[INTERIM] ACCEPT 480 candidates (Final Decision September 1)
I have made an Interim Decision to ACCEPT the following 480 candidates.
I will make a Final Decision on September 1.

The candidates came from the following clusters:

    1 RECENT-48
    2 RECENT-49
    1 MISC-99
    1 RECENT-60
    1 RECENT-61
    1 RECENT-62
    1 RECENT-65
    1 RECENT-66
    1 RECENT-67
    1 LEGACY-UNIX-ADV
    1 LEGACY-MISC-1997
    1 LEGACY-MISC-1998-A
    1 LEGACY-MISC-1998-B
    3 LEGACY-MISC-1999-A
    3 LEGACY-MISC-1999-B
    1 LEGACY-MISC-1999-C
    2 RECENT-69
    1 RECENT-72
    1 RECENT-73
    3 RECENT-75
    2 RECENT-76
    2 RECENT-77
    3 RECENT-78
    1 RECENT-79
    1 RECENT-80
    1 RECENT-81
    2 RECENT-82
    1 RECENT-84
    2 MISC-2001-001
    3 MISC-2001-002
    1 RECENT-86
    1 RECENT-87
    1 RECENT-88
    4 MISC-2001-004
    2 RECENT-89
    1 RECENT-90
    1 RECENT-91
   10 RECENT-93
    2 RECENT-96
    6 RECENT-97
    3 MISC-2001-005
    2 RECENT-98
    2 RECENT-103
    2 RECENT-104
   24 CERT-2003a
   17 CISCO-2003a
   27 UNIX-2002a
   35 UNIX-2002b
   22 UNIX-2002c
   21 UNIX-2003a
   36 MS-2002a
   31 CONFIRM-2002a
   28 CONFIRM-2002b
   39 CONFIRM-2003a
   23 MISC-2002b
    1 RECENT-14
    3 RECENT-31
    1 RECENT-32

Voters:

    Renaud     NOOP(1)
    Ziese      ACCEPT(2) NOOP(6) REVIEWING(6)
    Dik        ACCEPT(2)
    Levy       ACCEPT(3) REVIEWING(2)
    Green      ACCEPT(253) MODIFY(1) NOOP(5) REVIEWING(3)
    Magdych    NOOP(1)
    Frech      ACCEPT(36) MODIFY(76)
    Cole       ACCEPT(418) NOOP(62)
    Alderson   ACCEPT(6) REVIEWING(1)
    Jones      ACCEPT(27) MODIFY(6) NOOP(2) REVIEWING(5)
    Stracener  ACCEPT(6) NOOP(1)
    Balinsky   ACCEPT(13) MODIFY(2) NOOP(4)
    Foat       ACCEPT(33) MODIFY(1) NOOP(43)
    Bollinger  ACCEPT(8)
    Cox        ACCEPT(89) MODIFY(55) NOOP(290) REVIEWING(1)
    Williams   ACCEPT(16) MODIFY(4) NOOP(1) REVIEWING(2)
    Baker      ACCEPT(294) MODIFY(1)
    Bishop     ACCEPT(1) NOOP(2)
    Christey   MODIFY(4) NOOP(155)
    Armstrong  ACCEPT(212) NOOP(24)
    Wall       ACCEPT(116) NOOP(206) REVIEWING(30)

======================================================
Candidate: CAN-1999-0718
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0718
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20010214
Assigned: 19991125
Category: unknown
Reference: NTBUGTRAQ:19990823 IBM Gina security warning
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534
Reference: BID:608
Reference: URL:http://www.securityfocus.com/bid/608
Reference: XF:ibm-gina-group-add
Reference: URL:http://xforce.iss.net/static/3166.php

IBM GINA, when used for OS/2 domain authentication of Windows NT users,
allows local users to gain administrator privileges by changing the
GroupMapping registry key.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-1999-0718 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Baker, Frech, Cole

 Voter Comments:
 Frech> XF:ibm-gina-group-add

======================================================
Candidate: CAN-1999-1189
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1189
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19991124 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36306
Reference: BUGTRAQ:19991127 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36608
Reference: BID:822
Reference: URL:http://www.securityfocus.com/bid/822
Reference: XF:netscape-long-argument-bo(7884)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7884

Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95
and Windows 98 allows remote attackers to cause a denial of service,
and possibly execute arbitrary commands, via a long argument after the
? character in a URL that references an .asp, .cgi, .html, or .pl file.

Modifications:
  20040723 ADDREF XF:netscape-long-argument-bo(7884)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-1999-1189 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(2) Wall, Cole
    MODIFY(1) Frech
    NOOP(1) Foat

 Voter Comments:
 Frech> XF:netscape-long-argument-bo(7884)

======================================================
Candidate: CAN-1999-1199
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1199
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19980807 YA Apache DoS attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90252779826784&w=2
Reference: BUGTRAQ:19980808 Debian Apache Security Update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90276683825862&w=2
Reference: BUGTRAQ:19980810 Apache DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90286768232093&w=2
Reference: BUGTRAQ:19980811 Apache 'sioux' DOS fix for TurboLinux
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90280517007869&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#apache

Apache WWW server 1.3.1 and earlier allows remote attackers to cause a
denial of service (resource exhaustion) via a large number of MIME
headers with the same name, aka the "sioux" vulnerability.

Modifications:
  20040723 ADDREF CONFIRM

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-1999-1199 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(2) Cox, Cole
    NOOP(3) Christey, Wall, Foat

 Voter Comments:
 Christey> CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#apache

======================================================
Candidate: CAN-1999-1201
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1201
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19990206 New Windows 9x Bug: TCP Chorusing
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91849617221319&w=2
Reference: BID:225
Reference: URL:http://www.securityfocus.com/bid/225
Reference: XF:win-multiple-ip-dos(7542)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7542

Windows 95 and Windows 98 systems, when configured with multiple TCP/IP
stacks bound to the same MAC address, allow remote attackers to cause a
denial of service (traffic amplification) via a certain ICMP echo (ping)
packet, which causes all stacks to send a ping response, aka TCP
Chorusing.

Modifications:
  20040723 ADDREF XF:win-multiple-ip-dos(7542)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-1999-1201 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(2) Wall, Cole
    MODIFY(1) Frech
    NOOP(1) Foat

 Voter Comments:
 Frech> XF:win-multiple-ip-dos(7542)

======================================================
Candidate: CAN-1999-1217
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1217
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19970725 Re: NT security - why bother?
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602726319435&w=2
Reference: NTBUGTRAQ:19970723 NT security - why bother?
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602726319426&w=2
Reference: XF:nt-path(526)
Reference: URL:http://xforce.iss.net/static/526.php

The PATH in Windows NT includes the current working directory (.),
which could allow local users to gain privileges by placing Trojan
horse programs with the same name as commonly used system programs into
certain directories.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-1999-1217 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Frech, Foat, Cole

 Voter Comments:
 CHANGE> [Foat changed vote from NOOP to ACCEPT]

======================================================
Candidate: CAN-1999-1365
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1365
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93069418400856&w=2
Reference: NTBUGTRAQ:19990630 Update: NT runs explorer.exe, etc...
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93127894731200&w=2
Reference: XF:nt-login-default-folder(2336)
Reference: URL:http://xforce.iss.net/xforce/xfdb/2336
Reference: BID:0515
Reference: URL:http://www.securityfocus.com/bid/0515

Windows NT searches a user's home directory (%systemroot% by default)
before other directories to find critical programs such as
NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could
allow local users to bypass access restrictions or gain privileges by
placing a Trojan horse program into the root directory, which is
writable by default.

Modifications:
  20040723 ADDREF XF:nt-login-default-folder(2336)

Analysis
--------
Vendor Acknowledgement:

The %systemroot% being writable by users is contrary to Microsoft
recommended configuration. So, is this just one implication of a bad
configuration problem?

INFERRED ACTION: CAN-1999-1365 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Wall, Foat, Cole
    MODIFY(1) Frech

 Voter Comments:
 Frech> XF:nt-login-default-folder(2336)
 CHANGE> [Foat changed vote from NOOP to ACCEPT]
 Frech> XF:nt-login-default-folder(2336)

======================================================
Candidate: CAN-1999-1397
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1397
Final-Decision:
Interim-Decision: 20040825
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92242671024118&w=2
Reference: NTBUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92223293409756&w=2
Reference: BID:476
Reference: URL:http://www.securityfocus.com/bid/476
Reference: XF:iis-indexserver-reveal-path(7559)
Reference: URL:http://www.iss.net/security_center/static/7559.php

Index Server 2.0 on IIS 4.0 stores physical path information in the
ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose
permissions allows local and remote users to obtain the physical paths
of directories that are being indexed.

Modifications:
  ADDREF XF:iis-indexserver-reveal-path(7559)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-1999-1397 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(2) Wall, Cole
    MODIFY(1) Frech
    NOOP(1) Foat

 Voter Comments:
 Frech> XF:iis-indexserver-reveal-path(7559)

======================================================
Candidate: CAN-1999-1486
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1486
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CONFIRM:http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info
Reference: AIXAPAR:IX75554
Reference: AIXAPAR:IX76853
Reference: AIXAPAR:IX76330
Reference: BID:408
Reference: URL:http://www.securityfocus.com/bid/408
Reference: XF:aix-sadc-timex(7675)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7675

sadc in IBM AIX 4.1 through 4.3, when called from programs such as
timex that are setgid adm, allows local users to overwrite arbitrary
files via a symlink attack.

Modifications:
  20040723 fix desc. to show linkage with timex
  20040723 ADDREF CONFIRM

Analysis
--------
Vendor Acknowledgement: yes patch

ABSTRACTION: This could be related to the sadc problem in other UNIXes
as discovered by 8lgm in 1994, but there are insufficient details to be
sure.

INFERRED ACTION: CAN-1999-1486 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
    ACCEPT(4) Bollinger, Foat, Cole, Stracener
    NOOP(1) Christey

 Voter Comments:
 Christey> The description needs to be modified to mention the role of
   timex. The one-line description for the IX75554 APAR mentions timex
   instead of sadc, but the BID mentions sadc and not timex. This
   apparent discrepancy is resolved by a README file for the fileset
   that is used by IX75554:
   CONFIRM:http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info
   This clearly shows the relationship between timex and sadc.
 Bollinger> The one line abstract is somewhat misleading. The timex
   command calls sadc with a filename and it's the sadc command that
   can be tricked into modifying files owned by the adm group. Since
   sadc is only executable by group adm, a local attacker would need to
   use timex to exploit this. (timex is setgid adm.) So the
   vulnerability is really in sadc and that's where the fix was made.

======================================================
Candidate: CAN-1999-1520
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1520
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: CF
Reference: BUGTRAQ:19990511 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407227303&w=2
Reference: BID:256
Reference: URL:http://www.securityfocus.com/bid/256
Reference: XF:siteserver-site-csc(2270)
Reference: URL:http://xforce.iss.net/static/2270.php

A configuration problem in the Ad Server Sample directory (AdSamples)
in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC
file, which exposes sensitive SQL database information.

Modifications:
  20040723 update desc style

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-1999-1520 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Frech, Wall, Cole
    NOOP(1) Foat

======================================================
Candidate: CAN-1999-1537
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1537
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19990707 SSL and IIS.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93138827329577&w=2
Reference: BID:521
Reference: URL:http://www.securityfocus.com/bid/521
Reference: XF:ssl-iis-dos(2352)
Reference: URL:http://xforce.iss.net/static/2352.php

IIS 3.x and 4.x does not distinguish between pages requiring encryption
and those that do not, which allows remote attackers to cause a denial
of service (resource exhaustion) via SSL requests to the HTTPS port for
normally unencrypted files, which will cause IIS to perform extra work
to send the files over SSL.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-1999-1537 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Frech, Wall, Cole
    NOOP(1) Foat

======================================================
Candidate: CAN-1999-1556
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1556
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19980629 MS SQL Server 6.5 stores password in unprotected registry keys
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431645&w=2
Reference: BID:109
Reference: URL:http://www.securityfocus.com/bid/109
Reference: XF:mssql-sqlexecutivecmdexec-password(7354)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7354

Microsoft SQL Server 6.5 uses weak encryption for the password for the
SQLExecutiveCmdExec account and stores it in an accessible portion of
the registry, which could allow local users to gain privileges by
reading and decrypting the CmdExecAccount value.

Modifications:
  20040723 ADDREF XF:mssql-sqlexecutivecmdexec-password(7354)
  20040723 desc: fix typo "andd"

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-1999-1556 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(2) Wall, Cole
    MODIFY(1) Frech
    NOOP(2) Christey, Foat

 Voter Comments:
 Frech> XF:mssql-sqlexecutivecmdexec-password(7354)
 Christey> Need to consult MS on this issue.
======================================================
Candidate: CAN-1999-1568
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1568
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990223 NcFTPd remote buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91981352617720&w=2
Reference: BUGTRAQ:19990223 Comments on NcFTPd "theoretical root compromise"
Reference: URL:http://www.securityfocus.com/archive/1/12699
Reference: XF:ncftpd-port-bo(1833)
Reference: URL:http://xforce.iss.net/static/1833.php

Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote
attacker to cause a denial of service (crash) via a long PORT command.

Analysis
--------
Vendor Acknowledgement: yes followup

INCLUSION: This is a UNIX based server. The process that crashes is a
child process whose resources are released appropriately, according to
reports. Since it's also an off-by-one error instead of a buffer
overflow, perhaps this is not "exploitable" and as such should not be
included in CVE.

INFERRED ACTION: CAN-1999-1568 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(3) Frech, Foat, Cole
    NOOP(1) Wall

======================================================
Candidate: CAN-2000-0247
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0247
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000322 Local root compromise in GNQS 3.50.6 and 3.50.7
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0236.html
Reference: MISC:http://ftp.gnqs.org/pub/gnqs/source/by-version-number/v3.50/Generic-NQS-3.50.8-ChangeLog.txt
Reference: FREEBSD:FreeBSD-SA-00:13
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:13.generic-nqs.asc
Reference: BID:1842
Reference: URL:http://www.securityfocus.com/bid/1842
Reference: XF:generic-nqs-local-root(4306)
Reference: URL:http://xforce.iss.net/xforce/xfdb/4306

Unknown vulnerability in Generic-NQS (GNQS) allows local users to gain
root privileges.

Modifications:
  20040723 desc: add "unknown"
  20040723 ADDREF BID:1842
  20040723 ADDREF XF:generic-nqs-local-root(4306)
  20040723 ADDREF FREEBSD:FreeBSD-SA-00:13

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2000-0247 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
    ACCEPT(1) Baker
    MODIFY(2) Frech, Christey
    NOOP(2) Magdych, Cole
    REVIEWING(1) Levy

 Voter Comments:
 Christey> ADDREF FREEBSD:FreeBSD-SA-00:13
   ADDREF ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A13-generic-nqs.asc
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:generic-nqs-local-root
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]
 CHANGE> [Christey changed vote from NOOP to MODIFY]
 Christey> BID:1842
   XF:generic-nqs-local-root(4306)

======================================================
Candidate: CAN-2000-0747
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0747
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000726 CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENLDAP
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0379.html
Reference: XF:openldap-logrotate-script-dos(5036)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5036

The logrotate script for OpenLDAP before 1.2.11 in Conectiva Linux
sends an improper signal to the kernel log daemon (klogd) and kills it.

Modifications:
  20040723 ADDREF XF:openldap-logrotate-script-dos(5036)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2000-0747 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
    ACCEPT(2) Baker, Cole
    NOOP(1) Wall
    REVIEWING(1) Levy

======================================================
Candidate: CAN-2000-0773
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0773
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html
Reference: BID:1522
Reference: URL:http://www.securityfocus.com/bid/1522
Reference: XF:bajie-view-arbitrary-files(5021)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5021

Bajie HTTP web server 0.30a allows remote attackers to read arbitrary
files via a URL that contains a "....", a variant of the dot dot
directory traversal attack.

Modifications:
  20040723 XF:bajie-view-arbitrary-files(5021)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0773 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Baker, Levy, Williams
    MODIFY(1) Christey
    NOOP(2) Wall, Cole

 Voter Comments:
 Baker> Apparently the vendor fixed this issue, as it doesn't appear in
   later versions of the software.
 Christey> XF:bajie-view-arbitrary-files(5021)

======================================================
Candidate: CAN-2000-0781
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0781
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000728 Client Agent 6.62 for Unix Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0431.html
Reference: BID:1519
Reference: URL:http://www.securityfocus.com/bid/1519
Reference: XF:arcserveit-clientagent-temp-file(5023)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5023

uagentsetup in ARCServeIT Client Agent 6.62 does not properly check for
the existence or ownership of a temporary file which is moved to the
agent.cfg configuration file, which allows local users to execute
arbitrary commands by modifying the temporary file before it is moved.

Modifications:
  20040723 desc fix "the the"
  20040723 XF:arcserveit-clientagent-temp-file(5023)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0781 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(2) Levy, Williams
    MODIFY(2) Baker, Christey
    NOOP(2) Wall, Cole

 Voter Comments:
 Christey> fix typo: "the the"
 Baker> Can't really access the CA website to get info on this.
 CHANGE> [Christey changed vote from NOOP to MODIFY]
 Christey> XF:arcserveit-clientagent-temp-file(5023)

======================================================
Candidate: CAN-2000-0797
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0797
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: SGI:20040104-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040104-01-P.asc
Reference: BID:1526
Reference: URL:http://www.securityfocus.com/bid/1526
Reference: XF:irix-grosview-bo(5062)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5062
Reference: OSVDB:3815
Reference: URL:http://www.osvdb.org/3815

Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to
gain privileges via a long -D option.

Modifications:
  20040723 ADDREF XF:irix-grosview-bo(5062)
  20040723 ADDREF SGI:20040104-01-P
  20040818 ADDREF OSVDB:3815

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2000-0797 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
    ACCEPT(2) Baker, Levy
    NOOP(4) Williams, Wall, Cole, Christey

 Voter Comments:
 Christey> XF:irix-grosview-bo
   http://xforce.iss.net/static/5062.php
 Christey> SGI:20040104-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/20040104-01-P.asc

======================================================
Candidate: CAN-2000-0894
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0894
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20010202
Assigned: 20001114
Category: SF
Reference: ISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall
Reference: URL:http://xforce.iss.net/alerts/advise70.php
Reference: XF:watchguard-soho-web-auth(5554)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5554
Reference: BID:2119
Reference: URL:http://www.securityfocus.com/bid/2119
Reference: OSVDB:4404
Reference: URL:http://www.osvdb.org/4404

HTTP server on the WatchGuard SOHO firewall does not properly restrict
access to administrative functions such as password resets or
rebooting, which allows attackers to cause a denial of service or
conduct unauthorized activities.

Modifications:
  20040818 ADDREF OSVDB:4404

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0894 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
    ACCEPT(2) Baker, Cole
    MODIFY(1) Frech
    NOOP(2) Wall, Christey
    REVIEWING(1) Ziese

 Voter Comments:
 Frech> XF:watchguard-soho-web-auth(5554)
 Christey> Consider adding BID:2119

======================================================
Candidate: CAN-2000-0895
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0895
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20010202
Assigned: 20001114
Category: SF
Reference: ISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall
Reference: URL:http://xforce.iss.net/alerts/advise70.php
Reference: BID:2114
Reference: URL:http://www.securityfocus.com/bid/2114
Reference: XF:watchguard-soho-web-dos(5218)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5218
Reference: OSVDB:4403
Reference: URL:http://www.osvdb.org/4403

Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows
remote attackers to cause a denial of service and possibly execute
arbitrary code via a long GET request.

Modifications:
  20040723 ADDREF XF:watchguard-soho-web-dos(5218)
  20040723 desc normalize to "arbitrary code"
  20040818 ADDREF OSVDB:4403

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0895 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
    ACCEPT(2) Baker, Cole
    MODIFY(1) Frech
    NOOP(1) Wall
    REVIEWING(1) Ziese

 Voter Comments:
 Frech> XF:watchguard-soho-web-dos(5218)

======================================================
Candidate: CAN-2000-1203
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1203
Final-Decision:
Interim-Decision: 20040825
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020131
Category: SF
Reference: VULN-DEV:20000520 Infinite loop in LOTUS NOTE 5.0.3. SMTP SERVER
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=95886062521327&w=2
Reference: BUGTRAQ:20010820 Lotus Domino DoS
Reference: URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-01-21&end=2002-01-27&mid=209116&threads=1
Reference: BUGTRAQ:20010823 Lotus Domino DoS solution
Reference: URL:http://www.securityfocus.com/archive/1/209754
Reference: BID:3212
Reference: URL:http://www.securityfocus.com/bid/3212
Reference: XF:lotus-domino-bounced-message-dos(7012)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7012

Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to
cause a denial of service (CPU consumption) by forging an email message
with the sender as bounce@[127.0.0.1] (localhost), which causes Domino
to enter a mail loop.

Modifications:
  ADDREF XF:lotus-domino-bounced-message-dos(7012)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2000-1203 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Baker, Armstrong, Green
    MODIFY(1) Frech
    NOOP(5) Cox, Wall, Foat, Cole, Christey

 Voter Comments:
 Green> Since a work around involving configuration settings exists the
   presenting problem should also exist.
 Frech> XF:lotus-domino-bounced-message-dos(7012)
   CONFIRM: http://www-1.ibm.com/support/docview.wss?rs=0&org=sims&doc=DA18AA221C3 B982085256B84000033EB
 Christey> The CONFIRM URL provided by Andre is broken

======================================================
Candidate: CAN-2001-0042
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0042
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001206 CHINANSL Security Advisory(CSA-200011)
Reference: URL:http://www.securityfocus.com/archive/1/149210
Reference: BID:2060
Reference: URL:http://www.securityfocus.com/bid/2060
Reference: XF:apache-php-disclose-files
Reference: URL:http://xforce.iss.net/static/5659.php

PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read
arbitrary files via a modified .. (dot dot) attack containing "%5c"
(encoded backslash) sequences.

Modifications:
  20040723 desc normalize, add "%5c" detail

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-0042 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
    ACCEPT(3) Cole, Baker, Frech
    NOOP(1) Wall
    REVIEWING(1) Ziese

======================================================
Candidate: CAN-2001-0375
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0375
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010524
Assigned: 20010524
Category: SF
Reference: BUGTRAQ:20010406 PIX Firewall 5.1 DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98658271707833&w=2
Reference: CISCO:20011003 Cisco PIX Firewall Authentication Denial of Service Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/pixfirewall-authen-flood-pub.shtml
Reference: XF:cisco-pix-tacacs-dos(6353)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6353
Reference: BID:2551
Reference: URL:http://www.securityfocus.com/bid/2551

Cisco PIX Firewall 515 and 520 with 5.1.4 OS running aaa authentication
to a TACACS+ server allows remote attackers to cause a denial of
service via a large number of authentication requests.

Modifications:
  20040723 desc normalize
  20040723 XF:cisco-pix-tacacs-dos(6353)
  20040723 CISCO:20011003 Cisco PIX Firewall Authentication Denial of Service Vulnerability

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0375 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
    ACCEPT(1) Cole
    MODIFY(1) Frech
    NOOP(2) Wall, Christey
    REVIEWING(1) Ziese

 Voter Comments:
 Frech> XF:cisco-pix-tacacs-dos(6353)
 Christey> CISCO:20011003 Cisco PIX Firewall Authentication Denial of Service Vulnerability
   URL:http://www.cisco.com/warp/public/707/pixfirewall-authen-flood-pub.shtml

======================================================
Candidate: CAN-2001-0423
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0423
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010524
Assigned: 20010524
Category: SF
Reference: BUGTRAQ:20010412 Solaris ipcs vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-04/0217.html
Reference: BID:2581
Reference: URL:http://www.securityfocus.com/bid/2581
Reference: XF:solaris-ipcs-bo(6369)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6369

Buffer overflow in ipcs in Solaris 7 x86 allows local users to execute
arbitrary code via a long TZ (timezone) environmental variable, a
different vulnerability than CAN-2002-0093.

Modifications:
  20040723 desc add "different from CAN-2002-0093"
  20040723 ADDREF XF:solaris-ipcs-bo(6369)

Analysis
--------
Vendor Acknowledgement: yes cve-vote

INFERRED ACTION: CAN-2001-0423 ACCEPT_ACK_REV (2 accept, 1 ack, 2 review)

Current Votes:
    ACCEPT(1) Dik
    MODIFY(1) Frech
    NOOP(3) Wall, Cole, Christey
    REVIEWING(2) Ziese, Williams

 Voter Comments:
 Frech> XF:solaris-ipcs-bo(6369)
 Dik> sun bug: 4448598
 Christey> This might be a duplicate of CAN-2002-0093, which is for
   Compaq IPCS.
 Christey> An authoritative source confirmed that this issue is in fact
   different from CAN-2002-0093.

======================================================
Candidate: CAN-2001-0485
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0485
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010524
Assigned: 20010524
Category: SF
Reference: BUGTRAQ:20010426 IRIX /usr/lib/print/netprint local root symbols exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-04/0475.html
Reference: BUGTRAQ:20010427 Re: IRIX /usr/lib/print/netprint local root symbols exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-04/0502.html
Reference: SGI:20010701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20010701-01-P
Reference: BID:2656
Reference: URL:http://www.securityfocus.com/bid/2656
Reference: XF:irix-netprint-shared-library(6473)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6473

Unknown vulnerability in netprint in IRIX 6.2, and possibly other
versions, allows local users with lp privileges to execute arbitrary
commands via the -n option.

Modifications:
  20040723 ADDREF SGI:20010701-01-P
  20040723 ADDREF BID:2656
  20040723 ADDREF XF:irix-netprint-shared-library(6473)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0485 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
    ACCEPT(1) Baker
    MODIFY(1) Frech
    NOOP(5) Wall, Cole, Christey, Ziese, Renaud
    REVIEWING(1) Williams

 Voter Comments:
 Williams> Apply the following patch: 2022? See advisory 19961203-01-PX
   for more information?
 Frech> XF:irix-netprint-shared-library(6473)
 Christey> SGI:20010701-01-P
 Baker> SGI Patch 20010701-01-P
 Christey> ADDREF BID:2656

======================================================
Candidate: CAN-2001-0548
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0548
Final-Decision:
Interim-Decision: 20040825
Modified: 20020223-01
Proposed: 20010727
Assigned: 20010717
Category: SF
Reference: BUGTRAQ:20010724 NSFOCUS SA2001-04 : Solaris dtmail Buffer Overflow Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99598918914068&w=2
Reference: XF:solaris-dtmail-bo(6879)
Reference: URL:http://xforce.iss.net/static/6879.php
Reference: BID:3081
Reference: URL:http://www.securityfocus.com/bid/3081

Buffer overflow in dtmail in Solaris 2.6 and 7 allows local users to
gain privileges via the MAIL environment variable.

Modifications:
  ADDREF XF:solaris-dtmail-bo(6879)
  DESC remove "possibly other OSes"

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0548 ACCEPT (5 accept, 0 ack, 0 review)

Current Votes:
    ACCEPT(3) Foat, Armstrong, Stracener
    MODIFY(2) Frech, Balinsky
    NOOP(4) Wall, Cole, Christey, Ziese

 Voter Comments:
 Frech> XF:solaris-dtmail-bo(6879)
 Balinsky> Delete "and possibly other operating systems" because that is
   not verifiable, and add the following references from Sun, which
   acknowledge the problem:
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches/105338
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches/105339
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches/107200
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches/107201
 Christey> BID:3081
   URL:http://www.securityfocus.com/bid/3081
 Christey> It is not clear from the patch list whether these
   *particular* dtmail overflows have been addressed.
======================================================
Candidate: CAN-2001-0612
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0612
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20010727
Assigned: 20010727
Category: SF
Reference: BUGTRAQ:20010516 Remote Desktop DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0158.html
Reference: XF:remote-desktop-dos(6547)
Reference: URL:http://xforce.iss.net/static/6547.php
Reference: BID:2726
Reference: URL:http://www.securityfocus.com/bid/2726
Reference: OSVDB:6288
Reference: URL:http://www.osvdb.org/6288

McAfee Remote Desktop 3.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of packets to port 5045.

Modifications:
  20040723 desc normalize
  20040818 ADDREF OSVDB:6288

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0612 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(3) Cole, Frech, Ziese
  NOOP(3) Wall, Foat, Bishop

Voter Comments:
  CHANGE> [Bishop changed vote from REVIEWING to NOOP]

======================================================
Candidate: CAN-2001-0643
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0643
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010829
Assigned: 20010806
Category: SF
Reference: BUGTRAQ:20010416 Double clicking on innocent looking files may be dangerous
Reference: URL:http://www.securityfocus.com/archive/1/176909
Reference: MISC:http://www.guninski.com/clsidext.html
Reference: MISC:http://vil.nai.com/vil/virusSummary.asp?virus_k=99048
Reference: MISC:http://www.sarc.com/avcenter/venc/data/vbs.postcard@mm.html
Reference: XF:ie-clsid-execute-files(6426)
Reference: URL:http://xforce.iss.net/static/6426.php
Reference: BID:2612
Reference: URL:http://www.securityfocus.com/bid/2612

A type-check flaw in Internet Explorer 5.5 does not display the Class ID (CLSID) when it is at the end of the file name, which could allow attackers to trick the user into executing dangerous programs by making it appear that the document is of a safe file type.

Modifications:
  20040723 ADDREF MISC:http://www.guninski.com/clsidext.html
  20040723 ADDREF BID:2612

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0643 ACCEPT (5 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(5) Wall, Foat, Cole, Baker, Frech
  NOOP(2) Stracener, Ziese

Voter Comments:
  CHANGE> [Wall changed vote from REVIEWING to ACCEPT]

======================================================
Candidate: CAN-2001-0741
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0741
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20011012
Assigned: 20011012
Category: CF
Reference: BUGTRAQ:20010503 Cisco HSRP Weakness/DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0035.html
Reference: MISC:http://www.cisco.com/networkers/nw00/pres/2402.pdf
Reference: XF:cisco-hsrp-dos(6497)
Reference: URL:http://xforce.iss.net/static/6497.php
Reference: BID:2684
Reference: URL:http://www.securityfocus.com/bid/2684

Cisco Hot Standby Routing Protocol (HSRP) allows local attackers to cause a denial of service by spoofing HSRP packets.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0741 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(3) Foat, Armstrong, Frech
  NOOP(2) Wall, Cole

======================================================
Candidate: CAN-2001-0749
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0749
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010524 IPC@Chip Security
Reference: URL:http://www.securityfocus.com/archive/1/186418
Reference: BID:2775
Reference: URL:http://www.securityfocus.com/bid/2775
Reference: XF:ipcchip-web-root-system(8922)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8922

Beck IPC GmbH IPC@CHIP Embedded-Webserver allows remote attackers to retrieve arbitrary files via webserver root directory set to system root.

Modifications:
  20040723 ADDREF XF:ipcchip-web-root-system(8922)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-0749 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Cole, Green
  MODIFY(1) Frech
  NOOP(3) Wall, Foat, Armstrong

Voter Comments:
  Frech> XF:ipcchip-web-root-system(8922)

======================================================
Candidate: CAN-2001-0792
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0792
Final-Decision:
Interim-Decision: 20040825
Modified: 20020226-01
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: MISC:http://www.securiteam.com/exploits/5AP0Q2A4AQ.html
Reference: XF:xchat-nickname-format-string(7416)
Reference: URL:http://xforce.iss.net/static/7416.php

Format string vulnerability in XChat 1.2.x allows remote attackers to execute arbitrary code via a malformed nickname.

Modifications:
  ADDREF XF:xchat-nickname-format-string(7416)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-0792 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Cole, Armstrong
  MODIFY(1) Frech
  NOOP(3) Wall, Foat, Christey

Voter Comments:
  Frech> XF:xchat-nickname-format-string(7416)
  Christey> Inquiry sent to xchat developer on 2/25/2002.
  Christey> Received a reply 2/26/2002: "I don't know... It doesn't seem to effect [sic] any recent versions though." This vulnerability was reported for a *MUCH* older version.

======================================================
Candidate: CAN-2001-0825
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0825
Final-Decision:
Interim-Decision: 20040825
Modified: 20020821-02
Proposed: 20011122
Assigned: 20011122
Category: SF
Reference: SUSE:SuSE-SA:2001:022
Reference: URL:http://lists.suse.com/archives/suse-security-announce/2001-Jun/0002.html
Reference: CONECTIVA:CLA-2001:406
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000406
Reference: REDHAT:RHSA-2001:092
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-092.html
Reference: IMMUNIX:IMNX-2001-70-029-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-029-01
Reference: BID:2971
Reference: URL:http://www.securityfocus.com/bid/2971
Reference: XF:xinetd-zero-length-bo(6804)
Reference: URL:http://xforce.iss.net/static/6804.php

Buffer overflow in internal string handling routines of xinetd before 2.1.8.8 allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check.

Modifications:
  ADDREF XF:xinetd-zero-length-bo(6804)
  ADDREF IMMUNIX:IMNX-2001-70-024-01
  DELREF IMMUNIX:IMNX-2001-70-024-01
  DELREF BUGTRAQ:20010629 xinetd update [normalize to IMMUNIX]
  DELREF BUGTRAQ:20010608 potential buffer overflow in xinetd-2.1.8.9pre11-1

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0825 ACCEPT (7 accept, 2 ack, 0 review)

Current Votes:
  ACCEPT(6) Wall, Foat, Cole, Armstrong, Baker, Bishop
  MODIFY(1) Frech
  NOOP(1) Christey

Voter Comments:
  Frech> XF:xinetd-zero-length-bo(6804)
  Christey> Need to sift through the references to make sure they're correct and appropriately distinguish from CAN-2001-0763.
  Christey> DELREF IMMUNIX:IMNX-2001-70-024-01 - it does not explicitly mention this issue.
    DELREF BUGTRAQ:20010608 potential buffer overflow in xinetd-2.1.8.9pre11-1
    That's for CAN-2001-0763.
    Change affected version to 2.1.8, I have no idea where 2.3.1 came from.

======================================================
Candidate: CAN-2001-0837
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0837
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20011122
Assigned: 20011122
Category: SF
Reference: BUGTRAQ:20011025 Pc-to-Phone vulnerability - broken by design
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100403691432052&w=2
Reference: XF:pc2phone-temp-account-readable(7393)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7393
Reference: BID:3475
Reference: URL:http://www.securityfocus.com/bid/3475

DeltaThree Pc-To-Phone 3.0.3 places sensitive data in world-readable locations in the installation directory, which allows local users to read the information in (1) temp.html, (2) the log folder, and (3) the PhoneBook folder.

Modifications:
  20040723 ADDREF XF:pc2phone-temp-account-readable(7393)

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-0837 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Armstrong, Baker
  MODIFY(1) Frech
  NOOP(4) Wall, Foat, Cole, Bishop

Voter Comments:
  Frech> XF:pc2phone-temp-account-readable(7393)
  Armstrong> http://www.securiteam.com/windowsntfocus/6V00P202UC.html

======================================================
Candidate: CAN-2001-0902
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0902
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011120 IIS logging issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100626531103946&w=2
Reference: NTBUGTRAQ:20011120 IIS logging issue
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=100627497122247&w=2
Reference: XF:iis-fake-log-entry(7613)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7613
Reference: BID:6795
Reference: URL:http://www.securityfocus.com/bid/6795

Microsoft IIS 5.0 allows remote attackers to spoof web log entries via an HTTP request that includes hex-encoded newline or form-feed characters.

Modifications:
  20040723 ADDREF XF:iis-fake-log-entry(7613)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0902 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(2) Foat, Cole
  MODIFY(1) Frech
  NOOP(1) Armstrong
  REVIEWING(1) Wall

Voter Comments:
  Frech> XF:iis-fake-log-entry(7613)

======================================================
Candidate: CAN-2001-0907
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0907
Final-Decision:
Interim-Decision: 20040825
Modified: 20020817-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011018 Flaws in recent Linux kernels
Reference: URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337
Reference: MANDRAKE:MDKSA-2001:082
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-082-1.php3
Reference: SUSE:SuSE-SA:2001:036
Reference: URL:http://www.suse.de/de/support/security/2001_036_kernel_txt.html
Reference: IMMUNIX:IMNX-2001-70-035-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-035-01
Reference: CALDERA:CSSA-2001-036.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2001-036.0.txt
Reference: MANDRAKE:MDKSA-2001:079
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-079.php
Reference: ENGARDE:ESA-20011019-02
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1650.html
Reference: BUGTRAQ:20011019 TSLSA-2001-0028
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100350685431610&w=2
Reference: XF:linux-multiple-symlink-dos(7312)
Reference: URL:http://www.iss.net/security_center/static/7312.php
Reference: BID:3444
Reference: URL:http://www.securityfocus.com/bid/3444

Linux kernel 2.2.1 through 2.2.19, and 2.4.1 through 2.4.10, allows local users to cause a denial of service via a series of deeply nested symlinks, which causes the kernel to spend extra time when trying to access the link.

Modifications:
  ADDREF SUSE:SuSE-SA:2001:036
  ADDREF IMMUNIX:IMNX-2001-70-035-01
  ADDREF CALDERA:CSSA-2001-036.0
  ADDREF MANDRAKE:MDKSA-2001:079
  ADDREF ENGARDE:ESA-20011019-02
  ADDREF BUGTRAQ:20011019 TSLSA-2001-0028
  ADDREF XF:linux-multiple-symlink-dos(7312)
  ADDREF BID:3444

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0907 ACCEPT_REV (5 accept, 2 ack, 1 review)

Current Votes:
  ACCEPT(4) Foat, Cole, Green, Baker
  MODIFY(1) Frech
  NOOP(1) Christey
  REVIEWING(1) Wall

Voter Comments:
  Frech> XF:linux-multiple-symlink-dos(7312)
  Christey> SUSE:SuSE-SA:2001:036
    URL:http://www.suse.de/de/support/security/2001_036_kernel_txt.html
    IMMUNIX:IMNX-2001-70-035-01
    URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-035-01
    CALDERA:CSSA-2001-036.0
    URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2001-036.0.txt
    MANDRAKE:MDKSA-2001:079
    ENGARDE:ESA-20011019-02
    URL:http://www.linuxsecurity.com/advisories/other_advisory-1650.html
    BUGTRAQ:20011019 TSLSA-2001-0028
    URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100350685431610&w=2

======================================================
Candidate: CAN-2001-0909
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0909
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011121 Buffer overflow in Windows XP "helpctr.exe"
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100638955422011&w=2
Reference: XF:winxp-helpctr-bo(7605)
Reference: URL:http://xforce.iss.net/static/7605.php
Reference: BID:6802
Reference: URL:http://www.securityfocus.com/bid/6802

Buffer overflow in helpctr.exe program in Microsoft Help Center for Windows XP allows remote attackers to execute arbitrary code via a long hcp: URL.

Modifications:
  20040723 BID:6802

Analysis
--------
Vendor Acknowledgement: no

INFERRED ACTION: CAN-2001-0909 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(3) Foat, Cole, Frech
  NOOP(1) Armstrong
  REVIEWING(1) Wall

======================================================
Candidate: CAN-2001-0914
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0914
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011121 SuSE 7.3 : Kernel 2.4.10-4GB Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100638584813349&w=2
Reference: BUGTRAQ:20011122 Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100654787226869&w=2L:2
Reference: XF:linux-vmlinux-dos(7591)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7591
Reference: BID:3570
Reference: URL:http://www.securityfocus.com/bid/3570

Linux kernel before 2.4.11pre3 in multiple Linux distributions allows local users to cause a denial of service (crash) by starting the core vmlinux kernel, possibly related to poor error checking during ELF loading.

Modifications:
  20040723 ADDREF XF:linux-vmlinux-dos(7591)
  20040723 ADDREF BID:3570

Analysis
--------
Vendor Acknowledgement: yes followup
ABSTRACTION: There could be a rediscovery of CVE-2000-0729, but there is insufficient information to be certain.
INFERRED ACTION: CAN-2001-0914 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(4) Foat, Cole, Armstrong, Baker
  MODIFY(1) Frech
  NOOP(1) Wall

Voter Comments:
  Frech> XF:linux-vmlinux-dos(7591)

======================================================
Candidate: CAN-2001-0951
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0951
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011207 UDP DoS attack in Win2k via IKE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100774842520403&w=2
Reference: BUGTRAQ:20011211 UDP DoS attack in Win2k via IKE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100813081913496&w=2
Reference: XF:win2k-ike-dos(7667)
Reference: URL:http://xforce.iss.net/static/7667.php
Reference: BID:3652
Reference: URL:http://www.securityfocus.com/bid/3652

Windows 2000 allows remote attackers to cause a denial of service (CPU consumption) by flooding Internet Key Exchange (IKE) UDP port 500 with packets that contain a large number of dot characters.

Modifications:
  20040723 desc normalize DoS term

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0951 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(3) Foat, Green, Frech
  NOOP(1) Cole
  REVIEWING(1) Wall

======================================================
Candidate: CAN-2001-1029
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1029
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010920 Local vulnerability in libutil derived with FreeBSD 4.4-RC (and earlier)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0173.html
Reference: XF:bsd-libutil-privilege-dropping(8697)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8697
Reference: OSVDB:6073
Reference: URL:http://www.osvdb.org/6073

libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files.

Modifications:
  20040723 ADDREF XF:bsd-libutil-privilege-dropping(8697)
  20040818 ADDREF OSVDB:6073

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-1029 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Foat, Green
  MODIFY(1) Frech
  NOOP(2) Wall, Cole

Voter Comments:
  CHANGE> [Frech changed vote from REVIEWING to MODIFY]
  Frech> XF:bsd-libutil-privilege-dropping(8697)

======================================================
Candidate: CAN-2001-1055
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1055
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010730 ARPNuke - 80 kb/s kills a whole subnet
Reference: URL:http://www.securityfocus.com/archive/1/200323
Reference: BID:3113
Reference: URL:http://www.securityfocus.com/bid/3113
Reference: XF:win-arp-packet-flooding-dos(6924)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6924

The Microsoft Windows network stack allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed ARP request packets with random source IP and MAC addresses, as demonstrated by ARPNuke.

Modifications:
  20040723 ADDREF XF:win-arp-packet-flooding-dos(6924)
  20040723 desc - add ARPNuke

Analysis
--------
Vendor Acknowledgement: There is insufficient information to be able to narrow down which operating systems are affected; the disclosers did not mention these specifics.

INFERRED ACTION: CAN-2001-1055 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Foat
  MODIFY(2) Green, Frech
  NOOP(3) Wall, Cole, Armstrong

Voter Comments:
  Green> TOO VAGUE TO REACH ANY CONCLUSION
  Frech> XF:win-arp-packet-flooding-dos(6924)

======================================================
Candidate: CAN-2001-1066
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1066
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010827 Dangerous temp file creation during installation of Netscape 6.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99893667921216&w=2
Reference: VULNWATCH:20010827 Dangerous temp file creation during installation of Netscape 6.
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0036.html
Reference: SUNBUG:4633888
Reference: BID:3243
Reference: URL:http://www.securityfocus.com/bid/3243
Reference: XF:netscape-install-tmpfile-symlink(7042)
Reference: URL:http://xforce.iss.net/static/7042.php

ns6install installation script for Netscape 6.01 on Solaris, and other versions including 6.2.1 beta, allows local users to overwrite arbitrary files via a symlink attack.

Modifications:
  20040725 ADDREF SUNBUG:4633888
  20040725 ADDREF BID:3243
  20040725 ADDREF XF:netscape-install-tmpfile-symlink(7042)
  20040725 ADDREF VULNWATCH:20010827 [VulnWatch] Dangerous temp file creation during installation of Netscape 6.

Analysis
--------
Vendor Acknowledgement: yes cve-vote

INFERRED ACTION: CAN-2001-1066 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
  ACCEPT(2) Dik, Green
  MODIFY(1) Frech
  NOOP(4) Foat, Cole, Armstrong, Christey
  REVIEWING(1) Wall

Voter Comments:
  Dik> Verified by code inspection of ns6install from netscape 6.2.1 beta
    Sun bug: 4633888 (just filed)
  Christey> BID:3243
    URL:http://www.securityfocus.com/bid/3243
    XF:netscape-install-tmpfile-symlink(7042)
    URL:http://xforce.iss.net/static/7042.php
  Christey> VULNWATCH:20010827 [VulnWatch] Dangerous temp file creation during installation of Netscape 6.
    URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0036.html
  Frech> XF:netscape-install-tmpfile-symlink(7042)

======================================================
Candidate: CAN-2001-1069
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1069
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20010822 Adobe Acrobat creates world writable ~/AdobeFnt.lst files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99849121502399&w=2
Reference: MISC:http://lists.debian.org/debian-security/2001/debian-security-200101/msg00085.html
Reference: BID:3225
Reference: URL:http://www.securityfocus.com/bid/3225
Reference: XF:adobe-acrobat-insecure-permissions(7024)
Reference: URL:http://xforce.iss.net/static/7024.php

libCoolType library as used in Adobe Acrobat (acroread) on Linux creates the AdobeFnt.lst file with world-writable permissions, which allows local users to modify the file and possibly modify acroread's behavior.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1069 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
  ACCEPT(3) Foat, Green, Frech
  NOOP(3) Cole, Armstrong, Christey
  REVIEWING(1) Wall

Voter Comments:
  Christey> SGI:20020806-01-I points to this candidate, but I'm not so sure that's correct; the SGI advisory discusses symlink attacks, but this CAN is related to permissions.

======================================================
Candidate: CAN-2001-1081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1081
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CONFIRM:http://freshmeat.net/releases/52020/
Reference: MLIST:[fm-news] 20010713 Newsletter for Friday, July 13th 2001
Reference: URL:http://archives.neohapsis.com/archives/apps/freshmeat/2001-07/0009.html
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
Reference: BID:2994
Reference: URL:http://www.securityfocus.com/bid/2994

Format string vulnerabilities in Livingston/Lucent RADIUS before 2.1.va.1 may allow local or remote attackers to cause a denial of service and possibly execute arbitrary code via format specifiers that are injected into log messages.

Modifications:
  20040725 VULNWATCH:20010719 Changelog maddness (14 various broken apps)
  20040725 MLIST:[fm-news] 20010713 Newsletter for Friday, July 13th 2001

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1081 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(4) Cole, Armstrong, Green, Baker
  MODIFY(2) Christey, Frech
  NOOP(2) Wall, Foat

Voter Comments:
  Frech> ISS: ISS Security Advisory: Remote Buffer Overflow in Multiple RADIUS Implementations
    XF:lucent-radius-authentication-bo(6794)
    CONFIRM reference is no longer available.
  Christey> VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
    URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
    MISC:http://archives.neohapsis.com/archives/apps/freshmeat/2001-07/0009.html
  Christey> XF:lucent-radius-authentication-bo(6794) does not seem appropriate, as it deals with buffer overflows; however, this is a format string issue. XF:lucent-radius-authentication-bo(6794) is really about CAN-2001-0534.

======================================================
Candidate: CAN-2001-1098
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1098
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011010 Vulnerability: Cisco PIX Firewall Manager
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0071.html
Reference: CERT-VN:VU#639507
Reference: URL:http://www.kb.cert.org/vuls/id/639507
Reference: XF:cisco-pfm-plaintext-password(7265)
Reference: URL:http://xforce.iss.net/static/7265.php
Reference: BID:3419
Reference: URL:http://www.securityfocus.com/bid/3419

Cisco PIX firewall manager (PFM) 4.3(2)g logs the enable password in plaintext in the pfm.log file, which could allow local users to obtain the password by reading the file.

Modifications:
  20040725 ADDREF BID:3419
  20040725 ADDREF CERT-VN:VU#639507

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-1098 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
  ACCEPT(3) Foat, Green, Frech
  NOOP(3) Wall, Cole, Armstrong
  REVIEWING(1) Ziese

Voter Comments:
  CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
  Frech> HAS-INDEPENDENT-CONFIRMATION:http://www.kb.cert.org/vuls/id/639507

======================================================
Candidate: CAN-2001-1103
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1103
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CERT-VN:VU#320944
Reference: URL:http://www.kb.cert.org/vuls/id/320944
Reference: XF:ftp-voyager-embedded-script-execution(7119)
Reference: URL:http://xforce.iss.net/static/7119.php

FTP Voyager ActiveX control before 8.0, when it is marked as safe for scripting (the default) or if allowed by the IObjectSafety interface, allows remote attackers to execute arbitrary commands.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1103 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
  ACCEPT(4) Green, Baker, Frech, Ziese
  NOOP(3) Foat, Cole, Armstrong
  REVIEWING(1) Wall

Voter Comments:
  Green> Vendor appears to have acknowledged with a new release of the product, although there is no explicit citing of the vulnerability on the vendor's website

======================================================
Candidate: CAN-2001-1186
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1186
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011211 Microsoft IIS/5 bogus Content-length bug.
Reference: URL:http://www.securityfocus.com/archive/1/244892
Reference: BUGTRAQ:20011211 Microsoft IIS/5 bogus Content-length bug Memory attack
Reference: URL:http://online.securityfocus.com/archive/1/244931
Reference: BUGTRAQ:20011212 Microsoft IIS/5.0 Content-Length DoS (proved)
Reference: URL:http://online.securityfocus.com/archive/1/245100
Reference: BID:3667
Reference: URL:http://www.securityfocus.com/bid/3667
Reference: XF:iis-false-content-length-dos(7691)
Reference: URL:http://www.iss.net/security_center/static/7691.php

Microsoft IIS 5.0 allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents IIS from timing out the connection.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1186 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(3) Cole, Green, Frech
  NOOP(2) Foat, Ziese
  REVIEWING(1) Wall

======================================================
Candidate: CAN-2001-1200
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1200
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011217 Hot keys permissions bypass under XP
Reference: URL:http://www.securityfocus.com/archive/1/246014
Reference: BID:3703
Reference: URL:http://www.securityfocus.com/bid/3703
Reference: XF:winxp-hotkey-execute-programs(7713)
Reference: URL:http://www.iss.net/security_center/static/7713.php

Microsoft Windows XP allows local users to bypass a locked screen and run certain programs that are associated with Hot Keys.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1200 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(3) Foat, Green, Frech
  NOOP(2) Cole, Ziese
  REVIEWING(1) Wall

======================================================
Candidate: CAN-2001-1267
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010712 SECURITY.NNOV: directory traversal and path globing in multiple archivers
Reference: URL:http://online.securityfocus.com/archive/1/196445
Reference: CONFIRM:ftp://alpha.gnu.org/gnu/tar/tar-1.13.25.tar.gz
Reference: MANDRAKE:MDKSA-2002:066
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:066
Reference: REDHAT:RHSA-2002:096
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-096.html
Reference: REDHAT:RHSA-2002:138
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-138.html
Reference: REDHAT:RHSA-2003:218
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-218.html
Reference: CONECTIVA:CLA-2002:538
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000538
Reference: HP:HPSBTL0209-068
Reference: URL:http://online.securityfocus.com/advisories/4514
Reference: XF:archive-extraction-directory-traversal(10224)
Reference: URL:http://www.iss.net/security_center/static/10224.php
Reference: BID:3024
Reference: URL:http://www.securityfocus.com/bid/3024

Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot).

Modifications:
  ADDREF MANDRAKE:MDKSA-2002:066
  ADDREF REDHAT:RHSA-2002:096
  ADDREF CONECTIVA:CLA-2002:538
  ADDREF HP:HPSBTL0209-068
  ADDREF XF:archive-extraction-directory-traversal(10224)
  20040725 BID:3024
  20040818 ADDREF REDHAT:RHSA-2002:138
  20040818 ADDREF REDHAT:RHSA-2003:218

Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: in the ChangeLog file for 1.13.25, the entry dated 2001-08-27 says "(extract_archive): Fix test for absolute pathnames and/or '..'."

INFERRED ACTION: CAN-2001-1267 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
  ACCEPT(2) Cole, Green
  MODIFY(2) Frech, Cox
  NOOP(3) Wall, Foat, Christey

Voter Comments:
  Christey> MANDRAKE:MDKSA-2002:066
  CHANGE> [Cox changed vote from REVIEWING to MODIFY]
  Cox> ADDREF: RHSA-2002:096
  Frech> XF:archive-extraction-directory-traversal(10224)
  Christey> MANDRAKE:MDKSA-2002:066
    URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:066
    CONECTIVA:CLA-2002:538
    URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000538
    HP:HPSBTL0209-068
    URL:http://online.securityfocus.com/advisories/4514
    REDHAT:RHSA-2002:096
    URL:http://www.redhat.com/support/errata/RHSA-2002-096.html
  Christey> There are a couple directory traversal variants for GNU tar out there. Can we be sure the references line up correctly?
======================================================
Candidate: CAN-2001-1279
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1279
Final-Decision:
Interim-Decision: 20040825
Modified: 20030318-02
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: REDHAT:RHSA-2001:089
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-089.html
Reference: FREEBSD:FreeBSD-SA-01:48
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc
Reference: CONECTIVA:CLA-2002:480
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000480
Reference: MANDRAKE:MDKSA-2002:032
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-032.php
Reference: CALDERA:CSSA-2002-025.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-025.0.txt
Reference: XF:tcpdump-afs-rpc-bo(7006)
Reference: URL:http://www.iss.net/security_center/static/7006.php
Reference: BID:3065
Reference: URL:http://online.securityfocus.com/bid/3065
Reference: CERT-VN:VU#797201
Reference: URL:http://www.kb.cert.org/vuls/id/797201

Buffer overflow in print-rx.c of tcpdump 3.x (probably 3.6x) allows remote attackers to cause a denial of service and possibly execute arbitrary code via AFS RPC packets with invalid lengths that trigger an integer signedness error, a different vulnerability than CVE-2000-1026.

Modifications:
  ADDREF CONECTIVA:CLA-2002:480
  ADDREF MANDRAKE:MDKSA-2002:032
  ADDREF CALDERA:CSSA-2002-025.0
  ADDREF XF:tcpdump-afs-rpc-bo(7006)
  ADDREF CERT-VN:VU#797201

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1279 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
  ACCEPT(3) Cole, Green, Cox
  MODIFY(1) Frech
  NOOP(3) Wall, Foat, Christey

Voter Comments:
 Christey> ADDREF CONECTIVA:CLA-2002:480
   The Conectiva advisory references the FreeBSD advisory used in this CAN, along with other issues that are addressed.
 Christey> CONECTIVA:CLA-2002:480
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000480
 Christey> MANDRAKE:MDKSA-2002:032
   CONECTIVA:CLA-2002:480
   CALDERA:CSSA-2002-025.0
 Frech> XF:tcpdump-afs-rpc-bo(7006)
 Christey> Consider whether SUSE:SuSE-SA:2002:020 addresses this issue or not.

======================================================
Candidate: CAN-2001-1302
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1302
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: NTBUGTRAQ:20010718 Changing NT/2000 accounts password from the command line
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=1911
Reference: BID:3063
Reference: URL:http://www.securityfocus.com/bid/3063
Reference: XF:win2k-change-network-passwords(6876)
Reference: URL:http://xforce.iss.net/static/6876.php

The change password option in the Windows Security interface for Windows 2000 allows attackers to use the option to attempt to change passwords of other users on other systems or identify valid accounts by monitoring error messages, possibly due to a problem in the NetUserChangePassword function.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1302 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(4) Foat, Cole, Green, Frech
  NOOP(1) Cox
  REVIEWING(1) Wall

======================================================
Candidate: CAN-2001-1328
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1328
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020502
Assigned: 20020501
Category:
Reference: CIAC:L-103
Reference: AUSCERT:AA-2001.03
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2001.03
Reference: SUN:00203
Reference: XF:solaris-ypbind-bo(6828)

Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code.
Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1328 ACCEPT_ACK_REV (2 accept, 3 ack, 1 review)

Current Votes:
  ACCEPT(2) Green, Frech
  NOOP(3) Foat, Cole, Cox
  REVIEWING(1) Wall

Voter Comments:
 Green> Sun Security bulletin 00203

======================================================
Candidate: CAN-2001-1347
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1347
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010524 Elevation of privileges with debug registers on Win2K
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0232.html
Reference: XF:win2k-debug-elevate-privileges(6590)
Reference: URL:http://www.iss.net/security_center/static/6590.php
Reference: BID:2764
Reference: URL:http://www.securityfocus.com/bid/2764

Windows 2000 allows local users to cause a denial of service and possibly gain privileges by setting a hardware breakpoint that is handled using global debug registers, which could cause other processes to terminate due to an exception, and allow hijacking of resources such as named pipes.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-1347 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(4) Foat, Cole, Green, Frech
  NOOP(1) Cox
  REVIEWING(1) Wall

======================================================
Candidate: CAN-2001-1350
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1350
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: REDHAT:RHSA-2001:162
Reference: MISC:http://search.namazu.org/ml/namazu-devel-ja/msg02114.html

Cross-site scripting vulnerability in namazu.cgi for Namazu 2.0.7 and earlier allows remote attackers to execute arbitrary Javascript as other web users via the lang parameter.
Modifications:
  20040725 XF:linux-namazu-css(7875)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1350 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(4) Wall, Cole, Green, Cox
  MODIFY(1) Frech
  NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:linux-namazu-bo(7876)
 Christey> This is not a buffer overflow as suggested by the XF reference, it's a CSS/XSS issue (XF:linux-namazu-css(7875))

======================================================
Candidate: CAN-2001-1351
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1351
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: REDHAT:RHSA-2001:162
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&w=2&r=1&s=namazu&q=b
Reference: XF:linux-namazu-css(7875)
Reference: URL:http://www.iss.net/security_center/static/7875.php
Reference: OSVDB:5690
Reference: URL:http://www.osvdb.org/5690

Cross-site scripting vulnerability in Namazu 2.0.8 and earlier allows remote attackers to execute arbitrary Javascript as other web users via the index file name that is displayed when displaying hit numbers.
Modifications:
  ADDREF XF:linux-namazu-css(7875)
  20040818 ADDREF OSVDB:5690

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1351 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(4) Cole, Alderson, Green, Cox
  MODIFY(1) Frech
  NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:linux-namazu-css(7875)

======================================================
Candidate: CAN-2001-1352
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1352
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: REDHAT:RHSA-2001:179
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101060476404565&w=2
Reference: BUGTRAQ:20011227 Re: [RHSA-2001:162-04] Updated namazu packages are available
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100947261916155&w=2
Reference: BUGTRAQ:20020109 Details on the updated namazu packages that are available
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101068116016472&w=2
Reference: XF:linux-namazu-css(7875)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7875
Reference: OSVDB:5691
Reference: URL:http://www.osvdb.org/5691

Cross-site scripting vulnerability in Namazu 2.0.9 and earlier allows remote attackers to execute arbitrary Javascript as other web users via an error message that is returned when an invalid index file is specified in the idxname parameter.
Modifications:
  20040725 ADDREF XF:linux-namazu-css(7875)
  20040818 ADDREF OSVDB:5691

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1352 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(5) Wall, Cole, Alderson, Green, Cox
  MODIFY(1) Frech
  NOOP(1) Foat

Voter Comments:
 Frech> XF:linux-namazu-css(7875)

======================================================
Candidate: CAN-2001-1367
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1367
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:http://phpslice.org/comments.php?aid=1031&
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
Reference: XF:phpslice-checkaccess-function-privileges(9649)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9649

The checkAccess function in PHPSlice 0.1.4, and all other versions between 0.1.1 and 0.1.6, does not properly verify the administrative access level, which could allow remote attackers to gain privileges.

Modifications:
  20040725 ADDREF XF:phpslice-checkaccess-function-privileges(9649)

Analysis
--------
Vendor Acknowledgement: yes changelog
ACKNOWLEDGEMENT: a post on the vendor web page states "Due to a stupid mistake on a line in the checkAccess() function, PHPSlice 0.1.4 (and potentially all earlier releases as well) has a gaping security hole that allows any user to perform administrative tasks if they enter the correct URL."
ACCURACY: while the vendor's statement implies that the problem was fixed after 0.1.4, a review of the source code indicates that it actually wasn't fixed until 0.1.7.
INFERRED ACTION: CAN-2001-1367 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
  ACCEPT(2) Cole, Green
  MODIFY(1) Frech
  NOOP(3) Wall, Foat, Cox
  REVIEWING(1) Alderson

Voter Comments:
 Alderson> Is there a candidate already in existence for the problem as it relates to 0.1.4? If so, since this problem was not fixed, perhaps that one needs to be modified to include 0.1.7.
 Frech> XF:phpslice-checkaccess-function-privileges(9649)

======================================================
Candidate: CAN-2001-1386
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1386
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20010701 WFTPD v3.00 R5 Directory Traversal
Reference: URL:http://www.securityfocus.com/archive/1/194442
Reference: XF:ftp-lnk-directory-traversal(6760)
Reference: URL:http://www.iss.net/security_center/static/6760.php
Reference: BID:2957
Reference: URL:http://www.securityfocus.com/bid/2957

WFTPD 3.00 allows remote attackers to read arbitrary files by uploading a (link) file that ends in a ".lnk." extension, which bypasses WFTPD's check for a ".lnk" extension.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1386 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(3) Green, Baker, Frech
  MODIFY(1) Foat
  NOOP(3) Cole, Armstrong, Cox
  REVIEWING(1) Wall

Voter Comments:
 Foat> If a windows shortcut file (*.lnk) linked to a directory is uploaded, an ftp user would be able to have access to the directory the link points to by typing 'cd <file>.lnk'. If an ftp user uploads a *.lnk file to a known file for which the user does not have access and then does a 'GET' on the link, the file will be downloaded.
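Editor's added example for the CAN-2001-1386 record above; it is not WFTPD's code. It shows why a suffix test on the name the FTP client sends is not the same as a test on the name the server will create: the Win32 file APIs drop trailing dots and spaces from ordinary paths, so a PUT of "evil.lnk." creates "evil.lnk". The `win32_effective_name()` routine below is a model of that stripping written for this example, not a call into the real API, and the file names are constructed.

```c
/* Added example, not WFTPD's code: why a suffix test on the name the FTP
 * client sent is not a test on the name the server will create.  The
 * Win32 file APIs strip trailing dots and spaces from ordinary paths, so
 * a PUT of "evil.lnk." creates "evil.lnk".  win32_effective_name() is a
 * model of that stripping written for this example, not a call into the
 * real API; the file names are constructed.
 * Build with: cc -std=c99 -Wall lnkcheck.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "s ends with suffix" (FAT/NTFS names are case-insensitive). */
static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls)
        return 0;
    for (size_t i = 0; i < lx; i++)
        if (tolower((unsigned char)s[ls - lx + i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Model of Win32 name normalisation: trailing '.' and ' ' are dropped.
 * Writes the name the filesystem would actually use into out and
 * returns its length. */
size_t win32_effective_name(const char *requested, char *out, size_t outlen)
{
    size_t n = strlen(requested);
    while (n > 0 && (requested[n - 1] == '.' || requested[n - 1] == ' '))
        n--;
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, requested, n);
    out[n] = '\0';
    return n;
}

/* VULNERABLE: checks the client-supplied string.  "evil.lnk." does not
 * end in ".lnk", so the upload is allowed; the OS then stores it as
 * evil.lnk and "cd evil.lnk" or "GET evil.lnk" follows the shortcut.
 * Returns 1 if the upload is blocked. */
int upload_blocked_naive(const char *requested)
{
    return ends_with_ci(requested, ".lnk");
}

/* FIXED: decide on the name the filesystem will actually create.
 * Returns 1 if the upload is blocked. */
int upload_blocked_canonical(const char *requested)
{
    char effective[260];                  /* MAX_PATH-sized buffer */
    win32_effective_name(requested, effective, sizeof effective);
    return ends_with_ci(effective, ".lnk");
}

int main(void)
{
    const char *names[] = { "report.txt", "evil.lnk", "EVIL.LNK", "evil.lnk.", "evil.lnk . ." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s naive=%s canonical=%s\n", names[i],
               upload_blocked_naive(names[i]) ? "block" : "allow",
               upload_blocked_canonical(names[i]) ? "block" : "allow");
    return 0;
}
```

The general rule this illustrates: any allow/deny decision on a filename has to be made on the canonical form the target filesystem will use, after the same normalisation the OS applies, or the decision and the effect refer to two different names.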
======================================================
Candidate: CAN-2001-1391
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1391
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20010405 Trustix Security Advisory #2001-0003 - kernel
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98653252326445&w=2
Reference: BUGTRAQ:20010409 PROGENY-SA-2001-01: execve()/ptrace() exploit in Linux kernels
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98684172109474&w=2
Reference: CONFIRM:http://www.linux.org.uk/VERSION/relnotes.2219.html
Reference: IMMUNIX:IMNX-2001-70-010-01
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98575345009963&w=2
Reference: CALDERA:CSSA-2001-012.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98637996127004&w=2
Reference: MANDRAKE:MDKSA-2001:037
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98759029811377&w=2
Reference: DEBIAN:DSA-047
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98741381506142&w=2
Reference: SUSE:SuSE-SA:2001:018
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99013830726309&w=2
Reference: CONECTIVA:CLA-2001:394
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98775114228203&w=2
Reference: REDHAT:RHSA-2001:047
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-047.html
Reference: XF:linux-cpia-memory-overwrite(11162)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11162

Off-by-one vulnerability in CPIA driver of Linux kernel before 2.2.19 allows users to modify kernel memory.
Modifications:
  20040725 desc fix small typo
  20040725 XF:linux-cpia-memory-overwrite(11162)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1391 ACCEPT (7 accept, 5 ack, 0 review)

Current Votes:
  ACCEPT(6) Wall, Cole, Armstrong, Green, Baker, Cox
  MODIFY(1) Frech
  NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:linux-ptrace-modify-process(6080)
 Christey> fix typo: "off-by-one" should be "Off-by-one"
 Christey> XF:linux-cpia-memory-overwrite(11162) is clearly the correct reference here.

======================================================
Candidate: CAN-2002-0036
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0036
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020116
Category: SF
Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
Reference: CERT-VN:VU#587579
Reference: URL:http://www.kb.cert.org/vuls/id/587579
Reference: CONECTIVA:CLA-2003:639
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000639
Reference: MANDRAKE:MDKSA-2003:043
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:043
Reference: REDHAT:RHSA-2003:051
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-051.html
Reference: REDHAT:RHSA-2003:052
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-052.html
Reference: REDHAT:RHSA-2003:168
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-168.html
Reference: XF:kerberos-kdc-neglength-bo(11190)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11190
Reference: BID:6713
Reference: URL:http://www.securityfocus.com/bid/6713
Reference: OSVDB:4896
Reference: URL:http://www.osvdb.org/4896

Integer signedness error in MIT Kerberos V5 ASN.1 decoder before krb5 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value.
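Editor's added example for the CAN-2002-0036 description directly above and for the tcpdump print-rx.c entry (CAN-2001-1279) earlier in this message, both of which describe a length field that is read as unsigned and then used as a signed value. This is neither tcpdump's nor MIT krb5's code: it is a generic length-prefixed element reader with the bug beside its fix, using a 4-byte big-endian length prefix and sample packets constructed for illustration.

```c
/* Added example, not tcpdump's or MIT krb5's code: the integer signedness
 * mistake that the two "invalid length" descriptions point at, shown in a
 * generic length-prefixed element reader.  The 4-byte big-endian length
 * prefix and the sample packets are constructed for illustration.
 * Build with: cc -std=c99 -Wall lencheck.c */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read a 32-bit big-endian integer from p. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* VULNERABLE: the element length is kept in a signed int.  A length with
 * the top bit set, such as 0xFFFFFFF0, becomes negative, so the bounds
 * test "len > remaining" is false and the element is accepted.  A later
 * memcpy or loop that treats len as size_t then walks far past the end
 * of the packet.  Returns the accepted length, or -1 if rejected. */
long vulnerable_element_len(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 4)
        return -1;
    int len = (int)be32(pkt);            /* signedness error */
    int remaining = (int)(pktlen - 4);
    if (len > remaining)                 /* negative len slips through */
        return -1;
    return len;
}

/* FIXED: keep the length unsigned and compare it with what is actually
 * left in the packet; no arithmetic on the untrusted value, so nothing
 * can wrap.  Returns the length, or -1 if rejected. */
long safe_element_len(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 4)
        return -1;
    uint32_t len = be32(pkt);
    if (len > pktlen - 4)
        return -1;
    return (long)len;
}

/* Constructed sample packets: a well-formed 4-byte element, and one whose
 * length field claims 0xFFFFFFF0 bytes although only 8 follow. */
const uint8_t sample_good[] = { 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd' };
const uint8_t sample_bad[]  = { 0xFF, 0xFF, 0xFF, 0xF0, 1, 2, 3, 4, 5, 6, 7, 8 };
const size_t sample_good_len = sizeof sample_good;
const size_t sample_bad_len  = sizeof sample_bad;

int main(void)
{
    printf("good packet: vulnerable=%ld safe=%ld\n",
           vulnerable_element_len(sample_good, sample_good_len),
           safe_element_len(sample_good, sample_good_len));
    printf("bad packet:  vulnerable=%ld safe=%ld\n",
           vulnerable_element_len(sample_bad, sample_bad_len),
           safe_element_len(sample_bad, sample_bad_len));
    return 0;
}
```

On the bad packet the vulnerable reader returns -16 (0xFFFFFFF0 reinterpreted as int) and would hand that to a consumer as a size_t of about 4 GiB, while the fixed reader rejects it. The fix is not the cast but the comparison domain: untrusted lengths stay unsigned and are compared against the remaining buffer without any addition or subtraction on the untrusted side.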
Modifications:
  20040725 ADDREF REDHAT:RHSA-2003:051
  20040725 ADDREF REDHAT:RHSA-2003:052
  20040725 ADDREF MANDRAKE:MDKSA-2003:043
  20040725 ADDREF CONECTIVA:CLA-2003:639
  20040725 ADDREF XF:kerberos-kdc-neglength-bo(11190)
  20040725 ADDREF BID:6713
  20040818 ADDREF REDHAT:RHSA-2003:168
  20040818 ADDREF OSVDB:4896

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0036 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
  ACCEPT(3) Baker, Wall, Cole
  MODIFY(2) Frech, Cox
  NOOP(1) Christey

Voter Comments:
 Cox> This is fixed in krb5 version 1.2.5
 Cox> Addref RHSA-2003:051
 Cox> Addref REDHAT:RHSA-2003:052
 Christey> MANDRAKE:MDKSA-2003:043 (as suggested by Vincent Danen of Mandrake)
 Frech> XF:kerberos-kdc-neglength-bo(11190)

======================================================
Candidate: CAN-2002-0090
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0090
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20020315
Assigned: 20020306
Category: SF
Reference: MISC:http://www.esecurityonline.com/advisories/eSO3761.asp
Reference: VULNWATCH:20020429 [VulnWatch] eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0041.html
Reference: BUGTRAQ:20020429 eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/270149
Reference: SUNALERT:44842
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/44842
Reference: CERT-VN:VU#188507
Reference: URL:http://www.kb.cert.org/vuls/id/188507
Reference: BID:4633
Reference: URL:http://www.securityfocus.com/bid/4633
Reference: XF:solaris-lbxproxy-display-bo(8958)
Reference: URL:http://www.iss.net/security_center/static/8958.php
Reference: OVAL:OVAL179
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL179.html
Reference: OVAL:OVAL86
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL86.html

Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.

Modifications:
  ADDREF VULNWATCH:20020429 [VulnWatch] eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
  ADDREF BUGTRAQ:20020429 eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
  ADDREF BID:4633
  ADDREF CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44842&zone_32=category%3Asecurity%20lbxproxy
  ADDREF XF:solaris-lbxproxy-display-bo(8958)
  ADDREF CERT-VN:VU#188507
  DESC expanded "lbx" term
  20040725 Normalize SUNALERT reference
  20040824 ADDREF OVAL:OVAL179
  20040824 ADDREF OVAL:OVAL86

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0090 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(4) Balinsky, Wall, Cole, Green
  NOOP(3) Ziese, Foat, Christey

Voter Comments:
 Balinsky> Patch at http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652 resolves an lbxproxy buffer overflow.
 Christey> VULNWATCH:20020429 [VulnWatch] eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0041.html
   BUGTRAQ:20020429 eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
   URL:http://online.securityfocus.com/archive/1/270149
   BID:4633
   URL:http://www.securityfocus.com/bid/4633

======================================================
Candidate: CAN-2002-0158
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0158
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20020502
Assigned: 20020327
Category: SF
Reference: BUGTRAQ:20020402 NSFOCUS SA2002-01: Sun Solaris Xsun "-co" heap overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101776858410652&w=2
Reference: VULNWATCH:20020402 NSFOCUS SA2002-01: Sun Solaris Xsun "-co" heap overflow
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0000.html
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
Reference: OVAL:OVAL14
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL14.html
Reference: OVAL:OVAL33
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL33.html

Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.

Modifications:
  ADDREF CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
  20040824 ADDREF OVAL:OVAL14
  20040824 ADDREF OVAL:OVAL33

Analysis
--------
Vendor Acknowledgement: yes patch
ACKNOWLEDGEMENT: the description for patch 108652-52, bug 4661987, explicitly references CAN-2002-0158.
INFERRED ACTION: CAN-2002-0158 ACCEPT_REV (5 accept, 1 ack, 1 review)

Current Votes:
  ACCEPT(4) Baker, Foat, Armstrong, Green
  MODIFY(1) Frech
  NOOP(3) Christey, Cox, Cole
  REVIEWING(1) Wall

Voter Comments:
 Green> The documentation of this vulnerability is compelling
 Christey> CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
   the description for patch 108652-52, bug 4661987, explicitly references CAN-2002-0158.
 Green> The documentation of this vulnerability is compelling
 Frech> XF:solaris-xsun-co-bo(8703)
 Christey> I received an email on Oct 10, 2003, that suggested that other non-Sun operating systems may be affected.
 Christey> XSco is also affected:
   BUGTRAQ:20020611 SCO Openserver Xsco heap overflow.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102380830430665&w=2
   VULN-DEV:20020611 SCO Openserver Xsco heap overflow.
   URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102381771109722&w=2
   CALDERA:CSSA-2003-SCO.26

======================================================
Candidate: CAN-2002-0188
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0188
Final-Decision:
Interim-Decision: 20040825
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020420
Category: SF
Reference: BUGTRAQ:20020516 [SNS Advisory No.48] Microsoft Internet Explorer Still Download And Execute ANY Program Automatically
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0126.html
Reference: MS:MS02-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
Reference: MISC:http://www.lac.co.jp/security/english/snsadv_e/48_e.html
Reference: XF:ie-content-disposition-variant2(9086)
Reference: URL:http://www.iss.net/security_center/static/9086.php

Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the second variant of the "Content Disposition" vulnerability.

Modifications:
  ADDREF BUGTRAQ:20020516 [SNS Advisory No.48] Microsoft Internet Explorer Still Download And Execute ANY Program Automatically
  ADDREF MISC:http://www.lac.co.jp/security/english/snsadv_e/48_e.html
  ADDREF XF:ie-content-disposition-variant2(9086)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0188 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
  MODIFY(1) Frech
  NOOP(1) Cox

Voter Comments:
 Frech> XF:ie-content-disposition-variant2(9086)

======================================================
Candidate: CAN-2002-0193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0193
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20020611
Assigned: 20020420
Category: SF
Reference: MS:MS02-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
Reference: XF:ie-content-disposition-variant(9085)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9085
Reference: BID:4752
Reference: URL:http://www.securityfocus.com/bid/4752
Reference: OVAL:OVAL27
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL27.html
Reference: OVAL:OVAL99
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL99.html

Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.
Modifications:
  20040725 XF:ie-content-disposition-variant(9085)
  20040725 BID:4752
  20040824 ADDREF OVAL:OVAL27
  20040824 ADDREF OVAL:OVAL99

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0193 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
  MODIFY(1) Frech
  NOOP(1) Cox

Voter Comments:
 Frech> XF:ie-content-disposition-variant(9085)

======================================================
Candidate: CAN-2002-0275
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0275
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020213 Falcon Web Server Authentication Circumvention Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101363946626951&w=2
Reference: VULNWATCH:20020526 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0082.html
Reference: BUGTRAQ:20020526 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102253858809370&w=2
Reference: BID:4099
Reference: URL:http://online.securityfocus.com/bid/4099
Reference: XF:falcon-protected-dir-access(8189)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8189

Falcon web server 2.0.0.1020 and earlier allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL.

Modifications:
  20040725 XF:falcon-protected-dir-access(8189)
  20040725 VULNWATCH:20020526 [VulnWatch] [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
  20040725 BUGTRAQ:20020526 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability

Analysis
--------
Vendor Acknowledgement: yes via-email
ACKNOWLEDGEMENT: the vendor confirmed the issue via email.
INFERRED ACTION: CAN-2002-0275 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(1) Baker
  MODIFY(1) Frech
  NOOP(6) Christey, Cox, Wall, Foat, Cole, Armstrong

Voter Comments:
 Frech> XF:falcon-protected-dir-access(8189)
 Christey> This issue was rediscovered a few months later:
   VULNWATCH:20020526 [VulnWatch] [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0082.html
   BUGTRAQ:20020526 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102253858809370&w=2

======================================================
Candidate: CAN-2002-0313
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0313
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020226 SecurityOffice Security Advisory:// Essentia Web Server Vulnerabilities (Vendor Patch) Re