-VN:VU#242891
Reference: URL:http://www.kb.cert.org/vuls/id/242891
Reference: XF:ie-netbios-incorrect-security-zone(9084)
Reference: URL:http://www.iss.net/security_center/static/9084.php
Reference: BID:4753
Reference: URL:http://www.securityfocus.com/bid/4753

Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers
to execute arbitrary code under fewer security restrictions via a
malformed web page that requires NetBIOS connectivity, aka "Zone
Spoofing through Malformed Web Page" vulnerability.


Modifications:
  ADDREF XF:ie-netbios-incorrect-security-zone(9084)
  ADDREF BID:4753
  ADDREF CERT-VN:VU#242891

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0190 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:ie-netbios-incorrect-security-zone(9084)


======================================================
Candidate: CAN-2002-0191
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0191
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020420
Category: SF
Reference: BUGTRAQ:20020402 Reading portions of local files in IE, depending on structure (GM#004-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101778302030981&w=2
Reference: MS:MS02-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
Reference: XF:ie-css-read-files (8740)
Reference: URL:http://www.iss.net/security_center/static/8740.php
Reference: BID:4411
Reference: URL:http://online.securityfocus.com/bid/4411

Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers
to view arbitrary files that contain the "{" character via script
containing the cssText property of the stylesheet object, aka "Local
Information Disclosure through HTML Object" vulnerability.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0191 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Frech, Wall, Foat, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0213
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0213
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20020128 [ Hackerslab bug_paper ] Xkas application vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101223525118717&w=2
Reference: SGI:20020604-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020604-01-I
Reference: BID:3969
Reference: URL:http://online.securityfocus.com/bid/3969
Reference: XF:kashare-xkas-icon-symlink(8002)
Reference: URL:http://www.iss.net/security_center/static/8002.php

xkas in Xinet K-AShare 0.011.01 for IRIX allows local users to read
arbitrary files via a symlink attack on the VOLICON file, which copied
to the .HSicon file in a shared directory.


Modifications:
  ADDREF SGI:20020604-01-I

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0213 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Green
   NOOP(4) Christey, Wall, Foat, Cole

Voter Comments:
 Christey> SGI:20020604-01-I


======================================================
Candidate: CAN-2002-0241
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0241
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CISCO:20020207 Cisco Secure Access Control Server Novell Directory Service Expired/Disabled User Authentication Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/ciscosecure-acs-nds-authentication-vuln-pub.shtml
Reference: XF:ciscosecure-nds-authentication(8106)
Reference: URL:http://www.iss.net/security_center/static/8106.php
Reference: BID:4048
Reference: URL:http://www.securityfocus.com/bid/4048

NDSAuth.DLL in Cisco Secure Authentication Control Server (ACS) 3.0.1
does not check the Expired or Disabled state of users in the Novell
Directory Services (NDS), which could allow those users to
authenticate to the server.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0241 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0246
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0246
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020210 Unixware Message catalog exploit code
Reference: URL:http://online.securityfocus.com/archive/1/255414
Reference: CALDERA:CSSA-2002-SCO.3
Reference: URL:ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.3/CSSA-2002-SCO.3.txt
Reference: BID:4060
Reference: URL:http://online.securityfocus.com/bid/4060
Reference: XF:unixware-msg-catalog-format-string(8113)
Reference: URL:http://www.iss.net/security_center/static/8113.php

Format string vulnerability in the message catalog library functions
in UnixWare 7.1.1 allows local users to gain privileges by modifying
the LC_MESSAGE environment variable to read other message catalogs
containing format strings from setuid programs such as vxprint.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0246 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0250
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0250
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020208 Hewlett Packard AdvanceStack Switch Managment Authentication Bypass Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101318469216213&w=2
Reference: HP:HPSBUX0202-185
Reference: URL:http://online.securityfocus.com/advisories/3870
Reference: BID:4062
Reference: URL:http://www.securityfocus.com/bid/4062
Reference: XF:hp-advancestack-bypass-auth(8124)
Reference: URL:http://www.iss.net/security_center/static/8124.php

Web configuration utility in HP AdvanceStack hubs J3200A through
J3210A with firmware version A.03.07 and earlier, allows unauthorized
users to bypass authentication via a direct HTTP request to the
web_access.html file, which allows the user to change the switch's
configuration and modify the administrator password.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0250 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0267
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0267
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020212 SIPS - vulnerable to anyone gaining admin access.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101363233905645&w=2
Reference: CONFIRM:http://sips.sourceforge.net/adminvul.html
Reference: BID:4097
Reference: URL:http://online.securityfocus.com/bid/4097
Reference: XF:sips-theme-admin-access(8193)
Reference: URL:http://www.iss.net/security_center/static/8193.php

preferences.php in Simple Internet Publishing System (SIPS) before
0.3.1 allows remote attackers to gain administrative privileges via a
linebreak in the "theme" field followed by the Status::admin command,
which causes the Status line to be entered into the password file.


Modifications:
  ADDREF XF:sips-theme-admin-access(8193)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0267 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:sips-theme-admin-access(8193)


======================================================
Candidate: CAN-2002-0274
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0274
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020213 Exim 3.34 and lower (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101362618118598&w=2
Reference: CONFIRM:http://www.exim.org/pipermail/exim-announce/2002q1/000053.html
Reference: XF:exim-config-arg-bo(8194)
Reference: URL:http://www.iss.net/security_center/static/8194.php
Reference: BID:4096
Reference: URL:http://www.securityfocus.com/bid/4096

Exim 3.34 and earlier may allow local users to gain privileges via a
buffer overflow in long -C (configuration file) and other command line
arguments.


Modifications:
  ADDREF XF:exim-config-arg-bo(8194)

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: A post to the Exim-announce mailing list on February
19th refers to problems "raised by the bugtraq posting last week."

INFERRED ACTION: CAN-2002-0274 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cox, Cole
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Armstrong

Voter Comments:
 Frech> XF:exim-config-arg-bo(8194)
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2002-0276
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0276
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020213 [NGSEC-2002-1] Ettercap, remote root compromise
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101370874219511&w=2
Reference: CONFIRM:http://ettercap.sourceforge.net/index.php?s=history
Reference: BID:4104
Reference: URL:http://online.securityfocus.com/bid/4104
Reference: XF:ettercap-memcpy-bo(8200)
Reference: URL:http://www.iss.net/security_center/static/8200.php

Buffer overflow in various decoders in Ettercap 0.6.3.1 and earlier,
when running on networks with an MTU greater than 2000, allows remote
attackers to execute arbitrary code via large packets.


Modifications:
  ADDREF XF:ettercap-memcpy-bo(8200)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the entry for version 0.6.4 in the vendor's history
file states "Fixed the possibility of remote exploitation on interface
with MTU > 1500"

INFERRED ACTION: CAN-2002-0276 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:ettercap-memcpy-bo(8200)


======================================================
Candidate: CAN-2002-0287
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0287
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20020216 pforum: mysql-injection-bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101389284625019&w=2
Reference: CONFIRM:http://www.powie.de/news/index.php
Reference: BID:4114
Reference: URL:http://online.securityfocus.com/bid/4114
Reference: XF:pforum-quotes-sql-injection(8203)
Reference: URL:http://www.iss.net/security_center/static/8203.php

pforum 1.14 and earlier does no explicitly enable PHP magic quotes,
which allows remote attackers to bypass authentication and gain
administrator privileges via an SQL injection attack when the PHP
server is not configured to use magic quotes by default.


Modifications:
  ADDREF XF:pforum-quotes-sql-injection(8203)

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: While the comment on the News page is in German, it
is clear that the vendor's statement on 20020214 constitutes
sufficient acknowledgement, even when viewed using basic translation
software: "Hiermit m?chte ich alle User des PFORUM auf eine schwere
Sicherheitsl?cke aufmerksam machen... Diese Sicherheitsl?cke tritt nur
auf, wenn auf den entsprechenden Webserver in der PHP.INI
magic_quotes_gpc = Off sind."

INFERRED ACTION: CAN-2002-0287 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:pforum-quotes-sql-injection(8203)


======================================================
Candidate: CAN-2002-0290
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0290
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020218 Netwin Webnews Buffer Overflow Vulnerability (#NISR18022002)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101413521417638&w=2
Reference: CONFIRM:ftp://netwinsite.com/pub/webnews/beta/webnews11m_solaris.tar.Z
Reference: BID:4124
Reference: URL:http://online.securityfocus.com/bid/4124
Reference: XF:webnews-cgi-group-bo(8220)
Reference: URL:http://www.iss.net/security_center/static/8220.php

Buffer overflow in Netwin WebNews CGI program 1.1, Webnews.exe, allows
remote attackers to execute arbitrary code via a long group argument.


Modifications:
  ADDREF XF:webnews-cgi-group-bo(8220)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the "webnews/manuals/update.htm" file in the WebNews
distribution has an entry dated February 21, which states: "Fixed:
Buffer Overflow Vulnerability reported by NGSSoftware Insight Security
Research."

INFERRED ACTION: CAN-2002-0290 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:webnews-cgi-group-bo(8220)


======================================================
Candidate: CAN-2002-0292
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0292
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 [SA-2002:01] Slashcode login vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101414005501708&w=2
Reference: BID:4116
Reference: URL:http://online.securityfocus.com/bid/4116
Reference: XF:slashcode-site-xss(8221)
Reference: URL:http://www.iss.net/security_center/static/8221.php

Cross-site scripting vulnerability in Slash before 2.2.5, as used in
Slashcode and elsewhere, allows remote attackers to steal cookies and
authentication information from other users via Javascript in a URL,
possibly in the formkey field.


Modifications:
  ADDREF XF:slashcode-site-xss(8221)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0292 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:slashcode-site-xss(8221)


======================================================
Candidate: CAN-2002-0299
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0299
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 CNet CatchUp arbitrary code execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101438631921749&w=2
Reference: BID:3975
Reference: URL:http://online.securityfocus.com/bid/3975
Reference: XF:cnet-catchup-gain-privileges(8035)
Reference: URL:http://www.iss.net/security_center/static/8035.php

CNet CatchUp before 1.3.1 allows attackers to execute arbitrary code
via a .RVP file that creates a file with an arbitrary extension (such
as .BAT), which is executed during a scan.


Modifications:
  ADDREF XF:cnet-catchup-gain-privileges(8035)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0299 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:cnet-catchup-gain-privileges(8035)


======================================================
Candidate: CAN-2002-0300
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0300
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 gnujsp: dir- and script-disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101415804625292&w=2
Reference: BUGTRAQ:20020220 Re: gnujsp: dir- and script-disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101422432123898&w=2
Reference: DEBIAN:DSA-114
Reference: URL:http://www.debian.org/security/2002/dsa-114
Reference: BID:4125
Reference: URL:http://online.securityfocus.com/bid/4125
Reference: XF:gnujsp-jserv-information-disclosure(8240)
Reference: URL:http://www.iss.net/security_center/static/8240.php

gnujsp 1.0.0 and 1.0.1 allows remote attackers to list directories,
read source code of certain scripts, and bypass access restrictions by
directly requesting the target file from the gnujsp servlet, which
does not work around a limitation of JServ and does not process the
requested file.


Modifications:
  ADDREF XF:gnujsp-jserv-information-disclosure(8240)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0300 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:gnujsp-jserv-information-disclosure(8240)


======================================================
Candidate: CAN-2002-0302
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0302
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SN MP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101424225814604&w=2
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20a.html
Reference: BID:4139
Reference: URL:http://online.securityfocus.com/bid/4139
Reference: XF:sef-smtp-proxy-information(8251)
Reference: URL:http://www.iss.net/security_center/static/8251.php

The Notify daemon for Symantec Enterprise Firewall (SEF) 6.5.x drops
large alerts when SNMP is used as the transport, which could prevent
some alerts from being sent in the event of an attack.


Modifications:
  ADDREF XF:sef-smtp-proxy-information(8251)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0302 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Prosser, Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:sef-smtp-proxy-information(8251)
 Prosser> http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20a.html


======================================================
Candidate: CAN-2002-0309
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0309
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 Symantec Enterprise Firewall (SEF) SMTP proxy inconsistencies
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101430810813853&w=2
Reference: BUGTRAQ:20020220 Symantec Enterprise Firewall (SEF) SMTP proxy inconsistencies
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101424307617060&w=2
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20.html
Reference: BID:4141
Reference: URL:http://online.securityfocus.com/bid/4141
Reference: XF:sef-smtp-proxy-information(8251)
Reference: URL:http://www.iss.net/security_center/static/8251.php

SMTP proxy in Symantec Enterprise Firewall (SEF) 6.5.x includes the
firewall's physical interface name and address in an SMTP protocol
exchange when NAT translation is made to an address other than the
firewall, which could allow remote attackers to determine certain
firewall configuration information.


Modifications:
  ADDREF CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20.html
  ADDREF XF:sef-smtp-proxy-information(8251)

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0309 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Prosser, Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:sef-smtp-proxy-information(8251)
 Prosser> http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20.html


======================================================
Candidate: CAN-2002-0318
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0318
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 DoS Attack against many RADIUS servers
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440113410083&w=2
Reference: XF:freeradius-access-request-dos(9968)
Reference: URL:http://www.iss.net/security_center/static/9968.php

FreeRADIUS RADIUS server allows remote attackers to cause a denial of
service (CPU consumption) via a flood of Access-Request packets.


Modifications:
  ADDREF XF:freeradius-access-request-dos(9968)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0318 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:freeradius-access-request-dos(9968)
   http://www.freeradius.org/radiusd/doc/ChangeLog
   Possibly: Fix a bug which would hang the server when many SQL
   connections were open.


======================================================
Candidate: CAN-2002-0329
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0329
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020227 RE: Open Bulletin Board javascript bug.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101485184605149&w=2
Reference: BUGTRAQ:20020227 Snitz 2000 Code Patch (was RE: Open Bulletin Board javascript bug.)
Reference: URL:http://online.securityfocus.com/archive/1/258981
Reference: CONFIRM:http://forum.snitz.com/forum/link.asp?TOPIC_ID=23660
Reference: BID:4192
Reference: URL:http://www.securityfocus.com/bid/4192
Reference: XF:snitz-img-css(8309)
Reference: URL:http://www.iss.net/security_center/static/8309.php

Cross-site scripting vulnerability in Snitz Forums 2000 3.3.03 and
earlier allows remote attackers to execute arbitrary script as other
Forums 2000 users via Javascript in an IMG tag.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0329 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> DELREF one BID:4192 (mentioned twice)


======================================================
Candidate: CAN-2002-0330
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0330
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020225 Open Bulletin Board  javascript bug.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101466092601554&w=2
Reference: CONFIRM:http://community.iansoft.net/read.php?TID=5159
Reference: BID:4171
Reference: URL:http://online.securityfocus.com/bid/4171
Reference: XF:openbb-img-css(8278)
Reference: URL:http://www.iss.net/security_center/static/8278.php

Cross-site scripting vulnerability in codeparse.php of Open Bulletin
Board (OpenBB) 1.0.0 allows remote attackers to execute arbitrary
script and steal cookies via Javascript in the IMG tag.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0330 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0339
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CISCO:20020227 Cisco Security Advisory: Data Leak with Cisco Express Forwarding
Reference: URL:http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml
Reference: XF:ios-cef-information-leak(8296)
Reference: URL:http://www.iss.net/security_center/static/8296.php
Reference: BID:4191
Reference: URL:http://www.securityfocus.com/bid/4191

Cisco IOS 11.1CC through 12.2 with Cisco Express Forwarding (CEF)
enabled includes portions of previous packets in the padding of a MAC
level packet when the MAC packet's length is less than the IP level
packet length.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0339 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0355
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0355
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020502
Category: SF
Reference: SGI:20020503-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020503-01-I
Reference: BID:4682
Reference: URL:http://www.securityfocus.com/bid/4682
Reference: XF:irix-netstat-file-existence(9023)
Reference: URL:http://www.iss.net/security_center/static/9023.php

netstat in SGI IRIX before 6.5.12 allows local users to determine the
existence of files on the system, even if the users do not have the
appropriate permissions.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0355 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0356
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0356
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020502
Category: SF
Reference: SGI:20020504-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020504-01-I
Reference: XF:irix-fsrxfs-gain-privileges(9042)
Reference: URL:http://www.iss.net/security_center/static/9042.php
Reference: BID:4706
Reference: URL:http://www.securityfocus.com/bid/4706

Vulnerability in XFS filesystem reorganizer (fsr_xfs) in SGI IRIX
6.5.10 and earlier allows local users to gain root privileges by
overwriting critical system files.


Modifications:
  ADDREF XF:irix-fsrxfs-gain-privileges(9042)
  ADDREF BID:4706

Analysis
--------
Vendor Acknowledgement: yes advisory

NOTE: CAN-2002-0356 was incorrectly used in a report for the sgdynamo
product.  The correct identifier for the sgdynamo vulnerability is
CAN-2002-0375.

INFERRED ACTION: CAN-2002-0356 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> NOTE: CAN-2002-0356 was mistakenly referenced in a report
   for the sgdynamo product.  The correct identifier for the
   sgdynamo vulnerability is CAN-2002-0375.
 Christey> XF:irix-fsrxfs-gain-privileges(9042)
   URL:http://www.iss.net/security_center/static/9042.php
   BID:4706
   URL:http://www.securityfocus.com/bid/4706
 Frech> XF:irix-fsrxfs-gain-privileges(9042)


======================================================
Candidate: CAN-2002-0358
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0358
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020502
Category: SF
Reference: SGI:20020602-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020602-01-I
Reference: XF:irix-mediamail-core-dump(9292)
Reference: URL:http://www.iss.net/security_center/static/9292.php
Reference: BID:4959
Reference: URL:http://www.securityfocus.com/bid/4959

MediaMail and MediaMail Pro in SGI IRIX 6.5.16 and earlier allows
local users to force the program to dump core via certain arguments,
which could allow the users to read sensitive data or gain privileges.


Modifications:
  DESC Fix typo: "Medial" Mail
  ADDREF BID:4959
  ADDREF XF:irix-mediamail-core-dump(9292)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0358 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> Fix typo: "Medial" Mail
   XF:irix-mediamail-core-dump(9292)
   URL:http://www.iss.net/security_center/static/9292.php
   BID:4959
   URL:http://www.securityfocus.com/bid/4959
 Frech> XF:irix-mediamail-core-dump(9292)


======================================================
Candidate: CAN-2002-0359
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020502
Category: SF
Reference: BUGTRAQ:20020620 [LSD] IRIX rpc.xfsmd multiple remote root vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102459162909825&w=2
Reference: SGI:20020606-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
Reference: CERT-VN:VU#521147
Reference: URL:http://www.kb.cert.org/vuls/id/521147
Reference: XF:irix-xfsmd-bypass-authentication(9401)
Reference: URL:http://www.iss.net/security_center/static/9401.php
Reference: BID:5072
Reference: URL:http://www.securityfocus.com/bid/5072

xfsmd for IRIX 6.5 through 6.5.16 uses weak authentication, which
allows remote attackers to call dangerous RPC functions, including
those that can mount or unmount xfs file systems, to gain root
privileges.


Modifications:
  ADDREF XF:irix-xfsmd-bypass-authentication(9401)
  ADDREF BID:5072
  ADDREF CERT-VN:VU#521147
  DELREF SGI:20020605-01-I

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0359 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:irix-xfsmd-bypass-authentication(9401)
   URL:http://www.iss.net/security_center/static/9401.php
   BID:5072
   URL:http://www.securityfocus.com/bid/5072
 Christey> DELREF SGI:20020605-01-I (that one is for CAN-2003-0392)


======================================================
Candidate: CAN-2002-0363
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020507
Category: SF
Reference: MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-January/001801.html
Reference: MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-February/001900.html
Reference: REDHAT:RHSA-2002:083
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-083.html
Reference: CALDERA:CSSA-2002-026.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-026.0.txt
Reference: XF:ghostscript-postscript-command-execution(9254)
Reference: URL:http://www.iss.net/security_center/static/9254.php
Reference: BID:4937
Reference: URL:http://www.securityfocus.com/bid/4937

ghostscript before 6.53 allows attackers to execute arbitrary commands
by using .locksafe or .setsafe to reset the current pagedevice.


Modifications:
  ADDREF CALDERA:CSSA-2002-026.0
  ADDREF XF:ghostscript-postscript-command-execution(9254)
  ADDREF BID:4937

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0363 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Cole, Alderson
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-026.0
 Christey> XF:ghostscript-postscript-command-execution(9254)
   URL:http://www.iss.net/security_center/static/9254.php
   BID:4937
   URL:http://www.securityfocus.com/bid/4937
 Frech> XF:ghostscript-postscript-command-execution(9254)


======================================================
Candidate: CAN-2002-0364
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0364
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020612 ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow [AD20020612]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102392069305962&w=2
Reference: NTBUGTRAQ:20020612 ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102392308608100&w=2
Reference: VULNWATCH:20020612 ADVISORY: Windows 2000 and NT4 IIS .HTR Remote Buffer Overflow [AD20020612]
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0099.html
Reference: BUGTRAQ:20020613 VNA - .HTR HEAP OVERFLOW
Reference: URL:http://online.securityfocus.com/archive/1/276767
Reference: CERT-VN:VU#313819
Reference: URL:http://www.kb.cert.org/vuls/id/313819
Reference: MS:MS02-028
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-028.asp
Reference: BID:4855
Reference: URL:http://www.securityfocus.com/bid/4855
Reference: XF:iis-htr-chunked-encoding-bo(9327)
Reference: URL:http://www.iss.net/security_center/static/9327.php

Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0
and 5.0 allows attackers to execute arbitrary code via the processing
of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding
Could Enable Web Server Compromise."


Modifications:
  ADDREF BID:4855
  ADDREF BUGTRAQ:20020613 VNA - .HTR HEAP OVERFLOW
  ADDREF CERT-VN:VU#313819
  ADDREF XF:iis-htr-chunked-encoding-bo(9327)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0364 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:4855
   URL:http://www.securityfocus.com/bid/4855
   BUGTRAQ:20020613 VNA - .HTR HEAP OVERFLOW
   URL:http://online.securityfocus.com/archive/1/276767
   CERT-VN:VU#313819
   URL:http://www.kb.cert.org/vuls/id/313819
   XF:iis-htr-chunked-encoding-bo(9327)
   URL:http://www.iss.net/security_center/static/9327.php


======================================================
Candidate: CAN-2002-0366
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0366
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020613 Microsoft RASAPI32.DLL
Reference: URL:http://online.securityfocus.com/archive/1/276776
Reference: BUGTRAQ:20020620 VPN and Q318138
Reference: URL:http://online.securityfocus.com/archive/1/278145
Reference: MISC:http://www.nextgenss.com/vna/ms-ras.txt
Reference: MS:MS02-029
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
Reference: BID:4852
Reference: URL:http://www.securityfocus.com/bid/4852

Buffer overflow in Remote Access Service (RAS) phonebook for Windows
NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows
local users to execute arbitrary code by modifying the rasphone.pbk
file to use a long dial-up entry.


Modifications:
  ADDREF BUGTRAQ:20020613 Microsoft RASAPI32.DLL
  ADDREF BUGTRAQ:20020620 VPN and Q318138

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0366 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> Add: a long script name is the issue.
   BUGTRAQ:20020613 Microsoft RASAPI32.DLL
   URL:http://online.securityfocus.com/archive/1/276776
   BUGTRAQ:20020620 VPN and Q318138
   URL:http://online.securityfocus.com/archive/1/278145


======================================================
Candidate: CAN-2002-0367
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0367
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020314 Fwd: DebPloit (exploit)
Reference: URL:http://www.securityfocus.com/archive/1/262074
Reference: BUGTRAQ:20020326 Re: DebPloit (exploit)
Reference: URL:http://www.securityfocus.com/archive/1/264441
Reference: BUGTRAQ:20020327 Local Security Vulnerability in Windows NT and Windows 2000
Reference: URL:http://www.securityfocus.com/archive/1/264927
Reference: NTBUGTRAQ:20020314 DebPloit (exploit)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101614320402695&w=2
Reference: BID:4287
Reference: URL:http://www.securityfocus.com/bid/4287
Reference: XF:win-debug-duplicate-handles(8462)
Reference: URL:http://www.iss.net/security_center/static/8462.php
Reference: MS:MS02-024
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-024.asp

smss.exe debugging subsystem in Windows NT and Windows 2000 does not
properly authenticate programs that connect to other programs, which
allows local users to gain administrator or SYSTEM privileges by
duplicating a handle to a privileged process, as demonstrated by
DebPloit.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0367 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0368
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0368
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: MS:MS02-025
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-025.asp
Reference: XF:exchange-msg-attribute-dos(9195)
Reference: URL:http://www.iss.net/security_center/static/9195.php
Reference: BID:4881
Reference: URL:http://www.securityfocus.com/bid/4881

The Store Service in Microsoft Exchange 2000 allows remote attackers
to cause a denial of service (CPU consumption) via a mail message with
a malformed RFC message attribute, aka "Malformed Mail Attribute can
Cause Exchange 2000 to Exhaust CPU Resources."


Modifications:
  ADDREF XF:exchange-msg-attribute-dos(9195)
  ADDREF BID:4881

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0368 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:exchange-msg-attribute-dos(9195)
   URL:http://www.iss.net/security_center/static/9195.php
   BID:4881
   URL:http://www.securityfocus.com/bid/4881
 Frech> XF:exchange-msg-attribute-dos(9195)


======================================================
Candidate: CAN-2002-0369
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0369
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: MS:MS02-026
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-026.asp
Reference: XF:ms-aspdotnet-stateserver-bo(9276)
Reference: URL:http://www.iss.net/security_center/static/9276.php
Reference: BID:4958
Reference: URL:http://www.securityfocus.com/bid/4958

Buffer overflow in ASP.NET Worker Process allows remote attackers to
cause a denial of service (restart) and possibly execute arbitrary
code via a routine that processes cookies while in StateServer mode.


Modifications:
  ADDREF XF:ms-aspdotnet-stateserver-bo(9276)
  ADDREF BID:4958

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0369 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:ms-aspdotnet-stateserver-bo(9276)
   http://www.iss.net/security_center/static/9276.php
   BID:4958
   URL:http://www.securityfocus.com/bid/4958
 Frech> XF:ms-aspdotnet-stateserver-bo(9276)


======================================================
Candidate: CAN-2002-0372
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0372
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020508
Category: SF
Reference: MS:MS02-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
Reference: XF:mediaplayer-cache-code-execution(9420)
Reference: URL:http://www.iss.net/security_center/static/9420.php
Reference: BID:5107
Reference: URL:http://www.securityfocus.com/bid/5107

Microsoft Windows Media Player versions 6.4 and 7.1 and Media Player
for Windows XP allow remote attackers to bypass Internet Explorer's
(IE) security mechanisms and run code via an executable .wma media
file with a license installation requirement stored in the IE cache,
aka the "Cache Path Disclosure via Windows Media Player".


Modifications:
  ADDREF XF:mediaplayer-cache-code-execution(9420)
  ADDREF BID:5107

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0372 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:mediaplayer-cache-code-execution(9420)
   URL:http://www.iss.net/security_center/static/9420.php
   BID:5107
   URL:http://www.securityfocus.com/bid/5107


======================================================
Candidate: CAN-2002-0373
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0373
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020726
Assigned: 20020508
Category: SF
Reference: MS:MS02-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
Reference: XF:mediaplayer-wmdm-privilege-elevation(9421)
Reference: URL:http://www.iss.net/security_center/static/9421.php
Reference: BID:5109
Reference: URL:http://www.securityfocus.com/bid/5109

The Windows Media Device Manager (WMDM) Service in Microsoft Windows
Media Player 7.1 on Windows 2000 systems allows local users to obtain
LocalSystem rights via a program that calls the WMDM service to
connect to an invalid local storage device, aka "Privilege Elevation
through Windows Media Device Manager Service".


Modifications:
  ADDREF XF:mediaplayer-wmdm-privilege-elevation(9421)
  ADDREF BID:5109

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0373 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:mediaplayer-wmdm-privilege-elevation(9421)
   URL:http://www.iss.net/security_center/static/9421.php
   BID:5109
   URL:http://www.securityfocus.com/bid/5109


======================================================
Candidate: CAN-2002-0374
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0374
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020508
Category: SF
Reference: BUGTRAQ:20020506 ldap vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102070762606525&w=2
Reference: VULNWATCH:20020506 ldap vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html
Reference: CALDERA:CSSA-2002-041.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-041.0.txt
Reference: MANDRAKE:MDKSA-2002:075
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:075
Reference: REDHAT:RHSA-2002:084
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-084.html
Reference: REDHAT:RHSA-2002:175
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-175.html
Reference: BUGTRAQ:20021030 GLSA: pam_ldap
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103601912505261&w=2
Reference: XF:pamldap-config-format-string(9018)
Reference: URL:http://www.iss.net/security_center/static/9018.php
Reference: BID:4679
Reference: URL:http://online.securityfocus.com/bid/4679

Format string vulnerability in the logging function for the pam_ldap
PAM LDAP module before version 144 allows attackers to execute
arbitrary code via format strings in the configuration file name.


Modifications:
  ADDREF XF:pamldap-config-format-string(9018)
  ADDREF BID:4679
  ADDREF BUGTRAQ:20021030 GLSA: pam_ldap
  ADDREF CALDERA:CSSA-2002-041.0
  ADDREF MANDRAKE:MDKSA-2002:075
  ADDREF REDHAT:RHSA-2002:175

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0374 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> XF:pamldap-config-format-string(9018)
   URL:http://www.iss.net/security_center/static/9018.php
   BID:4679
   URL:http://online.securityfocus.com/bid/4679
 Frech> XF:pamldap-config-format-string(9018)
 Christey> REDHAT:RHSA-2002:084
 Christey> BUGTRAQ:20021030 GLSA: pam_ldap
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103601912505261&w=2
   CALDERA:CSSA-2002-041.0
 Christey> MANDRAKE:MDKSA-2002:075
 Christey> REDHAT:RHSA-2002:175
   URL:http://www.redhat.com/support/errata/RHSA-2002-175.html
   CALDERA:CSSA-2002-041.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-041.0.txt


======================================================
Candidate: CAN-2002-0377
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0377
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020514
Category: SF
Reference: BUGTRAQ:20020512 Gaim abritary Email Reading
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102130733815285&w=2
Reference: VULN-DEV:20020511 Gaim abritary Email Reading
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0584.html
Reference: CONFIRM:http://gaim.sourceforge.net/ChangeLog
Reference: XF:gaim-email-access(9061)
Reference: URL:http://www.iss.net/security_center/static/9061.php
Reference: BID:4730
Reference: URL:http://www.securityfocus.com/bid/4730

Gaim 0.57 stores sensitive information in world-readable and
group-writable files in the /tmp directory, which allows local users
to access MSN web email accounts of other users who run Gaim by
reading authentication information from the files.


Modifications:
  ADDREF VULN-DEV:20020511 Gaim abritary Email Reading
  ADDREF XF:gaim-email-access(9061)
  ADDREF BID:4730

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: The Change Log for Gaim version 0.58, dated May 13,
says "Tempfiles used for secure MSN/HotMail login (added in 0.57) are
now themselves created securely."  In addition to a statement on the
vendor's News page, dated May 14, regarding "the fix to the recent
BugTraq posting about Gaim," this is sufficient acknowledgement.

INFERRED ACTION: CAN-2002-0377 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> VULN-DEV:20020511 Gaim abritary Email Reading
   URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0584.html
 Frech> XF:gaim-email-access(9061)
 Christey> XF:gaim-email-access(9061)
   URL:http://www.iss.net/security_center/static/9061.php
   BID:4730
   URL:http://www.securityfocus.com/bid/4730


======================================================
Candidate: CAN-2002-0379
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020517
Category: SF
Reference: BUGTRAQ:20020510 wu-imap buffer overflow condition
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529&w=2
Reference: REDHAT:RHSA-2002:092
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-092.html
Reference: CONECTIVA:CLA-2002:487
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000487
Reference: HP:HPSBTL0205-043
Reference: URL:http://online.securityfocus.com/advisories/4167
Reference: CALDERA:CSSA-2002-021.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-021.0.txt
Reference: MANDRAKE:MDKSA-2002:034
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-034.php
Reference: ENGARDE:ESA-20020607-013
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2120.html
Reference: BID:4713
Reference: URL:http://www.securityfocus.com/bid/4713
Reference: XF:wuimapd-partial-mailbox-bo(9055)
Reference: URL:http://www.iss.net/security_center/static/9055.php

Buffer overflow in University of Washington imap server (uw-imapd)
imap-2001 (imapd 2001.315) and imap-2001a (imapd 2001.315) with legacy
RFC 1730 support, and imapd 2000.287 and earlier, allows remote
authenticated users to execute arbitrary code via a long BODY request.


Modifications:
  ADDREF CONECTIVA:CLA-2002:487
  ADDREF HP:HPSBTL0205-043
  ADDREF CALDERA:CSSA-2002-021.0
  ADDREF MANDRAKE:MDKSA-2002:034
  ADDREF ENGARDE:ESA-20020607-013
  ADDREF BID:4713
  ADDREF XF:wuimapd-partial-mailbox-bo(9055)

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0379 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> Add "long BODY request" to desc.
   CONECTIVA:CLA-2002:487
   URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000487
   HP:HPSBTL0205-043
   URL:http://online.securityfocus.com/advisories/4167
   CALDERA:CSSA-2002-021.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-021.0.txt
   MANDRAKE:MDKSA-2002:034
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-034.php
   ENGARDE:ESA-20020607-013
   URL:http://www.linuxsecurity.com/advisories/other_advisory-2120.html
   BID:4713
   URL:http://www.securityfocus.com/bid/4713
   XF:wuimapd-partial-mailbox-bo(9055)
   URL:http://www.iss.net/security_center/static/9055.php
 Frech> XF:wuimapd-partial-mailbox-bo(9055)


======================================================
Candidate: CAN-2002-0381
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0381
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020517
Category: SF
Reference: MISC:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35022
Reference: BUGTRAQ:20020317 TCP Connections to a Broadcast Address on BSD-Based Systems
Reference: URL:http://online.securityfocus.com/archive/1/262733
Reference: CONFIRM:http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
Reference: CONFIRM:http://cvsweb.netbsd.org/bsdweb.cgi/syssrc/sys/netinet/tcp_input.c.diff?r1=1.136&r2=1.137
Reference: BID:4309
Reference: URL:http://online.securityfocus.com/bid/4309
Reference: XF:bsd-broadcast-address(8485)
Reference: URL:http://www.iss.net/security_center/static/8485.php

The TCP implementation in various BSD operating systems (tcp_input.c)
does not properly block connections to broadcast addresses, which
could allow remote attackers to bypass intended filters via packets
with a unicast link layer address and an IP broadcast address.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0381 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Green
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0382
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-02
Proposed: 20020611
Assigned: 20020521
Category: SF
Reference: BUGTRAQ:20020327 Xchat /dns command execution vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101725430425490&w=2
Reference: REDHAT:RHSA-2002:097
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-097.html
Reference: MANDRAKE:MDKSA-2002:051
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-051.php
Reference: CONECTIVA:CLA-2002:526
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000526
Reference: XF:xchat-dns-execute-commands(8704)
Reference: URL:http://www.iss.net/security_center/static/8704.php
Reference: BID:4376
Reference: URL:http://www.securityfocus.com/bid/4376

XChat IRC client allows remote attackers to execute arbitrary commands
via a /dns command on a host whose DNS reverse lookup contains shell
metacharacters.


Modifications:
  DESC capitalize XChat properly
  ADDREF MANDRAKE:MDKSA-2002:051
  ADDREF CONECTIVA:CLA-2002:526

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0382 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Armstrong
   MODIFY(2) Cox, Foat
   NOOP(3) Christey, Wall, Cole

Voter Comments:
 Cox> Xchat should be XChat
 Foat> Agree with Cox modification
 Christey> MANDRAKE:MDKSA-2002:051
 Christey> CONECTIVA:CLA-2002:526


======================================================
Candidate: CAN-2002-0389
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0389
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020611
Assigned: 20020523
Category: SF
Reference: BUGTRAQ:20020417 Mailman/Pipermail private mailing list/local user vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101902003314968&w=2
Reference: MISC:http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
Reference: XF:pipermail-view-archives(8874)
Reference: URL:http://www.iss.net/security_center/static/8874.php
Reference: BID:4538
Reference: URL:http://www.securityfocus.com/bid/4538

Pipermail in Mailman stores private mail messages with predictable
filenames in a world-executable directory, which allows local users to
read private mailing list archives.


Modifications:
  DESC fix typo
  ADDREF XF:pipermail-view-archives(8874)
  ADDREF BID:4538

Analysis
--------
Vendor Acknowledgement: no disputed

INCLUSION: In a response to the bug report, the vendor says "I'm not
inclined to fix this, since this arrangement is crucial to the web
security of private archives."

INFERRED ACTION: CAN-2002-0389 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cox
   MODIFY(1) Frech
   NOOP(4) Christey, Wall, Foat, Cole

Voter Comments:
 Frech> XF: pipermail-view-archives(8874)
 Christey> Add period to the end of the description.


======================================================
Candidate: CAN-2002-0391
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
Final-Decision:
Interim-Decision: 20030326
Modified: 20030320-01
Proposed: 20020830
Assigned: 20020528
Category: SF
Reference: ISS:20020731 Remote Buffer Overflow Vulnerability in Sun RPC
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
Reference: BUGTRAQ:20020731 Remote Buffer Overflow Vulnerability in Sun RPC
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102813809232532&w=2
Reference: BUGTRAQ:20020801 RPC analysis
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821785316087&w=2
Reference: BUGTRAQ:20020802 MITKRB5-SA-2002-001: Remote root vulnerability in MIT krb5 admin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102831443208382&w=2
Reference: CERT:CA-2002-25
Reference: URL:http://www.cert.org/advisories/CA-2002-25.html
Reference: CERT-VN:VU#192995
Reference: URL:http://www.kb.cert.org/vuls/id/192995
Reference: AIXAPAR:IY34194
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
Reference: CALDERA:CSSA-2002-055.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-055.0.txt
Reference: CONECTIVA:CLA-2002:515
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000515
Reference: CONECTIVA:CLA-2002:535
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000535
Reference: DEBIAN:DSA-142
Reference: URL:http://www.debian.org/security/2002/dsa-142
Reference: DEBIAN:DSA-143
Reference: URL:http://www.debian.org/security/2002/dsa-143
Reference: DEBIAN:DSA-146
Reference: URL:http://www.debian.org/security/2002/dsa-146
Reference: DEBIAN:DSA-149
Reference: URL:http://www.debian.org/security/2002/dsa-149
Reference: ENGARDE:ESA-20021003-021
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2399.html
Reference: FREEBSD:FreeBSD-SA-02:34.rpc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821928418261&w=2
Reference: HP:HPSBTL0208-061
Reference: URL:http://online.securityfocus.com/advisories/4402
Reference: HP:HPSBUX0209-215
Reference: URL:http://archives.neohapsis.com/archives/hp/2002-q3/0077.html
Reference: MANDRAKE:MDKSA-2002:057
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:057
Reference: MS:MS02-057
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-057.asp
Reference: NETBSD:NetBSD-SA2002-011
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
Reference: REDHAT:RHSA-2002:166
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-166.html
Reference: REDHAT:RHSA-2002:172
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-172.html
Reference: REDHAT:RHSA-2002:167
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-167.html
Reference: SGI:20020801-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A
Reference: SGI:20020801-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A
Reference: SUSE:SuSE-SA:2002:031
Reference: BUGTRAQ:20020803 OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0514.html
Reference: BUGTRAQ:20020802 kerberos rpc xdr_array
Reference: URL:http://online.securityfocus.com/archive/1/285740
Reference: BUGTRAQ:20020909 GLSA: glibc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103158632831416&w=2
Reference: XF:sunrpc-xdr-array-bo(9170)
Reference: URL:http://www.iss.net/security_center/static/9170.php
Reference: BID:5356
Reference: URL:http://www.securityfocus.com/bid/5356

Integer overflow in xdr_array function in RPC servers for operating
systems that use libc, glibc, or other code based on SunRPC including
dietlibc, allows remote attackers to execute arbitrary code by passing
a large number of arguments to xdr_array through RPC services such as
rpc.cmsd and dmispd.


Modifications:
  ADDREF REDHAT:RHSA-2002:167
  ADDREF XF:sunrpc-xdr-array-bo(9170)
  ADDREF BID:5356
  ADDREF BUGTRAQ:20020803 OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers
  ADDREF CONECTIVA:CLA-2002:515
  ADDREF HP:HPSBTL0208-061
  ADDREF BUGTRAQ:20020802 kerberos rpc xdr_array
  ADDREF BUGTRAQ:20020909 GLSA: glibc
  ADDREF SUSE:SuSE-SA:2002:031
  ADDREF MS:MS02-057
  ADDREF HP:HPSBUX0209-215
  ADDREF MANDRAKE:MDKSA-2002:057
  ADDREF ENGARDE:ESA-20021003-021
  ADDREF CALDERA:CSSA-2002-055.0
  ADDREF AIXAPAR:IY34194
  ADDREF CONECTIVA:CLA-2002:535

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0391 ACCEPT (4 accept, 13 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   MODIFY(1) Cox
   NOOP(2) Christey, Foat

Voter Comments:
 Cox> ADDREF: RHSA-2002:167
 Christey> XF:sunrpc-xdr-array-bo(9170)
   URL:http://www.iss.net/security_center/static/9170.php
   BID:5356
   URL:http://www.securityfocus.com/bid/5356
   BUGTRAQ:20020803 OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0514.html
   CONECTIVA:CLA-2002:515
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000515
   HP:HPSBTL0208-061
   URL:http://online.securityfocus.com/advisories/4402
   BUGTRAQ:20020802 kerberos rpc xdr_array
   URL:http://online.securityfocus.com/archive/1/285740
 Christey> BUGTRAQ:20020909 GLSA: glibc
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103158632831416&w=2
 Christey> SUSE:SuSE-SA:2002:031
 Christey> MS:MS02-057
 Christey> HP:HPSBUX0209-215
   URL:http://archives.neohapsis.com/archives/hp/2002-q3/0077.html
   MANDRAKE:MDKSA-2002:057
   ENGARDE:ESA-20021003-021
 Christey> CALDERA:CSSA-2002-055.0
 Christey> AIXAPAR:IY34194
   URL:http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
   CONECTIVA:CLA-2002:535
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000535


======================================================
Candidate: CAN-2002-0392
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020726
Assigned: 20020530
Category: SF
Reference: CONFIRM:http://httpd.apache.org/info/security_bulletin_20020617.txt
Reference: VULNWATCH:20020617 [VulnWatch] Apache httpd: vulnerability with chunked encoding
Reference: ISS:20020617 Remote Compromise Vulnerability in Apache HTTP Server
Reference: BUGTRAQ:20020617 Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server
Reference: BUGTRAQ:20020617 Re: Remote Compromise Vulnerability in Apache HTTP Server
Reference: BUGTRAQ:20020618 Fixed version of Apache 1.3 available
Reference: BUGTRAQ:20020619 Implications of Apache vuln for Oracle
Reference: BUGTRAQ:20020619 Remote Apache 1.3.x Exploit
Reference: BUGTRAQ:20020620 Apache Exploit
Reference: BUGTRAQ:20020620 TSLSA-2002-0056 - apache
Reference: BUGTRAQ:20020621 [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Reference: URL:http://online.securityfocus.com/archive/1/278149
Reference: BUGTRAQ:20020622 Ending a few arguments with one simple attachment.
Reference: BUGTRAQ:20020622 blowchunks - protecting existing apache servers until upgrades arrive
Reference: CERT:CA-2002-17
Reference: URL:http://www.cert.org/advisories/CA-2002-17.html
Reference: SGI:20020605-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A
Reference: SGI:20020605-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I
Reference: REDHAT:RHSA-2002:103
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-103.html
Reference: MANDRAKE:MDKSA-2002:039
Reference: CALDERA:CSSA-2002-029.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt
Reference: CALDERA:CSSA-2002-SCO.31
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31
Reference: CALDERA:CSSA-2002-SCO.32
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32
Reference: COMPAQ:SSRT2253
Reference: CONECTIVA:CLSA-2002:498
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000498
Reference: DEBIAN:DSA-131
Reference: URL:http://www.debian.org/security/2002/dsa-131
Reference: DEBIAN:DSA-132
Reference: URL:http://www.debian.org/security/2002/dsa-132
Reference: DEBIAN:DSA-133
Reference: URL:http://www.debian.org/security/2002/dsa-133
Reference: ENGARDE:ESA-20020619-014
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2137.html
Reference: REDHAT:RHSA-2002:118
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-118.html
Reference: REDHAT:RHSA-2002:117
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-117.html
Reference: BUGTRAQ:20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0235.html
Reference: BUGTRAQ:20020621 [slackware-security] new apache/mod_ssl packages available
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0266.html
Reference: SUSE:SuSE-SA:2002:022
Reference: URL:http://www.suse.com/de/security/2002_22_apache.html
Reference: CERT-VN:VU#944335
Reference: URL:http://www.kb.cert.org/vuls/id/944335
Reference: HP:HPSBTL0206-049
Reference: URL:http://online.securityfocus.com/advisories/4240
Reference: HP:HPSBUX0207-197
Reference: URL:http://online.securityfocus.com/advisories/4257
Reference: BID:5033
Reference: URL:http://online.securityfocus.com/bid/5033
Reference: XF:apache-chunked-encoding-bo(9249)
Reference: URL:http://www.iss.net/security_center/static/9249.php

Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a chunk-encoded HTTP request that causes Apache to use an
incorrect size.


Modifications:
  ADDREF CALDERA:CSSA-2002-029.0
  ADDREF CALDERA:CSSA-2002-SCO.31
  ADDREF CALDERA:CSSA-2002-SCO.32
  ADDREF COMPAQ:SSRT2253
  ADDREF CONECTIVA:CLSA-2002:498
  ADDREF DEBIAN:DSA-131
  ADDREF DEBIAN:DSA-132
  ADDREF DEBIAN:DSA-133
  ADDREF ENGARDE:ESA-20020619-014
  ADDREF REDHAT:RHSA-2002:118
  ADDREF REDHAT:RHSA-2002:117
  ADDREF BUGTRAQ:20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
  ADDREF BUGTRAQ:20020621 [slackware-security] new apache/mod_ssl packages available
  ADDREF SUSE:SuSE-SA:2002:022
  ADDREF CERT-VN:VU#944335
  ADDREF HP:HPSBTL0206-049
  ADDREF HP:HPSBUX0207-197
  ADDREF BID:5033
  ADDREF XF:apache-chunked-encoding-bo(9249)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0392 ACCEPT (5 accept, 11 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Foat, Cole
   NOOP(1) Christey

Voter Comments:
 Christey> CALDERA:CSSA-2002-029.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt
   CALDERA:CSSA-2002-SCO.31
   URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31
   CALDERA:CSSA-2002-SCO.32
   URL:ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32
   COMPAQ:SSRT2253
   CONECTIVA:CLSA-2002:498
   URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000498
   DEBIAN:DSA-131
   URL:http://www.debian.org/security/2002/dsa-131
   DEBIAN:DSA-132
   URL:http://www.debian.org/security/2002/dsa-132
   DEBIAN:DSA-133
   URL:http://www.debian.org/security/2002/dsa-133
   ENGARDE:ESA-20020619-014
   URL:http://www.linuxsecurity.com/advisories/other_advisory-2137.html
   REDHAT:RHSA-2002:118
   URL:http://rhn.redhat.com/errata/RHSA-2002-118.html
   REDHAT:RHSA-2002:117
   URL:http://rhn.redhat.com/errata/RHSA-2002-117.html
   BUGTRAQ:20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0235.html
   BUGTRAQ:20020621 [slackware-security] new apache/mod_ssl packages available
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0266.html
   SUSE:SuSE-SA:2002:022
   URL:http://www.suse.com/de/security/2002_22_apache.html
   CERT-VN:VU#944335
   URL:http://www.kb.cert.org/vuls/id/944335
   BID:5033
   URL:http://online.securityfocus.com/bid/5033
   XF:apache-chunked-encoding-bo(9249)
   URL:http://www.iss.net/security_center/static/9249.php
   HP:HPSBTL0206-049
   URL:http://online.securityfocus.com/advisories/4240
   HP:HPSBUX0207-197
   URL:http://online.securityfocus.com/advisories/4257


======================================================
Candidate: CAN-2002-0394
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0394
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020611
Assigned: 20020530
Category: SF
Reference: ATSTAKE:A060502-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a060502-1.txt
Reference: XF:redm-1050ap-insecure-passwords(9263)
Reference: URL:http://www.iss.net/security_center/static/9263.php

Red-M 1050 (Bluetooth Access Point) uses case insensitive passwords,
which makes it easier for attackers to conduct a brute force guessing
attack due to the smaller space of possible passwords.


Modifications:
  ADDREF XF:redm-1050ap-insecure-passwords(9263)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-0394 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Foat
   MODIFY(1) Frech
   NOOP(4) Cox, Wall, Cole, Armstrong

Voter Comments:
 Frech> XF:redm-1050ap-insecure-passwords(9263)
 Baker> The vendor response does not dispute any of the issues, stating the remaining issues will be resolved in a future firmware update.  Sounds like confirmation to me.


======================================================
Candidate: CAN-2002-0401
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0401
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: BUGTRAQ:20020529 Potential security issues in Ethereal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102268626526119&w=2
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00004.html
Reference: DEBIAN:DSA-130
Reference: URL:http://www.debian.org/security/2002/dsa-130
Reference: REDHAT:RHSA-2002:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-088.html
Reference: CONECTIVA:CLSA-2002:505
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Reference: CALDERA:CSSA-2002-037.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
Reference: BID:4806
Reference: URL:http://online.securityfocus.com/bid/4806
Reference: XF:ethereal-smb-dissector-dos(9204)
Reference: URL:http://www.iss.net/security_center/static/9204.php

SMB dissector in Ethereal 0.9.3 and earlier allows remote attackers to
cause a denial of service (crash) or execute arbitrary code via
malformed packets that cause Ethereal to dereference a NULL pointer.


Modifications:
  ADDREF REDHAT:RHSA-2002:088
  ADDREF XF:ethereal-smb-dissector-dos(9204)
  ADDREF CONECTIVA:CLSA-2002:505
  ADDREF CALDERA:CSSA-2002-037.0

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0401 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   MODIFY(2) Frech, Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Cox> ADDREF: RHSA-2002:088
 Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for
   noticing this)
 Christey> XF:ethereal-smb-dissector-dos(9204)
   URL:http://www.iss.net/security_center/static/9204.php
   CONECTIVA:CLSA-2002:505
   URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
 Frech> XF:ethereal-smb-dissector-dos(9204)
 Christey> CALDERA:CSSA-2002-037.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt


======================================================
Candidate: CAN-2002-0402
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0402
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00004.html
Reference: DEBIAN:DSA-130
Reference: URL:http://www.debian.org/security/2002/dsa-130
Reference: BUGTRAQ:20020529 Potential security issues in Ethereal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102268626526119&w=2
Reference: REDHAT:RHSA-2002:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-088.html
Reference: CONECTIVA:CLSA-2002:505
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Reference: CALDERA:CSSA-2002-037.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
Reference: XF:ethereal-x11-dissector-bo(9203)
Reference: URL:http://www.iss.net/security_center/static/9203.php
Reference: BID:4805
Reference: URL:http://online.securityfocus.com/bid/4805

Buffer overflow in X11 dissector in Ethereal 0.9.3 and earlier allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code while Ethereal is parsing keysyms.


Modifications:
  ADDREF REDHAT:RHSA-2002:088
  ADDREF CONECTIVA:CLSA-2002:505
  ADDREF XF:ethereal-x11-dissector-bo(9203)
  ADDREF CALDERA:CSSA-2002-037.0

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0402 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   MODIFY(2) Frech, Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Cox> ADDREF: RHSA-2002:088
 Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for
   noticing this)
 Christey> XF:ethereal-x11-dissector-bo(9203)
   URL:http://www.iss.net/security_center/static/9203.php
   CONECTIVA:CLSA-2002:505
   URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
 Frech> XF:ethereal-x11-dissector-bo(9203)
 Christey> CALDERA:CSSA-2002-037.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt


======================================================
Candidate: CAN-2002-0403
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0403
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00004.html
Reference: DEBIAN:DSA-130
Reference: URL:http://www.debian.org/security/2002/dsa-130
Reference: BUGTRAQ:20020529 Potential security issues in Ethereal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102268626526119&w=2
Reference: REDHAT:RHSA-2002:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-088.html
Reference: CONECTIVA:CLSA-2002:505
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Reference: CALDERA:CSSA-2002-037.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
Reference: BID:4807
Reference: URL:http://online.securityfocus.com/bid/4807
Reference: XF:ethereal-dns-dissector-dos(9205)
Reference: URL:http://www.iss.net/security_center/static/9205.php

DNS dissector in Ethereal before 0.9.3 allows remote attackers to
cause a denial of service (CPU consumption) via a malformed packet
that causes Ethereal to enter an infinite loop.


Modifications:
  ADDREF REDHAT:RHSA-2002:088
  ADDREF CONECTIVA:CLSA-2002:505
  ADDREF XF:ethereal-dns-dissector-dos(9205)
  ADDREF CALDERA:CSSA-2002-037.0

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0403 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   MODIFY(2) Frech, Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Cox> ADDREF: RHSA-2002:088
 Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for
   noticing this)
 Christey> XF:ethereal-dns-dissector-dos(9205)
   URL:http://www.iss.net/security_center/static/9205.php
   CONECTIVA:CLSA-2002:505
   URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
 Frech> XF:ethereal-dns-dissector-dos(9205)
 Christey> CALDERA:CSSA-2002-037.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt


======================================================
Candidate: CAN-2002-0404
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0404
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00004.html
Reference: DEBIAN:DSA-130
Reference: URL:http://www.debian.org/security/2002/dsa-130
Reference: BUGTRAQ:20020529 Potential security issues in Ethereal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102268626526119&w=2
Reference: REDHAT:RHSA-2002:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-088.html
Reference: CONECTIVA:CLSA-2002:505
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000505
Reference: CALDERA:CSSA-2002-037.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt
Reference: BID:4808
Reference: URL:http://online.securityfocus.com/bid/4808
Reference: XF:ethereal-giop-dissector-dos(9206)
Reference: URL:http://www.iss.net/security_center/static/9206.php

Vulnerability in GIOP dissector in Ethereal before 0.9.3 allows remote
attackers to cause a denial of service (memory consumption).


Modifications:
  ADDREF REDHAT:RHSA-2002:088
  ADDREF CONECTIVA:CLSA-2002:505
  ADDREF XF:ethereal-giop-dissector-dos(9206)
  ADDREF CALDERA:CSSA-2002-037.0

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0404 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   MODIFY(2) Frech, Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Cox> ADDREF: RHSA-2002:088
 Christey> Fix version: 0.9.3 is also affected (thanks to Mark Cox for
   noticing this)
 Christey> XF:ethereal-giop-dissector-dos(9206)
   URL:http://www.iss.net/security_center/static/9206.php
 Frech> XF:ethereal-giop-dissector-dos(9206)
 Christey> CALDERA:CSSA-2002-037.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-037.0.txt


======================================================
Candidate: CAN-2002-0406
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0406
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020302 Denial of Service in Sphereserver
Reference: URL:http://online.securityfocus.com/archive/1/259334
Reference: XF:sphereserver-connections-dos(8338)
Reference: URL:http://www.iss.net/security_center/static/8338.php
Reference: BID:4258
Reference: URL:http://www.securityfocus.com/bid/4258

Menasoft SPHERE server 0.99x and 0.5x allows remote attackers to cause
a denial of service by establishing a large number of connections to
the server without providing login credentials, which prevents other
users from being able to log in.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-0406 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Alderson
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0412
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0412
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 [H20020304]: Remotely exploitable format string vulnerability in ntop
Reference: URL:http://online.securityfocus.com/archive/1/259642
Reference: BUGTRAQ:20020411 ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101854261030453&w=2
Reference: BUGTRAQ:20020411 re: gobbles ntop alert
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101856541322245&w=2
Reference: BUGTRAQ:20020417 segfault in ntop
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101908224609740&w=2
Reference: VULNWATCH:20020304 [VulnWatch] [H20020304]: Remotely exploitable format string vulnerability in ntop
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0056.html
Reference: CONFIRM:http://snapshot.ntop.org/
Reference: MISC:http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html
Reference: XF:ntop-traceevent-format-string(8347)
Reference: URL:http://www.iss.net/security_center/static/8347.php
Reference: BID:4225
Reference: URL:http://www.securityfocus.com/bid/4225

Format string vulnerability in TraceEvent function for ntop before 2.1
allows remote attackers to execute arbitrary code by causing format
strings to be injected into calls to the syslog function, via (1) an
HTTP GET request, (2) a user name in HTTP authentication, or (3) a
password in HTTP authentication.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: On the front page, the vendor has an item dated March
5, 2002, which states "A security exposure (remote code execution) in
ntop was reported to bugtraq (bugtraq@securityfocus.com) by
'hologram'" - the original discloser to Bugtraq.

INFERRED ACTION: CAN-2002-0412 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Frech, Wall, Cole, Alderson
   MODIFY(1) Cox
   NOOP(1) Foat

Voter Comments:
 Cox> I believe this only apples to ntop version 2 not version 1


======================================================
Candidate: CAN-2002-0414
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0414
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020304 BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
Reference: URL:http://www.securityfocus.com/archive/1/259598
Reference: CONFIRM:http://orange.kame.net/dev/cvsweb.cgi/kame/CHANGELOG
Reference: BID:4224
Reference: URL:http://www.securityfocus.com/bid/4224
Reference: XF:kame-forged-packet-forwarding(8416)
Reference: URL:http://www.iss.net/security_center/static/8416.php
Reference: VULNWATCH:20020304 [VulnWatch] BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0057.html

KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5,
and other operating systems, does not properly consult the Security
Policy Database (SPD), which could cause a Security Gateway (SG) that
does not use Encapsulating Security Payload (ESP) to forward forged
IPv4 packets.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In a changelog item dated "Mon Feb 25 2:00:06 2002,"
the vendor says "enforce ipsec policy checking on forwarding case" and
credits the Bugtraq poster.

INFERRED ACTION: CAN-2002-0414 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Alderson
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0423
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0423
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 efingerd remote buffer overflow and a dangerous feature
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html
Reference: CONFIRM:http://melkor.dnp.fmph.uniba.sk/~garabik/efingerd/efingerd_1.5.tar.gz
Reference: BID:4239
Reference: URL:http://www.securityfocus.com/bid/4239
Reference: XF:efingerd-reverse-lookup-bo(8380)
Reference: URL:http://www.iss.net/security_center/static/8380.php

Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61,
allows remote attackers to cause a denial of service and possibly
execute arbitrary code via a finger request from an IP address with a
long hostname that is obtained via a reverse DNS lookup.

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: an examination of the source code for 1.6.2 has a
child.c file, dated several weeks after initial disclosure, whose only
change was to terminate the string that is copied. But the source code
shows a strncpy call, as opposed to a strcpy as claimed by the
discloser. Looking back at the source code for older versions, it
appears that the first attempt to fix the overflow was made in version
1.5, where the strcpy was replaced by strncpy. However, since the
string was not null terminated until 1.6.2, the discloser may have
believed that the overflow still existed since they were probably
still able to at least trigger a crash. It is unclear whether the
unterminated string in versions 1.5 through 1.6.2 is actually
exploitable.

INFERRED ACTION: CAN-2002-0423 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Alderson
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0424
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0424
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 efingerd remote buffer overflow and a dangerous feature
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html
Reference: CONFIRM:http://melkor.dnp.fmph.uniba.sk/~garabik/efingerd/efingerd_1.6.2.tar.gz
Reference: BID:4240
Reference: URL:http://www.securityfocus.com/bid/4240
Reference: XF:efingerd-file-execution(8381)
Reference: URL:http://www.iss.net/security_center/static/8381.php

efingerd 1.61 and earlier, when configured without the -u option,
executes .efingerd files as the efingerd user (typically "nobody"),
which allows local users to gain privileges as the efingerd user by
modifying their own .efingerd file and running finger.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor acknowledges but does not fix the problem
in 1.6.2. The README file for efingerd 1.6.2 includes a new "Security
Notes" section that states: "unless run with option -u, efingerd
executes ... [the .efingerd file] under the same UID as the efingerd
daemon... This means that users could gain access to this UID very
easily." For the purposes of CVE, vendor acknowledgement is all that
is necessary.

INFERRED ACTION: CAN-2002-0424 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Alderson
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0425
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0425
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 mIRC DCC Server Security Flaw
Reference: URL:http://online.securityfocus.com/archive/1/260244
Reference: XF:mirc-dcc-reveal-info(8393)
Reference: URL:http://www.iss.net/security_center/static/8393.php
Reference: BID:4247
Reference: URL:http://www.securityfocus.com/bid/4247

mIRC DCC server protocol allows remote attackers to gain sensitive
information such as alternate IRC nicknames via a "100 testing"
message in a DCC connection request that cannot be ignored or canceled
by the user, which may leak the alternate nickname in a response
message.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-0425 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Alderson
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0429
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0429
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020308 linux <=2.4.18 x86 traps.c problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101561298818888&w=2
Reference: CONFIRM:http://www.openwall.com/linux/
Reference: REDHAT:RHSA-2002:158
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-158.html
Reference: BID:4259
Reference: URL:http://online.securityfocus.com/bid/4259
Reference: XF:linux-ibcs-lcall-process(8420)
Reference: URL:http://www.iss.net/security_center/static/8420.php

The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18
and earlier on x86 systems allow local users to kill arbitrary
processes via a a binary compatibility interface (lcall).


Modifications:
  ADDREF REDHAT:RHSA-2002:158
  ADDREF XF:linux-ibcs-lcall-process(8420)

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the Openwall home page has an item dated March 3,
2002, which states "Linux 2.2.20-ow2 fixes an x86-specific
vulnerability in the Linux kernel discovered by Stephan Springl where
local users could abuse a binary compatibility interface (lcall) to
kill processes not belonging to them ."

INFERRED ACTION: CAN-2002-0429 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Cole, Alderson
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:linux-ibcs-lcall-process(8420)
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Cox> Addref: RHSA-2002:158


======================================================
Candidate: CAN-2002-0431
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0431
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020309 xtux server DoS.
Reference: URL:http://online.securityfocus.com/archive/1/260912
Reference: MISC:https://sourceforge.net/tracker/index.php?func=detail&aid=529046&group_id=206&atid=100206
Reference: BID:4260
Reference: URL:http://www.securityfocus.com/bid/4260
Reference: XF:xtux-server-dos(8422)
Reference: URL:http://www.iss.net/security_center/static/8422.php

XTux allows remote attackers to cause a denial of service (CPU
consumption) via random inputs in the initial connection.

Analysis
--------
Vendor Acknowledgement:

ACKNOWLEDGEMENT: as of this writing (20020514), a bug report was filed
on 20020319, but the vendor had not responded.

INFERRED ACTION: CAN-2002-0431 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cole, Alderson
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0435
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0435
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020310 GNU fileutils - recursive directory removal race condition
Reference: URL:http://www.securityfocus.com/archive/1/260936
Reference: CONFIRM:http://mail.gnu.org/archive/html/bug-fileutils/2002-03/msg00028.html
Reference: CALDERA:CSSA-2002-018.1
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-018.1.txt
Reference: XF:gnu-fileutils-race-condition(8432)
Reference: URL:http://www.iss.net/security_center/static/8432.php
Reference: BID:4266
Reference: URL:http://www.securityfocus.com/bid/4266
Reference: MANDRAKE:MDKSA-2002:031
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-031.php

Race condition in the recursive (1) directory deletion and (2)
directory move in GNU File Utilities (fileutils) 4.1 and earlier
allows local users to delete directories as the user running fileutils
by moving a low-level directory to a higher level as it is being
deleted, which causes fileutils to chdir to a ".." directory that is
higher than expected, possibly up to the root file system.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:032
  CHANGEREF CONFIRM [URL changed]
  CHANGEREF MANDRAKE [wrong number]

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0435 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Green, Baker, Cox, Foat, Cole
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:032
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Cox> CONFIRM:http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html
   is a dead link, I traced the message to the new live link here
   http://mail.gnu.org/archive/html/bug-fileutils/2002-03/msg00028.html
 Christey> Mandrake reference should be MANDRAKE:MDKSA-2002:031 (032
   is for tcpdump)


======================================================
Candidate: CAN-2002-0437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0437
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 SMStools vulnerabilities in release before 1.4.8
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0103.html
Reference: CONFIRM:http://www.isis.de/members/~s.frings/smstools/history.html
Reference: BID:4268
Reference: URL:http://www.securityfocus.com/bid/4268
Reference: XF:sms-tools-format-string(8433)
Reference: URL:http://www.iss.net/security_center/static/8433.php

Smsd in SMS Server Tools (SMStools) before 1.4.8 allows remote
attackers to execute arbitrary commands via shell metacharacters
(backquotes) in message text, as described with the term "string
format vulnerability" by some sources.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACCURACY: The original discloser (probably a non-native English
speaker) says the problem is due to "string format vulnerabilities,"
which makes it sound like format string vulnerabilities; but the
impact is described as "arbitrary command injection," and the vendor's
change log says "disable execution of programs by using backquotes in
the message text," which makes it sound like a shell metacharacter
problem. In addition, a source code review of 1.4.9 indicates that the
problem is with shell metacharacters. getSMSdata() in smsd.c removes
the quote from a text field, which is then provided to sendsms(),
which is then fed into my_system(), which then calls system().  A
followup email to the discloser confirms that the discloser was
dealing with a metacharacter issue.
ACKNOWLEDGEMENT: In a "thanks" page, the vendor credits the
researcher, and in the change log, described security issues that
match the dates and affected versions from the initial disclosure.

INFERRED ACTION: CAN-2002-0437 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0441
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0441
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020311 Directory traversal vulnerability in phpimglist
Reference: URL:http://www.securityfocus.com/archive/1/261221
Reference: CONFIRM:http://www.liquidpulse.net/get.lp?id=17
Reference: XF:phpimglist-dot-directory-traversal(8441)
Reference: URL:http://www.iss.net/security_center/static/8441.php
Reference: BID:4276
Reference: URL:http://www.securityfocus.com/bid/4276

Directory traversal vulnerability in imlist.php for Php Imglist allows
remote attackers to read arbitrary code via a .. (dot dot) in the cwd
parameter.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The CHANGELOG for version 1.2.2 identifies a bug fix
that "stops people from browsing outside of your specified directory."

INFERRED ACTION: CAN-2002-0441 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0442
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0442
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category:
Reference: CALDERA:CSSA-2002-SCO.8
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.8/CSSA-2002-SCO.8.txt
Reference: XF:openserver-dlvraudit-bo(8442)
Reference: URL:http://www.iss.net/security_center/static/8442.php
Reference: BID:4273
Reference: URL:http://www.securityfocus.com/bid/4273

Buffer overflow in dlvr_audit for Caldera OpenServer 5.0.5 and 5.0.6
allows local users to gain root privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0442 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0451
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0451
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020313 Command execution in phprojekt.
Reference: URL:http://www.securityfocus.com/archive/1/261676
Reference: CONFIRM:http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=19&mode=&order=
Reference: BID:4284
Reference: URL:http://www.securityfocus.com/bid/4284
Reference: XF:phpprojekt-filemanager-include-files(8448)
Reference: URL:http://www.iss.net/security_center/static/8448.php

filemanager_forms.php in PHProjekt 3.1 and 3.1a allows remote
attackers to execute arbitrary PHP code by specifying the URL to the
code in the lib_path parameter.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0451 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0454
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0454
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020315 Bug in QPopper (All Versions?)
Reference: URL:http://www.securityfocus.com/archive/1/262213
Reference: CONFIRM:ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper4.0.4.tar.gz
Reference: XF:qpopper-qpopper-dos(8458)
Reference: URL:http://www.iss.net/security_center/static/8458.php
Reference: BID:4295
Reference: URL:http://www.securityfocus.com/bid/4295
Reference: CALDERA:CSSA-2002-SCO.20
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20

Qpopper (aka in.qpopper or popper) 4.0.3 and earlier allows remote
attackers to cause a denial of service (CPU consumption) via a very
large string, which causes an infinite loop.


Modifications:
  ADDREF CALDERA:CSSA-2002-SCO.20

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: the change log for version 4.0.4 says "Fixed DOS
attack seen on some systems," but the description itself is too vague
to be certain that the vendor has fixed *this* issue. However, a diff
of popper/popper.c in versions 4.0.4 and 4.0.3 reveals a new comment:
"getline() now clears out storage buffer when giving up after
discarding bytes. Fixes looping DOS attack seen on some systems." That
would be consistent with the behavior that was originally reported.

INFERRED ACTION: CAN-2002-0454 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Wall, Cole
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-SCO.20


======================================================
Candidate: CAN-2002-0462
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0462
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 [ARL02-A11] Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/262735
Reference: CONFIRM:http://www.gezzed.net/bigsam/bigsam.1_1_12.php.txt
Reference: XF:bigsam-displaybegin-dos(8478)
Reference: URL:http://www.iss.net/security_center/static/8478.php
Reference: XF:bigsam-safemode-path-disclosure(8479)
Reference: URL:http://www.iss.net/security_center/static/8479.php
Reference: BID:4312
Reference: URL:http://www.securityfocus.com/bid/4312

bigsam_guestbook.php for Big Sam (Built-In Guestbook Stand-Alone
Module) 1.1.08 and earlier allows remote attackers to cause a denial
of service (CPU consumption) or obtain the absolute path of the web
server via a displayBegin parameter with a very large number, which
leaks the web path in an error message when PHP safe_mode is enabled,
or consumes resources when safe_mode is not enabled.


Modifications:
  DESC rephrase to clarify

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: in the source code for the program, the vendor has a
comment that states "Checks if $displayBegin is not too large," and
credits the discloser.

INFERRED ACTION: CAN-2002-0462 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Foat, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0463
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0463
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020319 Re: [ARL02-A07] ARSC Really Simple Chat System Information Path    Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262802
Reference: BUGTRAQ:20020316 [ARL02-A07] ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/262652
Reference: BID:4307
Reference: URL:http://www.securityfocus.com/bid/4307
Reference: XF:arsc-language-path-disclosure(8472)
Reference: URL:http://www.iss.net/security_center/static/8472.php

home.php in ARSC (Really Simple Chat) 1.0.1 and earlier allows remote
attackers to determine the full pathname of the web server via an
invalid language in the arsc_language parameter, which leaks the
pathname in an error message.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0463 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0464
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0464
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020318 Hosting Directory Traversal madness...
Reference: URL:http://www.securityfocus.com/archive/1/262734
Reference: CONFIRM:http://www.hostingcontroller.com/english/patches/ForAll/download/dot-slash.zip
Reference: BID:4311
Reference: URL:http://www.securityfocus.com/bid/4311

Directory traversal vulnerability in Hosting Controller 1.4.1 and
earlier allows remote attackers to read and modify arbitrary files and
directories via a .. (dot dot) in arguments to (1) file_editor.asp,
(2) folderactions.asp, or (3) editoractions.asp.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the readme.txt file in a patch labeled "Infamous
Dot-Slash Bug Fix," dated March 22, 2002, states: "Folder Manager was
vulnerable to infamous ../ bug, if an alternate path was sent using
the query string variables, the altered path could be deleted or
renamed."
ABSTRACTION: Although another directory traversal vulnerability was
discovered shortly before this one (January 2002), CD:SF-LOC suggests
keeping separate CVE items for them because separate patches were
produced.

INFERRED ACTION: CAN-2002-0464 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0473
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0473
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: VULN-DEV:20020318 phpBB2 remote execution command
Reference: URL:http://online.securityfocus.com/archive/82/262600
Reference: BUGTRAQ:20020318 Re: phpBB2 remote execution command (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0221.html
Reference: BUGTRAQ:20020318 phpBB2 remote execution command
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0229.html
Reference: CONFIRM:http://prdownloads.sourceforge.net/phpbb/phpBB-2.0.1.zip
Reference: MISC:http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9483
Reference: BID:4380
Reference: URL:http://www.securityfocus.com/bid/4380
Reference: XF:phpbb-db-command-execution(8476)
Reference: URL:http://www.iss.net/security_center/static/8476.php

db.php in phBB 2.0 (aka phBB2) RC-3 and earlier allows remote
attackers to execute arbitrary code from remote servers via the
phpbb_root_path parameter.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: a followup post to Bugtraq points to a URL that could
contain acknowledgement, but no longer exists. A post from the
developer to a web forum, dated March 23, 2002, is titled "Security
vulnerability in phpBB 2.0" and implies that any "CVS version dated
before March 19th 2002" is vulnerable. The comments in the changelog
in docs/README.html say that version RC4 "Addressed serious security
issue with included files," which would be consistent with the
slightly vague Bugtraq post, which says "some backdoor server [is]
needed to launch the attack," which implies that the problem is in PHP
include files or the rough equivalent. A "diff" between 2.0.1 and
2.0.0 RC3 indicates that the only change to db.php was a check for the
IN_PHPBB variable, which (a) does not exist in RC3, (b) is defined in
all top-level PHP programs in 2.0.1, and (c) dies with the phrase
"Hacking attempt" if IN_PHPBB is not defined.

INFERRED ACTION: CAN-2002-0473 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0484
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0484
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://online.securityfocus.com/archive/1/263259
Reference: BUGTRAQ:20020317 move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://online.securityfocus.com/archive/1/262999
Reference: BUGTRAQ:20020322 Re: move_uploaded_file breaks safe_mode restrictions in PHP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101683938806677&w=2
Reference: CONFIRM:http://bugs.php.net/bug.php?id=16128
Reference: XF:php-moveuploadedfile-create-files(8591)
Reference: URL:http://www.iss.net/security_center/static/8591.php
Reference: BID:4325
Reference: URL:http://www.securityfocus.com/bid/4325

move_uploaded_file in PHP does not does not check for the base
directory (open_basedir), which could allow remote attackers to upload
files to unintended locations on the system.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0484 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Cox, Cole
   NOOP(2) Wall, Foat

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2002-0488
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0488
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020321 PHP script: Penguin Traceroute, Remote Command Execution
Reference: URL:http://www.securityfocus.com/archive/1/263285
Reference: CONFIRM:http://www.linux-directory.com/scripts/traceroute.pl
Reference: XF:penguin-traceroute-command-execution(8600)
Reference: URL:http://www.iss.net/security_center/static/8600.php
Reference: BID:4332
Reference: URL:http://www.securityfocus.com/bid/4332

Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote
attackers to execute arbitrary code via shell metacharacters in the
host parameter.

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: in the source code, the vendor cleanses the host
parameter, adding a comment dated 20020321 that says the line was
added.

INFERRED ACTION: CAN-2002-0488 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Green, Baker, Wall, Foat, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0490
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020323 Instant Web Mail additional POP3 commands and mail headers
Reference: URL:http://www.securityfocus.com/archive/1/264041
Reference: CONFIRM:http://instantwebmail.sourceforge.net/#changeLog
Reference: XF:instant-webmail-pop-commands(8650)
Reference: URL:http://www.iss.net/security_center/static/8650.php
Reference: BID:4361
Reference: URL:http://www.securityfocus.com/bid/4361

Instant Web Mail before 0.60 does not properly filter CR/LF sequences,
which allows remote attackers to (1) execute arbitrary POP commands
via the id parameter in message.php, or (2) modify certain mail
message headers via numerous parameters in write.php.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the change log for version 0.60, dated March 17,
2002, says "For security reasons it is no longer possible to write
extra headers besides the normal ones when composing messages."

INFERRED ACTION: CAN-2002-0490 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0493
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0493
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020325 re: Tomcat Security Exposure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101709002410365&w=2
Reference: MISC:http://www.apachelabs.org/tomcat-dev/200108.mbox/%3C20010810000819.6350.qmail@icarus.apache.org%3E
Reference: XF:tomcat-xml-bypass-restrictions(9863)
Reference: URL:http://www.iss.net/security_center/static/9863.php

Apache Tomcat may be started without proper security settings if
errors are encountered while reading the web.xml file, which could
allow attackers to bypass intended restrictions.


Modifications:
  ADDREF XF:tomcat-xml-bypass-restrictions(9863)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-0493 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:tomcat-xml-bypass-restrictions(9863)


======================================================
Candidate: CAN-2002-0494
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0494
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020325 WebSight Directory System: cross-site-scripting bug
Reference: URL:http://www.securityfocus.com/archive/1/263914
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=163389
Reference: BID:4357
Reference: URL:http://www.securityfocus.com/bid/4357
Reference: XF:websight-directory-system-css(8624)
Reference: URL:http://www.iss.net/security_center/static/8624.php

Cross-site scripting vulnerability in WebSight Directory System 0.1
allows remote attackers to execute arbitrary Javascript and gain
access to the WebSight administrator via a new link submission
containing the script in a website name.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: A news item posted by the vendor titled "Important
security fix!", dated 20020325, says "the problem was that in the
administration area, there was no prevention from javascripts etc to
being executed," and credits the poster.

INFERRED ACTION: CAN-2002-0494 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0495
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0495
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020325 CGIscript.net - csSearch.cgi - Remote Code Execution (up to 17,000 sites vulnerable)
Reference: URL:http://www.securityfocus.com/archive/1/264169
Reference: MISC:http://www.cgiscript.net/cgi-script/csNews/csNews.cgi?database=cgi.db&command=viewone&id=7
Reference: BID:4368
Reference: URL:http://www.securityfocus.com/bid/4368
Reference: XF:cssearch-url-execute-commands(8636)
Reference: URL:http://www.iss.net/security_center/static/8636.php

csSearch.cgi in csSearch 2.3 and earlier allows remote attackers to
execute arbitrary Perl code via the savesetup command and the setup
parameter, which overwrites the setup.cgi configuration file that is
loaded by csSearch.cgi.

Analysis
--------
Vendor Acknowledgement: unknown vague

ACKNOWLEDGEMENT: On the csSearch Pro web page, the vendor states
"Security Alert: We recently discovered vulnerabilities in csSearch
versions 2.3 and below. Please download and install csSearch 2.5 to
correct the problem." This is not enough detail to be certain that the
vendor is addressing this particular vulnerability.

INFERRED ACTION: CAN-2002-0495 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Foat, Cole
   NOOP(3) Cox, Wall, Armstrong

Voter Comments:
 Frech> http://online.securityfocus.com/archive/1/266432


======================================================
Candidate: CAN-2002-0497
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0497
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020306 mtr 0.45, 0.46
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0048.html
Reference: DEBIAN:DSA-124
Reference: URL:http://www.debian.org/security/2002/dsa-124
Reference: BID:4217
Reference: URL:http://www.securityfocus.com/bid/4217
Reference: XF:mtr-options-bo(8367)
Reference: URL:http://www.iss.net/security_center/static/8367.php

Buffer overflow in mtr 0.46 and earlier, when installed setuid root,
allows local users to access a raw socket via a long MTR_OPTIONS
environment variable.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0497 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cox, Cole
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2002-0501
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0501
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020327 Format String Bug in Posadis DNS Server
Reference: URL:http://online.securityfocus.com/archive/1/264450
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=165094
Reference: XF:posadis-logging-format-string(8653)
Reference: URL:http://www.iss.net/security_center/static/8653.php
Reference: BID:4378
Reference: URL:http://www.securityfocus.com/bid/4378

Format string vulnerability in log_print() function of Posadis DNS
server before version m5pre2 allows local users and possibly remote
attackers to execute arbitrary code via format strings that are
inserted into logging messages.


Modifications:
  DESC fix typo

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: a vendor announcement fixes the vulnerability "As
reported on Bugtraq March 27 2002."

INFERRED ACTION: CAN-2002-0501 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Frech, Foat, Cole, Armstrong
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0505
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0505
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CISCO:20020327 LDAP Connection Leak in CTI when User Authentication Fails
Reference: URL:http://www.cisco.com/warp/public/707/callmanager-ctifw-leak-pub.shtml
Reference: XF:cisco-cti-memory-leak(8655)
Reference: URL:http://www.iss.net/security_center/static/8655.php
Reference: BID:4370
Reference: URL:http://www.securityfocus.com/bid/4370

Memory leak in the Call Telephony Integration (CTI) Framework
authentication for Cisco CallManager 3.0 and 3.1 before 3.1(3) allows
remote attackers to cause a denial of service (crash and reload) via a
series of authentication failures, e.g. via incorrect passwords.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0505 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0506
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0506
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020328 A possible buffer overflow in libnewt
Reference: URL:http://online.securityfocus.com/archive/1/264699
Reference: XF:libnewt-bo(8700)
Reference: URL:http://www.iss.net/security_center/static/8700.php
Reference: BID:4393
Reference: URL:http://www.securityfocus.com/bid/4393

Buffer overflow in newt.c of newt windowing library (libnewt) 0.50.33
and earlier may allow attackers to cause a denial of service or
execute arbitrary code in setuid programs that use libnewt.


Modifications:
  DESC emphasize setuid programs only

Analysis
--------
Vendor Acknowledgement: yes cve-vote

INFERRED ACTION: CAN-2002-0506 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Cox, Cole
   NOOP(3) Wall, Foat, Armstrong

Voter Comments:
 Cox> (although only really a problem if you have setuid programs
   that use libnewt)


======================================================
Candidate: CAN-2002-0511
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0511
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CALDERA:CSSA-2002-013.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-013.0.txt
Reference: XF:nscd-dns-ptr-validation(8745)
Reference: URL:http://www.iss.net/security_center/static/8745.php
Reference: BID:4399
Reference: URL:http://www.securityfocus.com/bid/4399

The default configuration of Name Service Cache Daemon (nscd) in
Caldera OpenLinux 3.1 and 3.1.1 uses cached PTR records instead of
consulting the authoritative DNS server for the A record, which could
make it easier for remote attackers to bypass applications that
restrict access based on host names.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0511 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Frech, Foat, Cole, Armstrong
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0512
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0512
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CALDERA:CSSA-2002-005.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-005.0.txt
Reference: BID:4400
Reference: URL:http://www.securityfocus.com/bid/4400
Reference: XF:kde-startkde-search-directory(8737)
Reference: URL:http://www.iss.net/security_center/static/8737.php

startkde in KDE for Caldera OpenLinux 2.3 through 3.1.1 sets the
LD_LIBRARY_PATH environment variable to include the current working
directory, which could allow local users to gain privileges of other
users running startkde via Trojan horse libraries.


Modifications:
  ADDREF XF:kde-startkde-search-directory(8737)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0512 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Frech> XF:kde-startkde-search-directory(8737)
 Christey> There's a long history of overflows via long -xrm arguments.
   Need to make sure there's no overlap with other separate
   vulnerability reports.


======================================================
Candidate: CAN-2002-0513
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0513
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020330 popper_mod 1.2.1 and previous accounts compromise
Reference: URL:http://online.securityfocus.com/archive/1/265438
Reference: CONFIRM:http://www.symatec-computer.com/forums/viewtopic.php?t=14
Reference: XF:symatec-popper-admin-access(8746)
Reference: URL:http://www.iss.net/security_center/static/8746.php
Reference: BID:4412
Reference: URL:http://www.securityfocus.com/bid/4412

The PHP administration script in popper_mod 1.2.1 and earlier relies
on Apache .htaccess authentication, which allows remote attackers to
gain privileges if the script is not appropriately configured by the
administrator.

Analysis
--------
Vendor Acknowledgement: yes

INCLUSION: Whether this dependency on .htaccess is a design problem or
a configuration problem, this issue meets the definition of
vulnerability and should be included in CVE.

INFERRED ACTION: CAN-2002-0513 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0516
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0516
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020327 squirrelmail 1.2.5 email user can execute command
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0350.html
Reference: BUGTRAQ:20020331 Re: squirrelmail 1.2.5 email user can execute command
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0386.html
Reference: BID:4385
Reference: URL:http://www.securityfocus.com/bid/4385
Reference: XF:squirrelmail-theme-command-execution(8671)
Reference: URL:http://www.iss.net/security_center/static/8671.php

SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users
to execute arbitrary commands by modifying the THEME variable in a
cookie.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0516 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0531
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0531
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020403 emumail.cgi
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0066.html
Reference: CONFIRM:http://www.emumail.com/downloads/download_unix.html/
Reference: XF:emumail-cgi-view-files(8766)
Reference: URL:http://www.iss.net/security_center/static/8766.php
Reference: BID:4435
Reference: URL:http://www.securityfocus.com/bid/4435

Directory traversal vulnerability in emumail.cgi in EMU Webmail 4.5.x
and 5.1.0 allows remote attackers to read arbitrary files or list
arbitrary directories via a .. (dot dot) in the type parameter.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the download page for Webmail includes a statement
dated April 11, 2002, which says "This patch corrects a security flaw
in EMU Webmail which may allow remote users to exploit emumail.cgi
under certain conditions to read files on the remote system."

INFERRED ACTION: CAN-2002-0531 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0532
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0532
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020410 Re: emumail.cgi, one more local vulnerability (not verified)
Reference: URL:http://online.securityfocus.com/archive/1/266930
Reference: XF:emumail-http-host-execute(8836)
Reference: URL:http://www.iss.net/security_center/static/8836.php
Reference: BID:4488
Reference: URL:http://www.securityfocus.com/bid/4488

EMU Webmail allows local users to execute arbitrary programs via a ..
(dot dot) in the HTTP Host header that points to a Trojan horse
configuration file that contains a pageroot specifier that contains
shell metacharacters.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: an inquiry was posted to
http://www.emumail.com/support/tech_inquiry.html on June 3, 2002.
WIthin 24 hours, techprod@emumail.com confirmed the vulnerability:
"Yes this has been fixed...there is an update patch for 4.5 and 5.1 on
our website.  Known versions that are affected are 4.5 and 5.x, 4.0
and earlier version may be affected/"

INFERRED ACTION: CAN-2002-0532 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0536
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0536
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020403 SQL injection in PHPGroupware
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0036.html
Reference: BUGTRAQ:20020411 Re: SQL injection in PHPGroupware
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0143.html
Reference: XF:phpgroupware-sql-injection(8755)
Reference: URL:http://www.iss.net/security_center/static/8755.php
Reference: BID:4424
Reference: URL:http://www.securityfocus.com/bid/4424

PHPGroupware 0.9.12 and earlier, when running with the
magic_quotes_gpc feature disabled, allows remote attackers to
compromise the database via a SQL injection attack.

Analysis
--------
Vendor Acknowledgement: yes followup

INCLUSION: a followup from the vendor indicates that the issue is due
to a non-default configuration of magic_quotes_gpc in phpGroupWare's
configuration file. While this could be attributed to an apparent
limitation of PHP itself (since the quotes apparently can't be cleanly
enabled within the PHP programs themselves?), this vendor did not work
around this issue, so the problem should be included in CVE.

INFERRED ACTION: CAN-2002-0536 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(4) Cox, Wall, Foat, Armstrong


======================================================
Candidate: CAN-2002-0538
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0538
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020415 Raptor Firewall FTP Bounce vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0166.html
Reference: BUGTRAQ:20020417 Re: Raptor Firewall FTP Bounce vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0224.html
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.04.17.html
Reference: XF:raptor-firewall-ftp-bounce(8847)
Reference: URL:http://www.iss.net/security_center/static/8847.php
Reference: BID:4522
Reference: URL:h ttp://www.securityfocus.com/bid/4522

FTP proxy in Symantec Raptor Firewall 6.5.3 and Enterprise 7.0
rewrites an FTP server's "FTP PORT" responses in a way that allows
remote attackers to redirect FTP data connections to arbitrary ports,
a variant of the "FTP bounce" vulnerability.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0538 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0539
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0539
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020415 Demarc PureSecure 1.05 may be other (user can bypass login)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0168.html
Reference: BUGTRAQ:20020417 Demarc Security Update Advisory
Reference: URL:http://online.securityfocus.com/archive/1/267941
Reference: XF:puresecure-sql-injection(8854)
Reference: URL:http://www.iss.net/security_center/static/8854.php
Reference: BID:4520
Reference: URL:http://www.securityfocus.com/bid/4520

Demarc PureSecure 1.05 allows remote attackers to gain administrative
privileges via a SQL injection attack in a session ID that is stored
in the s_key cookie.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0539 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0542
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0542
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020411 local root compromise in openbsd 3.0 and below
Reference: URL:http://online.securityfocus.com/archive/1/267089
Reference: BUGTRAQ:20020411 OpenBSD Local Root Compromise
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101855467811695&w=2
Reference: CONFIRM:http://www.openbsd.org/errata30.html#mail
Reference: XF:openbsd-mail-root-privileges(8818)
Reference: URL:http://www.iss.net/security_center/static/8818.php
Reference: BID:4495
Reference: URL:http://www.securityfocus.com/bid/4495

mail in OpenBSD 2.9 and 3.0 processes a tilde (~) escape character in
a message even when it is not in interactive mode, which could allow
local users to gain root privileges via calls to mail in cron.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0542 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0543
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0543
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020409 Abyss Webserver 1.0 Administration password file retrieval exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0110.html
Reference: CONFIRM:http://www.aprelium.com/forum/viewtopic.php?t=24
Reference: BID:4466
Reference: URL:http://www.securityfocus.com/bid/4466
Reference: XF:abyss-unicode-directory-traversal(8805)
Reference: URL:http://www.iss.net/security_center/static/8805.php

Directory traversal vulnerability in Aprelium Abyss Web Server
(abyssws) before 1.0.0.2 allows remote attackers to read files outside
the web root, including the abyss.conf file, via URL-encoded .. (dot
dot) sequences in the HTTP request.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: a posting to a vendor forum titled "Patched release
1.0.0.2" and dated 20020408 says that the patch is "against some form
of dot-dot URLs refering to an aliased directory and that can allow
people to read abyss.conf file."

INFERRED ACTION: CAN-2002-0543 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0545
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0545
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CISCO:20020409 Aironet Telnet Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/Aironet-Telnet.shtml
Reference: BID:4461
Reference: URL:http://www.securityfocus.com/bid/4461
Reference: XF:cisco-aironet-telnet-dos(8788)
Reference: URL:http://www.iss.net/security_center/static/8788.php

Cisco Aironet before 11.21 with Telnet enabled allows remote attackers
to cause a denial of service (reboot) via a series of login attempts
with invalid usernames and passwords.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0545 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0553
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0553
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020413 SunSop: cross-site-scripting bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0154.html
Reference: XF:sunshop-new-cust-css(8840)
Reference: URL:http://www.iss.net/security_center/static/8840.php
Reference: BID:4506
Reference: URL:http://www.securityfocus.com/bid/4506

Cross-site scripting vulnerability in SunShop 2.5 and earlier allows
remote attackers to gain administrative privileges to SunShop by
injecting the script into fields during new customer registration.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: An e-mail inquiry sent to support@turnkeywebtools.com
on June 3, 2002.  A response was sent within an hour, saying "a patch
was released before that vulnerability was released.  If you upgrade
to 2.6 you will have no worries."

INFERRED ACTION: CAN-2002-0553 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0567
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0567
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Remote Compromise in Oracle 9i Database Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301332402079&w=2
Reference: CERT-VN:VU#180147
Reference: URL:http://www.kb.cert.org/vuls/id/180147
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
Reference: BID:4033
Reference: URL:http://www.securityfocus.com/bid/4033
Reference: XF:oracle-plsql-remote-access(8089)
Reference: URL:http://xforce.iss.net/static/8089.php

Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC)
allows remote attackers to bypass authentication and execute arbitrary
functions by using the TNS Listener to directly connect to the EXTPROC
process.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0567 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Frech, Wall, Cole, Alderson
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0569
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0569
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020206 Hackproofing Oracle Application Server paper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2
Reference: CERT-VN:VU#977251
Reference: URL:http://www.kb.cert.org/vuls/id/977251
Reference: CERT:CA-2002-08
Reference: URL:http://www.cert.org/advisories/CA-2002-08.html
Reference: MISC:http://www.nextgenss.com/papers/hpoas.pdf
Reference: BID:4298
Reference: URL:http://www.securityfocus.com/bid/4298
Reference: XF:oracle-appserver-config-file-access(8453)
Reference: URL:http://www.iss.net/security_center/static/8453.php

Oracle 9i Application Server allows remote attackers to bypass access
restrictions for configuration files via a direct request to the XSQL
Servlet (XSQLServlet).


Modifications:
  ADDREF XF:oracle-appserver-config-file-access(8453)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0569 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Alderson
   MODIFY(1) Frech
   NOOP(2) Cox, Foat

Voter Comments:
 Frech> XF:oracle-appserver-config-file-access(8453)


======================================================
Candidate: CAN-2002-0571
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0571
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020416 ansi outer join syntax in Oracle allows access to any data
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0175.html
Reference: CIAC:M-071
Reference: URL:http://www.ciac.org/ciac/bulletins/m-071.shtml
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf
Reference: XF:oracle-ansi-sql-bypass-acl(8855)
Reference: URL:http://www.iss.net/security_center/static/8855.php
Reference: BID:4523
Reference: URL:http://www.securityfocus.com/bid/4523

Oracle Oracle9i database server 9.0.1.x allows local users to access
restricted data via a SQL query using ANSI outer join syntax.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0571 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Wall, Cole
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0573
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0573
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020430 Adivosry + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System
Reference: URL:http://online.securityfocus.com/archive/1/270268
Reference: VULNWATCH:20020430 [VulnWatch] Adivosry + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0049.html
Reference: CERT:CA-2002-10
Reference: URL:http://www.cert.org/advisories/CA-2002-10.html
Reference: CERT-VN:VU#638099
Reference: URL:http://www.kb.cert.org/vuls/id/638099
Reference: XF:solaris-rwall-format-string(8971)
Reference: URL:http://www.iss.net/security_center/static/8971.php
Reference: BID:4639
Reference: URL:http://www.securityfocus.com/bid/4639

Format string vulnerability in RPC wall daemon (rpc.rwalld) for
Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary
code via format strings in a message that is not properly provided to
the syslog function when the wall command cannot be executed.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0573 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Foat, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0574
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0574
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:21
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:21.tcpip.asc
Reference: BID:4539
Reference: URL:http://www.securityfocus.com/bid/4539
Reference: XF:freebsd-icmp-echo-reply-dos(8893)
Reference: URL:http://www.iss.net/security_center/static/8893.php

Memory leak in FreeBSD 4.5 and earlier allows remote attackers to
cause a denial of service (memory exhaustion) via ICMP echo packets
that trigger a bug in ip_output() in which the reference count for a
routing table entry is not decremented, which prevents the entry from
being removed.


Modifications:
  ADDREF XF:freebsd-icmp-echo-reply-dos(8893)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0574 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(3) Cox, Wall, Foat

Voter Comments:
 Frech> XF:freebsd-icmp-echo-reply-dos(8893)


======================================================
Candidate: CAN-2002-0575
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0575
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020426 Revised OpenSSH Security Advisory (adv.token)
Reference: URL:http://online.securityfocus.com/archive/1/269701
Reference: BUGTRAQ:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
Reference: URL:http://online.securityfocus.com/archive/1/268718
Reference: VULN-DEV:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101924296115863&w=2
Reference: BUGTRAQ:20020517 OpenSSH 3.2.2 released (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167972421837&w=2
Reference: BUGTRAQ:20020429 TSLSA-2002-0047 - openssh
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0394.html
Reference: BUGTRAQ:20020420 OpenSSH Security Advisory (adv.token)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0298.html
Reference: CALDERA:CSSA-2002-022.2
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-022.2.txt
Reference: BID:4560
Reference: URL:http://www.securityfocus.com/bid/4560
Reference: XF:openssh-sshd-kerberos-bo(8896)
Reference: URL:http://www.iss.net/security_center/static/8896.php

Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with
Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
enabled, allows remote and local authenticated users to gain
privileges.


Modifications:
  ADDREF BUGTRAQ:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
  ADDREF VULN-DEV:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
  ADDREF BUGTRAQ:20020517 OpenSSH 3.2.2 released (fwd)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0575 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Cox, Cole
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> BUGTRAQ:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
   URL:http://online.securityfocus.com/archive/1/268718
   VULN-DEV:20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
   URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101924296115863&w=2
   BUGTRAQ:20020517 OpenSSH 3.2.2 released (fwd)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167972421837&w=2


======================================================
Candidate: CAN-2002-0576
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0576
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020418 KPMG-2002013: Coldfusion Path Disclosure
Reference: URL:http://online.securityfocus.com/archive/1/268263
Reference: VULNWATCH:20020418 [VulnWatch] KPMG-2002013: Coldfusion Path Disclosure
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0028.html
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=22906
Reference: BID:4542
Reference: URL:http://www.securityfocus.com/bid/4542
Reference: XF:coldfusion-dos-device-path-disclosure(8866)
Reference: URL:http://www.iss.net/security_center/static/8866.php

ColdFusion 5.0 and earlier on Windows systems allows remote attackers
to determine the absolute pathname of .cfm or .dbm files via an HTTP
request that contains an MS-DOS device name such as NUL, which leaks
the pathname in an error message.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0576 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Wall, Cole
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0594
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0594
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020430 RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
Reference: URL:http://online.securityfocus.com/archive/1/270249
Reference: CONECTIVA:CLA-2002:490
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000490
Reference: BID:4640
Reference: URL:http://www.securityfocus.com/bid/4640
Reference: XF:mozilla-css-files-exist(8977)
Reference: URL:http://www.iss.net/security_center/static/8977.php

Netscape 6 and Mozilla 1.0 RC1 and earlier allows remote attackers to
determine the existence of files on the client system via a LINK
element in a Cascading Style Sheet (CSS) page that causes an HTTP
redirect.


Modifications:
  ADDREF XF:mozilla-css-files-exist(8977)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0594 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cox, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:mozilla-css-files-exist(8977)
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2002-0597
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0597
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020417 KPMG-2002011: Windows 2000 microsoft-ds Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/268066
Reference: VULNWATCH:20020417 [VulnWatch] KPMG-2002011: Windows 2000 microsoft-ds Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0025.html
Reference: MSKB:Q320751
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q320751
Reference: XF:win2k-lanman-dos(8867)
Reference: URL:http://www.iss.net/security_center/static/8867.php
Reference: BID:4532
Reference: URL:http://www.securityfocus.com/bid/4532

LANMAN service on Microsoft Windows 2000 allows remote attackers to
cause a denial of service (CPU/memory exhaustion) via a stream of
malformed data to microsoft-ds port 445.


Modifications:
  ADDREF MSKB:Q320751

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: a number of data sources suggest that KB article
Q320751 addresses this issue, and Q320751 specifically credits KPMG
for the discovery.

INFERRED ACTION: CAN-2002-0597 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Foat, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0598
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0598
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020419 KPMG-2002014: Foundstone Fscan Format String Bug
Reference: URL:http://online.securityfocus.com/archive/1/268581
Reference: VULNWATCH:20020419 [VulnWatch] KPMG-2002014: Foundstone Fscan Format String Bug
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0030.html
Reference: CONFIRM:http://www.foundstone.com/knowledge/fscan112_advisory.html
Reference: XF:fscan-banner-format-string(8895)
Reference: URL:http://www.iss.net/security_center/static/8895.php
Reference: BID:4549
Reference: URL:http://www.securityfocus.com/bid/4549

Format string vulnerability in Foundstone FScan 1.12 with banner
grabbing enabled allows remote attackers to execute arbitrary code on
the scanning system via format string specifiers in the server banner.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: in an advisory dated April 24, 2002, Foundstone
states "Using FScan with banner selected via the -b command line
switch could cause a problem if the banner received from the remote
host contained C-style printf format specifiers e.g. percent symbols
that matched string or numeric format specifiers."

INFERRED ACTION: CAN-2002-0598 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Foat, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0599
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0599
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020428 Blahz-DNS: Authentication bypass vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0395.html
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=87004
Reference: BID:4618
Reference: URL:http://www.securityfocus.com/bid/4618
Reference: XF:blahzdns-auth-bypass(8951)
Reference: URL:http://www.iss.net/security_center/static/8951.php

Blahz-DNS 0.2 and earlier allows remote attackers to bypass
authentication and modify configuration by directly requesting CGI
programs such as dostuff.php instead of going through the login
screen.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the fix for 0.25 says "Fixed the ability to bypass
login security by sending commands directly to the backend php files."

INFERRED ACTION: CAN-2002-0599 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Foat, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0601
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0601
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: ISS:20020430 Remote Denial of Service Vulnerability in RealSecure Network Sensor
Reference: URL:http://www.iss.net/security_center/alerts/advise116.php
Reference: BUGTRAQ:20020430 ISS Advisory: Remote Denial of Service Vulnerability in RealSecure Network Sensor
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0420.html
Reference: XF:rs-ns-dhcp-dos(8961)
Reference: URL:http://www.iss.net/security_center/static/8961.php
Reference: BID:4649
Reference: URL:http://www.securityfocus.com/bid/4649

ISS RealSecure Network Sensor 5.x through 6.5 allows remote attackers
to cause a denial of service (crash) via malformed DHCP packets that
cause RealSecure to dereference a null pointer.


Modifications:
  ADDREF XF:rs-ns-dhcp-dos(8961)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0601 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   MODIFY(1) Frech
   NOOP(2) Cox, Foat

Voter Comments:
 Frech> XF:rs-ns-dhcp-dos(8961)


======================================================
Candidate: CAN-2002-0605
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0605
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020503 Macromedia Flash Activex Buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102039374017185&w=2
Reference: VULN-DEV:20020503 Macromedia Flash Activex Buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102038919414726&w=2
Reference: VULNWATCH:20020502 [VulnWatch] Macromedia Flash Activex Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0051.html
Reference: NTBUGTRAQ:20020503 Macromedia Flash Activex Buffer overflow
Reference: CONFIRM:http://www.macromedia.com/support/flash/ts/documents/buf_ovflow_623.htm
Reference: XF:flash-activex-movie-bo(8993)
Reference: URL:http://www.iss.net/security_center/static/8993.php
Reference: BID:4664
Reference: URL:http://online.securityfocus.com/bid/4664

Buffer overflow in Flash OCX for Macromedia Flash 6 revision 23
(6,0,23,0) allows remote attackers to execute arbitrary code via a
long movie parameter.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: in an online advisory dated May 6, 2002, Macromedia
states "Macromedia has verified a vulnerability in the parameter
handling of the Macromedia Flash Player ActiveX control, version
6,0,23,0" and includes a reference to the discloser's original
advisory.

INFERRED ACTION: CAN-2002-0605 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Frech, Wall, Cole, Armstrong
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0613
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0613
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020611
Assigned: 20020611
Category: SF
Reference: BUGTRAQ:20020428 dnstools: authentication bypass vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0390.html
Reference: CONFIRM:http://www.dnstools.com/dnstools_2.0.1.tar.gz
Reference: BID:4617
Reference: URL:http://www.securityfocus.com/bid/4617
Reference: XF:dnstools-auth-bypass(8948)
Reference: URL:http://www.iss.net/security_center/static/8948.php

dnstools.php for DNSTools 2.0 beta 4 and earlier allows remote
attackers to bypass authentication and gain privileges by setting the
user_logged_in or user_dnstools_administrator parameters.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the changelog.txt for Release 2.0 Beta 5 includes an
entry dated 2002-04-27 which states: "Fixed major security hole in URL
spoofing. No longer trusts the variables $is_logged_in or
$user_dnstools_administrator."

INFERRED ACTION: CAN-2002-0613 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Foat, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0616
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0616
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: MS:MS02-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-031.asp
Reference: XF:excel-inline-macro-execution(9397)
Reference: URL:http://www.iss.net/security_center/static/9397.php
Reference: BID:5063
Reference: URL:http://www.securityfocus.com/bid/5063

The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows
allows remote attackers to execute code by attaching an inline macro
to an object within an Excel workbook, aka the "Excel Inline Macros
Vulnerability."


Modifications:
  ADDREF XF:excel-inline-macro-execution(9397)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0616 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0617
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0617
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: MS:MS02-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-031.asp

The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows
allows remote attackers to execute code by creating a hyperlink on a
drawing shape in a source workbook that points to a destination
workbook containing an autoexecute macro, aka "Hyperlinked Excel
Workbook Macro Bypass."

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0617 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0618
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0618
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: NTBUGTRAQ:20020524 Excel XP xml stylesheet problems
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102256054320377&w=2
Reference: MISC:http://www.guninski.com/ex$el2.html
Reference: MS:MS02-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-031.asp
Reference: BID:4821
Reference: URL:http://online.securityfocus.com/bid/4821
Reference: XF:excel-xsl-script-execution(9399)
Reference: URL:http://www.iss.net/security_center/static/9399.php

The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows
allows remote attackers to execute code in the Local Computer zone by
embedding HTML scripts within an Excel workbook that contains an XSL
stylesheet, aka "Excel XSL Stylesheet Script Execution".


Modifications:
  ADDREF XF:excel-xsl-script-execution(9399)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0618 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0619
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0619
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: BUGTRAQ:20020514 dH team & SECURITY.NNOV: A variant of "Word Mail Merge" vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102139136019862&w=2
Reference: MS:MS02-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-031.asp
Reference: XF:word-mail-merge-variant(9077)
Reference: URL:http://www.iss.net/security_center/static/9077.php
Reference: BID:5066
Reference: URL:http://www.securityfocus.com/bid/5066

The Mail Merge Tool in Microsoft Word 2002 for Windows, when Microsoft
Access is present on a system, allows remote attackers to execute
Visual Basic (VBA) scripts within a mail merge document that is saved
in HTML format, aka a "Variant of MS00-071, Word Mail Merge
Vulnerability" (CVE-2000-0788).


Modifications:
  DESC rephrase
  ADDREF XF:word-mail-merge-variant(9077)
  ADDREF BID:5066

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0619 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   MODIFY(1) Foat
   NOOP(2) Christey, Cox

Voter Comments:
 Foat> The candidate is technically correct, but the wording is not
   grammatically correct. Suggest the following: An attacker's macro code can be
   run automatically if the user has Microsoft Access present on the system and
   choses to open a mail merge document that had been saved in HTML format, aka a
   "Variant of MS00-071, Word Mail Merge Vulnerabilty" (CVE-2000-0788).
 Christey> desc: missing "*WHEN* access is present..."


======================================================
Candidate: CAN-2002-0621
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0621
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: BUGTRAQ:20020703 Remotely Exploitable Buffer Overruns in Microsoft's Commerce Server 2000/2 (#NISRNISR03062002)
Reference: MS:MS02-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
Reference: XF:mscs-owc-installer-bo(9424)
Reference: URL:http://www.iss.net/security_center/static/9424.php
Reference: BID:5108
Reference: URL:http://www.securityfocus.com/bid/5108

Buffer overflow in the Office Web Components (OWC) package installer
used by Microsoft Commerce Server 2000 allows remote attackers to
cause the process to fail or run arbitrary code in the LocalSystem
security context via certain input to the OWC package installer.


Modifications:
  DESC fix typos
  ADDREF XF:mscs-owc-installer-bo(9424)
  ADDREF BID:5108

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0621 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:mscs-owc-installer-bo(9424)
   URL:http://www.iss.net/security_center/static/9424.php
   BID:5108
   URL:http://www.securityfocus.com/bid/5108
 Christey> "arbitray"?  "by via"?


======================================================
Candidate: CAN-2002-0622
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0622
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: BUGTRAQ:20020703 Remotely Exploitable Buffer Overruns in Microsoft's Commerce Server 2000/2 (#NISRNISR03062002)
Reference: MS:MS02-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
Reference: XF:mscs-owc-installer-permissions(9425)
Reference: URL:http://www.iss.net/security_center/static/9425.php
Reference: BID:5111
Reference: URL:http://www.securityfocus.com/bid/5111

The Office Web Components (OWC) package installer for Microsoft
Commerce Server 2000 allows remote attackers to execute commands by
passing the commands as input to the OWC package installer, aka "OWC
Package Command Execution".


Modifications:
  ADDREF XF:mscs-owc-installer-permissions(9425)
  ADDREF BID:5111

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0622 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:mscs-owc-installer-permissions(9425)
   URL:http://www.iss.net/security_center/static/9425.php
   BID:5111
   URL:http://www.securityfocus.com/bid/5111


======================================================
Candidate: CAN-2002-0623
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0623
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: MS:MS02-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
Reference: BID:5112
Reference: URL:http://www.securityfocus.com/bid/5112
Reference: XF:mscs-authfilter-isapi-bo-variant(9426)
Reference: URL:http://www.iss.net/security_center/static/9426.php

Buffer overflow in AuthFilter ISAPI filter on Microsoft Commerce
Server 2000 and 2002 allows remote attackers to execute arbitrary code
via long authentication data, aka "New Variant of the ISAPI Filter
Buffer Overrun".


Modifications:
  ADDREF BID:5112
  ADDREF XF:mscs-authfilter-isapi-bo-variant(9426)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0623 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:5112
   URL:http://www.securityfocus.com/bid/5112
   XF:mscs-authfilter-isapi-bo-variant(9426)
   URL:http://www.iss.net/security_center/static/9426.php


======================================================
Candidate: CAN-2002-0631
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0631
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020621
Category: SF
Reference: SGI:20020607-02-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020607-02-I
Reference: BID:5092
Reference: URL:http://www.securityfocus.com/bid/5092
Reference: XF:irix-nveventd-file-write(9418)
Reference: URL:http://www.iss.net/security_center/static/9418.php

Unknown vulnerability in nveventd in NetVisualyzer on SGI IRIX 6.5
through 6.5.16 allows local users to write arbitrary files and gain
root privileges.


Modifications:
  DESC fix typo
  ADDREF BID:5092
  ADDREF XF:irix-nveventd-file-write(9418)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0631 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> fix typo: "root root"
   BID:5092
   URL:http://www.securityfocus.com/bid/5092
   XF:irix-nveventd-file-write(9418)
   URL:http://www.iss.net/security_center/static/9418.php


======================================================
Candidate: CAN-2002-0638
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0638
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020830
Assigned: 20020627
Category: SF
Reference: VULNWATCH:20020729 [VulnWatch] RAZOR advisory: Linux util-linux chfn local root vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0357.html
Reference: BUGTRAQ:20020729 RAZOR advisory: Linux util-linux chfn local root vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102795787713996&w=2
Reference: CERT-VN:VU#405955
Reference: URL:http://www.kb.cert.org/vuls/id/405955
Reference: REDHAT:RHSA-2002:132
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-132.html
Reference: REDHAT:RHSA-2002:137
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-137.html
Reference: CONECTIVA:CLA-2002:523
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000523
Reference: CALDERA:CSSA-2002-043.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-043.0.txt
Reference: MANDRAKE:MDKSA-2002:047
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-047.php
Reference: BUGTRAQ:20020730 TSLSA-2002-0064 - util-linux
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0396.html
Reference: HP:HPSBTL0207-054
Reference: URL:http://online.securityfocus.com/advisories/4320
Reference: XF:utillinux-chfn-race-condition(9709)
Reference: URL:http://www.iss.net/security_center/static/9709.php
Reference: BID:5344
Reference: URL:http://www.securityfocus.com/bid/5344

setpwnam.c in the util-linux package, as included in Red Hat Linux 7.3
and earlier, and other operating systems, does not properly lock a
temporary file when modifying /etc/passwd, which may allow local users
to gain privileges via a complex race condition that uses an open file
descriptor in utility programs such as chfn and chsh.


Modifications:
  ADDREF REDHAT:RHSA-2002:137
  ADDREF CONECTIVA:CLA-2002:523
  ADDREF CALDERA:CSSA-2002-043.0

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0638 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> ADDREF:RHSA-2002:137
 Christey> CONECTIVA:CLA-2002:523
 Christey> CALDERA:CSSA-2002-043.0


======================================================
Candidate: CAN-2002-0639
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0639
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020726
Assigned: 20020628
Category: SF
Reference: ISS:20020626 OpenSSH Remote Challenge Vulnerability
Reference: BUGTRAQ:20020626 OpenSSH Security Advisory (adv.iss)
Reference: BUGTRAQ:20020626 Revised OpenSSH Security Advisory (adv.iss)
Reference: BUGTRAQ:20020627 How to reproduce OpenSSH Overflow.
Reference: NETBSD:2002-005
Reference: CERT-VN:VU#369347
Reference: CERT:CA-2002-18
Reference: HP:HPSBUX0206-195
Reference: CALDERA:CSSA-2002-030.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
Reference: BUGTRAQ:20020626 [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
Reference: CONECTIVA:CLA-2002:502
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
Reference: ENGARDE:ESA-20020702-016
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2177.html
Reference: MANDRAKE:MDKSA-2002:040
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:040
Reference: BID:5093
Reference: XF:openssh-challenge-response-bo(9169)
Reference: URL:http://www.iss.net/security_center/static/9169.php

Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote
attackers to execute arbitrary code during challenge response
authentication (ChallengeResponseAuthentication) when OpenSSH is using
SKEY or BSD_AUTH authentication.


Modifications:
  ADDREF CALDERA:CSSA-2002-030.0
  ADDREF BUGTRAQ:20020626 [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
  ADDREF CONECTIVA:CLA-2002:502
  ADDREF ENGARDE:ESA-20020702-016
  ADDREF MANDRAKE:MDKSA-2002:040
  ADDREF XF:openssh-challenge-response-bo(9169)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0639 ACCEPT (4 accept, 6 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Foat, Cole
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> CALDERA:CSSA-2002-030.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
   BUGTRAQ:20020626 [OpenPKG-SA-2002.005] OpenPKG Security Advisory (openssh)
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
   CONECTIVA:CLA-2002:502
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
   ENGARDE:ESA-20020702-016
   URL:http://www.linuxsecurity.com/advisories/other_advisory-2177.html
 Christey> MANDRAKE:MDKSA-2002:040


======================================================
Candidate: CAN-2002-0640
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0640
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-02
Proposed: 20020726
Assigned: 20020628
Category: SF
Reference: BUGTRAQ:20020626 Revised OpenSSH Security Advisory (adv.iss)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102514631524575&w=2
Reference: BUGTRAQ:20020626 OpenSSH Security Advisory (adv.iss)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102514371522793&w=2
Reference: BUGTRAQ:20020627 How to reproduce OpenSSH Overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102521542826833&w=2
Reference: BUGTRAQ:20020628 Sun statement on the OpenSSH Remote Challenge Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102532054613894&w=2
Reference: CERT-VN:VU#369347
Reference: URL:http://www.kb.cert.org/vuls/id/369347
Reference: CERT:CA-2002-18
Reference: URL:http://www.cert.org/advisories/CA-2002-18.html
Reference: DEBIAN:DSA-134
Reference: URL:http://www.debian.org/security/2002/dsa-134
Reference: HP:HPSBUX0206-195
Reference: BID:5093
Reference: URL:http://www.securityfocus.com/bid/5093
Reference: REDHAT:RHSA-2002:131
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-131.html
Reference: CALDERA:CSSA-2002-030.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
Reference: CONECTIVA:CLA-2002:502
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
Reference: ENGARDE:ESA-20020702-016
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2177.html
Reference: MANDRAKE:MDKSA-2002:040
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:040
Reference: SUSE:SuSE-SA:2002:024
Reference: URL:http://www.suse.de/de/security/2002_024_openssh_txt.html
Reference: REDHAT:RHSA-2002:127
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-127.html

Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote
attackers to execute arbitrary code via a large number of responses
during challenge response authentication when OpenBSD is using PAM
modules with interactive keyboard authentication
(PAMAuthenticationViaKbdInt).


Modifications:
  ADDREF REDHAT:RHSA-2002:131
  ADDREF CALDERA:CSSA-2002-030.0
  ADDREF CONECTIVA:CLA-2002:502
  ADDREF ENGARDE:ESA-20020702-016
  ADDREF SUSE:SuSE-SA:2002:024
  ADDREF REDHAT:RHSA-2002:127
  ADDREF MANDRAKE:MDKSA-2002:040

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0640 ACCEPT (4 accept, 7 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Foat, Cole
   MODIFY(1) Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Cox> ADDREF:RHSA-2002:131
 Christey> CALDERA:CSSA-2002-030.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
   CONECTIVA:CLA-2002:502
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
   ENGARDE:ESA-20020702-016
   URL:http://www.linuxsecurity.com/advisories/other_advisory-2177.html
   SUSE:SuSE-SA:2002:024
   URL:http://www.suse.de/de/security/2002_024_openssh_txt.html
   REDHAT:RHSA-2002:127
   URL:http://www.redhat.com/support/errata/RHSA-2002-127.html
 Christey> MANDRAKE:MDKSA-2002:040


======================================================
Candidate: CAN-2002-0642
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0642
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020628
Category: CF
Reference: MS:MS02-034
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-034.asp
Reference: CERT:CA-2002-22
Reference: URL:http://www.cert.org/advisories/CA-2002-22.html
Reference: CERT-VN:VU#796313
Reference: URL:http://www.kb.cert.org/vuls/id/796313
Reference: XF:mssql-registry-insecure-permissions(9523)
Reference: URL:http://www.iss.net/security_center/static/9523.php
Reference: BID:5205
Reference: URL:http://www.securityfocus.com/bid/5205

The registry key containing the SQL Server service account information
in Microsoft SQL Server 2000, including Microsoft SQL Server Desktop
Engine (MSDE) 2000, has insecure permissions, which allows local users
to gain privileges, aka "Incorrect Permission on SQL Server Service
Account Registry Key."


Modifications:
  ADDREF XF:mssql-registry-insecure-permissions(9523)
  ADDREF BID:5205
  ADDREF CERT:CA-2002-22
  ADDREF CERT-VN:VU#796313

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0642 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:mssql-registry-insecure-permissions(9523)
   URL:http://www.iss.net/security_center/static/9523.php
   BID:5205
   URL:http://www.securityfocus.com/bid/5205
   CERT:CA-2002-22
   CERT-VN:VU#796313
 Frech> XF:mssql-registry-insecure-permissions(9523)


======================================================
Candidate: CAN-2002-0647
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0647
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020830
Assigned: 20020628
Category: SF
Reference: MS:MS02-047
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
Reference: XF:ms-legacytext-activex-bo(9935)
Reference: URL:http://www.iss.net/security_center/static/9935.php
Reference: BID:5558
Reference: URL:http://www.securityfocus.com/bid/5558

Buffer overflow in a legacy ActiveX control used to display specially
formatted text in Microsoft Internet Explorer 5.01, 5.5, and 6.0
allows remote attackers to execute arbitrary code, aka "Buffer Overrun
in Legacy Text Formatting ActiveX Control".


Modifications:
  ADDREF XF:ms-legacytext-activex-bo(9935)
  ADDREF BID:5558

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0647 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0648
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0648
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020830
Assigned: 20020628
Category: SF
Reference: BUGTRAQ:20020823 Accessing remote/local content in IE (GM#009-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103011639524314&w=2
Reference: MS:MS02-047
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
Reference: XF:ie-xml-redirect-read-files(9936)
Reference: URL:http://www.iss.net/security_center/static/9936.php
Reference: BID:5560
Reference: URL:http://www.securityfocus.com/bid/5560

The legacy <script> data-island capability for XML in Microsoft
Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read
arbitrary XML files, and portions of other files, via a URL whose
"src" attribute redirects to a local file.


Modifications:
  ADDREF XF:ie-xml-redirect-read-files(9936)
  ADDREF BID:5560

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0648 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(1) Foat
   NOOP(1) Cox

Voter Comments:
 Foat> The description varies somewhat from the detailed references provided.
   The description indicates that this could lead to compromise of local files,
   while the other references (including Microsoft) indicate the problem is broader
   in scope. Suggest modifying the description to replace "redirects to a local
   file" to "redirects to another domain".


======================================================
Candidate: CAN-2002-0650
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0650
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020628
Category: SF
Reference: BUGTRAQ:20020725 Microsoft SQL Server 2000 Unauthenticated System Compromise (#NISR25072002)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102760196931518&w=2
Reference: NTBUGTRAQ:20020725 Microsoft SQL Server 2000 Unauthenticated System Compromise (#NISR25072002)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102760479902411&w=2
Reference: MS:MS02-039
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
Reference: XF:mssql-resolution-keepalive-dos(9662)
Reference: URL:http://www.iss.net/security_center/static/9662.php
Reference: BID:5312
Reference: URL:http://www.securityfocus.com/bid/5312

The keep-alive mechanism for Microsoft SQL Server 2000 allows remote
attackers to cause a denial of service (bandwidth consumption) via a
"ping" style packet to the Resolution Service (UDP port 1434) with a
spoofed IP address of another SQL Server system, which causes the two
servers to exchange packets in an infinite loop.


Modifications:
  ADDREF XF:mssql-resolution-keepalive-dos(9662)
  ADDREF BID:5312

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0650 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:mssql-resolution-keepalive-dos(9662)
   URL:http://www.iss.net/security_center/static/9662.php
   BID:5312
   URL:http://www.securityfocus.com/bid/5312
 Frech> XF:mssql-resolution-keepalive-dos(9662)


======================================================
Candidate: CAN-2002-0653
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
Final-Decision:
Interim-Decision: 20030326
Modified: 20020817-01
Proposed: 20020726
Assigned: 20020702
Category: SF
Reference: VULN-DEV:20020622 Another flaw in Apache?
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102477330617604&w=2
Reference: BUGTRAQ:20020624 Apache mod_ssl off-by-one vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102513970919836&w=2
Reference: REDHAT:RHSA-2002:134
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-134.html
Reference: CALDERA:CSSA-2002-031.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-031.0.txt
Reference: MANDRAKE:MDKSA-2002:048
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-048.php
Reference: DEBIAN:DSA-135
Reference: URL:http://www.debian.org/security/2002/dsa-135
Reference: ENGARDE:ESA-20020702-017
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102563469326072&w=2
Reference: SUSE:SuSE-SA:2002:028
Reference: URL:http://www.suse.de/de/security/2002_028_mod_ssl.html
Reference: CONECTIVA:CLA-2002:504
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000504
Reference: BUGTRAQ:20020628 TSL-2002-0058 - apache/mod_ssl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0350.html
Reference: HP:HPSBTL0207-052
Reference: URL:http://archives.neohapsis.com/archives/hp/2002-q3/0018.html
Reference: BID:5084
Reference: URL:http://online.securityfocus.com/bid/5084
Reference: XF:apache-modssl-htaccess-bo(9415)
Reference: URL:http://www.iss.net/security_center/static/9415.php

Off-by-one buffer overflow in rewrite_command hook for mod_ssl Apache
module 2.8.9 and earlier allows local users to execute arbitrary code
as the Apache server user via .htaccess files with long entries.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:048
  ADDREF DEBIAN:DSA-135
  ADDREF ENGARDE:ESA-20020702-017
  ADDREF SUSE:SuSE-SA:2002:028
  ADDREF CONECTIVA:CLA-2002:504
  ADDREF BID:5084
  ADDREF VULN-DEV:20020622 Another flaw in Apache?
  ADDREF BUGTRAQ:20020628 TSL-2002-0058 - apache/mod_ssl
  ADDREF XF:apache-modssl-htaccess-bo(9415)
  ADDREF HP:HPSBTL0207-052

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0653 ACCEPT (3 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:048
 Christey> ADDREF DEBIAN:DSA-135
   ADDREF ENGARDE:ESA-20020702-017
   ADDREF SUSE:SuSE-SA:2002:028
   Add details to desc.
   ADDREF CONECTIVA:CLA-2002:504
   ADDREF BID:5084
   ADDREF VULN-DEV:20020622 Another flaw in Apache?
   BUGTRAQ:20020628 TSL-2002-0058 - apache/mod_ssl
   HP:HPSBTL0207-052


======================================================
Candidate: CAN-2002-0658
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020830
Assigned: 20020702
Category: SF
Reference: MANDRAKE:MDKSA-2002:045
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-045.php
Reference: REDHAT:RHSA-2002:153
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-153.html
Reference: REDHAT:RHSA-2002:154
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-154.html
Reference: REDHAT:RHSA-2002:156
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-156.html
Reference: REDHAT:RHSA-2002:164
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-164.html
Reference: CALDERA:CSSA-2002-032.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-032.0.txt
Reference: DEBIAN:DSA-137
Reference: URL:http://www.debian.org/security/2002/dsa-137
Reference: BUGTRAQ:20020730 [OpenPKG-SA-2002.007] OpenPKG Security Advisory (mm)
Reference: HP:HPSBTL0208-056
Reference: URL:http://online.securityfocus.com/advisories/4392
Reference: FREEBSD:FreeBSD-SN-02:05
Reference: URL:http://online.securityfocus.com/advisories/4431
Reference: SUSE:SuSE-SA:2002:028
Reference: URL:http://www.suse.com/de/security/2002_028_mod_ssl.html
Reference: XF:mm-tmpfile-symlink(9719)
Reference: URL:http://www.iss.net/security_center/static/9719.php
Reference: BID:5352
Reference: URL:http://online.securityfocus.com/bid/5352

OSSP mm library (libmm) before 1.2.0 allows the local Apache user to
gain privileges via temporary files, possibly via a symbolic link attack.


Modifications:
  ADDREF REDHAT:RHSA-2002:156

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0658 ACCEPT (4 accept, 6 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   MODIFY(1) Cox
   NOOP(1) Foat

Voter Comments:
 Cox> ADDREF:RHSA-2002:163 RHSA-2002:156 RHSA-2002:154


======================================================
Candidate: CAN-2002-0663
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0663
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020702
Category: SF
Reference: ATSTAKE:A071502-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a071502-1.txt
Reference: VULNWATCH:20020715 Re: [VulnWatch] Advisory Name: Norton Personal Internet Firewall HTTP Proxy Vulnerability
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html
Reference: XF:norton-fw-http-bo(9579)
Reference: URL:http://www.iss.net/security_center/static/9579.php
Reference: BID:5237
Reference: URL:http://www.securityfocus.com/bid/5237

Buffer overflow in HTTP Proxy for Symantec Norton Personal Internet
Firewall 3.0.4.91 and Norton Internet Security 2001 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a large outgoing HTTP request.


Modifications:
  ADDREF XF:norton-fw-http-bo(9579)
  ADDREF BID:5237
  ADDREF CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0663 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Prosser, Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:norton-fw-http-bo(9579)
   URL:http://www.iss.net/security_center/static/9579.php
   BID:5237
   URL:http://www.securityfocus.com/bid/5237
 Baker> http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html
 Prosser> Validated with discovered and fixed by Symantec

   http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html
 Frech> XF:norton-fw-http-bo(9579)


======================================================
Candidate: CAN-2002-0665
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0665
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020704
Category: SF
Reference: BUGTRAQ:20020628 wp-02-0009: Macromedia JRun Admin Server Authentication Bypass
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102529402127195&w=2
Reference: VULNWATCH:20020628 [VulnWatch] wp-02-0009: Macromedia JRun Admin Server Authentication Bypass
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0133.html
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
Reference: XF:jrun-forwardslash-auth-bypass(9450)
Reference: URL:http://www.iss.net/security_center/static/9450.php
Reference: BID:5118
Reference: URL:http://www.securityfocus.com/bid/5118

Macromedia JRun Administration Server allows remote attackers to
bypass authentication on the login form via an extra slash (/) in the
URL.


Modifications:
  ADDREF XF:jrun-forwardslash-auth-bypass(9450)
  ADDREF BID:5118

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0665 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:jrun-forwardslash-auth-bypass(9450)
   URL:http://www.iss.net/security_center/static/9450.php
   BID:5118
   URL:http://www.securityfocus.com/bid/5118


======================================================
Candidate: CAN-2002-0671
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0671
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: ATSTAKE:A071202-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a071202-1.txt
Reference: CONFIRM:http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp
Reference: XF:pingtel-xpressa-dns-spoofing(9566)
Reference: URL:http://www.iss.net/security_center/static/9566.php
Reference: BID:5224
Reference: URL:http://www.securityfocus.com/bid/5224

Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4
downloads phone applications from a web site but can not verify the
integrity of the applications, which could allow remote attackers to
install Trojan horse applications via DNS spoofing.


Modifications:
  ADDREF XF:pingtel-xpressa-dns-spoofing(9566)
  ADDREF BID:5224

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0671 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(5) Cox, Balinsky, Wall, Foat, Armstrong

Voter Comments:
 Frech> XF:pingtel-xpressa-dns-spoofing(9566)


======================================================
Candidate: CAN-2002-0676
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0676
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: BUGTRAQ:20020706 MacOS X SoftwareUpdate Vulnerability
Reference: MISC:http://www.cunap.com/~hardingr/projects/osx/exploit.html
Reference: XF:macos-softwareupdate-no-auth(9502)
Reference: URL:http://www.iss.net/security_center/static/9502.php
Reference: BID:5176
Reference: URL:http://www.securityfocus.com/bid/5176

SoftwareUpdate for MacOS 10.1.x does not use authentication when
downloading a software update, which could allow remote attackers to
execute arbitrary code by posing as the Apple update server via
techniques such as DNS spoofing or cache poisoning, and supplying
Trojan Horse updates.


Modifications:
  ADDREF XF:macos-softwareupdate-no-auth(9502)
  ADDREF BID:5176

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0676 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Balinsky, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:macos-softwareupdate-no-auth(9502)
   URL:http://www.iss.net/security_center/static/9502.php
   BID:5176
   URL:http://www.securityfocus.com/bid/5176
 Balinsky> Vendor addressed the vulnerable application. It isn't clear that this is the same problem, but it is likely.
   http://docs.info.apple.com/article.html?artnum=75304
 Frech> XF:macos-softwareupdate-no-auth(9502)
 Christey> Since this CAN was reserved by Apple, I think we can safely
   say that they've acknowledged the bug ;-)


======================================================
Candidate: CAN-2002-0678
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0678
Final-Decision:
Interim-Decision: 20030326
Modified: 20030321-01
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: BUGTRAQ:20020710 [CORE-20020528] Multiple vulnerabilities in ToolTalk Database server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102635906423617&w=2
Reference: CERT:CA-2002-20
Reference: URL:http://www.cert.org/advisories/CA-2002-20.html
Reference: CERT-VN:VU#299816
Reference: URL:http://www.kb.cert.org/vuls/id/299816
Reference: HP:HPSBUX0207-199
Reference: URL:http://archives.neohapsis.com/archives/hp/2002-q3/0011.html
Reference: AIXAPAR:IY32368
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
Reference: AIXAPAR:IY32370
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
Reference: CALDERA:CSSA-2002-SCO.28
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28/CSSA-2002-SCO.28.txt
Reference: SGI:20021101-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021101-01-P
Reference: XF:tooltalk-ttdbserverd-tttransaction-symlink(9527)
Reference: URL:http://www.iss.net/security_center/static/9527.php
Reference: BID:5083
Reference: URL:http://www.securityfocus.com/bid/5083

CDE ToolTalk database server (ttdbserver) allows local users to
overwrite arbitrary files via a symlink attack on the transaction log
file used by the _TT_TRANSACTION RPC procedure.


Modifications:
  ADDREF XF:tooltalk-ttdbserverd-tttransaction-symlink(9527)
  ADDREF BID:5083
  ADDREF AIXAPAR:IY32368
  ADDREF AIXAPAR:IY32370
  ADDREF HP:HPSBUX0207-199
  ADDREF SGI:20021101-01-P

Analysis
--------
Vendor Acknowledgement: yes advisory

MAPPING: while the HP advisory discusses "buffer overflows," it
specifically mentions CA-2002-20, and the text of the advisory is
included in vendor statements for the CERT-VU's for both ToolTalk
issues covered by CA-2002-20.

INFERRED ACTION: CAN-2002-0678 ACCEPT (5 accept, 6 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:tooltalk-ttdbserverd-tttransaction-symlink(9527)
   URL:http://www.iss.net/security_center/static/9527.php
   BID:5083
   URL:http://www.securityfocus.com/bid/5083

   HP:HPSBUX0207-199
   URL:http://archives.neohapsis.com/archives/hp/2002-q3/0011.html
   Note: while the HP advisory discusses "buffer overflows,"
   it specifically mentions CA-2002-20, and the text of the
   advisory is included in vendor statements for the CERT-VU's for both
   ToolTalk issues covered by CA-2002-20.

   AIXAPAR:IY32368
   URL:http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
   AIXAPAR:IY32370
   URL:http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
 Christey> HP:HPSBUX0207-199
   URL:http://online.securityfocus.com/advisories/4290
 Christey> SGI:20021101-01-P
 Frech> XF:tooltalk-ttdbserverd-tttransaction-symlink(9527)


======================================================
Candidate: CAN-2002-0679
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0679
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020709
Category: SF
Reference: BUGTRAQ:20020812 ENTERCEPT RICOCHET ADVISORY: Multi-Vendor CDE ToolTalk Database
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102917002523536&w=2
Reference: CERT:CA-2002-26
Reference: URL:http://www.cert.org/advisories/CA-2002-26.html
Reference: CERT-VN:VU#387387
Reference: URL:http://www.kb.cert.org/vuls/id/387387
Reference: CALDERA:CSSA-2002-SCO.28.1
Reference: COMPAQ:SSRT2274
Reference: AIXAPAR:IY32792
Reference: AIXAPAR:IY32793
Reference: HP:HPSBUX0207-199
Reference: URL:http://online.securityfocus.com/advisories/4290
Reference: CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46366&zone_32=category%3Asecurity
Reference: XF:tooltalk-ttdbserverd-ttcreatefile-bo(9822)
Reference: URL:http://www.iss.net/security_center/static/9822.php
Reference: BID:5444
Reference: URL:http://www.securityfocus.com/bid/5444

Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC
database server (rpc.ttdbserverd) allows remote attackers to execute
arbitrary code via an argument to the _TT_CREATE_FILE procedure.


Modifications:
  ADDREF XF:tooltalk-ttdbserverd-ttcreatefile-bo(9822)
  ADDREF BID:5444
  ADDREF HP:HPSBUX0207-199
  ADDREF CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46366&zone_32=category%3Asecurity

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0679 ACCEPT (3 accept, 7 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:tooltalk-ttdbserverd-ttcreatefile-bo(9822)
   URL:http://www.iss.net/security_center/static/9822.php
   BID:5444
   URL:http://www.securityfocus.com/bid/5444
   HP:HPSBUX0207-199
   URL:http://online.securityfocus.com/advisories/4290
   CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46366&zone_32=category%3Asecurity


======================================================
Candidate: CAN-2002-0685
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0685
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020711
Category: SF
Reference: BUGTRAQ:20020710 EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102634756815773&w=2
Reference: NTBUGTRAQ:20020710 EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102639521518942&w=2
Reference: CONFIRM:http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.04/hotfix/ReadMe.txt
Reference: XF:pgp-outlook-heap-overflow(9525)
Reference: URL:http://www.iss.net/security_center/static/9525.php
Reference: BID:5202
Reference: URL:http://www.securityfocus.com/bid/5202

Heap-based buffer overflow in the message decoding functionality for
PGP Outlook Encryption Plug-In, as used in NAI PGP Desktop Security
7.0.4, Personal Security 7.0.3, and Freeware 7.0.3, allows remote
attackers to modify the heap and gain privileges via a large,
malformed mail message.


Modifications:
  ADDREF XF:pgp-outlook-heap-overflow(9525)
  ADDREF BID:5202
  DESC Add "heap-based" to overflow term

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0685 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:pgp-outlook-heap-overflow(9525)
   URL:http://www.iss.net/security_center/static/9525.php
   BID:5202
   URL:http://www.securityfocus.com/bid/5202
 Frech> XF:pgp-outlook-heap-overflow(9525)


======================================================
Candidate: CAN-2002-0687
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0687
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2002-04-15/security_alert
Reference: REDHAT:RHSA-2002:060
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
Reference: BID:5813
Reference: URL:http://www.securityfocus.com/bid/5813
Reference: XF:zope-inject-headers-dos(9621)
Reference: URL:http://www.iss.net/security_center/static/9621.php

The "through the web code" capability for Zope 2.0 through 2.5.1 b1
allows untrusted users to shut down the Zope server via certain
headers.


Modifications:
  ADDREF REDHAT:RHSA-2002:060
  ADDREF BID:5813
  ADDREF XF:zope-inject-headers-dos(9621)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0687 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Cole, Armstrong
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> REDHAT:RHSA-2002:060
   URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
   BID:5813
   URL:http://www.securityfocus.com/bid/5813


======================================================
Candidate: CAN-2002-0688
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0688
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: CONFIRM:http://www.zope.org/Products/Zope/Hotfix_2002-06-14/security_alert
Reference: REDHAT:RHSA-2002:060
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
Reference: BID:5812
Reference: URL:http://www.securityfocus.com/bid/5812
Reference: XF:zope-zcatalog-index-bypass(9610)
Reference: URL:http://www.iss.net/security_center/static/9610.php

ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1
allows anonymous users and untrusted code to bypass access
restrictions and call arbitrary methods of catalog indexes.


Modifications:
  ADDREF REDHAT:RHSA-2002:060
  ADDREF BID:5812
  ADDREF XF:zope-zcatalog-index-bypass(9610)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0688 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> REDHAT:RHSA-2002:060
   URL:http://www.redhat.com/support/errata/RHSA-2002-060.html
   BID:5812
   URL:http://www.securityfocus.com/bid/5812


======================================================
Candidate: CAN-2002-0691
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0691
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020712
Category: SF
Reference: MS:MS02-047
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
Reference: XF:ie-local-resource-xss(9938)
Reference: URL:http://www.iss.net/security_center/static/9938.php
Reference: BID:5561
Reference: URL:http://www.securityfocus.com/bid/5561

Microsoft Internet Explorer 5.01 and 5.5 allows remote attackers to
execute scripts in the Local Computer zone via a URL that references a
local HTML resource file, a variant of "Cross-Site Scripting in Local
HTML Resource"as identified by CAN-2002-0189.


Modifications:
  ADDREF XF:ie-local-resource-xss(9938)
  ADDREF BID:5561

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0691 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:ie-local-resource-xss(9938)
   URL:http://www.iss.net/security_center/static/9938.php
   BID:5561
   URL:http://www.securityfocus.com/bid/5561


======================================================
Candidate: CAN-2002-0695
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0695
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020712
Category: SF
Reference: MS:MS02-040
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-040.asp
Reference: MISC:http://www.nextgenss.com/advisories/mssql-ors.txt
Reference: XF:mssql-mdac-openrowset-bo(9734)
Reference: URL:http://www.iss.net/security_center/static/9734.php
Reference: BID:5372
Reference: URL:http://online.securityfocus.com/bid/5372

Buffer overflow in the Transact-SQL (T-SQL) OpenRowSet component of
Microsoft Data Access Components (MDAC) 2.5 through 2.7 for SQL Server
7.0 or 2000 allows remote attackers to execute arbitrary code via a
query that calls the OpenRowSet command.


Modifications:
  ADDREF XF:mssql-mdac-openrowset-bo(9734)
  ADDREF MISC:http://www.nextgenss.com/advisories/mssql-ors.txt
  ADDREF BID:5372

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0695 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:mssql-mdac-openrowset-bo(9734)
   URL:http://www.iss.net/security_center/static/9734.php
   MISC:http://www.nextgenss.com/advisories/mssql-ors.txt
   BID:5372
   URL:http://online.securityfocus.com/bid/5372


======================================================
Candidate: CAN-2002-0697
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0697
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: MS:MS02-036
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-036.asp
Reference: XF:mms-data-repository-access(9657)
Reference: URL:http://www.iss.net/security_center/static/9657.php
Reference: BID:5308
Reference: URL:http://www.securityfocus.com/bid/5308

Microsoft Metadirectory Services (MMS) 2.2 allows remote attackers to
bypass authentication and modify sensitive data by using an LDAP
client to directly connect to MMS and bypass the checks for MMS
credentials.


Modifications:
  ADDREF XF:mms-data-repository-access(9657)
  ADDREF BID:5308

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0697 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:mms-data-repository-access(9657)
   URL:http://www.iss.net/security_center/static/9657.php
   BID:5308
   URL:http://www.securityfocus.com/bid/5308
 CHANGE> [Armstrong changed vote from NOOP to ACCEPT]
 Frech> XF:mms-data-repository-access(9657)


======================================================
Candidate: CAN-2002-0698
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0698
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: ISS:20020724 Remote Buffer Overflow Vulnerability in Microsoft Exchange Server
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20759
Reference: MSKB:Q326322
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q326322
Reference: MS:MS02-037
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-037.asp
Reference: XF:exchange-imc-ehlo-bo(9658)
Reference: URL:http://www.iss.net/security_center/static/9658.php
Reference: BID:5306
Reference: URL:http://www.securityfocus.com/bid/5306

Buffer overflow in Internet Mail Connector (IMC) for Microsoft
Exchange Server 5.5 allows remote attackers to execute arbitrary code
via an EHLO request from a system with a long name as obtained through
a reverse DNS lookup, which triggers the overflow in IMC's hello
response.


Modifications:
  ADDREF XF:exchange-imc-ehlo-bo(9658)
  ADDREF BID:5306

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0698 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:exchange-imc-ehlo-bo(9658)
   URL:http://www.iss.net/security_center/static/9658.php
   BID:5306
   URL:http://www.securityfocus.com/bid/5306
 Frech> XF:exchange-imc-ehlo-bo(9658)


======================================================
Candidate: CAN-2002-0700
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0700
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020712
Category: SF
Reference: MS:MS02-041
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-041.asp
Reference: XF:mcms-authentication-bo(9783)
Reference: URL:http://www.iss.net/security_center/static/9783.php
Reference: BID:5420
Reference: URL:http://www.securityfocus.com/bid/5420

Buffer overflow in a system function that performs user authentication
for Microsoft Content Management Server (MCMS) 2001 allows attackers
to execute code in the Local System context by authenticating to a web
page that calls the function, aka "Unchecked Buffer in MDAC Function
Could Enable SQL Server Compromise."


Modifications:
  ADDREF XF:mcms-authentication-bo(9783)
  ADDREF BID:5420

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0700 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:mcms-authentication-bo(9783)
   URL:http://www.iss.net/security_center/static/9783.php
   BID:5420
   URL:http://www.securityfocus.com/bid/5420


======================================================
Candidate: CAN-2002-0701
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0701
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020712
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:30
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102650797504351&w=2
Reference: OPENBSD:20020627 009: SECURITY FIX: June 27, 2002
Reference: URL:http://www.openbsd.org/errata.html#ktrace
Reference: XF:openbsd-ktrace-gain-privileges(9474)
Reference: URL:http://www.iss.net/security_center/static/9474.php
Reference: BID:5133
Reference: URL:http://www.securityfocus.com/bid/5133

ktrace in BSD-based operating systems allows the owner of a process
with special privileges to trace the process after its privileges have
been lowered, which may allow the owner to obtain sensitive
information that the process obtained while it was running with the
extra privileges.


Modifications:
  ADDREF XF:openbsd-ktrace-gain-privileges(9474)
  ADDREF BID:5133

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0701 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:openbsd-ktrace-gain-privileges(9474)
   URL:http://www.iss.net/security_center/static/9474.php
   BID:5133
   URL:http://www.securityfocus.com/bid/5133


======================================================
Candidate: CAN-2002-0703
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0703
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020716
Category: SF
Reference: REDHAT:RHSA-2002:081
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-081.html
Reference: MANDRAKE:MDKSA-2002:035
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-035.php
Reference: XF:linux-utf8-incorrect-md5(9051)
Reference: URL:http://www.iss.net/security_center/static/9051.php
Reference: BID:4716
Reference: URL:http://www.securityfocus.com/bid/4716

An interaction between the Perl MD5 module (perl-Digest-MD5) and Perl
could produce incorrect MD5 checksums for UTF-8 data, which could
prevent a system from properly verifying the integrity of the data.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0703 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0704
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0704
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020716
Category: SF
Reference: BUGTRAQ:20020508 [CARTSA-20020402] Linux Netfilter NAT/ICMP code information leak
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102088521517722&w=2
Reference: REDHAT:RHSA-2002:086
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-086.html
Reference: MANDRAKE:MDKSA-2002:030
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-030.php
Reference: HP:HPSBTL0205-039
Reference: URL:http://online.securityfocus.com/advisories/4116
Reference: XF:linux-netfilter-information-leak(9043)
Reference: URL:http://www.iss.net/security_center/static/9043.php
Reference: BID:4699
Reference: URL:http://www.securityfocus.com/bid/4699

The Network Address Translation (NAT) capability for Netfilter
("iptables") 1.2.6a and earlier leaks translated IP addresses in ICMP
error messages.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0704 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   NOOP(1) Foat


======================================================
Candidate: CAN-2002-0710
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0710
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020718
Category: SF
Reference: BUGTRAQ:20020730 Directory traversal vulnerability in sendform.cgi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102809084218422&w=2
Reference: VULNWATCH:20020731 [VulnWatch] Directory traversal vulnerability in sendform.cgi
Reference: CONFIRM:http://www.scn.org/~bb615/scripts/sendform.html
Reference: XF:sendform-blurbfile-directory-traversal(9725)
Reference: URL:http://www.iss.net/security_center/static/9725.php
Reference: BID:5286
Reference: URL:http://www.securityfocus.com/bid/5286

Directory traversal vulnerability in sendform.cgi 1.44 and earlier
allows remote attackers to read arbitrary files by specifying the
desired files in the BlurbFilePath parameter.


Modifications:
  ADDREF XF:sendform-blurbfile-directory-traversal(9725)
  ADDREF BID:5286

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: On the vendor's home page, an item dated July 22,
2002, says "New: security fix: This limits reading world-readable
'blurb' files (that can be used with HTML forms with this script) to
certain directories defined in the script by the Web administrator."

INFERRED ACTION: CAN-2002-0710 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:sendform-blurbfile-directory-traversal(9725)
   URL:http://www.iss.net/security_center/static/9725.php


======================================================
Candidate: CAN-2002-0714
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0714
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020720
Category: SF
Reference: CONFIRM:http://www.squid-cache.org/Advisories/SQUID-2002_3.txt
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/bugs/
Reference: REDHAT:RHSA-2002:051
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-051.html
Reference: REDHAT:RHSA-2002:130
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-130.html
Reference: SUSE:SuSE-SA:2002:025
Reference: CALDERA:CSSA-2002-046.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-046.0.txt
Reference: CONECTIVA:CLA-2002:506
Reference: MANDRAKE:MDKSA-2002:044
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-044.php
Reference: BUGTRAQ:20020715 TSLSA-2002-0062 - squid
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102674543407606&w=2
Reference: XF:squid-ftp-data-injection(9479)
Reference: URL:http://www.iss.net/security_center/static/9479.php
Reference: BID:5158
Reference: URL:http://www.securityfocus.com/bid/5158

FTP proxy in Squid before 2.4.STABLE6 does not compare the IP
addresses of control and data connections with the FTP server, which
allows remote attackers to bypass firewall rules or spoof FTP server
responses.


Modifications:
  ADDREF XF:squid-ftp-data-injection(9479)
  ADDREF CALDERA:CSSA-2002-046.0
  ADDREF REDHAT:RHSA-2002:051

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0714 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:squid-ftp-data-injection(9479)
 Christey> REDHAT:RHSA-2002:051
   URL:http://rhn.redhat.com/errata/RHSA-2002-051.html


======================================================
Candidate: CAN-2002-0716
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0716
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020722
Category: SF
Reference: BUGTRAQ:20020604 SRT Security Advisory (SRT2002-06-04-1711): SCO crontab
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102323070305101&w=2
Reference: VULN-DEV:20020604 SRT Security Advisory (SRT2002-06-04-1711): SCO crontab
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102323386107641&w=2
Reference: CALDERA:CSSA-2002-SCO.35
Reference: BID:4938
Reference: URL:http://www.securityfocus.com/bid/4938
Reference: XF:openserver-crontab-format-string(9271)
Reference: URL:http://www.iss.net/security_center/static/9271.php

Format string vulnerability in crontab for SCO OpenServer 5.0.5 and
5.0.6 allows local users to gain privileges via format string
specifiers in the file name argument.


Modifications:
  ADDREF BID:4938
  ADDREF XF:openserver-crontab-format-string(9271)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0716 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> BID:4938
   URL:http://www.securityfocus.com/bid/4938
   XF:openserver-crontab-format-string(9271)
   URL:http://www.iss.net/security_center/static/9271.php


======================================================
Candidate: CAN-2002-0718
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0718
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: MS:MS02-041
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-041.asp
Reference: BID:5421
Reference: URL:http://www.securityfocus.com/bid/5421
Reference: XF:mcms-authoring-file-execution(9784)
Reference: URL:http://www.iss.net/security_center/static/9784.php

Web authoring command in Microsoft Content Management Server (MCMS)
2001 allows attackers to authenticate and upload executable content,
by modifying the upload location, aka "Program Execution via MCMS
Authoring Function."


Modifications:
  ADDREF BID:5421
  ADDREF XF:mcms-authoring-file-execution(9784)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0718 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:5421
   URL:http://www.securityfocus.com/bid/5421
   XF:mcms-authoring-file-execution(9784)
   URL:http://www.iss.net/security_center/static/9784.php


======================================================
Candidate: CAN-2002-0719
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0719
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: MS:MS02-041
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-041.asp
Reference: BID:5422
Reference: URL:http://www.securityfocus.com/bid/5422
Reference: XF:mcms-resource-sql-injection(9785)
Reference: URL:http://www.iss.net/security_center/static/9785.php

SQL injection vulnerability in the function that services for
Microsoft Content Management Server (MCMS) 2001 allows remote
attackers to execute arbitrary commands via an MCMS resource request
for image files or other files.


Modifications:
  ADDREF BID:5422
  ADDREF XF:mcms-resource-sql-injection(9785)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0719 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:5422
   URL:http://www.securityfocus.com/bid/5422
   XF:mcms-resource-sql-injection(9785)
   URL:http://www.iss.net/security_center/static/9785.php


======================================================
Candidate: CAN-2002-0720
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0720
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: MS:MS02-042
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-042.asp
Reference: XF:win2k-ncm-gain-privileges(9856)
Reference: URL:http://www.iss.net/security_center/static/9856.php
Reference: BID:5480
Reference: URL:http://www.securityfocus.com/bid/5480

A handler routine for the Network Connection Manager (NCM) in Windows
2000 allows local users to gain privileges via a complex attack that
causes the handler to run in the LocalSystem context with
user-specified code.


Modifications:
  ADDREF XF:win2k-ncm-gain-privileges(9856)
  ADDREF BID:5480
  DESC add OS

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0720 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:win2k-ncm-gain-privileges(9856)
   URL:http://www.iss.net/security_center/static/9856.php
   BID:5480
   URL:http://www.securityfocus.com/bid/5480


======================================================
Candidate: CAN-2002-0722
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0722
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: BUGTRAQ:20020828 Origin of downloaded files can be spoofed in MSIE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103054692223380&w=2
Reference: MS:MS02-047
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
Reference: XF:ie-file-origin-spoofing(9937)
Reference: URL:http://www.iss.net/security_center/static/9937.php
Reference: BID:5559
Reference: URL:http://www.securityfocus.com/bid/5559

Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers
to misrepresent the source of a file in the File Download dialogue box
to trick users into thinking that the file type is safe to download,
aka "File Origin Spoofing."


Modifications:
  ADDREF XF:ie-file-origin-spoofing(9937)
  ADDREF BID:5559

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0722 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:ie-file-origin-spoofing(9937)
   URL:http://www.iss.net/security_center/static/9937.php
   BID:5559
   URL:http://www.securityfocus.com/bid/5559


======================================================
Candidate: CAN-2002-0726
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0726
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: ATSTAKE:A082802-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a082802-1.txt
Reference: MS:MS02-046
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-046.asp
Reference: XF:ms-tsac-activex-bo(9934)
Reference: URL:http://www.iss.net/security_center/static/9934.php
Reference: BID:5554
Reference: URL:http://www.securityfocus.com/bid/5554

Buffer overflow in Microsoft Terminal Services Advanced Client (TSAC)
ActiveX control allows remote attackers to execute arbitrary code via
a long server name field.


Modifications:
  ADDREF XF:ms-tsac-activex-bo(9934)
  ADDREF BID:5554

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0726 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:ms-tsac-activex-bo(9934)
   URL:http://www.iss.net/security_center/static/9934.php
   BID:5554
   URL:http://www.securityfocus.com/bid/5554


======================================================
Candidate: CAN-2002-0727
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0727
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020722
Category: SF
Reference: MS:MS02-044
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-044.asp
Reference: BUGTRAQ:20020408 Scripting for the scriptless with OWC in IE (GM#005-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101829645415486&w=2
Reference: XF:owc-spreadsheet-host-script-execution (8777)
Reference: URL:http://www.iss.net/security_center/static/8777.php
Reference: BID:4449
Reference: URL:http://online.securityfocus.com/bid/4449

The Host function in Microsoft Office Web Components (OWC) 2000 and
2002 is exposed in components that are marked as safe for scripting,
which allows remote attackers to execute arbitrary commands via the
setTimeout method.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0727 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0733
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0733
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: VULNWATCH:20020417 Smalls holes on 5 products #1
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html
Reference: CONFIRM:http://www.acme.com/software/thttpd/#releasenotes
Reference: MISC:http://www.ifrance.com/kitetoua/tuto/5holes1.txt
Reference: XF:thttpd-error-page-css(9029)
Reference: URL:http://www.iss.net/security_center/static/9029.php
Reference: BID:4601
Reference: URL:http://www.securityfocus.com/bid/4601

Cross-site scripting vulnerability in thttpd 2.20 and earlier allows
remote attackers to execute arbitrary script via a URL to a
nonexistent page, which causes thttpd to insert the script into a 404
error message.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the release notes for 2.21, the vendor states
"Fixed cross-site scripting bug relating to the built-in error pages."

INFERRED ACTION: CAN-2002-0733 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0734
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0734
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020506 b2 php remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0027.html
Reference: CONFIRM:http://cafelog.com/
Reference: BID:4673
Reference: URL:http://www.securityfocus.com/bid/4673
Reference: XF:b2-b2inc-command-execution(9013)
Reference: URL:http://www.iss.net/security_center/static/9013.php

b2edit.showposts.php in B2 2.0.6pre2 and earlier does not properly
load the b2config.php file in some configurations, which allows remote
attackers to execute arbitrary PHP code via a URL that sets the $b2inc
variable to point to a malicious program stored on a remote server.


Modifications:
  DESC remove "Trojan horse" terminology

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: On the vendor's home page, an item dated "04.05.02"
(May 4, 2002) states "Someone recently told me about a security hole
in b2... The fix for the security hole is very simple: create a file
named b2config.php and upload it in your b2-include folder." While
this in itself doesn't include enough details to be certain that the
vendor is fixing *this* problem, it would fix the problem, and later
comments on the vendor's page would line up with the date of public
announcement of this problem.

INFERRED ACTION: CAN-2002-0734 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0736
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0736
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020416 Back Office Web Administrator Authentication Bypass (#NISR17042002A)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0208.html
Reference: MSKB:Q316838
Reference: URL:http://support.microsoft.com/support/kb/articles/q316/8/38.asp
Reference: BID:4528
Reference: URL:http://www.securityfocus.com/bid/4528
Reference: XF:backoffice-bypass-authentication(8862)
Reference: URL:http://www.iss.net/security_center/static/8862.php

Microsoft BackOffice 4.0 and 4.5, when configured to be accessible by
other systems, allows remote attackers to bypass authentication and
access the administrative ASP pages via an HTTP request with an
authorization type (auth_type) that is not blank.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0736 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0737
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0737
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020417 KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass
Reference: URL:http://online.securityfocus.com/archive/1/268121
Reference: VULNWATCH:20020417 [VulnWatch] KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0026.html
Reference: CONFIRM:http://www.sambar.com/security.htm
Reference: XF:sambar-script-source-disclosure(8876)
Reference: URL:http://www.iss.net/security_center/static/8876.php
Reference: BID:4533
Reference: URL:http://www.securityfocus.com/bid/4533

Sambar web server before 5.2 beta 1 allows remote attackers to obtain
source code of server-side scripts, or cause a denial of service
(resource exhaustion) via DOS devices, using a URL that ends with a
space and a null character.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: on the security page, last updated the day after the
initial disclosure, the vendor states that "All releases prior to the
5.2 beta 1 release are vulnerable to having the source code associated
with CGI scripts and JSP files exposed via an URL sequence."

INFERRED ACTION: CAN-2002-0737 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0738
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0738
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020418 MHonArc v2.5.2 Script Filtering Bypass Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0260.html
Reference: CONFIRM:http://www.mhonarc.org/MHonArc/CHANGES
Reference: DEBIAN:DSA-163
Reference: URL:http://www.debian.org/security/2002/dsa-163
Reference: XF:mhonarc-script-filtering-bypass(8894)
Reference: URL:http://www.iss.net/security_center/static/8894.php
Reference: BID:4546
Reference: URL:http://www.securityfocus.com/bid/4546

MHonArc 2.5.2 and earlier does not properly filter Javascript from
archived e-mail messages, which could allow remote attackers to
execute script in web clients by (1) splitting the SCRIPT tag into
smaller pieces, (2) including the script in a SRC argument to an IMG
tag, or (3) using "&={script}" syntax.


Modifications:
  ADDREF DEBIAN:DSA-163

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the changelog for 2002/04/18 (version 2.5.3), the
vendor states "Beefed up HTML filtering in mhtxthtml.pl to eliminate
some security exploits" and credits the Bugtraq researchers.

INFERRED ACTION: CAN-2002-0738 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> DEBIAN:DSA-163


======================================================
Candidate: CAN-2002-0741
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0741
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 PsyBNC Remote Dos POC
Reference: URL:http://online.securityfocus.com/archive/1/269131
Reference: BUGTRAQ:20020422 Re: psyBNC 2.3 DoS / Bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0322.html
Reference: BID:4570
Reference: URL:http://www.securityfocus.com/bid/4570
Reference: XF:psybnc-long-password-dos(8912)
Reference: URL:http://www.iss.net/security_center/static/8912.php

psyBNC 2.3 allows remote attackers to cause a denial of service (CPU
consumption and resource exhaustion) by sending a PASS command with a
long password argument and quickly killing the connection, which is
not properly terminated by psyBNC.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0741 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Cox, Wall, Foat, Armstrong


======================================================
Candidate: CAN-2002-0748
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0748
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020423 LabVIEW Web Server DoS Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0323.html
Reference: CONFIRM:http://digital.ni.com/public.nsf/websearch/4C3F86E655E5389886256BA00064B22F?OpenDocument
Reference: XF:labview-http-get-dos(8919)
Reference: URL:http://www.iss.net/security_center/static/8919.php
Reference: BID:4577
Reference: URL:http://www.securityfocus.com/bid/4577

LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause
a denial of service (crash) via an HTTP GET request that ends in two
newline characters, instead of the expected carriage return/newline
combinations.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0748 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0754
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0754
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:07
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:07.k5su.asc
Reference: BID:3919
Reference: URL:http://www.securityfocus.com/bid/3919
Reference: XF:kerberos5-k5su-elevate-privileges(7956)
Reference: URL:http://www.iss.net/security_center/static/7956.php

Kerberos 5 su (k5su) in FreeBSD 4.4 and earlier relies on the getlogin
system call to determine if the user running k5su is root, which could
allow a root-initiated process to regain its privileges after it has
dropped them.


Modifications:
  DESC clarify

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0754 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> need to rewrite desc to make a little more clear.


======================================================
Candidate: CAN-2002-0755
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0755
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:24
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:24.k5su.asc
Reference: BID:4777
Reference: URL:http://www.securityfocus.com/bid/4777
Reference: XF:freebsd-k5su-gain-privileges(9125)
Reference: URL:http://www.iss.net/security_center/static/9125.php

Kerberos 5 su (k5su) in FreeBSD 4.5 and earlier does not verify that a
user is a member of the wheel group before granting superuser
privileges, which could allow unauthorized users to execute commands
as root.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0755 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0758
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0758
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: SUSE:SuSE-SA:2002:016
Reference: URL:http://www.suse.de/de/support/security/2002_016_sysconfig_txt.html
Reference: BID:4695
Reference: URL:http://www.securityfocus.com/bid/4695
Reference: XF:suse-sysconfig-command-execution(9040)
Reference: URL:http://www.iss.net/security_center/static/9040.php

ifup-dhcp script in the sysconfig package for SuSE 8.0 allows remote
attackers to execute arbitrary commands via spoofed DHCP responses,
which are stored and executed in a file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0758 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0759
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0759
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:25
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc
Reference: CALDERA:CSSA-2002-039.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-039.0.txt
Reference: XF:bzip2-decompression-file-overwrite(9126)
Reference: URL:http://www.iss.net/security_center/static/9126.php
Reference: BID:4774
Reference: URL:http://www.securityfocus.com/bid/4774

bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and
3.1.1, and possibly other operating systems, does not use the O_EXCL
flag to create files during decompression and does not warn the user
if an existing file would be overwritten, which could allow attackers
to overwrite files via a bzip2 archive.


Modifications:
  ADDREF CALDERA:CSSA-2002-039.0
  DESC add OpenLinux to desc

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0759 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Cole, Armstrong
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-039.0


======================================================
Candidate: CAN-2002-0760
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0760
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:25
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc
Reference: CALDERA:CSSA-2002-039.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-039.0.txt
Reference: BID:4775
Reference: URL:http://www.securityfocus.com/bid/4775
Reference: XF:bzip2-decompression-race-condition(9127)
Reference: URL:http://www.iss.net/security_center/static/9127.php

Race condition in bzip2 before 1.0.2 in FreeBSD 4.5 and earlier,
OpenLinux 3.1 and 3.1.1, and possibly other operating systems,
decompresses files with world-readable permissions before setting the
permissions to what is specified in the bzip2 archive, which could
allow local users to read the files as they are being decompressed.


Modifications:
  DESC add OpenLinux
  ADDREF CALDERA:CSSA-2002-039.0

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0760 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Cole, Armstrong
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-039.0


======================================================
Candidate: CAN-2002-0761
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0761
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:25
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc
Reference: CALDERA:CSSA-2002-039.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-039.0.txt
Reference: XF:bzip2-compression-symlink(9128)
Reference: URL:http://www.iss.net/security_center/static/9128.php
Reference: BID:4776
Reference: URL:http://www.securityfocus.com/bid/4776

bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and
3.1.1, and possibly systems, uses the permissions of symbolic links
instead of the actual files when creating an archive, which could
cause the files to be extracted with less restrictive permissions than
intended.


Modifications:
  DESC add OpenLinux
  ADDREF CALDERA:CSSA-2002-039.0

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0761 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Cole, Armstrong
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-039.0


======================================================
Candidate: CAN-2002-0762
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0762
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: SUSE:SuSE-SA:2002:017
Reference: URL:http://www.suse.de/de/support/security/2002_17_shadow.html
Reference: XF:suse-shadow-filesize-limits(9102)
Reference: URL:http://www.iss.net/security_center/static/9102.php
Reference: BID:4757
Reference: URL:http://www.securityfocus.com/bid/4757

shadow package in SuSE 8.0 allows local users to destroy the
/etc/passwd and /etc/shadow files or assign extra group privileges to
some users by changing filesize limits before calling programs that
modify the files.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0762 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0765
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0765
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020527 OpenSSH 3.2.3 released (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0235.html
Reference: OPENBSD:20020522 004: SECURITY FIX: May 22, 2002
Reference: URL:http://www.openbsd.org/errata.html#sshbsdauth
Reference: BID:4803
Reference: URL:http://www.securityfocus.com/bid/4803
Reference: XF:bsd-sshd-authentication-error(9215)
Reference: URL:http://www.iss.net/security_center/static/9215.php

sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain
conditions, may allow users to successfully authenticate and log in
with another user's password.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0765 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0766
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: VULNWATCH:20020509 [VulnWatch] OpenBSD local DoS and root exploit
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0066.html
Reference: BUGTRAQ:20020509 OpenBSD local DoS and root exploit
Reference: URL:http://online.securityfocus.com/archive/1/271702
Reference: OPENBSD:20020508 003: SECURITY FIX: May 8, 2002
Reference: URL:http://www.openbsd.org/errata.html#fdalloc2
Reference: XF:openbsd-file-descriptor-dos(9048)
Reference: URL:http://www.iss.net/security_center/static/9048.php

OpenBSD 2.9 through 3.1 allows local users to cause a denial of
service (resource exhaustion) and gain root privileges by filling the
kernel's file descriptor table and closing file descriptors 0, 1, or 2
before executing a privileged process, which is not properly handled
when OpenBSD fails to open an alternate descriptor.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0766 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0768
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0768
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category:
Reference: SUSE:SuSE-SA:2002:018
Reference: URL:http://www.suse.com/de/support/security/2002_18_lukemftp.html
Reference: XF:lukemftp-pasv-bo(9130)
Reference: URL:http://www.iss.net/security_center/static/9130.php

Buffer overflow in lukemftp FTP client in SuSE 6.4 through 8.0, and
possibly other operating systems, allows a malicious FTP server to
execute arbitrary code via a long PASV command.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0768 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0776
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0776
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020713 Hosting Controller Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/282129
Reference: CONFIRM:http://hostingcontroller.com/english/logs/sp2log.html
Reference: XF:hosting-controller-password-modification(9554)
Reference: URL:http://www.iss.net/security_center/static/9554.php
Reference: BID:5229
Reference: URL:http://www.securityfocus.com/bid/5229

getuserdesc.asp in Hosting Controller 2002 allows remote attackers to
change the passwords of arbitrary users and gain privileges by
modifying the username parameter, as addressed by the "UpdateUser" hot
fix.


Modifications:
  ADDREF XF:hosting-controller-password-modification(9554)
  ADDREF BID:5229

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0776 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Balinsky, Cole
   MODIFY(1) Frech
   NOOP(4) Cox, Wall, Foat, Armstrong

Voter Comments:
 Frech> XF:hosting-controller-password-modification(9554)


======================================================
Candidate: CAN-2002-0777
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0777
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020520 Foundstone Advisory - Buffer Overflow in Ipswitch Imail 7.1 and prior (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0172.html
Reference: XF:imail-ldap-bo(9116)
Reference: URL:http://www.iss.net/security_center/static/9116.php
Reference: BID:4780
Reference: URL:http://www.securityfocus.com/bid/4780

Buffer overflow in the LDAP component of Ipswitch IMail 7.1 and
earlier allows remote attackers to execute arbitrary code via a long
"bind DN" parameter.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: the only apparent information by the vendor that MAY
be related to this issue is at
http://support.ipswitch.com/kb/IM-20020703-DM01.htm; there are two
comments related to overflows: "Removed a buffer overflow error in Web
Calendaring" and "ILDAP: Fixed a buffer overflow which could be used
for a DOS attack." While the latter phrase might be related to the
LDAP issue, it is in direct conflict with Foundstone's claim that the
problem is exploitable, which may indicate that this is not really the
same vulnerability. Inquiry posted to
http://www.ipswitch.com/cgi/askatech.pl?action=build on July 17, 2002.
Tracking number: T200207180016.  Vendor confirmed the issue via an
E-mail reply from evalhelp@ipswitch.com on July 18: "Yes, this has
been repaired...  The conclusive evidence is in the knowledge base
article."

INFERRED ACTION: CAN-2002-0777 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0778
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0778
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: CF
Reference: CISCO:20020528 Transparent Cache Engine and Content Engine TCP Relay Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/transparentcache-tcp-relay-vuln-pub.shtml
Reference: XF:cisco-cache-content-tcp-forward(9082)
Reference: URL:http://www.iss.net/security_center/static/9082.php
Reference: BID:4751
Reference: URL:http://www.securityfocus.com/bid/4751

The default configuration of the proxy for Cisco Cache Engine and
Content Engine allows remote attackers to use HTTPS to make TCP
connections to allowed IP addresses while hiding the actual source IP.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0778 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Cole, Armstrong
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0785
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0785
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020508 Hole in AOL Instant Messenger
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0086.html
Reference: XF:aim-addbuddy-bo(9058)
Reference: URL:http://www.iss.net/security_center/static/9058.php
Reference: BID:4709
Reference: URL:http://www.securityfocus.com/bid/4709

AOL Instant Messenger (AIM) allows remote attackers to cause a denial
of service (crash) via an "AddBuddy" link with the ScreenName
parameter set to a large number of comma-separated values, possibly
triggering a buffer overflow.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-0785 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0788
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0788
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020508 NTFS and PGP interact to expose EFS encrypted data
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0052.html
Reference: CONFIRM:http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1/hotfix/ReadMe.txt
Reference: XF:pgp-ntfs-reveal-data(9044)
Reference: URL:http://www.iss.net/security_center/static/9044.php
Reference: BID:4702
Reference: URL:http://www.securityfocus.com/bid/4702

An interaction between PGP 7.0.3 with the "wipe deleted files" option,
when used on Windows Encrypted File System (EFS), creates a cleartext
temporary files that cannot be wiped or deleted due to strong
permissions, which could allow certain local users or attackers with
physical access to obtain cleartext information.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: In the release notes for the hotfix, the vendor
states "There is a conflict between Microsoft's Encrypted File System
(EFS) on Windows 2000 and PGP's file wiping feature. When you encrypt
a file using EFS, Windows 2000 creates a temporary file that contains
the cleartext of the encrypted file."

INFERRED ACTION: CAN-2002-0788 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0789
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0789
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020511 Bug in mnogosearch-3.1.19
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0092.html
Reference: CONFIRM:http://www.mnogosearch.org/Download/mnogosearch-3.1.20.tar.gz
Reference: MISC:http://www.mnogosearch.org/history.html#log31
Reference: BID:4724
Reference: URL:http://www.securityfocus.com/bid/4724
Reference: XF:mnogosearch-search-cgi-bo(9060)
Reference: URL:http://www.iss.net/security_center/static/9060.php

Buffer overflow in search.cgi in mnoGoSearch 3.1.19 and earlier allows
remote attackers to execute arbitrary code via a long query (q)
parameter.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: a vague comment in the product history page includes
an item for version 3.1.20 dated "27 Jun 2002," which states "Security
bug has been fixed." This is not sufficient proof that the vendor has
fixed *this* issue. HOWEVER, the ChangeLog in the source code for
3.1.20 includes an item dated 27 Jun 2002, which says "A security bug
(trap on too long queries) fixed," which *does* qualify as sufficient
proof.

INFERRED ACTION: CAN-2002-0789 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0790
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0790
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: AIXAPAR:IY24556
Reference: URL:http://techsupport.services.ibm.com/server/aix.uhuic_getrec?args=DVsteamboat.boulder.ibm.com+DBAIX2+DA6854+STIY24556+USbin

clchkspuser and clpasswdremote in AIX expose an encrypted password in
the cspoc.log file, which could allow local users to gain privileges.

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0790 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Cox, Wall, Foat, Armstrong


======================================================
Candidate: CAN-2002-0794
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0794
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:26
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2002-05/0349.html
Reference: BID:4879
Reference: URL:http://www.securityfocus.com/bid/4879
Reference: XF:freebsd-accept-filter-dos(9209)
Reference: URL:http://www.iss.net/security_center/static/9209.php

The accept_filter mechanism in FreeBSD 4 through 4.5 does not properly
remove entries from the incomplete listen queue when adding a
syncache, which allows remote attackers to cause a denial of service
(network service availability) via a large number of connection
attempts, which fills the queue.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0794 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0795
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0795
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:27
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:27.rc.asc
Reference: XF:freebsd-rc-delete-directories(9217)
Reference: URL:http://www.iss.net/security_center/static/9217.php
Reference: BID:4880
Reference: URL:http://www.securityfocus.com/bid/4880

The rc system startup script for FreeBSD 4 through 4.5 allows local
users to delete arbitrary files via a symlink attack on X Windows lock
files.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0795 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0801
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0801
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: VULNWATCH:20020529 [VulnWatch] FW: Macromedia JRUN Buffer overflow vulnerability (#NISR29052002)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0085.html
Reference: BUGTRAQ:20020529 Addendum to advisory #NISR29052002 (JRun buffer overflow)
Reference: URL:http://online.securityfocus.com/archive/1/274601
Reference: BUGTRAQ:20020529 Macromedia JRUN Buffer overflow vulnerability (#NISR29052002)
Reference: URL:http://online.securityfocus.com/archive/1/274528
Reference: CERT-VN:VU#703835
Reference: URL:http://www.kb.cert.org/vuls/id/703835
Reference: CERT:CA-2002-14
Reference: URL:http://www.cert.org/advisories/CA-2002-14.html
Reference: XF:jrun-isapi-host-bo(9194)
Reference: URL:http://www.iss.net/security_center/static/9194.php
Reference: BID:4873
Reference: URL:http://www.securityfocus.com/bid/4873

Buffer overflow in the ISAPI DLL filter for Macromedia JRun 3.1 allows
remote attackers to execute arbitrary code via a direct request to the
filter with a long HTTP host header field in a URL for a .jsp file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0801 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0802
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0802
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: MISC:http://marc.theaimsgroup.com/?l=postgresql-general&m=102032794322362
Reference: REDHAT:RHSA-2002:149
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-149.html
Reference: XF:postgresql-sqlascii-sql-injection(10328)
Reference: URL:http://www.iss.net/security_center/static/10328.php

The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding
consumes an extra character when processing a character that cannot be
converted, which could remove an escape character from the query and
make the application subject to SQL injection attacks.


Modifications:
  ADDREF REDHAT:RHSA-2002:149
  ADDREF XF:postgresql-sqlascii-sql-injection(10328)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0802 ACCEPT (7 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Alderson, Baker, Jones
   MODIFY(2) Frech, Cox
   NOOP(1) Foat

Voter Comments:
 Cox> ADDREF:REDHAT:RHSA-2002:149
 Frech> XF:postgresql-sqlascii-sql-injection(10328)


======================================================
Candidate: CAN-2002-0804
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0804
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 Prior To 2.14.2, 2.16 Prior To 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=129466
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-reversedns-hostname-spoof(9301)
Reference: URL:http://www.iss.net/security_center/static/9301.php

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured
to perform reverse DNS lookups, allows remote attackers to bypass IP
restrictions by connecting from a system with a spoofed reverse DNS
hostname.


Modifications:
  ADDREF XF:bugzilla-reversedns-hostname-spoof(9301)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0804 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:bugzilla-reversedns-hostname-spoof(9301)


======================================================
Candidate: CAN-2002-0805
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0805
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=134575
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-world-writable-dir(9302)
Reference: URL:http://www.iss.net/security_center/static/9302.php

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, (1) creates new
directories with world-writable permissions, and (2) creates the
params file with world-writable permissions, which allows local users
to modify the files and execute code.


Modifications:
  ADDREF XF:bugzilla-world-writable-dir(9302)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0805 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:bugzilla-world-writable-dir(9302)


======================================================
Candidate: CAN-2002-0806
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0806
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=141557
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-edituser-user-delete(9303)
Reference: URL:http://www.iss.net/security_center/static/9303.php

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows
authenticated users with editing privileges to delete other users by
directly calling the editusers.cgi script with the "del" option.


Modifications:
  ADDREF XF:bugzilla-edituser-user-delete(9303)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0806 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:bugzilla-edituser-user-delete(9303)


======================================================
Candidate: CAN-2002-0808
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0808
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=107718
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-masschange-change-groupset(9305)
Reference: URL:http://www.iss.net/security_center/static/9305.php

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when performing
a mass change, sets the groupset of all bugs to the groupset of the
first bug, which could inadvertently cause insecure groupset
permissions to be assigned to some bugs.


Modifications:
  ADDREF XF:bugzilla-masschange-change-groupset(9305)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0808 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:bugzilla-masschange-change-groupset(9305)


======================================================
Candidate: CAN-2002-0809
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0809
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=148674
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-group-permissions-removal(10141)
Reference: URL:http://www.iss.net/security_center/static/10141.php

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, does not
properly handle URL-encoded field names that are generated by some
browsers, which could cause certain fields to appear to be unset,
which has the effect of removing group permissions on bugs when
buglist.cgi is provided with the encoded field names.


Modifications:
  ADDREF XF:bugzilla-group-permissions-removal(10141)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0809 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF: bugzilla-group-permissions-removal(10141)


======================================================
Candidate: CAN-2002-0810
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0810
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020729
Category: SF
Reference: BUGTRAQ:20020608 [BUGZILLA] Security Advisory For Versions of Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=92263
Reference: REDHAT:RHSA-2002:109
Reference: BID:4964
Reference: URL:http://online.securityfocus.com/bid/4964
Reference: XF:bugzilla-shadow-database-information(9306)
Reference: URL:http://www.iss.net/security_center/static/9306.php

Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, directs error
messages from the syncshadowdb command to the HTML output, which could
leak sensitive information, including plaintext passwords, if
syncshadowdb fails.


Modifications:
  ADDREF XF:bugzilla-shadow-database-information(9306)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0810 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:bugzilla-shadow-database-information(9306)


======================================================
Candidate: CAN-2002-0813
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0813
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020730
Category: SF
Reference: BUGTRAQ:20020727 Phenoelit Advisory, 0815 ++ * - Cisco_tftp
Reference: URL:http://online.securityfocus.com/archive/1/284634
Reference: CISCO:20020730 TFTP Long Filename Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/ios-tftp-long-filename-pub.shtml
Reference: BUGTRAQ:20020822 Cisco IOS exploit PoC
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103002169829669&w=2
Reference: XF:cisco-tftp-filename-bo(9700)
Reference: URL:http://www.iss.net/security_center/static/9700.php
Reference: BID:5328
Reference: URL:http://www.securityfocus.com/bid/5328

Heap-based buffer overflow in the TFTP server capability in Cisco IOS
11.1, 11.2, and 11.3 allows remote attackers to cause a denial of
service (reset) or modify configuration via a long filename.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0813 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0814
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0814
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020730
Category: SF
Reference: BUGTRAQ:20020724 VMware GSX Server Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102752511030425&w=2
Reference: BUGTRAQ:20020726 Re: VMware GSX Server Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102765223418716&w=2
Reference: NTBUGTRAQ:20020805 VMware GSX Server 2.0.1 Release and Security Alert
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0057.html
Reference: CONFIRM:http://www.vmware.com/download/gsx_security.html
Reference: XF:vmware-gsx-auth-bo(9663)
Reference: URL:http://www.iss.net/security_center/static/9663.php
Reference: BID:5294
Reference: URL:http://www.securityfocus.com/bid/5294

Buffer overflow in VMware Authorization Service for VMware GSX Server
2.0.0 build-2050 allows remote authenticated users to execute
arbitrary code via a long GLOBAL argument.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0814 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Foat
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0816
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0816
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020731
Category: SF
Reference: BUGTRAQ:20020719 tru64 proof of concept /bin/su non-exec bypass
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102709593117171&w=2
Reference: COMPAQ:SSRT2257
Reference: URL:http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html
Reference: BID:5272
Reference: URL:http://online.securityfocus.com/bid/5272
Reference: XF:tru64-su-bo(9640)
Reference: URL:http://www.iss.net/security_center/static/9640.php

Buffer overflow in su in Tru64 Unix 5.x allows local users to gain
root privileges via a long username and argument.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0816 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0817
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0817
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020801
Category: SF
Reference: BUGTRAQ:20020731 The SUPER Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102812622416695&w=2
Reference: VULNWATCH:20020730 The SUPER Bug
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0045.html
Reference: DEBIAN:DSA-139
Reference: URL:http://www.debian.org/security/2002/dsa-139
Reference: XF:super-syslog-format-string(9741)
Reference: URL:http://www.iss.net/security_center/static/9741.php
Reference: BID:5367
Reference: URL:http://www.securityfocus.com/bid/5367

Format string vulnerability in super for Linux allows local users to
gain root privileges via a long command line argument.


Modifications:
  ADDREF VULNWATCH:20020730 [VulnWatch] The SUPER Bug
  ADDREF XF:super-syslog-format-string(9741)
  ADDREF BID:5367

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0817 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:super-syslog-format-string(9741)
   URL:http://www.iss.net/security_center/static/9741.php
   VULNWATCH:20020730 [VulnWatch] The SUPER Bug
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0045.html
   BID:5367
   URL:http://www.securityfocus.com/bid/5367


======================================================
Candidate: CAN-2002-0818
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0818
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020801
Category: SF
Reference: BUGTRAQ:20020718 wwwoffle-2.7b and prior segfaults with negative Content-Length value
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0194.html
Reference: SUSE:SuSE-SA:2002:029
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821890317683&w=2
Reference: DEBIAN:DSA-144
Reference: URL:http://www.debian.org/security/2002/dsa-144
Reference: CALDERA:CSSA-2002-048.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-048.0.txt
Reference: XF:wwwoffle-neg-length-bo(9619)
Reference: URL:http://www.iss.net/security_center/static/9619.php
Reference: BID:5260
Reference: URL:http://www.securityfocus.com/bid/5260

wwwoffled in World Wide Web Offline Explorer (WWWOFFLE) allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a negative Content-Length value.


Modifications:
  ADDREF CALDERA:CSSA-2002-048.0

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0818 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> CALDERA:CSSA-2002-048.0


======================================================
Candidate: CAN-2002-0823
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0823
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020802
Category: SF
Reference: BUGTRAQ:20020801 Winhelp32 Remote Buffer Overrun
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102822806329440&w=2
Reference: NTBUGTRAQ:20020801 Winhlp32.exe Remote BufferOverrun
Reference: MSKB:Q293338
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;en-us;q293338
Reference: XF:htmlhelp-item-bo(9746)
Reference: URL:http://www.iss.net/security_center/static/9746.php
Reference: BID:4857
Reference: URL:http://www.securityfocus.com/bid/4857

Buffer overflow in Winhlp32.exe allows remote attackers to execute
arbitrary code via an HTML document that calls the HTML Help ActiveX
control (HHCtrl.ocx) with a long pathname in the Item parameter.


Modifications:
  ADDREF XF:htmlhelp-item-bo(9746)
  ADDREF BID:4857

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0823 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:htmlhelp-item-bo(9746)
   URL:http://www.iss.net/security_center/static/9746.php
   BID:4857
   URL:http://www.securityfocus.com/bid/4857
   MSKB:Q293338
   URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q293338


======================================================
Candidate: CAN-2002-0824
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0824
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020803
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:32.pppd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102812546815606&w=2
Reference: NETBSD:NetBSD-SA2002-010
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc
Reference: OPENBSD:20020729 011: SECURITY FIX: July 29, 2002
Reference: URL:http://www.openbsd.org/errata31.html
Reference: XF:pppd-race-condition(9738)
Reference: URL:http://www.iss.net/security_center/static/9738.php
Reference: BID:5355
Reference: URL:http://www.securityfocus.com/bid/5355

BSD pppd allows local users to change the permissions of arbitrary
files via a symlink attack on a file that is specified as a tty
device.


Modifications:
  DESC Add "BSD"
  ADDREF XF:pppd-race-condition(9738)
  ADDREF BID:5355
  ADDREF OPENBSD:20020729 011: SECURITY FIX: July 29, 2002

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0824 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   MODIFY(1) Cox
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Cox> change to "BSD pppd"
 Christey> XF:pppd-race-condition(9738)
   URL:http://www.iss.net/security_center/static/9738.php
   BID:5355
   URL:http://www.securityfocus.com/bid/5355


======================================================
Candidate: CAN-2002-0826
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0826
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020806
Category: SF
Reference: ATSTAKE:A080802-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a080802-1.txt
Reference: CONFIRM:http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html
Reference: XF:wsftp-site-cpwd-bo(9794)
Reference: URL:http://www.iss.net/security_center/static/9794.php
Reference: BID:5427
Reference: URL:http://www.securityfocus.com/bid/5427

Buffer overflow in WS_FTP FTP Server 3.1.1 allows remote authenticated
users to execute arbitrary code via a long SITE CPWD command.


Modifications:
  ADDREF XF:wsftp-site-cpwd-bo(9794)
  ADDREF BID:5427

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor's patches/upgrades page includes an item
for 3.1.2 that "corrects a security issue relating to the processing
of the SITE CPWD command...  Fixed buffer overrun in CPWD command"

INFERRED ACTION: CAN-2002-0826 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Christey> XF:wsftp-site-cpwd-bo(9794)
   URL:http://www.iss.net/security_center/static/9794.php
   BID:5427
   URL:http://www.securityfocus.com/bid/5427


======================================================
Candidate: CAN-2002-0829
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0829
Final-Decision:
Interim-Decision: 20030326
Modified: 20030324-01
Proposed: 20020830
Assigned: 20020806
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:35.ffs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102865404413458&w=2
Reference: XF:freebsd-ffs-integer-overflow(9771)
Reference: URL:http://www.iss.net/security_center/static/9771.php
Reference: BID:5399
Reference: URL:http://www.securityfocus.com/bid/5399

Integer overflow in the Berkeley Fast File System (FFS) in FreeBSD
4.6.1 RELEASE-p4 and earlier allows local users to access arbitrary
file contents within FFS to gain privileges by creating a file that is
larger than allowed by the virtual memory system.


Modifications:
  ADDREF XF:freebsd-ffs-integer-overflow(9771)
  ADDREF BID:5399

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0829 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:freebsd-ffs-integer-overflow(9771)
   URL:http://www.iss.net/security_center/static/9771.php
   BID:5399
   URL:http://www.securityfocus.com/bid/5399


======================================================
Candidate: CAN-2002-0830
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0830
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020806
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:36.nfs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102865517214722&w=2
Reference: CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
Reference: NETBSD:NetBSD-SA2002-013
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-013.txt.asc

Network File System (NFS) in FreeBSD 4.6.1 RELEASE-p7 and earlier,
NetBSD 1.5.3 and earlier, and possibly other operating systems, allows
remote attackers to cause a denial of service (hang) via an RPC
message with a zero length payload, which causes NFS to reference a
previous payload and enter an infinite loop.


Modifications:
  ADDREF CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
  ADDREF NETBSD:NetBSD-SA2002-013
  DESC include other OSes

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: Apple acknowledges this in its security update dated
2002-11-21 (a direct reference could not be found).

INFERRED ACTION: CAN-2002-0830 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
   (Apple says "This is FreeBSD-SA-02:36.nfs")
 Christey> NETBSD:NetBSD-SA2002-013
   URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-013.txt.asc


======================================================
Candidate: CAN-2002-0831
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0831
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020806
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:37.kqueue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102865142610126&w=2
Reference: XF:freebsd-kqueue-dos(9774)
Reference: URL:http://www.iss.net/security_center/static/9774.php
Reference: BID:5405
Reference: URL:http://www.securityfocus.com/bid/5405

The kqueue mechanism in FreeBSD 4.3 through 4.6 STABLE allows local
users to cause a denial of service (kernel panic) via a pipe call in
which one end is terminated and an EVFILT_WRITE filter is registered
for the other end.


Modifications:
  ADDREF XF:freebsd-kqueue-dos(9774)
  ADDREF BID:5405

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0831 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:freebsd-kqueue-dos(9774)
   URL:http://www.iss.net/security_center/static/9774.php
   BID:5405
   URL:http://www.securityfocus.com/bid/5405


======================================================
Candidate: CAN-2002-0845
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0845
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: BUGTRAQ:20020808 EEYE: Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102890933623192&w=2
Reference: CONFIRM:http://www.sun.com/service/support/software/iplanet/alerts/transferencodingalert-23july2002.html
Reference: XF:iplanet-chunked-encoding-bo(9799)
Reference: URL:http://www.iss.net/security_center/static/9799.php
Reference: BID:5433
Reference: URL:http://www.securityfocus.com/bid/5433

Buffer overflow in Sun ONE / iPlanet Web Server 4.1 and 6.0 allows
remote attackers to execute arbitrary code via an HTTP request using
chunked transfer encoding.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0845 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Wall, Foat
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0846
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0846
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: BUGTRAQ:20020808 EEYE: Macromedia Shockwave Flash Malformed Header Overflow
Reference: BUGTRAQ:20020830 RE:  Macromedia Shockwave Flash Malformed Header Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103072708329280&w=2
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=23293
Reference: XF:flash-swf-header-bo(9798)
Reference: URL:http://www.iss.net/security_center/static/9798.php
Reference: BID:5430
Reference: URL:http://www.securityfocus.com/bid/5430

The decoder for Macromedia Shockwave Flash allows remote attackers to
execute arbitrary code via a malformed SWF header that contains more
data than the specified length.


Modifications:
  ADDREF BUGTRAQ:20020830 RE:  Macromedia Shockwave Flash Malformed Header Overflow
  ADDREF XF:flash-swf-header-bo(9798)
  ADDREF BID:5430

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0846 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Wall
   NOOP(2) Christey, Foat

Voter Comments:
 Christey> BUGTRAQ:20020830 RE:  Macromedia Shockwave Flash Malformed Header Overflow
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103072708329280&w=2
 Christey> XF:flash-swf-header-bo(9798)
   URL:http://www.iss.net/security_center/static/9798.php
   BID:5430
   URL:http://www.securityfocus.com/bid/5430


======================================================
Candidate: CAN-2002-0847
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0847
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: DEBIAN:DSA-145
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102874450402924&w=2
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=88790
Reference: XF:tinyproxy-memory-corruption(9079)
Reference: URL:http://www.iss.net/security_center/static/9079.php
Reference: BID:4731
Reference: URL:http://www.securityfocus.com/bid/4731

tinyproxy HTTP proxy 1.5.0, 1.4.3, and earlier allows remote attackers
to execute arbitrary code via memory that is freed twice
(double-free).

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: the vendor's changelog for 1.5.0 states: "Fixed a
bunch of memory leaks, and situations where memory was being freed
twice (a potential security problem.)"

INFERRED ACTION: CAN-2002-0847 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0848
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0848
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: CISCO:20020807 Cisco VPN 5000 Series Concentrator RADIUS PAP Authentication Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/vpn5k-radius-pap-vuln-pub.shtml
Reference: XF:cisco-vpn5000-plaintext-password(9781)
Reference: URL:http://www.iss.net/security_center/static/9781.php
Reference: BID:5417
Reference: URL:http://www.securityfocus.com/bid/5417

Cisco VPN 5000 series concentrator hardware 6.0.21.0002 and earlier,
and 5.2.23.0003 and earlier, when using RADIUS with a challenge type
of Password Authentication Protocol (PAP) or Challenge, sends the user
password in cleartext in a validation retry request, which could allow
remote attackers to steal passwords via sniffing.


Modifications:
  ADDREF XF:cisco-vpn5000-plaintext-password(9781)
  ADDREF BID:5417

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0848 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Wall, Foat
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:cisco-vpn5000-plaintext-password(9781)
   URL:http://www.iss.net/security_center/static/9781.php
   BID:5417
   URL:http://www.securityfocus.com/bid/5417


======================================================
Candidate: CAN-2002-0851
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0851
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020810
Category: SF
Reference: VULNWATCH:20020809 Local Root Exploit
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0068.html
Reference: SUSE:SuSE-SA:2002:030
Reference: XF:isdn4linux-ipppd-format-string(9811)
Reference: URL:http://www.iss.net/security_center/static/9811.php
Reference: BID:5437
Reference: URL:http://www.securityfocus.com/bid/5437

Format string vulnerability in ISDN Point to Point Protocol (PPP)
daemon (ipppd) in the ISDN4Linux (i4l) package allows local users to
gain root privileges via format strings in the device name command
line argument, which is not properly handled in a call to syslog.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0851 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0853
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0853
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020812
Category: SF
Reference: CISCO:20020812 Cisco VPN Client Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpnclient-multiple-vuln-pub.shtml
Reference: CERT-VN:VU#287771
Reference: URL:http://www.kb.cert.org/vuls/id/287771
Reference: XF:cisco-vpn-zerolength-dos(9821)
Reference: URL:http://www.iss.net/security_center/static/9821.php
Reference: BID:5440
Reference: URL:http://www.securityfocus.com/bid/5440

Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows
remote attackers to cause a denial of service (CPU consumption) via a
packet with a zero-length payload.


Modifications:
  ADDREF CERT-VN:VU#287771
  ADDREF XF:cisco-vpn-zerolength-dos(9821)
  ADDREF BID:5440

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0853 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Wall, Foat
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CERT-VN:VU#287771
   URL:http://www.kb.cert.org/vuls/id/287771
   XF:cisco-vpn-zerolength-dos(9821)
   URL:http://www.iss.net/security_center/static/9821.php
   BID:5440
   URL:http://www.securityfocus.com/bid/5440


======================================================
Candidate: CAN-2002-0856
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0856
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020813
Category: SF
Reference: ISS:20020813 Remote Denial of Service Vulnerability in Oracle9i SQL*NET
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20941
Reference: VULNWATCH:20020813 ISS Security Brief: Remote Denial of Service Vulnerability in Oracle9i SQL*NET
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0072.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/2002alert38rev1.pdf
Reference: XF:oracle-listener-debug-dos(9237)
Reference: URL:http://www.iss.net/security_center/static/9237.php
Reference: BID:5457
Reference: URL:http://www.securityfocus.com/bid/5457

SQL*NET listener for Oracle Net Oracle9i 9.0.x and 9.2 allows remote
attackers to cause a denial of service (crash) via certain debug
requests that are not properly handled by the debugging feature.


Modifications:
  ADDREF BID:5457
  ADDREF VULNWATCH:20020813 ISS Security Brief: Remote Denial of Service Vulnerability in Oracle9i SQL*NET

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0856 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Armstrong, Baker
   NOOP(5) Cole, Christey, Cox, Wall, Foat

Voter Comments:
 Christey> BID:5457
   URL:http://www.securityfocus.com/bid/5457
   VULNWATCH:20020813 ISS Security Brief: Remote Denial of Service Vulnerability in Oracle9i SQL*NET
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0072.html


======================================================
Candidate: CAN-2002-0859
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0859
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020815
Category: SF
Reference: BUGTRAQ:20020619 Microsoft SQL Server 2000 OpenDataSource Buffer Overflow (#NISR19062002)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102450188620081&w=2
Reference: MISC:http://www.nextgenss.com/advisories/mssql-ods.txt
Reference: XF:mssql-jet-ods-bo(9375)
Reference: URL:http://www.iss.net/security_center/static/9375.php
Reference: BID:5057
Reference: URL:http://www.securityfocus.com/bid/5057
Reference: MSKB:Q282010
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q282010

Buffer overflow in the OpenDataSource function of the Jet engine on
Microsoft SQL Server 2000 allows remote attackers to execute arbitrary
code.


Modifications:
  ADDREF XF:mssql-jet-ods-bo(9375)
  ADDREF MSKB:Q282010
  ADDREF BID:5057
  ADDREF MISC:http://www.nextgenss.com/advisories/mssql-ods.txt

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: the KB article referenced by NGSSoftware does not
explicitly acknowledge the issue; however, Microsoft did acknowledge
the issue via an email inquiry.

INFERRED ACTION: CAN-2002-0859 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Wall
   MODIFY(1) Frech
   NOOP(2) Cox, Foat

Voter Comments:
 Frech> XF:mssql-jet-ods-bo(9375)


======================================================
Candidate: CAN-2002-0860
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0860
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020815
Category: SF
Reference: MS:MS02-044
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-044.asp
Reference: BUGTRAQ:20020408 Reading local files with OWC in IE (GM#006-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101829911018463&w=2
Reference: XF:owc-spreadsheet-loadtext-read-files (8778)
Reference: URL:http://www.iss.net/security_center/static/8778.php
Reference: BID:4453
Reference: URL:http://online.securityfocus.com/bid/4453

The LoadText method in the spreadsheet component in Microsoft Office
Web Components (OWC) 2000 and 2002 allows remote attackers to read
arbitrary files through Internet Explorer via a URL that redirects to
the target file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0860 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0871
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0871
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: DEBIAN:DSA-151
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102927065426172&w=2
Reference: MANDRAKE:MDKSA-2002:053
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-053.php
Reference: REDHAT:RHSA-2002:196
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-196.html
Reference: BUGTRAQ:20020814 GLSA: xinetd
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102935383506155&w=2
Reference: XF:xinetd-signal-leak-dos(9844)
Reference: URL:http://www.iss.net/security_center/static/9844.php
Reference: BID:5458
Reference: URL:http://www.securityfocus.com/bid/5458

xinetd 2.3.4 leaks file descriptors for the signal pipe to services
that are launched by xinetd, which could allow those services to cause
a denial of service via the pipe.


Modifications:
  DESC fix typo
  ADDREF MANDRAKE:MDKSA-2002:053
  ADDREF XF:xinetd-signal-leak-dos(9844)
  ADDREF BID:5458
  ADDREF REDHAT:RHSA-2002:196

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0871 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Foat
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:053
   URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-053.php
   XF:xinetd-signal-leak-dos(9844)
   URL:http://www.iss.net/security_center/static/9844.php
   BID:5458
   URL:http://www.securityfocus.com/bid/5458
 Christey> typo: "allow those services cause"
 Christey> REDHAT:RHSA-2002:196

   fix typo: say "to cause"


======================================================
Candidate: CAN-2002-0872
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0872
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020813 New l2tpd release 0.68
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0102.html
Reference: DEBIAN:DSA-152
Reference: URL:http://www.debian.org/security/2002/dsa-152
Reference: BID:5451
Reference: URL:http://www.securityfocus.com/bid/5451
Reference: XF:l2tpd-rand-number-predictable(9845)
Reference: URL:http://www.iss.net/security_center/static/9845.php

l2tpd 0.67 does not initialize the random number generator, which
allows remote attackers to hijack sessions.


Modifications:
  ADDREF BUGTRAQ:20020813 New l2tpd release 0.68
  ADDREF BID:5451
  ADDREF XF:l2tpd-rand-number-predictable(9845)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0872 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> BUGTRAQ:20020813 New l2tpd release 0.68
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0102.html
   BID:5451
   URL:http://www.securityfocus.com/bid/5451
   XF:l2tpd-rand-number-predictable(9845)
   URL:http://www.iss.net/security_center/static/9845.php


======================================================
Candidate: CAN-2002-0873
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0873
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020813 New l2tpd release 0.68
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102925612907148&w=2
Reference: DEBIAN:DSA-152
Reference: URL:http://www.debian.org/security/2002/dsa-152
Reference: XF:l2tpd-vendor-field-bo(10460)
Reference: URL:http://www.iss.net/security_center/static/10460.php

Vulnerability in l2tpd 0.67 allows remote attackers to overwrite the
vendor field via a long value in an attribute/value pair, possibly via
a buffer overflow.


Modifications:
  ADDREF XF:l2tpd-vendor-field-bo(10460)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0873 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> Consider deleting the Bugtraq reference, as it doesn't seem
   to mention this issue, unless it's the one with the title
   "Fix some off by 6 errors in avp handling"


======================================================
Candidate: CAN-2002-0875
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0875
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: DEBIAN:DSA-154
Reference: URL:http://www.debian.org/security/2002/dsa-154
Reference: SGI:20000301-03-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20000301-03-I
Reference: FREEBSD:FreeBSD-SN-02:05
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:05.asc
Reference: BID:5487
Reference: URL:http://online.securityfocus.com/bid/5487
Reference: XF:sgi-fam-insecure-permissions(9880)
Reference: URL:http://www.iss.net/security_center/static/9880.php

Vulnerability in FAM 2.6.8, 2.6.6, and other versions allows
unprivileged users to obtain the names of files whose access is
restricted to the root group.


Modifications:
  ADDREF SGI:20000301-03-I
  ADDREF FREEBSD:FreeBSD-SN-02:05
  ADDREF BID:5487
  ADDREF XF:sgi-fam-insecure-permissions(9880)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0875 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> SGI:20000301-03-I
   FREEBSD:FreeBSD-SN-02:05
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:05.asc
   BID:5487
   URL:http://online.securityfocus.com/bid/5487
   XF:sgi-fam-insecure-permissions(9880)
   URL:http://www.iss.net/security_center/static/9880.php


======================================================
Candidate: CAN-2002-0887
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0887
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20010522 [SRT2001-10] - scoadmin /tmp issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99057164129869&w=2
Reference: CALDERA:CSSA-2002-SCO.22
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22/CSSA-2002-SCO.22.txt
Reference: BID:4875
Reference: URL:http://www.securityfocus.com/bid/4875
Reference: XF:openserver-scoadmin-symlink(9210)
Reference: URL:http://www.iss.net/security_center/static/9210.php

scoadmin for Caldera/SCO OpenServer 5.0.5 and 5.0.6 allows local users
to overwrite arbitrary files via a symlink attack on temporary files,
as demonstrated using log files.


Modifications:
  DESC clarify role of log files

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The Caldera advisory credits "Kevin Finisterre
(dotslash@snosoft.com)" with this issue, and he is credited by the
original poster to Bugtraq.

INFERRED ACTION: CAN-2002-0887 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
   MODIFY(1) Jones
   NOOP(2) Cox, Foat

Voter Comments:
 Jones> Suggest removing "log" from CVE description (i.e., "... on
   temporary files.").  Caldera indicates "temporary files", which could be
   other than log files; log file was used by discoverer as a proof-of-concept,
   but problem is application's creation and use of temporary files in general.


======================================================
Candidate: CAN-2002-0889
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0889
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULN-DEV:20020428 QPopper 4.0.4 buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102003707432457&w=2
Reference: BUGTRAQ:20020428 QPopper 4.0.4 buffer overflow
Reference: URL:http://online.securityfocus.com/archive/1/269969
Reference: CALDERA:CSSA-2002-SCO.20
Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20/CSSA-2002-SCO.20.txt
Reference: XF:qpopper-bulldir-bo(8949)
Reference: URL:http://www.iss.net/security_center/static/8949.php
Reference: BID:4614
Reference: URL:http://www.securityfocus.com/bid/4614

Buffer overflow in Qpopper (popper) 4.0.4 and earlier allows local
users to cause a denial of service and possibly execute arbitrary code
via a long bulldir argument in the user's .qpopper-options
configuration file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0889 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Cole, Armstrong, Alderson, Baker, Frech, Jones
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-0891
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0891
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020527 Netscreen 25 unauthorised reboot issue
Reference: URL:http://online.securityfocus.com/archive/1/274240
Reference: CONFIRM:http://www.netscreen.com/support/ns25_reboot.html
Reference: XF:netscreen-screenos-username-dos(9186)
Reference: URL:http://www.iss.net/security_center/static/9186.php
Reference: BID:4842
Reference: URL:http://www.securityfocus.com/bid/4842

The web interface (WebUI) of NetScreen ScreenOS before 2.6.1r8, and
certain 2.8.x and 3.0.x versions before 3.0.3r1, allows remote
attackers to cause a denial of service (crash) via a long user name.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0891 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
   MODIFY(1) Jones
   NOOP(3) Christey, Cox, Foat

Voter Comments:
 Jones> Per NetScreen Alert, vulnerable versions should be: "versions
   prior to 2.6.1r8, 2.8.0r2, 2.8.1r1, 3.0.1r2, 3.0.2r3, and 3.0.3r1."
 Christey> The NetScreen alert referenced in the CONFIRM URL, dated
   June 3, 2002, says that the problem was "addressed in all
   versions of ScreenOS released after April 23, 2002. This list
   includes versions 2.6.1r8 and later, 2.8.0r2 and later, 2.8.1r1 and
   later, 3.0.1r2 and later, 3.0.2r3 and later, 3.0.3r1 and
   later"

   I've modified the description to reflect these ranges, though
   not to the level of detail covered by the advisory.


======================================================
Candidate: CAN-2002-0892
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0892
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: CF
Reference: BUGTRAQ:20020522 Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://online.securityfocus.com/archive/1/273615
Reference: VULNWATCH:20020522 [VulnWatch] Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0077.html
Reference: CONFIRM:http://www.newatlanta.com/do/findFaq?faq_id=151
Reference: BID:4793
Reference: URL:http://www.securityfocus.com/bid/4793
Reference: XF:servletexec-jsp10servlet-path-disclosure(9139)
Reference: URL:http://www.iss.net/security_center/static/9139.php

The default configuration of NewAtlanta ServletExec ISAPI 4.1 allows
remote attackers to determine the path of the web root via a direct
request to com.newatlanta.servletexec.JSP10Servlet without a filename,
which leaks the pathname in an error message.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: The ServletExec FAQ item 151 has the question "If I
request a JSP page that does not exist I receive a response in my
browser which discloses the absolute path to my web server's document
root or to the document root of my web application. Isn't this a
security risk?" The response is: "Use the errorPage init parameter
with the JSP10Servlet so that the JSP10Servlet will no longer use the
default response which discloses the path."

INFERRED ACTION: CAN-2002-0892 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
   MODIFY(1) Jones
   NOOP(2) Cox, Foat

Voter Comments:
 Jones> CVE description should read "... via a direct request to
   /servlet/com.newatlanta.servletexec.JSP10Servlet/ without ..."


======================================================
Candidate: CAN-2002-0897
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0897
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULNWATCH:20020524 [SecurityOffice] LocalWeb2000 Web Server Protected File Access Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0079.html
Reference: BUGTRAQ:20020524 [SecurityOffice] LocalWeb2000 Web Server Protected File Access Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/274020
Reference: BID:4820
Reference: URL:http://www.securityfocus.com/bid/4820
Reference: XF:localweb2k-protection-bypass(9165)
Reference: URL:http://www.iss.net/security_center/static/9165.php

LocalWEB2000 2.1.0 web server allows remote attackers to bypass access
restrictions for restricted files via a URL that contains the "/./"
directory.


Modifications:
  CHANGEREF VULNWATCH [normalize]

Analysis
--------
Vendor Acknowledgement:

ACKNOWLEDGEMENT: email inquiry sent to bugalert@intranet-server.co.uk
on July 28, 2002.

INFERRED ACTION: CAN-2002-0897 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Alderson, Frech, Jones
   NOOP(4) Cole, Armstrong, Cox, Foat


======================================================
Candidate: CAN-2002-0898
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0898
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: NTBUGTRAQ:20020527 Reading ANY local file in Opera (GM#001-OP)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102256058220402&w=2
Reference: BUGTRAQ:20020527 Reading ANY local file in Opera (GM#001-OP)
Reference: URL:http://online.securityfocus.com/archive/1/274202
Reference: CONFIRM:http://www.opera.com/windows/changelog/log603.html
Reference: BID:4834
Reference: URL:http://www.securityfocus.com/bid/4834
Reference: XF:opera-browser-file-retrieval(9188)
Reference: URL:http://www.iss.net/security_center/static/9188.php

Opera 6.0.1 and 6.0.2 allows a remote web site to upload arbitrary
files from the client system, without prompting the client, via an
input type=file tag whose value contains a newline.


Modifications:
  DESC fix typo

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the change log for Opera 6.0.3 says "Fixed security
issue with file upload, as reported by GreyMagic Software," the
discoverers of the issue.

INFERRED ACTION: CAN-2002-0898 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
   MODIFY(1) Jones
   NOOP(2) Cox, Foat

Voter Comments:
 Jones> "arbiotrary" should be "arbitrary".


======================================================
Candidate: CAN-2002-0900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0900
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020524 pks public key server DOS and remote execution
Reference: URL:http://online.securityfocus.com/archive/1/274107
Reference: CONFIRM:http://www.rubin.ch/pgp/src/patch_buffoverflow20020525
Reference: BID:4828
Reference: URL:http://www.securityfocus.com/bid/4828
Reference: XF:pgp-pks-search-bo(9171)
Reference: URL:http://www.iss.net/security_center/static/9171.php

Buffer overflow in pks PGP public key web server before 0.9.5 allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a long search argument to the lookup
capability.


Modifications:
  ADDREF CONFIRM:http://www.rubin.ch/pgp/src/patch_buffoverflow20020525

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: The PKS developer, Richard Laager, sent an email
February 25, 2003, saying that a patch was available.  He also said
that 0.9.5 and later versions were fixed.

INFERRED ACTION: CAN-2002-0900 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Alderson, Frech
   NOOP(6) Foat, Cole, Armstrong, Christey, Cox, Jones

Voter Comments:
 Jones> Unclear which versions are vulnerable.
 Christey> The PKS developer, Richard Laager, sent an email February 25,
   2003, saying that a patch was available.

   CONFIRM:http://www.rubin.ch/pgp/src/patch_buffoverflow20020525

   He also says that 0.9.5 and later versions were fixed.


======================================================
Candidate: CAN-2002-0904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0904
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULN-DEV:20020529 New Kismet Packages available - SayText() and suid kismet_server issues
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102269718506080&w=2
Reference: BUGTRAQ:20020528 New Kismet Packages available - SayText() and suid kismet_server issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0259.html
Reference: CONFIRM:http://www.kismetwireless.net/CHANGELOG
Reference: BID:4883
Reference: URL:http://www.securityfocus.com/bid/4883
Reference: XF:kismet-saytext-command-execution(9213)
Reference: URL:http://www.iss.net/security_center/static/9213.php

SayText function in Kismet 2.2.1 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters (backtick or
pipe) in the essid argument.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the vendor changelog, an entry dated "May 27 2002"
says "Fixed remote-exploitable hole (ack!) with specially crafted
SSID's"

INFERRED ACTION: CAN-2002-0904 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(6) Cole, Armstrong, Alderson, Baker, Frech, Jones
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2002-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0906
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: CERT-VN:VU#814627
Reference: URL:http://www.kb.cert.org/vuls/id/814627
Reference: CONFIRM:http://www.sendmail.org/8.12.5.html
Reference: BID:5122
Reference: URL:http://www.securityfocus.com/bid/5122
Reference: XF:sendmail-dns-txt-bo(9443)
Reference: URL:http://www.iss.net/security_center/static/9443.php

Buffer overflow in Sendmail before 8.12.5, when configured to use a
custom DNS map to query TXT records, allows remote attackers to cause
a denial of service and possibly execute arbitrary code via a
malicious DNS server.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0906 ACCEPT (7 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(7) Foat, Cole, Green, Baker, Frech, Cox, Wall


======================================================
Candidate: CAN-2002-0911
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0911
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: CALDERA:CSSA-2002-024.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-024.0.txt
Reference: BID:4923
Reference: URL:http://www.securityfocus.com/bid/4923
Reference: XF:volution-manager-plaintext-password(9240)
Reference: URL:http://www.iss.net/security_center/static/9240.php

Caldera Volution Manager 1.1 stores the Directory Administrator
password in cleartext in the slapd.conf file, which could allow local
users to gain privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0911 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Foat, Wall


======================================================
Candidate: CAN-2002-0914
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0914
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020601 SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0295.html
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=93065
Reference: BID:4908
Reference: URL:http://www.securityfocus.com/bid/4908
Reference: XF:courier-mta-year-dos(9228)
Reference: URL:http://www.iss.net/security_center/static/9228.php

Double Precision Courier e-mail MTA allows remote attackers to cause a
denial of service (CPU consumption) via a message with an extremely
large or negative value for the year, which causes a tight loop.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the changelog includes an item dated 2002-05-20 that
says "rfc822_parsedt.c (rfc822_parsedt): Ignore obviously invalid
years (someone else can worry about Y10K)."

INFERRED ACTION: CAN-2002-0914 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Foat, Wall


======================================================
Candidate: CAN-2002-0916
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0916
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULNWATCH:20020603 [VulnWatch] [DER #11] - Remotey exploitable fmt string bug in squid
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0087.html
Reference: BUGTRAQ:20020604 [DER #11] - Remotey exploitable fmt string bug in squid
Reference: URL:http://online.securityfocus.com/archive/1/275347
Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.4/diff-2.4.STABLE6-2.4.STABLE7.gz
Reference: BID:4929
Reference: URL:http://www.securityfocus.com/bid/4929
Reference: XF:msntauth-squid-format-string(9248)
Reference: URL:http://www.iss.net/security_center/static/9248.php

Format string vulnerability in the allowuser code for the Stellar-X
msntauth authentication module, as distributed in Squid 2.4.STABLE6
and earlier, allows remote attackers to execute arbitrary code via
format strings in the user name, which are not properly handled in a
syslog call.

Analysis
--------
Vendor Acknowledgement: yes diff

ACKNOWLEDGEMENT: while there are no vendor advisories that explicitly
mention the format string issues, it is obvious from the diff (and via
e-mail confirmation) that major changes were made to the code, which
addressed the format string and buffer overflow issues as originally
reported. It should be noted that the Squid distribution is fixed, but
the original Stellar-X is not (as of July 29).

INFERRED ACTION: CAN-2002-0916 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Foat, Wall


======================================================
Candidate: CAN-2002-0935
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0935
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: VULNWATCH:20020620 [VulnWatch] KPMG-2002025: Apache Tomcat Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0120.html
Reference: BUGTRAQ:20020620 KPMG-2002025: Apache Tomcat Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/277940
Reference: XF:tomcat-null-thread-dos(9396)
Reference: URL:http://www.iss.net/security_center/static/9396.php
Reference: BID:5067
Reference: URL:http://www.securityfocus.com/bid/5067

Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta,
allows remote attackers to cause a denial of service (resource
exhaustion) via a large number of requests to the server with null
characters, which causes the working threads to hang.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-0935 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Frech
   NOOP(3) Foat, Cox, Wall

Voter Comments:
 Green> - SECURITYTRACKER REPORTS THAT THE ISSUE HAS BEEN ACKNOWLEDGED BY APACHE


======================================================
Candidate: CAN-2002-0938
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0938
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020614 XSS in CiscoSecure ACS v3.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0156.html
Reference: BUGTRAQ:20020621 Re: XSS in CiscoSecure ACS v3.0
Reference: URL:http://online.securityfocus.com/archive/1/278222
Reference: BID:5026
Reference: URL:http://www.securityfocus.com/bid/5026
Reference: XF:ciscosecure-web-css(9353)
Reference: URL:http://www.iss.net/security_center/static/9353.php

Cross-site scripting vulnerability in CiscoSecure ACS 3.0 allows
remote attackers to execute arbitrary script or HTML as other web
users via the action argument in a link to setup.exe.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0938 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Green, Baker, Frech, Wall
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2002-0941
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0941
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020617 nCipher Advisory #4: Console Java apps can leak passphrases on Windows
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0172.html
Reference: BID:5024
Reference: URL:http://www.securityfocus.com/bid/5024
Reference: XF:ncipher-consolecallback-passphrase-leak(9354)
Reference: URL:http://www.iss.net/security_center/static/9354.php

The ConsoleCallBack class for nCipher running under JRE 1.4.0 and
1.4.0_01, as used by the TrustedCodeTool and possibly other
applications, may leak a passphrase when the user aborts an
application that is prompting for the passphrase, which could allow
attackers to gain privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0941 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Frech
   NOOP(3) Foat, Cox, Wall


======================================================
Candidate: CAN-2002-0945
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0945
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020608 SeaNox Devwex - Denial of Service and Directory traversal
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0056.html
Reference: CONFIRM:http://www.seanox.de/projects.devwex.php
Reference: XF:devwex-get-bo(9298)
Reference: URL:http://www.iss.net/security_center/static/9298.php
Reference: BID:4979
Reference: URL:http://www.securityfocus.com/bid/4979

Buffer overflow in SeaNox Devwex allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
long HTTP GET request.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The vendor's "Historie" page (accessible on the left
hand menu) has an item dated June 1, 2002, which states (based on a
Google translation): "the directory handling [was] revised around a
safe and errortolerant path processing. The ms Java could be brought
by ueberladene [long?] Requests to VM to [cause a] crash."

INFERRED ACTION: CAN-2002-0945 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Foat, Wall


======================================================
Candidate: CAN-2002-0946
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0946
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020608 SeaNox Devwex - Denial of Service and Directory traversal
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0056.html
Reference: CONFIRM:http://www.seanox.de/projects.devwex.php
Reference: BID:4978
Reference: URL:http://www.securityfocus.com/bid/4978
Reference: XF:devwex-dotdot-directory-traversal(9299)
Reference: URL:http://www.iss.net/security_center/static/9299.php

Directory traversal vulnerability in SeaNox Devwex before 1.2002.0601
allows remote attackers to read arbitrary files via ..\ (dot dot)
sequences in an HTTP request.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The vendor's "Historie" page (accessible on the left
hand menu) has an item dated June 1, 2002, which states (based on a
Google translation): "the directory handling [was] revised around a
safe and errortolerant path processing. The ms Java could be brought
by ueberladene [long?] Requests to VM to [cause a] crash."

INFERRED ACTION: CAN-2002-0946 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Foat, Wall


======================================================
Candidate: CAN-2002-0947
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0947
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020612 Oracle Reports Server Buffer Overflow (#NISR12062002B)
Reference: URL:http://online.securityfocus.com/archive/1/276524
Reference: VULNWATCH:20020612 [VulnWatch] Oracle Reports Server Buffer Overflow (#NISR12062002B)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0097.html
Reference: CERT-VN:VU#997403
Reference: URL:http://www.kb.cert.org/vuls/id/997403
Reference: CONFIRM:http://technet.oracle.com/deploy/security/pdf/reports6i_alert.pdf
Reference: MISC:http://www.nextgenss.com/vna/ora-reports.txt
Reference: BID:4848
Reference: URL:http://www.securityfocus.com/bid/4848
Reference: XF:oracle-reports-server-bo(9289)
Reference: URL:http://www.iss.net/security_center/static/9289.php

Buffer overflow in rwcgi60 CGI program for Oracle Reports Server
6.0.8.18.0 and earlier, as used in Oracle9iAS and other products,
allows remote attackers to execute arbitrary code via a long database
name parameter.


Modifications:
  DESC clarify role of Oracle9iAS

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0947 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Alderson, Baker, Frech
   MODIFY(1) Jones
   NOOP(2) Foat, Cox

Voter Comments:
 Jones> Suggest description read "...for Oracle Reports Server 6i Release
   6.0.8.18.0 and earlier...", removing "9iAS" since Oracle advisory states
   "any Oracle product" containing vulnerable version of the reports server.


======================================================
Candidate: CAN-2002-0952
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0952
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: CISCO:20020619 Cisco ONS15454 IP TOS Bit Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/ons-tos-vuln-pub.shtml
Reference: XF:cisco-ons-tcc-dos(9377)
Reference: URL:http://www.iss.net/security_center/static/9377.php
Reference: BID:5058
Reference: URL:http://www.securityfocus.com/bid/5058

Cisco ONS15454 optical transport platform running ONS 3.1.0 to 3.2.0
allows remote attackers to cause a denial of service (reset) by
sending IP packets with non-zero Type of Service (TOS) bits to the
Timing Control Card (TCC) LAN interface.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0952 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Green, Baker, Frech, Wall
   NOOP(2) Foat, Cox


======================================================
Candidate: CAN-2002-0953
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0953
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020617 PHP source injection in PHPAddress
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0182.html
Reference: BUGTRAQ:20020619 Source Injection into PHPAddress
Reference: URL:http://online.securityfocus.com/archive/1/277987
Reference: XF:phpaddress-include-remote-files(9379)
Reference: URL:http://www.iss.net/security_center/static/9379.php
Reference: BID:5039
Reference: URL:http://www.securityfocus.com/bid/5039

globals.php in PHP Address before 0.2f, with the PHP allow_url_fopen
and register_globals variables enabled, allows remote attackers to
execute arbitrary PHP code via a URL to the code in the LangCookie
parameter.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0953 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Frech
   NOOP(3) Foat, Cox, Wall


======================================================
Candidate: CAN-2002-0958
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0958
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020606 [ARL02-A12] PHP(Reactor) Cross Site Scripting Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0034.html
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=91877
Reference: XF:phpreactor-browse-xss(9280)
Reference: URL:http://www.iss.net/security_center/static/9280.php
Reference: BID:4952
Reference: URL:http://www.securityfocus.com/bid/4952

Cross-site scripting vulnerability in browse.php for PHP(Reactor)
1.2.7 allows remote attackers to execute script as other users via the
go parameter in the comments section.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor changelog for 1.2.7p1 says "fixed 2 XSS
errors." A source code diff of inc/global.inc.php in phpreactor-1.2.7
and phpreactor-1.2.7p1 shows that the only change was a call to
strip_tags() when setting the $go variable.

INFERRED ACTION: CAN-2002-0958 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Foat, Wall


======================================================
Candidate: CAN-2002-0964
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0964
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020620 Half-life fake players bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0248.html
Reference: XF:halflife-mulitple-player-dos(9412)
Reference: URL:http://www.iss.net/security_center/static/9412.php
Reference: BID:5076
Reference: URL:http://www.securityfocus.com/bid/5076

Half-Life Server 1.1.1.0 and earlier allows remote attackers to cause
a denial of service (resource exhaustion) via multiple responses to
the initial challenge with different cd_key values, which reaches the
player limit and prevents other players from connecting until the
original responses have timed out.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-0964 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Frech
   NOOP(4) Foat, Cole, Cox, Wall


======================================================
Candidate: CAN-2002-0965
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0965
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020612 Oracle TNS Listener Buffer Overflow (#NISR12062002A)
Reference: URL:http://online.securityfocus.com/archive/1/276526
Reference: VULNWATCH:20020612 [VulnWatch] Oracle TNS Listener Buffer Overflow (#NISR12062002A)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0096.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/net9_dos_alert.pdf
Reference: BID:4845
Reference: URL:http://www.securityfocus.com/bid/4845
Reference: XF:oracle-listener-servicename-bo(9288)
Reference: URL:http://www.iss.net/security_center/static/9288.php

Buffer overflow in TNS Listener for Oracle 9i Database Server on
Windows systems, and Oracle 8 on VM, allows local users to execute
arbitrary code via a long SERVICE_NAME parameter, which is not
properly handled when writing an error message to a log file.


Modifications:
  DESC fix affected versions
  ADDREF XF:oracle-listener-servicename-bo(9288)

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: while the Oracle advisory itself does not explicitly
mention a buffer overflow, the link to this document on Oracle's
advisory page says "Buffer Overflow Vulnerability in Oracle Net
(Oracle9i Database Server)." This, combined with the acknowledgement
to the disclosers and correlated dates, provides sufficient
information to indicate acknowledgement.

INFERRED ACTION: CAN-2002-0965 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Alderson, Baker
   MODIFY(2) Frech, Jones
   NOOP(2) Foat, Cox

Voter Comments:
 Jones> Oracle 9i Database Server on Windows systems and Oracle 8 on VM allows local
   users to execute arbitrary code via a long SERVICE_NAME parameter, which is
   not properly handled when forming an error message prior to writing to a log
   file."
 Frech> XF:oracle-listener-servicename-bo(9288)


======================================================
Candidate: CAN-2002-0967
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0967
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020606 eDonkey 2000 ed2k: URL Buffer Overflow
Reference: URL:http://online.securityfocus.com/archive/1/275708
Reference: CONFIRM:http://www.edonkey2000.com/
Reference: XF:edonkey2000-ed2k-filename-bo(9278)
Reference: URL:http://www.iss.net/security_center/static/9278.php
Reference: BID:4951
Reference: URL:http://www.securityfocus.com/bid/4951

Buffer overflow in eDonkey 2000 35.16.60 and earlier allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a long "ed2k:" URL.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: on the vendor's home page, an item dated 6.5.02
states "An security exploit in the windows GUI client has been
fixed... Thanks to Shane Hird [the notifier] for pointing it out to
us."

INFERRED ACTION: CAN-2002-0967 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Foat, Wall


======================================================
Candidate: CAN-2002-0968
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0968
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020613 Remote DoS in AnalogX SimpleServer:www 1.16
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0106.html
Reference: BUGTRAQ:20020702 Re: Remote DoS in AnlaogX SimpleServer:www 1.16
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102563702928443&w=2
Reference: CONFIRM:http://www.analogx.com/contents/download/network/sswww.htm
Reference: BID:5006
Reference: URL:http://www.securityfocus.com/bid/5006
Reference: XF:analogx-simpleserver-at-dos(9338)
Reference: URL:http://www.iss.net/security_center/static/9338.php

Buffer overflow in AnalogX SimpleServer:WWW 1.16 and earlier allows
remote attackers to cause a denial of service (crash) and execute code
via a long HTTP request method name.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the change log for version 1.23 says "Fixed possible
exploit with large string commands."

INFERRED ACTION: CAN-2002-0968 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Frech
   NOOP(3) Foat, Cox, Wall


======================================================
Candidate: CAN-2002-0981
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0981
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020822
Category: SF
Reference: CALDERA:CSSA-2002-SCO.36
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.36/CSSA-2002-SCO.36.txt
Reference: XF:openunix-unixware-ndcfg-bo(9945)
Reference: URL:http://www.iss.net/security_center/static/9945.php
Reference: BID:5551
Reference: URL:http://www.securityfocus.com/bid/5551

Buffer overflow in ndcfg command for UnixWare 7.1.1 and Open UNIX
8.0.0 allows local users to execute arbitrary code via a long command
line.


Modifications:
  ADDREF XF:openunix-unixware-ndcfg-bo(9945)
  ADDREF BID:5551

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0981 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Foat, Christey, Cox, Wall

Voter Comments:
 Christey> XF:openunix-unixware-ndcfg-bo(9945)
   URL:http://www.iss.net/security_center/static/9945.php
   BID:5551
   URL:http://www.securityfocus.com/bid/5551


======================================================
Candidate: CAN-2002-0984
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0984
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020823
Category: SF
Reference: BUGTRAQ:20020822 Light Security Advisory: Remotely-exploitable code execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0231.html
Reference: DEBIAN:DSA-156
Reference: URL:http://www.debian.org/security/2002/dsa-156
Reference: XF:light-channel-execute-script(9943)
Reference: URL:http://www.iss.net/security_center/static/9943.php
Reference: BID:5555
Reference: URL:http://www.securityfocus.com/bid/5555

The IRC script included in Light 2.7.x before 2.7.30p5, and 2.8.x
before 2.8pre10, running EPIC allows remote attackers to execute
arbitrary code if the user joins a channel whose topic includes EPIC4
code.


Modifications:
  ADDREF BUGTRAQ:20020822 Light Security Advisory: Remotely-exploitable code execution
  ADDREF XF:light-channel-execute-script(9943)
  ADDREF BID:5555

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0984 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(4) Foat, Christey, Cox, Wall

Voter Comments:
 Christey> XF:light-channel-execute-script(9943)
   URL:http://www.iss.net/security_center/static/9943.php
   BID:5555
   URL:http://www.securityfocus.com/bid/5555
 Christey> BUGTRAQ:20020822 Light Security Advisory: Remotely-exploitable code execution
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0231.html
   XF:light-channel-execute-script(9943)
   URL:http://www.iss.net/security_center/static/9943.php
   BID:5555
   URL:http://www.securityfocus.com/bid/5555


======================================================
Candidate: CAN-2002-0987
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0987
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020826
Category: SF
Reference: CALDERA:CSSA-2002-SCO.38
Reference: URL:ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38
Reference: XF:openunix-unixware-xsco-privileges(9976)
Reference: URL:http://www.iss.net/security_center/static/9976.php
Reference: BID:5575
Reference: URL:http://www.securityfocus.com/bid/5575

X server (Xsco) in OpenUNIX 8.0.0 and UnixWare 7.1.1 does not drop
privileges before calling programs such as xkbcomp using popen, which
could allow local users to gain privileges.


Modifications:
  ADDREF XF:openunix-unixware-xsco-privileges(9976)
  ADDREF BID:5575

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0987 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(3) Foat, Cox, Wall


======================================================
Candidate: CAN-2002-0988
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0988
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020826
Category: SF
Reference: CALDERA:CSSA-2002-SCO.38
Reference: URL:ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38
Reference: XF:openunix-unixware-xsco-bo(9977)
Reference: URL:http://www.iss.net/security_center/static/9977.php
Reference: BID:5577
Reference: URL:http://www.securityfocus.com/bid/5577

Buffer overflow in X server (Xsco) in OpenUNIX 8.0.0 and UnixWare
7.1.1, possibly related to XBM/xkbcomp capabilities.


Modifications:
  ADDREF XF:openunix-unixware-xsco-bo(9977)
  ADDREF BID:5577

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0988 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(3) Foat, Cox, Wall


======================================================
Candidate: CAN-2002-0989
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0989
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: CONFIRM:http://gaim.sourceforge.net/ChangeLog
Reference: DEBIAN:DSA-158
Reference: URL:http://www.debian.org/security/2002/dsa-158
Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=72728
Reference: MANDRAKE:MDKSA-2002:054
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:054
Reference: REDHAT:RHSA-2002:189
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-189.html
Reference: CONECTIVA:CLA-2002:521
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000521
Reference: HP:HPSBTL0209-067
Reference: URL:http://online.securityfocus.com/advisories/4471
Reference: FREEBSD:FreeBSD-SN-02:06
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:06.asc
Reference: BUGTRAQ:20020827 GLSA: gaim
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103046442403404&w=2
Reference: BID:5574
Reference: URL:http://www.securityfocus.com/bid/5574
Reference: XF:gaim-url-handler-command-execution(9978)
Reference: URL:http://www.iss.net/security_center/static/9978.php

The URL handler in the manual browser option for Gaim before 0.59.1
allows remote attackers to execute arbitrary script via shell
metacharacters in a link.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:054
  ADDREF REDHAT:RHSA-2002:189
  ADDREF CONECTIVA:CLA-2002:521
  ADDREF HP:HPSBTL0209-067
  ADDREF FREEBSD:FreeBSD-SN-02:06
  ADDREF XF:gaim-url-handler-command-execution(9978)
  ADDREF BID:5574

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0989 ACCEPT (4 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   NOOP(3) Foat, Christey, Wall

Voter Comments:
 Christey> ADDREF MANDRAKE:MDKSA-2002:054
 Christey> REDHAT:RHSA-2002:189
   URL:http://www.redhat.com/support/errata/RHSA-2002-189.html
 Christey> CONECTIVA:CLA-2002:521
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000521
   BID:5574
   URL:http://www.securityfocus.com/bid/5574
   HP:HPSBTL0209-067
   URL:http://online.securityfocus.com/advisories/4471
   FREEBSD:FreeBSD-SN-02:06
   URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:06.asc
   XF:gaim-url-handler-command-execution(9978)
   URL:http://www.iss.net/security_center/static/9978.php


======================================================
Candidate: CAN-2002-0995
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0995
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020702 PHPAuction bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0014.html
Reference: CONFIRM:http://www.phpauction.org/viewnew.php?id=5
Reference: XF:phpauction-admin-account-creation(9462)
Reference: URL:http://www.iss.net/security_center/static/9462.php
Reference: BID:5141
Reference: URL:http://www.securityfocus.com/bid/5141

login.php for PHPAuction allows remote attackers to gain privileges
via a direct call to login.php with the action parameter set to
"insert," which adds the provided username to the adminUsers table.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: the vendor's web site includes an advisory dated the
day after the initial Bugtraq post, which states "This fix addresses
the admin/login.php file and the possible security breach that could
occur without this change. It now has certain security checks added
for a safer admin back-end."

INFERRED ACTION: CAN-2002-0995 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(3) Foat, Cox, Wall


======================================================
Candidate: CAN-2002-1000
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1000
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020626 Foundstone Advisory - Buffer Overflow in AnalogX SimpleServer:Shout (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0338.html
Reference: CONFIRM:http://www.analogx.com/contents/download/network/ssshout.htm
Reference: BID:5104
Reference: URL:http://www.securityfocus.com/bid/5104
Reference: XF:analogx-simpleserver-shout-bo(9427)
Reference: URL:http://www.iss.net/security_center/static/9427.php

Buffer overflow in AnalogX SimpleServer:Shout 1.0 allows remote
attackers to cause a denial of service and execute arbitrary code via
a long request to TCP port 8001.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the changelog on the vendor web site includes an
entry for version 1.02 that "Fixed assert error found by Foundstone
[the discloser]."

INFERRED ACTION: CAN-2002-1000 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1002
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020812 NOVL-2002-2963081 - Novell iManager (eMFrame 1.2.1) DoS Attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0093.html
Reference: BUGTRAQ:20020627 Cluestick Advisory #001
Reference: URL:http://online.securityfocus.com/archive/1/279683
Reference: XF:netware-imanage-username-dos(9444)
Reference: URL:http://www.iss.net/security_center/static/9444.php
Reference: BID:5117
Reference: URL:http://www.securityfocus.com/bid/5117

Buffer overflow in Novell iManager (eMFrame 1.2.1) allows remote
attackers to cause a denial of service (crash) via a long user name.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-1002 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1004
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1004
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020703 Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0029.html
Reference: CONFIRM:http://www.argosoft.com/applications/mailserver/changelist.asp
Reference: BID:5144
Reference: URL:http://www.securityfocus.com/bid/5144
Reference: XF:argosoft-dotdot-directory-traversal(9477)
Reference: URL:http://www.iss.net/security_center/static/9477.php

Directory traversal vulnerability in webmail feature of ArGoSoft Mail
Server Plus or Pro 1.8.1.5 and earlier allows remote attackers to read
arbitrary files via .. (dot dot) sequences in a URL.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor's change log includes an entry for 1.8.1.6
dated July 03, 2002, which states "Fixed security problem with the
Webmail Reverse Directory Traversal, discovered by team n. finity [the
discloser]."

INFERRED ACTION: CAN-2002-1004 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1006
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1006
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020701 PTL-2002-03 Betsie XSS Vuln
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0002.html
Reference: CONFIRM:http://www.bbc.co.uk/education/betsie/parser.pl.txt
Reference: BID:5135
Reference: URL:http://www.securityfocus.com/bid/5135
Reference: XF:betsie-parserl-xss(9468)
Reference: URL:http://www.iss.net/security_center/static/9468.php

Cross-site scripting (XSS) vulnerability in BBC Education Text to
Speech Internet Enhancer (Betsie) 1.5.11 and earlier allows remote
attackers to execute arbitrary web script via parserl.pl.


Modifications:
  DESC add "XSS" acronym

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: the comments inside the parserl.pl script itself
(version 1.5.12 on August 18, 2002) include a statement to "Beat
cross-site scripting vulnerability," and the original Bugtraq poster
is thanked at the top of the page.

INFERRED ACTION: CAN-2002-1006 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1013
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1013
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020702 CORE-20020620: Inktomi Traffic Server Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0023.html
Reference: CONFIRM:http://support.inktomi.com/kb/070202-003.html
Reference: BID:5098
Reference: URL:http://www.securityfocus.com/bid/5098
Reference: XF:inktomi-trafficserver-manager-bo(9465)
Reference: URL:http://www.iss.net/security_center/static/9465.php

Buffer overflow in traffic_manager for Inktomi Traffic Server 4.0.18
through 5.2.2, Traffic Edge 1.1.2 and 1.5.0, and Media-IXT 3.0.4
allows local users to gain root privileges via a long -path argument.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1013 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Frech> CONFIRM is now http://support.inktomi.com/kb/Private/070202-003.html,
   and is only
   available to customers with a current support contract.
 Christey> I will keep the original CONFIRM URL to indicate that, at
   one point in time, the entire public could access a
   confirmation note.


======================================================
Candidate: CAN-2002-1014
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1014
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020712 [SPSadvisory#48]RealONE Player Gold / RealJukebox2 Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0127.html
Reference: CONFIRM:http://service.real.com/help/faq/security/bufferoverrun07092002.html
Reference: XF:realplayer-rjs-controlnimage-bo(9538)
Reference: URL:http://www.iss.net/security_center/static/9538.php
Reference: BID:5217
Reference: URL:http://www.securityfocus.com/bid/5217

Buffer overflow in RealJukebox 2 1.0.2.340 and 1.0.2.379, and RealOne
Player Gold 6.0.10.505, allows remote attackers to execute arbitrary
code via an RFS skin file whose skin.ini contains a long value in a
CONTROLnImage argument, such as CONTROL1Image.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1014 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1015
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1015
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020712 [SPSadvisory#47]RealONE Player Gold / RealJukebox2 skin file download vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0130.html
Reference: CONFIRM:http://service.real.com/help/faq/security/bufferoverrun07092002.html
Reference: XF:realplayer-rjs-file-download(9539)
Reference: URL:http://www.iss.net/security_center/static/9539.php
Reference: BID:5210
Reference: URL:http://www.securityfocus.com/bid/5210

RealJukebox 2 1.0.2.340 and 1.0.2.379, and RealOne Player Gold
6.0.10.505, allows remote attackers to execute arbitrary script in the
Local computer zone by inserting the script into the skin.ini file of
an RJS archive, then referencing skin.ini from a web page after it has
been extracted, which is parsed as HTML by Internet Explorer or other
Microsoft-based web readers.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1015 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1024
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: CERT-VN:VU#290140
Reference: URL:http://www.kb.cert.org/vuls/id/290140
Reference: CISCO:20020627 Scanning for SSH Can Cause a Crash
Reference: URL:http://www.cisco.com/warp/public/707/SSH-scanning.shtml
Reference: XF:cisco-ssh-scan-dos(9437)
Reference: URL:http://www.iss.net/security_center/static/9437.php
Reference: BID:5114
Reference: URL:http://www.securityfocus.com/bid/5114

Cisco IOS 12.0 through 12.2, when supporting SSH, allows remote
attackers to cause a denial of service (CPU consumption) via a large
packet that was designed to exploit the SSH CRC32 attack detection
overflow (CVE-2001-0144).

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1024 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Green, Baker, Frech, Wall, Cole
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-1025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1025
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: VULNWATCH:20020701 [VulnWatch] KPMG-2002026: Jrun sourcecode Disclosure
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0138.html
Reference: BUGTRAQ:20020701 KPMG-2002026: Jrun sourcecode Disclosure
Reference: URL:http://online.securityfocus.com/archive/1/280062
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
Reference: BID:5134
Reference: URL:http://www.securityfocus.com/bid/5134
Reference: XF:jrun-null-view-source(9459)
Reference: URL:http://www.iss.net/security_center/static/9459.php

JRun 3.0 through 4.0 allows remote attackers to read JSP source code
via an encoded null byte in an HTTP GET request, which causes the
server to send the .JSP file unparsed.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1025 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1030
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1030
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: VULNWATCH:20020708 [VulnWatch] KPMG-2002029: Bea Weblogic Performance Pack Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0008.html
Reference: BUGTRAQ:20020708 KPMG-2002029: Bea Weblogic Performance Pack Denial of Service
Reference: URL:http://online.securityfocus.com/archive/1/281046
Reference: CONFIRM:http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2Fadvisory_BEA02-19.htm
Reference: BID:5159
Reference: URL:http://www.securityfocus.com/bid/5159
Reference: XF:weblogic-race-condition-dos(9486)
Reference: URL:http://www.iss.net/security_center/static/9486.php

Race condition in Performance Pack in BEA WebLogic Server and Express
5.1.x, 6.0.x, 6.1.x and 7.0 allows remote attackers to cause a denial
of service (crash) via a flood of data and connections.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: the advisory credits KPMG (the discloser) for
discovering the issue.

INFERRED ACTION: CAN-2002-1030 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1031
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1031
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020707 KF Web Server version 1.0.2 shows file and directory content
Reference: URL:http://online.securityfocus.com/archive/1/281102
Reference: VULNWATCH:20020707 [VulnWatch] KF Web Server version 1.0.2 shows file and directory content
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0007.html
Reference: CONFIRM:http://www.keyfocus.net/kfws/support/
Reference: BID:5177
Reference: URL:http://www.securityfocus.com/bid/5177
Reference: XF:kfwebserver-null-view-dir(9500)
Reference: URL:http://www.iss.net/security_center/static/9500.php

KeyFocus (KF) web server 1.0.2 allows remote attackers to list
directories and read restricted files via an HTTP request containing a
%00 (null) character.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor's change log for 1.0.3, dated July 4,
2002, states: "Security vulnerability - %00. If the requested URL
contains a %00 after a directory name, then the server used to
generate an index of the files in the directory."

INFERRED ACTION: CAN-2002-1031 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1035
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1035
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20020701 BufferOverflow in OmniHTTPd 2.09
Reference: URL:http://online.securityfocus.com/archive/1/280132
Reference: XF:omnihttpd-http-version-bo(9457)
Reference: URL:http://www.iss.net/security_center/static/9457.php
Reference: BID:5136
Reference: URL:http://www.securityfocus.com/bid/5136

Omnicron OmniHTTPd 2.09 allows remote attackers to cause a denial of
service (crash) via an HTTP request with a long, malformed HTTP
1version number.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: an email inquiry was sent to support@omnicron.ca on
August 22, 2002, and the vendor replied on August 24 that the
vulnerability was fixed in version 2.10.

INFERRED ACTION: CAN-2002-1035 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1039
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1039
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: VULNWATCH:20020714 [VulnWatch] Double Choco Latte multiple vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0022.html
Reference: BUGTRAQ:20020714 Double Choco Latte multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102668783632589&w=2
Reference: CONFIRM:http://dcl.sourceforge.net/index.php
Reference: XF:dcl-dotdot-directory-traversal(9743)
Reference: URL:http://www.iss.net/security_center/static/9743.php

Directory traversal vulnerability in Double Choco Latte (DCL) before
20020706 allows remote attackers to read arbitrary files via .. (dot
dot) sequences when downloading files from the Projects: Attachments
feature.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor's changelog, dated July 6, 2002, states:
"Fix to prevent file download spoofing."

INFERRED ACTION: CAN-2002-1039 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1046
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: VULNWATCH:20020709 KPMG-2002030: Watchguard Firebox Dynamic VPN Configuration Protocol DoS
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0012.html
Reference: BID:5186
Reference: URL:http://www.securityfocus.com/bid/5186
Reference: XF:firebox-dvcp-dos(9509)
Reference: URL:http://www.iss.net/security_center/static/9509.php

Dynamic VPN Configuration Protocol service (DVCP) in Watchguard
Firebox firmware 5.x.x allows remote attackers to cause a denial of
service (crash) via a malformed packet containing tab characters to
TCP port 4110.


Modifications:
  CHANGEREF VULNWATCH [normalize]

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1046 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Foat
   NOOP(3) Cox, Wall, Cole


======================================================
Candidate: CAN-2002-1049
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1049
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020729 HylaFAX - Various Vulnerabilities Fixed
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0358.html
Reference: DEBIAN:DSA-148
Reference: URL:http://www.debian.org/security/2002/dsa-148
Reference: MANDRAKE:MDKSA-2002:055
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:055
Reference: SUSE:SuSE-SA:2002:035
Reference: URL:http://www.suse.de/de/security/2002_035_hylafax.html
Reference: CONFIRM:http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=300
Reference: BID:5348
Reference: URL:http://www.securityfocus.com/bid/5348
Reference: XF:hylafax-faxgetty-tsi-dos(9728)
Reference: URL:http://www.iss.net/security_center/static/9728.php

Format string vulnerability in HylaFAX faxgetty before 4.1.3 allows
remote attackers to cause a denial of service (crash) via the TSI data
element.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:055
  ADDREF SUSE:SuSE-SA:2002:035

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1049 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:055
 Christey> SUSE:SuSE-SA:2002:035


======================================================
Candidate: CAN-2002-1050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1050
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020729 HylaFAX - Various Vulnerabilities Fixed
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0358.html
Reference: DEBIAN:DSA-148
Reference: URL:http://www.debian.org/security/2002/dsa-148
Reference: CONFIRM:http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=312
Reference: MANDRAKE:MDKSA-2002:055
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:055
Reference: SUSE:SuSE-SA:2002:035
Reference: URL:http://www.suse.de/de/security/2002_035_hylafax.html
Reference: BID:5349
Reference: URL:http://www.securityfocus.com/bid/5349
Reference: XF:hylafax-faxgetty-image-bo(9729)
Reference: URL:http://www.iss.net/security_center/static/9729.php

Buffer overflow in HylaFAX faxgetty before 4.1.3 allows remote
attackers to cause a denial of service, and possibly execute arbitrary
code, via a long line of image data.


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:055
  ADDREF SUSE:SuSE-SA:2002:035
  DESC fix typo

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1050 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:055
 Christey> SUSE:SuSE-SA:2002:035
   Close off parenthesis in desc.
 Christey> fix typo (extra parenthesis)


======================================================
Candidate: CAN-2002-1051
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1051
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020606 Format String bug in TrACESroute 6.0 GOLD
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0040.html
Reference: BUGTRAQ:20020721 Nanog traceroute format string exploit.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102737546927749&w=2
Reference: BUGTRAQ:20020723 Re: Nanog traceroute format string exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0254.html
Reference: BUGTRAQ:20020724 Re: Nanog traceroute format string exploit.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102753136231920&w=2
Reference: SUSE:SuSE-SA:2000:041
Reference: URL:http://www.suse.de/de/security/2000_041_traceroute_txt.html
Reference: BID:4956
Reference: URL:http://www.securityfocus.com/bid/4956
Reference: XF:tracesroute-t-format-string(9291)
Reference: URL:http://www.iss.net/security_center/static/9291.php

Format string vulnerability in TrACESroute 6.0 GOLD (aka NANOG
traceroute) allows local users to execute arbitrary code via the -T
(terminator) command line argument.

Analysis
--------
Vendor Acknowledgement: yes followup

NOTE: Debian confirmed via email that it is not vulnerable.

INFERRED ACTION: CAN-2002-1051 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Foat, Cole
   NOOP(1) Wall


======================================================
Candidate: CAN-2002-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1053
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020817 W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability (REPOST)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0190.html
Reference: CONFIRM:http://www.w3.org/Jigsaw/RelNotes.html#2.2.1
Reference: BID:5506
Reference: URL:http://www.securityfocus.com/bid/5506
Reference: XF:jigsaw-http-proxy-xss(9914)
Reference: URL:http://www.iss.net/security_center/static/9914.php

Cross-site scripting (XSS) vulnerability in W3C Jigsaw Proxy Server
before 2.2.1 allows remote attackers to execute arbitrary script via a
URL that contains a reference to a nonexistent host followed by the
script, which is included in the resulting error message.


Modifications:
  DESC add "XSS" term

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor's changelog for 2.2.1 says "Added a flag
to remove the URI from default error pages as well as the proxy module
(SECURITY FIX: avoiding cross scripting attacks)."

INFERRED ACTION: CAN-2002-1053 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1054
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020722 Pablo Sofware Solutions FTP server Directory Traversal Vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/283665
Reference: VULNWATCH:20020722 [VulnWatch] Pablo Sofware Solutions FTP server Directory Traversal Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0035.html
Reference: CONFIRM:http://www.pablovandermeer.nl/ftpserversrc.zip
Reference: BID:5283
Reference: URL:http://www.securityfocus.com/bid/5283
Reference: XF:pablo-ftp-directory-traversal(9647)
Reference: URL:http://www.iss.net/security_center/static/9647.php

Directory traversal vulnerability in Pablo FTP server 1.0 build 9 and
earlier allows remote authenticated users to list arbitrary
directories via "..\" (dot-dot backslash) sences in a LIST command.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the Release/whatsnew.txt file in the source code
includes an item dated [07/21/2002], Version 1.10, states "Fixed
security hole in GetDirectoryList (LIST \..\) (thanks to:
http://www.sec uriteinfo.com) [the discloser]"

INFERRED ACTION: CAN-2002-1054 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1057
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1057
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020723 MailMax security advisory/exploit/patch
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0245.html
Reference: BID:5285
Reference: URL:http://www.securityfocus.com/bid/5285
Reference: XF:mailmax-pop3max-user-bo(9651)
Reference: URL:http://www.iss.net/security_center/static/9651.php

Buffer overflow in SmartMax MailMax POP3 daemon (popmax) 4.8 allows
remote attackers to execute arbitrary code via a long USER command.

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: e-mail inquiry sent on August 28, 2002, via interface
at https://supportcenteronline.com/ics/support/default.asp?deptID=468.
Vendor acknowledged the issue on August 29: "This report is accurate
and we have a patch fixing the issue available for our customers."

INFERRED ACTION: CAN-2002-1057 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1059
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020723 Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102744150718462&w=2
Reference: BUGTRAQ:20020723 Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102746007908689&w=2
Reference: CONFIRM:http://www.vandyke.com/products/securecrt/security07-25-02.html
Reference: XF:securecrt-ssh1-identifier-bo(9650)
Reference: URL:http://www.iss.net/security_center/static/9650.php
Reference: BID:5287
Reference: URL:http://www.securityfocus.com/bid/5287

Buffer overflow in Van Dyke SecureCRT SSH client before 3.4.6, and 4.x
before 4.0 beta 3, allows an SSH server to execute arbitrary code via
a long SSH1 protocol version string.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1059 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1060
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020724 CacheFlow CacheOS Cross-site Scripting Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0283.html
Reference: CONFIRM:http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm
Reference: BID:5305
Reference: URL:http://www.securityfocus.com/bid/5305
Reference: XF:cacheos-unresolved-error-xss(9674)
Reference: URL:http://www.iss.net/security_center/static/9674.php

Cross-site scripting (XSS) vulnerability in CacheFlow CacheOS 4.1.06
and earlier allows remote attackers to insert arbitrary HTML,
including script, via a URL to a nonexistent hostname that includes
the HTML, which is inserted into the resulting error message.


Modifications:
  DESC add XSS term

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the changelog, dated 07/15/2002, includes the
following item for V4.1.07(build 18110): "Modified default
user-configurable error pages to eliminate cross-site scripting
attack."

INFERRED ACTION: CAN-2002-1060 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-1076
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1076
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020725 IPSwitch IMail ADVISORY/EXPLOIT/PATCH
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0326.html
Reference: BUGTRAQ:20020729 Hoax Exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0363.html
Reference: BUGTRAQ:20020729 Re:  Hoax Exploit (2c79cbe14ac7d0b8472d3f129fa1df55 RETURNS)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0368.html
Reference: CONFIRM:http://support.ipswitch.com/kb/IM-20020731-DM02.htm
Reference: CONFIRM:http://support.ipswitch.com/kb/IM-20020729-DM01.htm
Reference: BID:5323
Reference: URL:http://www.securityfocus.com/bid/5323
Reference: XF:imail-web-messaging-bo(9679)
Reference: URL:http://www.iss.net/security_center/static/9679.php

Buffer overflow in the Web Messaging daemon for Ipswitch IMail before
7.12 allows remote attackers to execute arbitrary code via a long HTTP
GET request for HTTP/1.0.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the release notes for version 7.12 say "Fixed a
buffer over-run which could result in a vulnerability (bugtraq id
5323)."

INFERRED ACTION: CAN-2002-1076 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   NOOP(2) Cox, Foat


======================================================
Candidate: CAN-2002-1079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1079
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020822 Abyss 1.0.3 directory traversal and administration bugs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0229.html
Reference: CONFIRM:http://www.aprelium.com/news/patch1033.html
Reference: XF:abyss-get-directory-traversal(9941)
Reference: URL:http://www.iss.net/security_center/static/9941.php
Reference: XF:abyss-http-directory-traversal(9940)
Reference: URL:http://www.iss.net/security_center/static/9940.php
Reference: BID:5547
Reference: URL:http://www.securityfocus.com/bid/5547

Directory traversal vulnerability in Abyss Web Server 1.0.3 allows
remote attackers to read arbitrary files via ..\ (dot-dot backslash)
sequences in an HTTP GET request.


Modifications:
  ADDREF BID:5547

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the vendor includes a statement dated August 19,
2002, of a patch for 1.03 regarding "two bugs related to URLs decoding
(thanks to Auriemma Luigi)," the original discloser.

INFERRED ACTION: CAN-2002-1079 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> BID:5547
   URL:http://www.securityfocus.com/bid/5547


======================================================
Candidate: CAN-2002-1081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1081
Final-Decision:
Interim-Decision: 20030326
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020822 Abyss 1.0.3 directory traversal and administration bugs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0229.html
Reference: CONFIRM:http://www.aprelium.com/news/patch1033.html
Reference: XF:abyss-plus-file-disclosure(9956)
Reference: URL:http://www.iss.net/security_center/static/9956.php
Reference: BID:5549
Reference: URL:http://www.securityfocus.com/bid/5549

The Administration console for Abyss Web Server 1.0.3 allows remote
attackers to read files without providing login credentials via an
HTTP request to a target file that ends in a "+" character.


Modifications:
  ADDREF BID:5549

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the vendor includes a statement dated August 19,
2002, of a patch for 1.03 regarding "two bugs related to URLs decoding
(thanks to Auriemma Luigi)," the original discloser.

INFERRED ACTION: CAN-2002-1081 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> BID:5549
   URL:http://www.securityfocus.com/bid/5549


======================================================
Candidate: CAN-2002-1088
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1088
Final-Decision:
Interim-Decision: 20030326
Modified:
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20020725 Novell GroupWise 6.0.1 Support Pack 1 Bufferoverflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0296.html
Reference: CONFIRM:http://support.novell.com/servlet/tidfinder/2963273
Reference: BID:5313
Reference: URL:http://www.securityfocus.com/bid/5313
Reference: XF:groupwise-rcpt-bo(9671)
Reference: URL:http://www.iss.net/security_center/static/9671.php

Buffer overflow in Novell GroupWise 6.0.1 Support Pack 1 allows remote
attackers to execute arbitrary code via a long RCPT TO command.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: while the Novell TID does not itself contain vendor
acknowledgement, the vendor's security advisory page has a link to the
TID with the phrase "Buffer overflow in Novell GroupWise 6.0.1 Support
Pack 1."

INFERRED ACTION: CAN-2002-1088 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(3) Cox, Wall, Foat

 
Page Last Updated: May 22, 2007