FINAL DECISION: ACCEPT 45 various candidates
I have made a Final Decision to ACCEPT the following candidates. Most
of them now have 3 non-MITRE votes; those with 2 non-MITRE votes
satisfy the minimum requirements (i.e. vendor confirmation and/or tool
usage). These candidates are now assigned CVE names as noted below.
Voting details and comments are provided afterwards.
The CVE names for candidates that reach Final Decision should be
regarded as stable. In the case of these and all other candidates
that reach Final Decision during this validation period, accepted
candidates won't reach Publication phase until CVE goes fully public.
The only difference between Publication and Final Decision is that the
CVE name is officially "announced" by MITRE during Publication.
- Steve
Candidate CVE Name
--------- ----------
CAN-1999-0002 CVE-1999-0002
CAN-1999-0042 CVE-1999-0042
CAN-1999-0048 CVE-1999-0048
CAN-1999-0125 CVE-1999-0125
CAN-1999-0153 CVE-1999-0153
CAN-1999-0173 CVE-1999-0173
CAN-1999-0174 CVE-1999-0174
CAN-1999-0177 CVE-1999-0177
CAN-1999-0178 CVE-1999-0178
CAN-1999-0179 CVE-1999-0179
CAN-1999-0180 CVE-1999-0180
CAN-1999-0191 CVE-1999-0191
CAN-1999-0194 CVE-1999-0194
CAN-1999-0211 CVE-1999-0211
CAN-1999-0217 CVE-1999-0217
CAN-1999-0218 CVE-1999-0218
CAN-1999-0221 CVE-1999-0221
CAN-1999-0224 CVE-1999-0224
CAN-1999-0234 CVE-1999-0234
CAN-1999-0236 CVE-1999-0236
CAN-1999-0239 CVE-1999-0239
CAN-1999-0265 CVE-1999-0265
CAN-1999-0266 CVE-1999-0266
CAN-1999-0272 CVE-1999-0272
CAN-1999-0274 CVE-1999-0274
CAN-1999-0288 CVE-1999-0288
CAN-1999-0292 CVE-1999-0292
CAN-1999-0299 CVE-1999-0299
CAN-1999-0349 CVE-1999-0349
CAN-1999-0366 CVE-1999-0366
CAN-1999-0372 CVE-1999-0372
CAN-1999-0375 CVE-1999-0375
CAN-1999-0376 CVE-1999-0376
CAN-1999-0379 CVE-1999-0379
CAN-1999-0382 CVE-1999-0382
CAN-1999-0384 CVE-1999-0384
CAN-1999-0385 CVE-1999-0385
CAN-1999-0386 CVE-1999-0386
CAN-1999-0392 CVE-1999-0392
CAN-1999-0402 CVE-1999-0402
CAN-1999-0442 CVE-1999-0442
CAN-1999-0457 CVE-1999-0457
CAN-1999-0487 CVE-1999-0487
CAN-1999-0496 CVE-1999-0496
CAN-1999-0566 CVE-1999-0566
=================================
Candidate: CAN-1999-0002
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.12.mountd
Reference: XF:linux-mountd-bo
Buffer overflow in NFS mountd gives root access to remote attackers,
mostly in Linux systems.
VOTES:
ACCEPT(3) Frech, Northcutt, Landfield
NOOP(1) Wall
=================================
Candidate: CAN-1999-0042
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: NAI:NAI-21
Reference: CERT:CA-97.09.imap_pop
Reference: XF:popimap-bo
Buffer overflow in University of Washington's implementation of
IMAP and POP servers.
VOTES:
ACCEPT(3) Wall, Frech, Landfield
=================================
Candidate: CAN-1999-0048
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990925-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.04.talkd
Reference: FreeBSD:FreeBSD-SA-96:21
Reference: AUSCERT:AA-97.01
Reference: SUN:00147
Reference: XF:talkd-bo
Reference: XF:netkit-talkd
Talkd, when given corrupt DNS information, can be used to execute
arbitrary commands with root privileges.
Modifications:
ADDREF XF:netkit-talkd
VOTES:
ACCEPT(1) Northcutt
MODIFY(2) Frech, Landfield
NOOP(1) Shostack
COMMENTS:
Frech> Add to references:
Frech> XF:netkit-talkd
Landfield> as per Frech comments
=================================
Candidate: CAN-1999-0125
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:sgi-mailx-bo
Reference: SGI:19980605-01-PX
Buffer overflow in SGI IRIX mailx program.
Modifications:
CHANGEREF XF:si-mailx-bo XF:sgi-mailx-bo
VOTES:
ACCEPT(1) Ozancin
MODIFY(2) Frech, Landfield
NOOP(1) Wall
COMMENTS:
Frech> Change XF:si-mailx-bo to XF:sgi-mailx-bo
Landfield> as per Frech comments
=================================
Candidate: CAN-1999-0153
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:win-oob
Windows 95/NT out of band (OOB) data denial of service through NETBIOS
port, aka WinNuke.
Modifications:
ADDREF XF:win-oob
VOTES:
ACCEPT(4) Hill, Wall, Northcutt, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:win-oob
=================================
Candidate: CAN-1999-0173
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-formmail-use
FormMail CGI program can be used by web servers other than the
host server that the program resides on.
VOTES:
ACCEPT(3) Northcutt, Frech, Landfield
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0174
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-viewsrc
The view-source CGI program allows remote attackers to read any file on
the system that is internally accessible by the web server.
Modifications:
ADDREF XF:http-cgi-viewsrc
VOTES:
ACCEPT(2) Northcutt, Landfield
MODIFY(1) Frech
NOOP(1) Prosser
COMMENTS:
Frech> XF:http-cgi-viewsrc
=================================
Candidate: CAN-1999-0177
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-website-uploader
The uploader program in the WebSite web server allows a remote
attacker to execute arbitrary programs.
VOTES:
ACCEPT(3) Northcutt, Frech, Landfield
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0178
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-website-winsample
The win-c-sample program in the WebSite web server has a buffer
overflow that allows remote execution of commands.
VOTES:
ACCEPT(2) Northcutt, Frech
NOOP(2) Prosser, Landfield
=================================
Candidate: CAN-1999-0179
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MSKB:Q140818
Reference: XF:nt-samba-dotdot
Reference: XF:nt-351
Reference: XF:nt-35
Windows NT crashes or locks up when a Samba client executes a "cd .."
command on a file share.
Modifications:
ADDREF XF:nt-351
ADDREF XF:nt-35
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> Also add:
Frech> XF:nt-351
Frech> XF:nt-35
=================================
Candidate: CAN-1999-0180
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:rsh-null
in.rshd allows users to login with a NULL username and execute commands.
Modifications:
ADDREF XF:rsh-null
VOTES:
ACCEPT(2) Northcutt, Landfield
MODIFY(2) Shostack, Frech
NOOP(1) Christey
COMMENTS:
Shostack> more info
Frech> XF:rsh-null
Christey> More details are not available, although this is confirmed in
Christey> a security tool of a non-Board member.
=================================
Candidate: CAN-1999-0191
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-newdsn
IIS newdsn.exe CGI script allows remote users to overwrite files.
Modifications:
ADDREF XF:http-cgi-newdsn
VOTES:
ACCEPT(2) Northcutt, Landfield
MODIFY(1) Frech
NOOP(1) Prosser
COMMENTS:
Frech> XF:http-cgi-newdsn
=================================
Candidate: CAN-1999-0194
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:comsat
Denial of service in in.comsat allows attackers to generate messages.
Modifications:
ADDREF XF:comsat
VOTES:
ACCEPT(2) Shostack, Landfield
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
COMMENTS:
Frech> XF:comsat
=================================
Candidate: CAN-1999-0211
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability
Extra long export lists over 256 characters in some mount daemons
allows NFS directories to be mounted by anyone.
Modifications:
DESC per Adam's comments
ADDREF CERT:CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability
VOTES:
ACCEPT(2) Northcutt, Landfield
MODIFY(1) Shostack
REVIEWING(1) Frech
COMMENTS:
Shostack> caused server to export to world
=================================
Candidate: CAN-1999-0217
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:udp-bomb
Malicious option settings in UDP packets could force a reboot in SunOS
4.1.3 systems.
Modifications:
ADDREF XF:udp-bomb
VOTES:
MODIFY(2) Shostack, Frech
NOOP(3) Northcutt, Wall, Landfield
COMMENTS:
Shostack> make Andre give us a reference. :)
Frech> XF:udp-bomb
=================================
Candidate: CAN-1999-0218
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:portmaster-reboot
Livingston portmaster machines could be rebooted via a series
of commands.
Modifications:
ADDREF XF:portmaster-reboot
VOTES:
ACCEPT(2) Shostack, Landfield
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
COMMENTS:
Frech> XF:portmaster-reboot
=================================
Candidate: CAN-1999-0221
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:ascend-150-kill
Denial of service of Ascend routers through port 150 (remote
administration).
Modifications:
ADDREF XF:ascend-150-kill
VOTES:
ACCEPT(3) Hill, Meunier, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:ascend-150-kill
=================================
Candidate: CAN-1999-0224
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nt-messenger
Denial of service in Windows NT messenger service through a long
username.
Modifications:
ADDREF XF:nt-messenger
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-messenger
=================================
Candidate: CAN-1999-0234
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:bash-cmd
Reference: CERT:CA-96.22.bash_vuls
Bash treats any character with a value of 255 as a command separator.
VOTES:
ACCEPT(3) Ozancin, Frech, Landfield
NOOP(1) Wall
=================================
Candidate: CAN-1999-0236
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-scriptalias
ScriptAlias directory in NCSA and Apache httpd allowed attackers to
read CGI programs.
VOTES:
ACCEPT(3) Northcutt, Frech, Landfield
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0239
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:fastrack-get-directory-list
Netscape FastTrack Web server lists files when a lowercase "get"
command is used instead of an uppercase GET.
Modifications:
ADDREF XF:fastrack-get-directory-list
VOTES:
MODIFY(2) Shostack, Frech
NOOP(3) Northcutt, Wall, Landfield
COMMENTS:
Shostack> needs ref
Frech> XF:fastrack-get-directory-list (note only one 't' in 'fastrack')
=================================
Candidate: CAN-1999-0265
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: MSKB:Q154174
Reference: ISS:ICMP Redirects Against Embedded Controllers
Reference: XF:icmp-redirect
ICMP redirect messages may crash or lock up a host.
Modifications:
ADDREF MSKB:Q154174
ADDREF ISS:ICMP Redirects Against Embedded Controllers
DELREF XF:icmp-redirects
VOTES:
ACCEPT(1) Landfield
MODIFY(2) Wall, Frech
COMMENTS:
Wall> Reference Q154174
Frech> Remove XF:icmp-redirects
Frech> Add ISS: ICMP Redirects Against Embedded Controllers
=================================
Candidate: CAN-1999-0266
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-info2www
The info2www CGI script allows remote file access or remote
command execution.
Modifications:
ADDREF XF:http-cgi-info2www
VOTES:
ACCEPT(2) Northcutt, Landfield
MODIFY(1) Frech
NOOP(1) Shostack
COMMENTS:
Frech> XF:http-cgi-info2www
=================================
Candidate: CAN-1999-0272
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:slmail-username-bo
Denial of service in Slmail v2.5 through the POP3 port.
Modifications:
ADDREF XF:slmail-username-bo
VOTES:
ACCEPT(2) Hill, Meunier
MODIFY(1) Frech
NOOP(1) Landfield
COMMENTS:
Frech> XF:slmail-username-bo
=================================
Candidate: CAN-1999-0274
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:NAI-5
Reference: XF:nt-dns-dos
Denial of service in Windows NT DNS servers through malicious packet
which contains a response to a query that wasn't made.
Modifications:
ADDREF XF:nt-dns-dos
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-dns-dos
=================================
Candidate: CAN-1999-0288
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nt-winsupd-fix
Denial of service in WINS with malformed data to port 137 (NETBIOS
Name Service).
Modifications:
ADDREF XF:nt-winsupd-fix
VOTES:
ACCEPT(3) Hill, Meunier, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-winsupd-fix
=================================
Candidate: CAN-1999-0292
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nt-winpopup
Denial of service through Winpopup using large user names.
Modifications:
ADDREF XF:nt-winpopup
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-winpopup
=================================
Candidate: CAN-1999-0299
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: NAI:NAI-9
Buffer overflow in FreeBSD lpd through long DNS hostnames.
VOTES:
ACCEPT(2) Wall, Ozancin
NOOP(1) Landfield
REVIEWING(1) Frech
COMMENTS:
Frech> Can't find in database. See
Frech> http://www.nai.com/nai_labs/asp_set/advisory/09_lpd_adv.asp
=================================
Candidate: CAN-1999-0349
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: EEYE:IIS Remote FTP Exploit/DoS Attack
Reference: MS:MS99-003
Reference: MSKB:Q188348
Reference: BUGTRAQ:Jan27,1999
Reference: XF:iis-remote-ftp
A buffer overflow in the FTP list (ls) command in IIS allows remote
attackers to conduct a denial of service and, in some cases, execute
arbitrary commands.
Modifications:
ADDREF XF:iis-remote-ftp
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
NOOP(1) Christey
COMMENTS:
Frech> XF:iis-remote-ftp
Frech> It is extremely hard to find articles by their dates, especially
Frech> for heavily trafficked groups like *Bugtraq. Is it possible to convert them
Frech> to titles instead?
Christey> Future references to Bugtraq postings will try to encode the
Christey> date and the subject. URLs are too unstable to reference
Christey> directly.
=================================
Candidate: CAN-1999-0366
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-004
Reference: MSKB:Q214840
Reference: XF:nt-sp4-auth-error
In some cases, Service Pack 4 for Windows NT 4.0 can allow access to
network shares using a blank password, through a problem with a null
NT hash value.
Modifications:
ADDREF XF:nt-sp4-auth-error
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-sp4-auth-error
=================================
Candidate: CAN-1999-0372
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-005
Reference: XF:nt-backoffice-setup
Reference: MSKB:Q217004
The installer for BackOffice Server includes account names and
passwords in a setup file (reboot.ini) which is not deleted.
Modifications:
ADDREF XF:nt-backoffice-setup
ADDREF MSKB:Q217004
DESC list reboot.ini file
VOTES:
ACCEPT(2) Hill, Landfield
MODIFY(2) Wall, Frech
COMMENTS:
Wall> "The installer for BackOffice Server 4.0 includes account names
Wall> and passwords in a setup file (reboot.ini) which is not deleted."
Wall> Also reference Q217004
Frech> XF:nt-backoffice-setup
=================================
Candidate: CAN-1999-0375
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990905-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NAI:February 16, 1999
Reference: BUGTRAQ:Feb16,1999
Reference: XF:nfr-webd-overflow
Buffer overflow in webd in Network Flight Recorder (NFR)
2.0.2-Research allows remote attackers to execute commands.
Modifications:
ADDREF XF:nfr-webd-overflow
VOTES:
ACCEPT(2) Northcutt, Hill
MODIFY(1) Frech
NOOP(2) Prosser, Landfield
COMMENTS:
Frech> XF:nfr-webd-overflow
=================================
Candidate: CAN-1999-0376
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-006
Reference: BUGTRAQ:Feb20,1999
Reference: L0PHT:Feb18,1999
Reference: XF:nt-knowndlls-list
Local users in Windows NT can obtain administrator privileges by
changing the KnownDLLs list to reference malicious programs.
Modifications:
ADDREF XF:nt-knowndlls-list
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-knowndlls-list
=================================
Candidate: CAN-1999-0379
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb22,1999
Reference: MS:MS99-007
Reference: XF:win-resourcekit-taskpads
Microsoft Taskpads feature allows remote web sites to execute commands
on the visiting user's machine.
Modifications:
ADDREF XF:win-resourcekit-taskpads
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:win-resourcekit-taskpads
=================================
Candidate: CAN-1999-0382
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-008
Reference: XF:nt-screen-saver
The screen saver in Windows NT does not verify that its security
context has been changed properly, allowing attackers to run programs
with elevated privileges.
Modifications:
ADDREF XF:nt-screen-saver
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-screen-saver
=================================
Candidate: CAN-1999-0384
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:forms-vuln-patch
Reference: MS:MS99-001
The Forms 2.0 ActiveX control (included with Visual Basic for
Applications 5.0) can be used to read text from a user's
clipboard when the user accesses documents with ActiveX content.
Modifications:
ADDREF XF:forms-vuln-patch
VOTES:
ACCEPT(2) Hill, Wall
MODIFY(1) Frech
NOOP(1) Landfield
COMMENTS:
Frech> XF:forms-vuln-patch
=================================
Candidate: CAN-1999-0385
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-009
Reference: ISS:LDAP Buffer overflow against Microsoft Directory Services
Reference: XF:ldap-exchange-overflow
Reference: XF:ldap-mds-dos
The LDAP bind function in Exchange 5.5 has a buffer overflow that
allows a remote attacker to conduct a denial of service or execute
commands.
Modifications:
ADDREF XF:ldap-exchange-overflow
ADDREF XF:ldap-mds-dos
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> Change ISS:LDAP Buffer overflow against Microsoft Directory Services
Frech> XF:ldap-exchange-overflow
Frech> XF:ldap-mds-dos
=================================
Candidate: CAN-1999-0386
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-010
Reference: XF:pws-file-access
Microsoft Personal Web Server and FrontPage Personal Web Server in
some Windows systems allows a remote attacker to read files on the
server by using a nonstandard URL.
Modifications:
ADDREF XF:pws-file-access
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:pws-file-access
=================================
Candidate: CAN-1999-0392
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan10,1999
Reference: XF:http-cgic-library-bo
Buffer overflow in Thomas Boutell's cgic library version up to 1.05.
Modifications:
DESC version isn't just 1.05
VOTES:
ACCEPT(2) Ozancin, Landfield
MODIFY(1) Frech
NOOP(1) Wall
COMMENTS:
Frech> Change version 1.05 to versions up to and including 1.05.
=================================
Candidate: CAN-1999-0402
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb2,1999
Reference: XF:wget-permissions
Reference: DEBIAN:19990220
wget 1.5.3 follows symlinks to change permissions of the target file
instead of the symlink itself.
VOTES:
ACCEPT(2) Ozancin, Frech
NOOP(2) Wall, Landfield
=================================
Candidate: CAN-1999-0442
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan7,1999
Reference: SF:327
Solaris ff.core allows local users to modify files.
VOTES:
ACCEPT(2) Wall, Ozancin
NOOP(2) Landfield, Christey
REVIEWING(1) Frech
COMMENTS:
Christey> This problem was verified by Casper Dik in a Bugtraq message,
Christey> although I could not find any Sun advisories or patches that
Christey> specifically mention ff.core.
=================================
Candidate: CAN-1999-0457
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan17,1999
Reference: DEBIAN:19990117
Reference: XF:ftpwatch-vuln
Reference: SF:317
Linux ftpwatch program allows local users to gain root privileges.
VOTES:
ACCEPT(1) Frech
MODIFY(1) Ozancin
NOOP(3) Wall, Christey, Landfield
COMMENTS:
Ozancin> A little vague.
Christey> Unfortunately, the advisory is also vague.
=================================
Candidate: CAN-1999-0487
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-011
Reference: XF:ie-dhtml-control
The DHTML Edit ActiveX control in Internet Explorer allows remote
attackers to read arbitrary files.
Modifications:
ADDREF XF:ie-dhtml-control
VOTES:
ACCEPT(3) Hill, Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-dhtml-control
=================================
Candidate: CAN-1999-0496
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MSKB:Q146965
Reference: XF:nt-getadmin
Reference: XF:nt-getadmin-present
A Windows NT 4.0 user can gain administrative rights by forcing
NtOpenProcessToken to succeed regardless of the user's permissions,
aka GetAdmin.
Modifications:
DESC Change the wording to describe the specific problem
ADDREF XF:nt-getadmin
ADDREF XF:nt-getadmin-present
ADDREF MSKB:Q146965
VOTES:
ACCEPT(2) Hill, Northcutt
MODIFY(2) Wall, Frech
NOOP(2) Christey, Landfield
COMMENTS:
Wall> "A Windows NT 4.0 user can gain administrative rights, aka Getadmin"
Wall> Also reference CIAC H-14 and Microsoft Knowledge Base article Q146965.
Frech> XF:nt-getadmin
Frech> XF:nt-getadmin-present
Frech> XF:mssql-get-admin
Christey> CIAC H-14 has to do with SGI problems
=================================
Candidate: CAN-1999-0566
Published:
Final-Decision: 19990925
Interim-Decision: 19990922
Modified: 19990922-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: XF:ibm-syslogd
Reference: XF:syslog-flood
An attacker can write to syslog files from any location, causing a
denial of service by filling up the logs, and hiding activities.
Modifications:
ADDREF XF:ibm-syslogd
ADDREF XF:syslog-flood
VOTES:
ACCEPT(3) Hill, Meunier, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:ibm-syslogd
Frech> XF:syslog-flood