INTERIM DECISION: ACCEPT 9 VEN-HP candidates (Final 7/12)
I have made an Interim Decision to ACCEPT 9 of the candidates from
this cluster. A Final Decision is scheduled for July 12.
Many of these candidates had only 2 registered opinions, and 2 NOOPs.
CAN-1999-0326 is an example of something Russ Cooper said in a recent
email about vendors who don't provide sufficient details to explain
the nature of a vulnerability. Neither the X-Force database nor the
CIAC advisory are able to shed any light on the problem either,
although CIAC says that "Exploit information involving this
vulnerability has been made publicly available."
- Steve
Least controversial candidates are listed first.
Voters:
Frech ACCEPT(2) MODIFY(7)
Shostack NOOP(9)
Hill ACCEPT(9)
Northcutt NOOP(9)
*************************
ACCEPT
*************************
=================================
Candidate: CAN-1999-0309
Published:
Final-Decision:
Interim-Decision: 19990712
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: XF:hpux-vgdisplay
Reference: CIAC:H-27: HP-UX vgdisplay Buffer Overrun Vulnerability
HP-UX vgdisplay program gives root access to local users
VOTES:
ACCEPT(2) Frech, Hill
NOOP(2) Shostack, Northcutt
=================================
Candidate: CAN-1999-0423
Published:
Final-Decision:
Interim-Decision: 19990712
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-093
Vulnerability in hpterm on HP-UX 10.20 allows local users to gain
additional privileges.
VOTES:
ACCEPT(2) Frech, Hill
NOOP(2) Shostack, Northcutt
*************************
MODIFY
*************************
=================================
Candidate: CAN-1999-0326
Published:
Final-Decision:
Interim-Decision: 19990712
Modified: 19990712-01
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9710-071
Reference: XF:hp-mediainit
Vulnerability in HP-UX mediainit program
Modifications:
ADDREF XF:hp-mediainit
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(2) Shostack, Northcutt
COMMENTS:
Frech> Reference: XF:hp-mediainit
=================================
Candidate: CAN-1999-0353
Published:
Final-Decision:
Interim-Decision: 19990712
Modified: 19990712-01
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9902-091
Reference: CIAC:J-026
Reference: XF:pcnfsd-world-write
rpc.pcnfsd in HP gives remote root access by changing the permissions
on the main printer spool directory.
Modifications:
ADDREF XF:pcnfsd-world-write
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(2) Shostack, Northcutt
COMMENTS:
Frech> Reference: XF:pcnfsd-world-write
=================================
Candidate: CAN-1999-0432
Published:
Final-Decision:
Interim-Decision: 19990712
Modified: 19990712-01
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-094
Reference: XF:hp-ftp
ftp on HP-UX 11.00 allows local users to gain privileges.
Modifications:
ADDREF XF:hp-ftp
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(2) Shostack, Northcutt
COMMENTS:
Frech> Reference: XF:hp-ftp
=================================
Candidate: CAN-1999-0436
Published:
Final-Decision:
Interim-Decision: 19990712
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-095
Domain Enterprise Server Management System (DESMS) in HP-UX allows
local users to gain privileges.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(2) Shostack, Northcutt
COMMENTS:
Frech> Reference: XF:hp-desms-servers
=================================
Candidate: CAN-1999-0447
Published:
Final-Decision:
Interim-Decision: 19990712
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: HP:HPSBMP9904-006
Local users can gain privileges using the debug utility in the MPE/iX
operating system.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(2) Shostack, Northcutt
COMMENTS:
Frech> Reference: XF:mpeix-debug
=================================
Candidate: CAN-1999-0478
Published:
Final-Decision:
Interim-Decision: 19990712
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9904-097
Denial of service in HP-UX sendmail 8.8.6 related to accepting
connections.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(2) Shostack, Northcutt
COMMENTS:
Frech> Reference: XF:sendmail-headers-dos
=================================
Candidate: CAN-1999-0479
Published:
Final-Decision:
Interim-Decision: 19990712
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-092
Denial of service Netscape Enterprise Server with VirtualVault on
HP-UX VVOS systems.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(2) Shostack, Northcutt
COMMENTS:
Frech> Reference: XF:netscape-server-dos