[VOTES] Vote details for other recently proposed clusters
This "LEGACY-RECENT-OTHER" meta-cluster contains voting details for
all other recently proposed clusters that deal with legacy candidates.
NET-01
UNIX-UNCONF
MISC-01
WEB
- Steve
--------------------- CLUSTER NET-01 ---------------------
NET-01 (12 candidates)
--------------------
Proposed: 12/21
Scheduled Proposed: 12/20
Scheduled Interim Decision: 1/3
Scheduled Final Decision: 1/7
Various problems in network devices and protocols
Voters:
Cole ACCEPT(9) MODIFY(3)
Stracener ACCEPT(9) MODIFY(1) NOOP(1) REVIEWING(1)
<INTERIM> --> 6
<PROPOSED> --> 6
ACCEPT --> 8
MODIFY --> 3
REVIEWING --> 1
=================================
Candidate: CAN-1999-0667
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991008
Category: SF
The ARP protocol allows any host to spoof ARP replies and poison the
ARP cache to conduct IP address spoofing or a denial of service.
INFERRED ACTION: CAN-1999-0667 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Stracener
Comments:
Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
=================================
Candidate: CAN-1999-0675
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:576
Firewall-1 can be subjected to a denial of service via UDP packets
that are sent through VPN-1 to port 0 of a host.
INFERRED ACTION: CAN-1999-0675 MOREVOTES (1 accept, 0 ack, 1 review)
Current Votes:
MODIFY(1) Cole
REVIEWING(1) Stracener
Comments:
Cole> This only occurs when the VPN being used for the transport of the packet
Cole> supports ISAKMP encryption.
=================================
Candidate: CAN-1999-0683
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:gauntlet-dos
Reference: BUGTRAQ:19990729 Remotely Lock Up Gauntlet 5.0
Reference: BID:556
Denial of service in Gauntlet Firewall via a malformed ICMP packet.
INFERRED ACTION: CAN-1999-0683 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
MODIFY(1) Cole
Comments:
Cole> The BUGTRAQ number is 19990730 and the BID is 556. This also occurs when an
Cole> ICMP Protocol Problem packet's (ICMP_PARAMPROB) encapsulated IP packet has a
Cole> random protocol field and certain IP options set.
=================================
Candidate: CAN-1999-0734
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: CISCO: CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability
Reference: XF:ciscosecure-read-write
A default configuration of CiscoSecure Access Control Server (ACS)
allows remote users to modify the server database without
authentication.
INFERRED ACTION: CAN-1999-0734 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0770
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990729 Simple DOS attack on FW-1
Reference: BID:549
Reference: CHECKPOINT:ACK DOS ATTACK
Firewall-1 sets a long timeout for connections that begin with ACK or
other packets except SYN, allowing an attacker to conduct a denial of
service via a large number of connection attempts to unresponsive
systems.
INFERRED ACTION: CAN-1999-0770 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0775
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: CISCO:19990610 Cisco IOS Software established Access List Keyword Error
Reference: XF:cisco-gigaswitch
Cisco Gigabit Switch routers running IOS allow remote attackers to
forward unauthorized packets due to improper handling of the
"established" keyword in an access list.
Modifications:
ADDREF XF:cisco-gigaswitch
INFERRED ACTION: CAN-1999-0775 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0816
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
The Motorola CableRouter allows any remote user to connect to and
configure the router on port 1024.
INFERRED ACTION: CAN-1999-0816 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0875
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991208
Category: CF
Reference: L0PHT:19990811
Reference: MSKB:Q216141
Reference: BID:578
Reference: XF:irdp-gateway-spoof
DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow
remote attackers to modify their default routes.
Modifications:
ADDREF XF:irdp-gateway-spoof
INFERRED ACTION: CAN-1999-0875 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0889
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990810 Cisco 675 password nonsense
Cisco 675 routers running CBOS allow remote attackers to establish
telnet sessions if an exec or superuser password has not been set.
INFERRED ACTION: CAN-1999-0889 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0895
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication
Firewall-1 does not properly restrict access to LDAP attributes.
INFERRED ACTION: CAN-1999-0895 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0905
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991020 Remote DoS in Axent's Raptor 6.0
Reference: BID:736
Reference: XF:raptor-ipoptions-dos
Denial of service in Axent Raptor firewall via malformed zero-length
IP options.
Modifications:
ADDREF BID:736
ADDREF XF:raptor-ipoptions-dos
INFERRED ACTION: CAN-1999-0905 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
MODIFY(1) Cole
Comments:
Cole> This occurs when the SECURITY and TIMESTAMP IP options length is set to 0
=================================
Candidate: CAN-1999-0919
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
A memory leak in a Motorola CableRouter allows remote attackers to
conduct a denial of service via a large number of telnet connections.
INFERRED ACTION: CAN-1999-0919 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
NOOP(1) Stracener
--------------------- CLUSTER UNIX-UNCONF ---------------------
UNIX-UNCONF (42 candidates)
--------------------
Proposed: 12/21
Scheduled Proposed: 12/20
Scheduled Interim Decision: 1/3
Scheduled Final Decision: 1/7
Various Unix problems that may not be confirmed by vendor
Voters:
Ozancin ACCEPT(34) NOOP(8)
Christey NOOP(1)
Stracener ACCEPT(35) MODIFY(6) REVIEWING(1)
<MODIFIED> --> 2
<PROPOSED> --> 40
ACCEPT --> 35
MODIFY --> 6
REVIEWING --> 1
=================================
Candidate: CAN-1999-0189
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19990607
Category: SF
Reference: SUN:00142
Solaris rpcbind listens on a high numbered UDP port, which may not be
filtered since the standard port number is 111.
INFERRED ACTION: CAN-1999-0189 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0389
Published:
Final-Decision:
Interim-Decision:
Modified: 19991207-01
Proposed: 19991222
Assigned: 19990607
Category: SF
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: BID:324
Buffer overflow in the bootp server in the Debian Linux netstd
package.
INFERRED ACTION: CAN-1999-0389 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
NOOP(1) Christey
Comments:
Christey> Is this the same line of code as CVE-1999-0914? Both are in
Christey> the netstd package, it could look like a library problem.
Christey>
Christey> However, deep in the changelog in the
Christey> netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
Christey> the following entry:
Christey>
Christey> +netstd (3.07-7slink.1) frozen; urgency=high
Christey> +
Christey> + * bootpd: Applied patch from Redhat as well as a fix for the overflow in
Christey> + report() (fixes #30675).
Christey> + * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
Christey> + bugs.
Christey> +
Christey> + -- Herbert Xu <herbert@debian.org> Sat, 19 Dec 1998 14:36:48 +1100
Christey>
Christey> This tells me that two separate bugs are involved.
=================================
Candidate: CAN-1999-0390
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990104 Dosemu/S-Lang Overflow + sploit
Reference: BID:187
Buffer overflow in Dosemu Slang library in Linux.
INFERRED ACTION: CAN-1999-0390 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0676
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:sun-stdcm-convert
Reference: BID:575
Reference: BUGTRAQ:19990808 stdcm_convert
stdcm_convert in Solaris 2.6 allows a local user to overwrite
sensitive files via a symlink attack.
INFERRED ACTION: CAN-1999-0676 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0678
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: XF:apache-debian-usrdoc
Reference: BUGTRAQ: An issue with Apache on Debian
A default configuration of Apache on Debian Linux sets the ServerRoot
to /usr/doc, which allows remote users to read documentation files
for the entire server.
INFERRED ACTION: CAN-1999-0678 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0697
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990908 SCO 5.0.5 /bin/doctor nightmare
Reference: BID:621
SCO Doctor allows local users to gain root privileges through a Tools
option.
INFERRED ACTION: CAN-1999-0697 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
NOOP(1) Ozancin
=================================
Candidate: CAN-1999-0698
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Denial of service in IP protocol logger (ippl) on Red Hat and Debian
Linux.
INFERRED ACTION: CAN-1999-0698 MOREVOTES (1 accept, 0 ack, 1 review)
Current Votes:
ACCEPT(1) Ozancin
REVIEWING(1) Stracener
Comments:
Stracener> Is the candidate referring to the denial of service problem mentioned in
Stracener> the changelogs for versions previous to 1.4.3-1 or does it pertain to some
Stracener> problem with or 1.4.8-1?
=================================
Candidate: CAN-1999-0711
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed
Reference: XF:oracle-oratclsh
The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix
allows local users to execute Tcl commands as root.
INFERRED ACTION: CAN-1999-0711 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0720
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:597
Reference: XF:linux-pt-chown
The pt_chown command in Linux allows local users to modify TTY
terminal devices that belong to other users.
INFERRED ACTION: CAN-1999-0720 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Ozancin
MODIFY(1) Stracener
Comments:
Stracener> Add Ref: BUGTRAQ:19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD
Stracener> / lynx / vlock / mc / glibc 2.0.x
=================================
Candidate: CAN-1999-0727
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
A kernel leak in the OpenBSD kernel allows IPsec packets to be sent
unencrypted.
INFERRED ACTION: CAN-1999-0727 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Ozancin
MODIFY(1) Stracener
Comments:
Stracener> Add Ref: OPENBSD:19990608 Packets that should have been handled by
Stracener> IPsec maybe transmitted as cleartext. PF_KEY SA expirations may leak
Stracener> kernel resources.
=================================
Candidate: CAN-1999-0733
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990626 VMWare Advisory - buffer overflows
Reference: XF:linux-vmware-buffer-overflows
Buffer overflow in VMWare 1.0.1 for Linux via a long HOME
environmental variable.
INFERRED ACTION: CAN-1999-0733 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0740
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:594
Reference: XF:linux-telnetd-term
Reference: CALDERA:CSSA-1999:022
Reference: REDHAT:RHSA1999029_01
Remote attackers can cause a denial of service on Linux in.telnetd
telnet daemon through a malformed TERM environmental variable.
INFERRED ACTION: CAN-1999-0740 ACCEPT_ACK (2 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0746
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: BUGTRAQ:19990814 DOS against SuSE's identd
Reference: BID:587
Reference: XF:suse-identd-dos
A default configuration of in.identd in SuSE Linux waits 120 seconds
between requests, allowing a remote attacker to conduct a denial of
service.
INFERRED ACTION: CAN-1999-0746 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0747
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1
Reference: BID:589
Reference: XF:bsdi-smp-dos
Denial of service in BSDi Symmetric Multiprocessing (SMP) when an
fstat call is made when the system has a high CPU load.
INFERRED ACTION: CAN-1999-0747 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Ozancin
MODIFY(1) Stracener
Comments:
Stracener> Add a date to the Ref above: BUGTRAQ:19990817 Symmetric...
=================================
Candidate: CAN-1999-0754
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:inn-innconf-env
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
The INN inndstart program allows local users to gain privileges by
specifying an alternate configuration file using the INNCONF
environmental variable.
INFERRED ACTION: CAN-1999-0754 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
NOOP(1) Ozancin
=================================
Candidate: CAN-1999-0773
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990511 Solaris2.6 and 2.7 lpset overflow
Reference: XF:sol-lpset-bo
Buffer overflow in Solaris lpset program allows local users to gain
root access.
INFERRED ACTION: CAN-1999-0773 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0780
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
KDE klock allows local users to kill arbitrary processes by specifying
an arbitrary PID in the .kss.pid file.
INFERRED ACTION: CAN-1999-0780 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0781
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
KDE allows local users to execute arbitrary commands by setting the
KDEDIR environmental variable to modify the search path that KDE uses
to locate its executables.
INFERRED ACTION: CAN-1999-0781 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0782
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
KDE kppp allows local users to create a directory in an arbitrary
location via the HOME environmental variable.
INFERRED ACTION: CAN-1999-0782 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0785
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: XF:inn-pathrun
The INN inndstart program allows local users to gain root privileges
via the "pathrun" parameter in the inn.conf file.
INFERRED ACTION: CAN-1999-0785 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0786
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990922 LD_PROFILE local root exploit for solaris 2.6
Reference: BID:659
The dynamic linker in Solaris allows a local user to create arbitrary
files via the LD_PROFILE environmental variable and a symlink attack.
INFERRED ACTION: CAN-1999-0786 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0787
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:660
The SSH authentication agent follows symlinks via a UNIX domain
socket.
INFERRED ACTION: CAN-1999-0787 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
NOOP(1) Ozancin
Comments:
Stracener> Add Ref: BUGTRAQ:19990924 [Fwd: Truth about ssh 1.2.27 vulnerability]
=================================
Candidate: CAN-1999-0795
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: NAI:NAI-27
The NIS+ rpc.nisd server allows remote attackers to execute certain
RPC calls without authentication to obtain system information, disable
logging, or modify caches.
CONTENT-DECISIONS: SF-LOC
INFERRED ACTION: CAN-1999-0795 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(1) Stracener
NOOP(1) Ozancin
=================================
Candidate: CAN-1999-0797
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: CIAC:I-070
NIS finger allows an attacker to conduct a denial of service via a
large number of finger requests, resulting in a large number of NIS
queries.
INFERRED ACTION: CAN-1999-0797 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0798
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19981204 bootpd remote vulnerability
Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via
a malformed header type.
INFERRED ACTION: CAN-1999-0798 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0799
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19970725 Exploitable buffer overflow in bootpd (most unices)
Buffer overflow in bootpd 2.4.3 and earlier via a long boot file
location.
INFERRED ACTION: CAN-1999-0799 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0803
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: IBM eNetwork Firewall for AIX
The fwluser script in AIX eNetwork Firewall allows local users to
write to arbitrary files via a symlink attack.
INFERRED ACTION: CAN-1999-0803 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0806
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:cde-dtprintinfo
Buffer overflow in Solaris dtprintinfo program.
INFERRED ACTION: CAN-1999-0806 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Ozancin
MODIFY(1) Stracener
Comments:
Stracener> Add Ref: BUGTRAQ:19990510:Solaris2.6,2.7 dtprintinfo exploits
=================================
Candidate: CAN-1999-0813
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990810 Severe bug in cfingerd before 1.4.0
Reference: BUGTRAQ:19980724 CFINGERD root security hole
Reference: DEBIAN:19990814
Cfingerd with ALLOW_EXECUTION enabled does not properly drop
privileges when it executes a program on behalf of the user, allowing
local users to gain root privileges.
Modifications:
ADDREF DEBIAN:19990814
ADDREF BUGTRAQ:19980724 CFINGERD root security hole
DESC add ALLOW_EXECUTION qualifier
INFERRED ACTION: CAN-1999-0813 MOREVOTES (1 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
NOOP(1) Ozancin
=================================
Candidate: CAN-1999-0888
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990817 Security Bug in Oracle
Reference: BID:585
dbsnmp in Oracle Intelligent Agent allows local users to gain
privileges by setting the ORACLE_HOME environmental variable, which
dbsnmp uses to find the nmiconf.tcl script.
INFERRED ACTION: CAN-1999-0888 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0893
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow
userOsa in SCO OpenServer allows local users to corrupt files via a
symlink attack.
INFERRED ACTION: CAN-1999-0893 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0903
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991025 IBM AIX Packet Filter module
Reference: BUGTRAQ:19991027 Re: IBM AIX Packet Filter module (followup)
genfilt in the AIX Packet Filtering Module does not properly filter
traffic to destination ports greater than 32767.
INFERRED ACTION: CAN-1999-0903 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0906
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990923 SuSE 6.2 sccw overflow exploit
Reference: BID:656
Buffer overflow in sccw allows local users to gain root access via the
HOME environmental variable.
INFERRED ACTION: CAN-1999-0906 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Ozancin
MODIFY(1) Stracener
Comments:
Stracener> Add Ref:SUSE: Security hole in sccw (Part II) 26.09.1999
=================================
Candidate: CAN-1999-0908
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990921 solaris DoS
Reference: BID:655
Denial of service in Solaris TCP streams driver via a malicious
connection that causes the server to panic as a result of recursive
calls to mutex_enter.
INFERRED ACTION: CAN-1999-0908 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0912
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990921 FreeBSD-specific denial of service
Reference: BID:653
FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of
service by opening a large number of files.
INFERRED ACTION: CAN-1999-0912 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
NOOP(1) Ozancin
=================================
Candidate: CAN-1999-0920
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990526 Remote vulnerability in pop2d
Buffer overflow in the pop-2d POP daemon in the IMAP package allows
remote attackers to gain privileges via the FOLD command.
INFERRED ACTION: CAN-1999-0920 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0942
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991005 SCO UnixWare 7.1 local root exploit
UnixWare dos7utils allows a local user to gain root privileges by
using the STATICMERGE environmental variable to find a script which
it executes.
INFERRED ACTION: CAN-1999-0942 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
NOOP(1) Ozancin
=================================
Candidate: CAN-1999-0952
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
Buffer overflow in Solaris lpstat via class argument allows local
users to gain root access.
INFERRED ACTION: CAN-1999-0952 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0958
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19980112 Re: hole in sudo for MP-RAS.
sudo 1.5.x allows local users to execute arbitrary commands via a
.. (dot dot) attack.
INFERRED ACTION: CAN-1999-0958 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0961
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19960921 Vunerability in HP sysdiag ?
HPUX sysdiag allows local users to gain root privileges via a symlink
attack during log file creation.
INFERRED ACTION: CAN-1999-0961 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0966
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: L0PHT:19970127 Solaris libc - getopt(3)
Buffer overflow in Solaris getopt in libc allows local users to gain
root privileges via a long argv[0].
INFERRED ACTION: CAN-1999-0966 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Ozancin
=================================
Candidate: CAN-1999-0971
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19970722 Security hole in exim 1.62: local root exploit
Buffer overflow in Exim allows local users to gain root privileges via
a long :include: option in a .forward file.
INFERRED ACTION: CAN-1999-0971 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
NOOP(1) Ozancin
--------------------- CLUSTER MISC-01 ---------------------
MISC-01 (35 candidates)
--------------------
Proposed: 12/21
Scheduled Proposed: 12/20
Scheduled Interim Decision: 1/3
Scheduled Final Decision: 1/7
Miscellaneous issues in "obscure" software
Voters:
Stracener ACCEPT(27) MODIFY(8)
<PROPOSED> --> 35
ACCEPT --> 27
MODIFY --> 8
=================================
Candidate: CAN-1999-0671
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:572
Buffer overflow in ToxSoft NextFTP client through CWD command.
INFERRED ACTION: CAN-1999-0671 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
Comments:
Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.035
=================================
Candidate: CAN-1999-0672
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:573
Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics.
INFERRED ACTION: CAN-1999-0672 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
Comments:
Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.036
=================================
Candidate: CAN-1999-0673
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:574
Buffer overflow in ALMail32 POP3 client via From: or To: headers.
INFERRED ACTION: CAN-1999-0673 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
Comments:
Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
=================================
Candidate: CAN-1999-0679
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990813 w00w00's efnet ircd advisory (exploit included)
Reference: BID:581
Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows
remote attackers to execute commands via m_invite invite option.
INFERRED ACTION: CAN-1999-0679 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0719
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:563
The Guile plugin for Gnumeric allows attackers to execute arbitrary code.
INFERRED ACTION: CAN-1999-0719 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
Comments:
Stracener> Add Ref: BUGTRAQ:19990803 Gnumeric Potential Security Hole
Stracener> Add Ref: REDHAT:RHSA-1999:023-01
=================================
Candidate: CAN-1999-0741
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990818 QMS 2060 printer security hole
Reference: BID:593
Reference: XF:qms-2060-no-root-password
QMS CrownNet Unix Utilities for 2060 allows root to log on without a
password.
INFERRED ACTION: CAN-1999-0741 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0750
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag
Reference: BID:630
Hotmail allows Javascript to be executed via the HTML STYLE tag,
allowing remote attackers to execute commands on the user's Hotmail
account.
INFERRED ACTION: CAN-1999-0750 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
Comments:
Stracener> Many sites are vulnerable to this problem. I recommend removing the
Stracener> explicit references to Hotmail and making the description more generic.
Stracener> Suggest: Javascript can be injected using the STYLE tag in an HTML
Stracener> formatted e-mail, allowing remote attackers to execute commands on user
Stracener> accounts.
=================================
Candidate: CAN-1999-0759
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug
Reference: BID:634
Buffer overflow in FuseMAIL POP service via long USER and PASS
commands.
INFERRED ACTION: CAN-1999-0759 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0778
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: KSRT:011
Reference: XF:accelx-bo
Buffer overflow in Xi Graphics Accelerated-X server allows local
users to gain root access via a long display or query parameter.
INFERRED ACTION: CAN-1999-0778 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0788
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:662
Arkiea nlservd allows remote attackers to conduct a denial of service.
INFERRED ACTION: CAN-1999-0788 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
Comments:
Stracener> Add Ref: BUGTRAQ:19990923 Multiple vendor Knox Arkiea local root/remote
Stracener> DoS
=================================
Candidate: CAN-1999-0791
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: KSRT:012
Hybrid Network cable modems do not include an authentication mechanism
for administration, allowing remote attackers to compromise the system
through the HSMP protocol.
INFERRED ACTION: CAN-1999-0791 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
Comments:
Stracener> Add Ref: BUGTRAQ:19991006 KSR[T] Advisories #012: Hybrid Network's Cable
Stracener> Modems
=================================
Candidate: CAN-1999-0792
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: ROOTSHELL:23
ROUTERmate has a default SNMP community name which allows remote
attackers to modify its configuration.
INFERRED ACTION: CAN-1999-0792 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
MODIFY(1) Stracener
Comments:
Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate
Stracener> Security Advisory
=================================
Candidate: CAN-1999-0801
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:bmc-patrol-frames
Reference: BUGTRAQ:19990409 Patrol security bugs
BMC Patrol allows remote attackers to gain access to an agent by
spoofing frames.
INFERRED ACTION: CAN-1999-0801 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0873
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BID:759
Buffer overflow in Skyfull mail server via MAIL FROM command.
INFERRED ACTION: CAN-1999-0873 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0890
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990928 Team Asylum: iHTML Merchant Vulnerabilities
iHTML Merchant allows remote attackers to obtain sensitive information
or execute commands via a code parsing error.
INFERRED ACTION: CAN-1999-0890 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0896
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991109 RealNetworks RealServer G2 buffer overflow.
Reference: BID:767
Buffer overflow in RealNetworks RealServer administration utility
allows remote attackers to execute arbitrary commands via a long
username and password.
INFERRED ACTION: CAN-1999-0896 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0904
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991103 Remote DoS Attack in BFTelnet Server v1.1 for Windows NT
Reference: BID:771
Buffer overflow in BFTelnet allows remote attackers to cause a denial
of service via a long username.
INFERRED ACTION: CAN-1999-0904 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0916
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: CF
Reference: ISS:19990629 Bad Permissions on Passwords Stored by WebTrends Software
WebTrends software stores account names and passwords in a file which
does not have restricted access permissions.
INFERRED ACTION: CAN-1999-0916 MOREVOTES (1 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0921
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990409 Patrol security bugs
BMC Patrol allows any remote attacker to flood its UDP port, causing a
denial of service.
INFERRED ACTION: CAN-1999-0921 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0925
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
UnityMail allows remote attackers to conduct a denial of service via a
large number of MIME headers.
CONTENT-DECISIONS: SF-CODEBASE
INFERRED ACTION: CAN-1999-0925 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0927
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: EEYE:AD05261999
NTMail allows remote attackers to read arbitrary files via a .. (dot
dot) attack.
INFERRED ACTION: CAN-1999-0927 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0928
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990525 Buffer overflow in SmartDesk WebSuite v2.1
Buffer overflow in SmartDesk WebSuite allows remote attackers to cause
a denial of service via a long URL.
INFERRED ACTION: CAN-1999-0928 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0930
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19980903 wwwboard.pl vulnerability
wwwboard allows a remote attacker to delete message board articles via
a malformed argument.
INFERRED ACTION: CAN-1999-0930 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0931
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01
Reference: BID:734
Buffer overflow in Mediahouse Statistics Server allows remote
attackers to execute commands.
INFERRED ACTION: CAN-1999-0931 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0932
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: CF
Reference: BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01
Reference: BID:735
Mediahouse Statistics Server allows remote attackers to read the
administrator password which is stored in cleartext in the ss.cfg
file.
INFERRED ACTION: CAN-1999-0932 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0941
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19980728 mutt x.x
Mutt mail client allows a remote attacker to execute commands via
shell metacharacters.
INFERRED ACTION: CAN-1999-0941 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0944
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman
IBM WebSphere ikeyman tool uses weak encryption to store
a password for a key database that is used for SSL connections.
CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION
INFERRED ACTION: CAN-1999-0944 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0946
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Reference: BID:760
Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED
tag.
INFERRED ACTION: CAN-1999-0946 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0948
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BID:757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Buffer overflow in uum program for Canna input system allows local
users to gain root privileges.
CONTENT-DECISIONS: SF-LOC, SF-EXEC
INFERRED ACTION: CAN-1999-0948 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0949
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BID:757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Buffer overflow in canuum program for Canna input system allows local
users to gain root privileges.
CONTENT-DECISIONS: SF-LOC, SF-EXEC
INFERRED ACTION: CAN-1999-0949 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0950
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991027 WFTPD v2.40 FTPServer remotely exploitable buffer overflow vulnerability
Reference: BID:747
Buffer overflow in WFTPD FTP server allows remote attackers to gain
root access via a series of MKD and CWD commands that create nested
directories.
INFERRED ACTION: CAN-1999-0950 MOREVOTES (1 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0954
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: CF
Reference: BUGTRAQ:19990916 More fun with WWWBoard
Reference: BID:649
WWWBoard has a default username and default password.
INFERRED ACTION: CAN-1999-0954 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0957
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19970618 Security hole in MajorCool 1.0.3
MajorCool mj_key_cache program allows local users to modify files via
a symlink attack.
INFERRED ACTION: CAN-1999-0957 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0968
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19981226 bnc exploit
Buffer overflow in BNC IRC proxy allows remote attackers to gain
privileges.
INFERRED ACTION: CAN-1999-0968 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
=================================
Candidate: CAN-1999-0970
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server
The OmniHTTPD visadmin.exe program allows a remote attacker to conduct
a denial of service via a malformed URL which causes a large number of
temporary files to be created.
INFERRED ACTION: CAN-1999-0970 MOREVOTES (1 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
--------------------- CLUSTER WEB ---------------------
WEB (35 candidates)
--------------------
Proposed: 12/13
Scheduled Proposed: 12/13
Scheduled Interim Decision: 12/27
Scheduled Final Decision: 12/31
Problems in WWW servers and clients
Voters:
Christey NOOP(1)
Cole ACCEPT(2) MODIFY(2) NOOP(6)
Stracener ACCEPT(9) REVIEWING(1)
Blake ACCEPT(10)
<FINAL> --> 25
<INTERIM> --> 3
<MODIFIED> --> 1
<PROPOSED> --> 6
ACCEPT --> 8
MODIFY --> 1
REVIEWING --> 1
=================================
Candidate: CAN-1999-0677
Published:
Final-Decision:
Interim-Decision:
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: CF
Reference: BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp
Reference: BID:577
The WebRamp web administration utility has a default password.
CONTENT-DECISIONS: CF-PASS
INFERRED ACTION: CAN-1999-0677 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Cole
Comments:
Cole> I would add that it is not forced to be changed.
=================================
Candidate: CAN-1999-0753
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: unknown
Reference: BUGTRAQ:19990817 Stupid bug in W3-msql
Reference: XF:mini-sql-w3-msql-cgi
Reference: BID:591
The w3-msql CGI script provided with Mini SQL allows remote attackers
to view restricted directories.
Modifications:
ADDREF XF:mini-sql-w3-msql-cgi
INFERRED ACTION: CAN-1999-0753 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Blake, Stracener
NOOP(1) Christey
Comments:
Christey> May be a configuration error and not a software flaw. See
Christey> BUGTRAQ:19990820 Re: Stupid bug in W3-msql (David J. Hughes)
=================================
Candidate: CAN-1999-0776
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: NTBUGTRAQ:19990506 ".."-hole in Alibaba 2.0
Reference: XF:http-alibaba-dotdot
Alibaba HTTP server allows remote attackers to read files via a
.. (dot dot) attack.
INFERRED ACTION: CAN-1999-0776 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0790
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
A remote attacker can read information from a Netscape user's cache
via JavaScript.
INFERRED ACTION: CAN-1999-0790 MOREVOTES (2 accept, 0 ack, 1 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(1) Cole
REVIEWING(1) Stracener
Comments:
Cole> What is being exploited?
Stracener> need reference
=================================
Candidate: CAN-1999-0881
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server
Reference: BID:743
Reference: XF:falcon-path-parsing
Falcon web server allows remote attackers to read arbitrary files via
a .. (dot dot) attack.
Modifications:
ADDREF XF:falcon-path-parsing
ADDREF BID:743
INFERRED ACTION: CAN-1999-0881 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0882
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server
Falcon web server allows remote attackers to determine the absolute
path of the web root via long file names.
CONTENT-DECISIONS: DESIGN-REAL-PATH
INFERRED ACTION: CAN-1999-0882 ACCEPT_ACK (2 accept, 2 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0885
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991103 More Alibaba Web Server problems...
Reference: BID:770
Alibaba web server allows remote attackers to execute commands via a
pipe character in a malformed URL.
INFERRED ACTION: CAN-1999-0885 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0897
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990908 bug in iChat 3.0 (maybe others)
iChat ROOMS Webserver allows remote attackers to read arbitrary files
via a .. (dot dot) attack.
INFERRED ACTION: CAN-1999-0897 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0913
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned
Reference: BID:564
dfire.cgi script in Dragon-Fire IDS allows remote users to execute
commands via shell metacharacters.
INFERRED ACTION: CAN-1999-0913 MOREVOTES (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0929
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS
Novell NetWare with Novell-HTTP-Server or YAWN web servers allows
remote attackers to conduct a denial of service via a large number of
HTTP GET requests.
CONTENT-DECISIONS: SF-CODEBASE
INFERRED ACTION: CAN-1999-0929 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(3) Cole, Blake, Stracener