PROPOSAL: Cluster 21 - MORELOW (37 candidates)
This cluster contains low-controversy vulnerabilities. These were not
included in earlier clusters because they required more research.
Most were gleaned from Bugtraq between January and April, but they had
not been sufficiently verified at the time that I initially created
them.
- Steve
Summary of votes to use (in ascending order of "severity"):
ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.
Please write your vote on the line that starts with "VOTE: ". If you
want to add comments or details, add them to lines after the VOTE: line.
=================================
Candidate: CAN-1999-0012
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.04.Win32.WebServers
Some web servers under Microsoft Windows allow remote attackers
to bypass access restrictions for files with long file names.
VOTE:
=================================
Candidate: CAN-1999-0063
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: AUSCERT:ESB-98.197
Reference: CISCO:http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
Cisco IOS 12.0 and other versions can be crashed by nmap UDP scans
VOTE:
=================================
Candidate: CAN-1999-0123
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: XF:linux-mailx
Race condition in Linux mailx command allows local users to
read user files.
VOTE:
=================================
Candidate: CAN-1999-0125
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: XF:si-mailx-bo
Reference: SGI:19980605-01-PX
Buffer overflow in SGI IRIX mailx program.
VOTE:
=================================
Candidate: CAN-1999-0234
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: XF:bash-cmd
Bash treats any character with a value of 255 as a command separator.
VOTE:
=================================
Candidate: CAN-1999-0275
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: XF:nt-dns-crash
Reference: MS:Q169461
Denial of service in Windows NT DNS servers by flooding the server.
VOTE:
=================================
Candidate: CAN-1999-0299
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: NAI:NAI-9
Buffer overflow in FreeBSD lpd through long DNS hostnames.
VOTE:
=================================
Candidate: CAN-1999-0355
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-reboot
Local or remote users can force ControlIT 4.5 to reboot or force a
user to log out, resulting in a denial of service.
VOTE:
=================================
Candidate: CAN-1999-0362
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: EEYE:AD02021999
Reference: XF:wsftp-remote-dos
Reference: SF:217
WS_FTP server remote denial of service through cwd command.
VOTE:
=================================
Candidate: CAN-1999-0363
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb02,1999
Reference: XF:plp-lpc-bo
Reference: SF:328
SuSe 5.2 PLP lpc program has a buffer overflow that leads to root
compromise.
VOTE:
=================================
Candidate: CAN-1999-0365
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb04,1999
Reference: XF:metamail-header-commands
The metamail package allows remote command execution using shell
metacharacters that are not quoted in a mailcap entry.
VOTE:
=================================
Candidate: CAN-1999-0371
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb11,1999
Reference: XF:lynx-temp-files-race
Lynx allows a local user to overwrite sensitive files through /tmp
symlinks.
VOTE:
=================================
Candidate: CAN-1999-0380
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb25,1999
Reference: SF:497
SLMail 3.2 or 3.1 allows local users to access any file in the
NTFS file system when the Remote Administration Service (RAS) is
enabled.
VOTE:
=================================
Candidate: CAN-1999-0381
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb26,1999
Reference: Sekure:SUPER's log function buffer overflow
Reference: XF:linux-super-logging-bo
Reference: SF:342
super 3.11.6 and other versions have a buffer overflow in the syslog
utility which allows a local user to gain root access.
VOTE:
=================================
Candidate: CAN-1999-0383
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb02,1999
Reference: XF:acc-tigris-login
ACC Tigris allowed public access without a login.
VOTE:
=================================
Candidate: CAN-1999-0392
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan10,1999
Reference: XF:http-cgic-library-bo
Buffer overflow in Thomas Boutell's cgic library version 1.05.
VOTE:
=================================
Candidate: CAN-1999-0402
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb2,1999
Reference: XF:wget-permissions
Reference: DEBIAN:19990220
wget 1.5.3 follows symlinks to change permissions of the target file
instead of the symlink itself.
VOTE:
=================================
Candidate: CAN-1999-0404
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb14,1999
Reference: XF:mailmax-bo
Buffer overflow in the Mail-Max SMTP server for Windows systems allows
remote command execution.
VOTE:
=================================
Candidate: CAN-1999-0408
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:cobalt-raq-history-exposure
Reference: SF:337
Files created from interactive shell sessions in Cobalt RaQ
microservers (e.g. .bash_history) are world readable, and thus are
accessible from the web server.
VOTE:
=================================
Candidate: CAN-1999-0409
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar4,1999
Reference: XF:gnuplot-home-overflow
Reference: SF:319
Buffer overflow in gnuplot in Linux version 3.5 allows local users to
obtain root access.
VOTE:
=================================
Candidate: CAN-1999-0410
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar5,1999
Reference: XF:sol-cancel
Reference: SF:293
The cancel command in Solaris 2.6 (i386) has a buffer overflow that
allows local users to obtain root access.
VOTE:
=================================
Candidate: CAN-1999-0412
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:iis-isapi-execute
Reference: SF:501
In IIS and other web servers, an attacker can attack commands as
SYSTEM if the server is running as SYSTEM and loading an ISAPI
extension.
VOTE:
=================================
Candidate: CAN-1999-0417
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar9,1999
Reference: XF:solaris-psinfo-crash
Reference: SF:448
64 bit Solaris 7 procfs allows local users to perform a denial of
service.
VOTE:
=================================
Candidate: CAN-1999-0424
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-overwrite
talkback in Netscape 4.5 allows a local user to overwrite
arbitrary files of another user whose Netscape crashes.
VOTE:
=================================
Candidate: CAN-1999-0425
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: SUSE:Mar18,1999
Reference: XF:netscape-talkback-kill
talkback in Netscape 4.5 allows a local user to kill an arbitrary
process of another user whose Netscape crashes.
VOTE:
=================================
Candidate: CAN-1999-0429
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Mar23,1999
Reference: XF:lotus-client-encryption
The Lotus Notes 4.5 client may send a copy of encrypted mail in the
clear across the network if the user does not set the "Encrypt Saved
Mail" preference.
VOTE:
=================================
Candidate: CAN-1999-0439
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr4,1999
Reference: XF:procmail-overflow
Buffer overflow in procmail before version 3.12 allows remote
execution, or local attackers to gain privileges.
VOTE:
=================================
Candidate: CAN-1999-0440
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr4,1999
Reference: XF:java-unverified-code
The byte code verifier component of the Java Virtual Machine (JVM)
allows remote execution through malicious web pages.
VOTE:
=================================
Candidate: CAN-1999-0441
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: EEYE:AD02221999
Reference: XF:wingate-redirector-dos
Reference: SF:509
Remote attackers can perform a denial of service in WinGate machines
using a buffer overflow in the Winsock Redirector Service.
VOTE:
=================================
Candidate: CAN-1999-0442
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan7,1999
Reference: SF:327
Solaris ff.core allows local users to modify files.
VOTE:
=================================
Candidate: CAN-1999-0448
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: XF:iis-http-request-logging
IIS 4.0 and Apache log HTTP request methods, regardless of how long
they are, allowing a remote attacker to hide the URL they really
request.
VOTE:
=================================
Candidate: CAN-1999-0450
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan22,1999
Reference: SF:194
In IIS, an attacker could determine a real path using a request for a
non-existent URL that would be interpreted by Perl (perl.exe).
VOTE:
=================================
Candidate: CAN-1999-0451
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan19,1999
Reference: SF:343
Denial of service in Linux 2.0.36 allows local users to prevent
any server from listening on any non-privileged port.
VOTE:
=================================
Candidate: CAN-1999-0455
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: ALLAIRE:ASB-001
Reference: XF:coldfusion-expression-evaluator
Reference: SF:115
The Expression Evaluator sample application in ColdFusion allows
remote attackers to read or delete files on the server.
VOTE:
=================================
Candidate: CAN-1999-0457
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan17,1999
Reference: DEBIAN:19990117
Reference: XF:ftpwatch-vuln
Reference: SF:317
Linux ftpwatch program allows local users to gain root privileges.
VOTE:
=================================
Candidate: CAN-1999-0460
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb18,1999
Reference: SF:312
Buffer overflow in Linux autofs module through long directory names
allows local users to perform a denial of service.
VOTE:
=================================
Candidate: CAN-1999-0477
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator
Reference: SF:115
The Expression Evaluator in the ColdFusion Application Server allows a
remote attacker to execute commands by uploading a file.
VOTE: