[VOTES] Vote details for remaining older clusters



This OLD-OTHER meta-cluster includes all other clusters that were
proposed in summer 1999.

A number of these candidates are for important issues (e.g. related to
CERT or vendor advisories), but are mostly being held back due to
unresolved content decisions or lack of sufficient details.

DESC
VERIFY-TOOL
VERIFY-BUGTRAQ
IDS
FINGER
NOREFS
ONEREF
RESTLOW
DENY
NTLOW
BUF
CGI
VEN-BSD
VEN-OTHERS
VEN-SGI
VEN-HP
VEN-SUN
VEN-AIX
CERT


- Steve


--------------------- CLUSTER DESC ---------------------

DESC (2 candidates)
--------------------
Proposed: 7/28
Scheduled Proposed: 7/27
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Description/information problems


Voters:
  Frech MODIFY(1)
  Wall MODIFY(1) NOOP(1)
  Christey NOOP(1) REVIEWING(1)
  Northcutt NOOP(2)


<MODIFIED> --> 1
<PROPOSED> --> 1
MODIFY --> 1
REVIEWING --> 1

=================================
Candidate: CAN-1999-0001
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

Denial of service in BSD-derived TCP/IP implementations, as described
in CERT CA-98-13.

Modifications:
  ADDREF BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

INFERRED ACTION: CAN-1999-0001 SMC_REVIEW (0 accept, 1 review)

Current Votes:
   NOOP(2) Wall, Northcutt
   REVIEWING(1) Christey

Comments:
 Christey> A Bugtraq posting indicates that the bug has to do with
 Christey> "short packets with certain options set," so the description
 Christey> should be modified accordingly.
 Christey>
 Christey> But is this the same as CVE-1999-0052?  That one is related
 Christey> to nestea (CAN-1999-0257) and probably the one described in
 Christey> BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
 Christey> The patch for nestea is in ip_input.c around line 750.
 Christey> The patches for CAN-1999-0001 are in lines 388&446.  So,
 Christey> CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
 Christey> The FreeBSD patch for CVE-1999-0052 is in line 750.
 Christey> So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
 Christey> CVE-1999-0052 should be RECAST since this bug affects Linux
 Christey> and other OSes besides FreeBSD.


=================================
Candidate: CAN-1999-0345
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Jolt ICMP attack causes a denial of service in Windows 95 and Windows
NT systems.

INFERRED ACTION: CAN-1999-0345 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(2) Wall, Frech
   NOOP(2) Northcutt, Christey

Comments:
 Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and
 Wall> Windows NT systems.
 Wall> Reference: Q154174.
 Wall> Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
 Wall> It is a modified teardrop 2 attack.
 Frech> XF:nt-ssping
 Frech> ADDREF XF:ping-death
 Frech> ADDREF XF:teardrop-mod
 Frech> ADDREF XF:mpeix-echo-request-dos
 Christey> I can't tell whether the Jolt exploit at:
 Christey>
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
 Christey>
 Christey> is exploiting any different flaw than teardrop does.




--------------------- CLUSTER VERIFY-TOOL ---------------------

VERIFY-TOOL (7 candidates)
--------------------
Proposed: 7/27
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems mentioned in a tool, but not seen in other VDB's


Voters:
  Frech NOOP(1)
  Shostack MODIFY(1)
  Christey NOOP(1) REJECT(1)
  Northcutt ACCEPT(5) NOOP(2)


<MODIFIED> --> 2
<PROPOSED> --> 5
ACCEPT --> 3
MODIFY --> 1
NOOP --> 2
REJECT --> 1

=================================
Candidate: CAN-1999-0220
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Attackers can do a denial of service of IRC by crashing the server.

INFERRED ACTION: CAN-1999-0220 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(1) Northcutt


=================================
Candidate: CAN-1999-0226
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Windows NT TCP/IP processes fragmented IP packets improperly, causing
a denial of service.

INFERRED ACTION: CAN-1999-0226 SMC_REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Christey

Comments:
 Christey> Too general, and no references.


=================================
Candidate: CAN-1999-0240
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Some filters or firewalls allow fragmented SYN packets with IP
reserved bits in violation of their implemented policy.

INFERRED ACTION: CAN-1999-0240 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt


=================================
Candidate: CAN-1999-0247
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: NAI:17

Buffer overflow in nnrpd program in INN up to version 1.6 allows
remote users to execute arbitrary commands.

Modifications:
  ADDREF NAI:17
  add version number

INFERRED ACTION: CAN-1999-0247 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:
   NOOP(1) Northcutt


=================================
Candidate: CAN-1999-0248
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

sshd 1.2.17 can be compromised through the SSH protocol.

INFERRED ACTION: CAN-1999-0248 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Shostack
   NOOP(1) Frech

Comments:
 Shostack> http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
 Shostack> looks to me to be about the correct message that came from Tatu.
 Shostack> There are comments in changelog: * Improved the security of
 Shostack> auth_input_request_forwarding().
 Shostack>
 Shostack> I'm not in favor of moving this forward without additional detail, but
 Shostack> thought I'd add a confirming URL and comment.  We have insufficient
 Shostack> detail to accept it as a CVE.
 Frech> Try http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1; to wit
 Frech> (see asterisked section):
 Frech> ...
 Frech> *****
 Frech> Versions of ssh prior to 1.2.17 had problems with authentication agent
 Frech> handling on some machines. There is a chance (a race condition) that a
 Frech> malicious user could steal another user's credentials. This should be fixed
 Frech> in 1.2.17.
 Frech> *****


=================================
Candidate: CAN-1999-0493
Published:
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-99-05
Reference: SUN:00186
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)

rpc.statd allows remote attackers to forward RPC calls to the local
operating system via the SM_MON and SM_NOTIFY commands, which in turn
could be used to remotely exploit other bugs such as in automountd.

Modifications:
  Added numerous references

INFERRED ACTION: CAN-1999-0493 MOREVOTES (1 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Christey

Comments:
 Christey> This candidate has been modified heavily.


=================================
Candidate: CAN-1999-0495
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

A remote attacker can gain access to a file system using ..  (dot dot)
when accessing SMB shares.

INFERRED ACTION: CAN-1999-0495 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt




--------------------- CLUSTER VERIFY-BUGTRAQ ---------------------

VERIFY-BUGTRAQ (23 candidates)
--------------------
Proposed: 7/27
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems discussed on Bugtraq but not seen in VDB's, or not confirmed


Voters:
  Frech MODIFY(21) REJECT(1) REVIEWING(1)
  Christey NOOP(6) REVIEWING(2) REVOTE(1)


<MODIFIED> --> 15
<PROPOSED> --> 8
MODIFY --> 19
REJECT --> 1
REVIEWING --> 3

=================================
Candidate: CAN-1999-0378
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990222 BlackHats Advisory -- InterScan VirusWall
Reference: BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available
Reference: XF:viruswall-http-request

InterScan VirusWall for Solaris doesn't scan files for viruses when
a single HTTP request includes two GET commands.

Modifications:
  ADDREF XF:viruswall-http-request
  ADDREF BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available

INFERRED ACTION: CAN-1999-0378 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> XF:viruswall-http-request


=================================
Candidate: CAN-1999-0387
Published:
Final-Decision:
Interim-Decision:
Modified: 19991206-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: MS:MS99-052
Reference: MSKB:Q168115
Reference: BID:829

A legacy credential caching mechanism used in Windows 95 and Windows
98 systems allows attackers to read plaintext network passwords.

Modifications:
  ADDREF MS:MS99-052
  ADDREF MSKB:Q168115
  ADDREF BID:829

INFERRED ACTION: CAN-1999-0387 REVOTE (0 accept, 1 review)

Current Votes:
   REVIEWING(1) Frech
   REVOTE(1) Christey

Comments:
 Frech> Term 'legacy' is vague and can be subject to interpretation. Require a
 Frech> reference to establish this vulnerability.
 Christey> added refs


=================================
Candidate: CAN-1999-0393
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want!
Reference: XF:sendmail-parsing-redirection

Remote attackers can cause a denial of service in Sendmail 8.8.x and
8.9.2 by sending messages with a large number of headers.

Modifications:
  ADDREF XF:sendmail-parsing-redirection
  CHANGEREF BUGTRAQ [change date to 19981212]
  ADDREF BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware

INFERRED ACTION: CAN-1999-0393 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> I assume that Reference: BUGTRAQ:Dec12,1999 is not attesting to the power of
 Frech> CVE to foresee events in the future. This reference should be 12/12/98.
 Frech> ADDREF XF:sendmail-parsing-redirection


=================================
Candidate: CAN-1999-0394
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990115 DPEC Online Courseware

DPEC Online Courseware allows an attacker to change another user's
password without knowing the original password.

INFERRED ACTION: CAN-1999-0394 REJECT (1 reject, 0 accept, 0 review)

Current Votes:
   REJECT(1) Frech

Comments:
 Frech> If I understand the issue, this HIGHCARD involves insecure web programming.
 Frech> If I don't understand, mark this as my first NOOP.


=================================
Candidate: CAN-1999-0398
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access

In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will
allow users with expired accounts to login.

Modifications:
  ADDREF XF:ssh-exp-account-access
  ADDREF BUGTRAQ:19990124 SSH Daemon

INFERRED ACTION: CAN-1999-0398 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet
 Frech> released. v1.2.26 should be substituted in the description for '27.
 Frech> XF:ssh-exp-account-access


=================================
Candidate: CAN-1999-0399
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: XF:mirc-dcc-metachar-filename

The DCC server command in the Mirc 5.5 client doesn't filter
characters from file names properly, allowing remote attackers to
place a malicious file in a different location, possibly allowing the
attacker to execute commands.

Modifications:
  ADDREF XF:mirc-dcc-metachar-filename

INFERRED ACTION: CAN-1999-0399 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> XF:mirc-dcc-metachar-filename


=================================
Candidate: CAN-1999-0400
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos
Reference: BID:344

Denial of service in Linux 2.2.0 running the ldd command on a core
file.

Modifications:
  ADDREF BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
  ADDREF XF:linux-kernel-ldd-dos
  ADDREF BID:344

INFERRED ACTION: CAN-1999-0400 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> BUGTRAQ:Jan27,1999
 Frech> (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&;
 Frech> msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
 Frech> XF:linux-kernel-ldd-dos


=================================
Candidate: CAN-1999-0401
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc

A race condition in Linux 2.2.1 allows local users to read arbitrary
memory from /proc files.

Modifications:
  ADDREF XF:linux-race-condition-proc

INFERRED ACTION: CAN-1999-0401 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> XF:linux-race-condition-proc


=================================
Candidate: CAN-1999-0406
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo

Digital Unix Networker program nsralist has a buffer overflow which
allows local users to obtain root privilege.

INFERRED ACTION: CAN-1999-0406 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> In description, change 'which' to 'that'.


=================================
Candidate: CAN-1999-0407
Published:
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: MSKB:Q184619
Reference: XF:iis-iisadmpwd

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains
files that can be used as proxies for brute force password attacks, or
to identify valid users on the system.

Modifications:
  Modified Bugtraq ref, added KB article and ISS ref

INFERRED ACTION: CAN-1999-0407 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> ADDREF XF:iis-iisadmpwd


=================================
Candidate: CAN-1999-0419
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: XF:smtp-4xx-error-dos

When the Microsoft SMTP service attempts to send a message to a server
and receives a 4xx error code, it quickly and repeatedly attempts to
redeliver the message, causing a denial of service.

Modifications:
  ADDREF XF:smtp-4xx-error-dos

INFERRED ACTION: CAN-1999-0419 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> XF:smtp-4xx-error-dos


=================================
Candidate: CAN-1999-0426
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.

The default permissions of /dev/kmem in Linux versions before 2.0.36
allows IP spoofing.

INFERRED ACTION: CAN-1999-0426 SMC_REVIEW (1 accept, 1 review)

Current Votes:
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF:linux-dev-kmem-spoof
 Christey> DUPE CVE-1999-0414?
 Christey> XF:linux-dev-kmem-spoof does not exist.


=================================
Candidate: CAN-1999-0427
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: XF:eudora-long-attachments

Eudora 4.1 allows remote attackers to perform a denial of service by
sending attachments with long file names.

INFERRED ACTION: CAN-1999-0427 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq
 Frech> reference states: "Both the Win 95 and Win NT versions, along with the 4.2
 Frech> beta of Eudora are affected."


=================================
Candidate: CAN-1999-0431
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment

Linux 2.2.3 and earlier allow a remote attacker to perform an IP
fragmentation attack, causing a denial of service.

Modifications:
  ADDREF XF:linux-zerolength-fragment

INFERRED ACTION: CAN-1999-0431 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> XF:linux-zerolength-fragment


=================================
Candidate: CAN-1999-0434
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990331 Bug in xfs
Reference: BID:359

XFree86 xfs command is vulnerable to a symlink attack, allowing
local users to create files in restricted directories, possibly
allowing them to gain privileges or cause a denial of service.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0434 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> XF:xfree86-xfs-symlink-dos
 Christey> Is this the same problem as CVE-1999-0433?  CVE-1999-0433
 Christey> deals with a symlink attack on one file (/tmp/.X11-unix),
 Christey> while xfs (this candidate) deals with /tmp/.font-unix
 Christey> XF:xfree86-xfs-symlink-dos doesn't exist.


=================================
Candidate: CAN-1999-0443
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: XF:bmc-patrol-replay

Patrol management software allows a remote attacker to conduct a
replay attack to steal the administrator password.

INFERRED ACTION: CAN-1999-0443 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> Change "Patrol management software" to "The PATROL management product from
 Frech> BMC Software".


=================================
Candidate: CAN-1999-0444
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: XF:windows-arp-dos

Remote attackers can perform a denial of service in Windows machines
using malicious ARP packets, forcing a message box display for each
packet or filling up log files.

Modifications:
  ADDREF XF:windows-arp-dos

INFERRED ACTION: CAN-1999-0444 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> ADDREF: XF:windows-arp-dos


=================================
Candidate: CAN-1999-0461
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind
allow a remote attacker to insert and delete entries by spoofing a
source address.

INFERRED ACTION: CAN-1999-0461 SMC_REVIEW (1 accept, 1 review)

Current Votes:
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> ADDREF XF:pmap-sset
 Christey> CAN-1999-0195 = CAN-1999-0461 ?


=================================
Candidate: CAN-1999-0462
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux
Reference: BID:339

suidperl in Linux Perl does not check the nosuid mount option on file
systems, allowing local users to gain root access by placing a setuid
script in a mountable file system, e.g. a CD-ROM or floppy disk.

INFERRED ACTION: CAN-1999-0462 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> XF:perl-suidperl-bo
 Christey> XF:perl-suidperl-bo doesn't exist.


=================================
Candidate: CAN-1999-0464
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990104 Tripwire mess..

Local users can perform a denial of service in Tripwire 1.2 and
earlier using long filenames.

Modifications:
  ADDREF BUGTRAQ:19990104 Tripwire mess..

INFERRED ACTION: CAN-1999-0464 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> XF:tripwire-long-filename-dos
 Christey> XF:tripwire-long-filename-dos doesn't exist.


=================================
Candidate: CAN-1999-0480
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980315 Midnight Commander /tmp race

Local attackers can conduct a denial of service in Midnight Commander
4.x with a symlink attack.

Modifications:
  CHANGEREF BUGTRAQ [date,title]

INFERRED ACTION: CAN-1999-0480 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> XF:midnight-commander-symlink-dos
 Christey> XF:midnight-commander-symlink-dos


=================================
Candidate: CAN-1999-0486
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990420 AOL Instant Messenger URL Crash

Denial of service in AOL Instant Messenger when a remote attacker
sends a malicious hyperlink to the receiving client, potentially
causing a system crash.

Modifications:
  CHANGEREF BUGTRAQ [add title]

INFERRED ACTION: CAN-1999-0486 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> XF:aol-im.
 Christey> XF:aol-im appears to be related to the problem discussed in
 Christey> BUGTRAQ:19980224 AOL Instant Messanger Bug
 Christey>
 Christey> This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash


=================================
Candidate: CAN-1999-0491
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990420 Bash Bug
Reference: BID:119

The prompt parsing in bash allows a local user to execute commands as
another user by creating a directory with the name of the command
to execute.

Modifications:
  CHANGEREF BUGTRAQ [title]

INFERRED ACTION: CAN-1999-0491 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> bash-prompt-pars-dir
 Christey> XF:bash-prompt-pars-dir doesn't exist.




--------------------- CLUSTER IDS ---------------------

IDS (5 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems with IDSes


Voters:
  Northcutt ACCEPT(5)


<PROPOSED> --> 5
ACCEPT --> 5

=================================
Candidate: CAN-1999-0598
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not properly handle
packets that are sent out of order, allowing an attacker to escape
detection.

INFERRED ACTION: CAN-1999-0598 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt


=================================
Candidate: CAN-1999-0599
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not properly handle
packets with improper sequence numbers.

INFERRED ACTION: CAN-1999-0599 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt


=================================
Candidate: CAN-1999-0600
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not verify the
checksum on a packet.

INFERRED ACTION: CAN-1999-0600 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt


=================================
Candidate: CAN-1999-0601
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not properly handle
data within TCP handshake packets.

INFERRED ACTION: CAN-1999-0601 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt


=================================
Candidate: CAN-1999-0602
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not properly
reassemble fragmented packets.

INFERRED ACTION: CAN-1999-0602 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt




--------------------- CLUSTER FINGER ---------------------

FINGER (6 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems related to finger


Voters:
  Frech MODIFY(3) REVIEWING(3)
  Shostack ACCEPT(1) MODIFY(5)
  Christey REVIEWING(1)
  Northcutt ACCEPT(2) NOOP(1) REJECT(3)


<INTERIM> --> 1
<PROPOSED> --> 5
MODIFY --> 1
REJECT --> 3
REVIEWING --> 2

=================================
Candidate: CAN-1999-0105
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

finger allows recursive searches by using a long string of @ symbols.

INFERRED ACTION: CAN-1999-0105 REJECT (1 reject, 2 accept, 0 review)

Current Votes:
   MODIFY(2) Shostack, Frech
   REJECT(1) Northcutt

Comments:
 Shostack> fingerD
 Frech> XF:finger-bomb


=================================
Candidate: CAN-1999-0106
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

Finger redirection allows finger bombs.

INFERRED ACTION: CAN-1999-0106 SMC_REVIEW (3 accept, 1 review)

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(2) Shostack, Frech
   REVIEWING(1) Christey

Comments:
 Shostack> fingerd allows redirection
 Shostack> This is a larger modification, since there are two applications of the
 Shostack> vulnerability, one that I can finger anonymously, and the other that I
 Shostack> can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs


=================================
Candidate: CAN-1999-0197
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

finger 0@host on some systems may print information on some user accounts.

INFERRED ACTION: CAN-1999-0197 REJECT (1 reject, 1 accept, 1 review)

Current Votes:
   MODIFY(1) Shostack
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Shostack> fingerd may respond to 'finger 0@host' with account info
 Frech> Need more reference to establish this 'exposure'.


=================================
Candidate: CAN-1999-0198
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

finger .@host on some systems may print information on some user accounts.

INFERRED ACTION: CAN-1999-0198 REJECT (1 reject, 1 accept, 1 review)

Current Votes:
   MODIFY(1) Shostack
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Shostack> as above
 Frech> Need more reference to establish this 'exposure'.


=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000106-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970523 cfingerd vulnerability
Reference: XF:cfinger-user-enumeration

cfingerd lists all users on a system via search.**@target.

Modifications:
  ADDREF BUGTRAQ:19970523 cfingerd vulnerability
  ADDREF XF:cfinger-user-enumeration

INFERRED ACTION: CAN-1999-0259 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Shostack
   MODIFY(1) Frech
   NOOP(1) Northcutt

Comments:
 Frech> XF:cfinger-user-enumeration


=================================
Candidate: CAN-1999-0492
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr23,1999

The ffingerd 1.19 allows remote attackers to identify users on the
target system based on its responses.

INFERRED ACTION: CAN-1999-0492 MOREVOTES (2 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Shostack
   REVIEWING(1) Frech

Comments:
 Shostack> isn't that what finger is supposed to do?




--------------------- CLUSTER NOREFS ---------------------

NOREFS (23 candidates)
--------------------
Proposed: 7/13
Scheduled Proposed: 7/6
Scheduled Interim Decision: 7/26
Scheduled Final Decision: 7/30

Vulnerability has no references, but is tested by some tool


Voters:
  Frech MODIFY(16) REVIEWING(2)
  Wall MODIFY(3) NOOP(15)
  Shostack ACCEPT(5) MODIFY(4) NOOP(9)
  Christey NOOP(4) RECAST(1) REJECT(4) REVIEWING(3) REVOTE(3)
  Northcutt NOOP(18)
  Blake NOOP(1)


<FINAL> --> 5
<INTERIM> --> 1
<MODIFIED> --> 12
<PROPOSED> --> 5
MODIFY --> 9
RECAST --> 1
REJECT --> 4
REVIEWING --> 4

=================================
Candidate: CAN-1999-0020
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF

** REJECT ** Duplicate of CVE-1999-0032 ** REJECT **
Buffer overflow in Linux lpr command gives root access.

Modifications:
  DESC Add REJECT header.

INFERRED ACTION: CAN-1999-0020 SMC_REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REJECT(1) Christey

Comments:
 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo


=================================
Candidate: CAN-1999-0107
Published:
Final-Decision:
Interim-Decision:
Modified: 19991223-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?

Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker
to cause a denial of service with a large number of GET requests
containing a large number of / characters.

Modifications:
  ADDREF XF:apache-dos
  ADDREF BUGTRAQ:19971230 Apache DoS attack?
  DESC make more explicit

INFERRED ACTION: CAN-1999-0107 REVOTE (1 accept, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVOTE(1) Christey

Comments:
 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos


=================================
Candidate: CAN-1999-0110
Published:
Final-Decision:
Interim-Decision: 19990810
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF

** REJECT ** Duplicate of CVE-1999-0315 (this has a typo) ** REJECT **
Buffer overflow in fbformat command in Solaris.

INFERRED ACTION: CAN-1999-0110 SMC_REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REJECT(1) Christey

Comments:
 Frech> XF:fdformat-bo
 Christey> Duplicate of CAN-1999-0315


=================================
Candidate: CAN-1999-0114
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Local users can execute commands as other users, and read other users'
files, through the filter command in the Elm elm-2.4 mail package
using a symlink attack.

Modifications:
  ADDREF XF:elm-filter2
  ADDREF BUGTRAQ:19951226 filter (elm package) security hole
  ADDREF BUGTRAQ:19990912 elm filter program

INFERRED ACTION: CAN-1999-0114 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Shostack
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

Comments:
 Frech> XF:elm-filter2


=================================
Candidate: CAN-1999-0115
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler

AIX bugfiler program allows local users to gain root access.

Modifications:
  ADDREF BUGTRAQ:19970909 AIX bugfiler
  ADDREF XF:ibm-bugfiler

INFERRED ACTION: CAN-1999-0115 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Northcutt, Shostack, Wall, Christey

Comments:
 Frech> XF:ibm-bugfiler
 Christey> I could not find any acknowledgement of this bug on the IBM
 Christey> web site.


=================================
Candidate: CAN-1999-0118
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: XF:aix-infod

AIX infod allows local users to gain root access through an X display.

Modifications:
  ADDREF XF:aix-infod
  ADDREF BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD

INFERRED ACTION: CAN-1999-0118 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Northcutt, Shostack, Wall, Christey

Comments:
 Frech> XF:aix-infod
 Christey> See BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
 Christey> An AIX patch list confirms this problem.


=================================
Candidate: CAN-1999-0195
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Denial of service in RPC portmapper allows attackers to register or
unregister RPC services or spoof RPC services using a spoofed source
IP address such as 127.0.0.1.

Modifications:
  Add Bugtraq reference, expand description

INFERRED ACTION: CAN-1999-0195 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(1) Shostack
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Comments:
 Frech> XF:rpcbind-spoof
 Christey> CAN-1999-0195 = CAN-1999-0461 ?


=================================
Candidate: CAN-1999-0200
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MSKB:Q137853

Windows NT FTP server (WFTP) with the guest account enabled without a
password allows an attacker to log into the FTP server using any
username and password.

Modifications:
  Expand WFTP to Windows FTP, clarify situation
  ADDREF MSKB:Q137853

INFERRED ACTION: CAN-1999-0200 REVOTE (2 accept, 0 review)

Current Votes:
   MODIFY(2) Shostack, Frech
   NOOP(2) Northcutt, Wall
   REVOTE(1) Christey

Comments:
 Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
 Frech> Others have mentioned this before, but it may be WU-FTP.
 Frech> POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
 Frech> access without anon FTP or a regular account?
 Frech> POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a
 Frech> non-anon FTP account and gain root privs.
 Christey> added MSKB reference


=================================
Candidate: CAN-1999-0210
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: HP:HPSBUX9910-104
Reference: CERT:CA-99-05

Automount daemon automountd allows local or remote users to gain
privileges via shell metacharacters.

Modifications:
  Changed description and added references.

INFERRED ACTION: CAN-1999-0210 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   MODIFY(2) Shostack, Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Comments:
 Shostack> I think there was an SNI advisory on this
 Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options)
 Christey> This is a tough one.  There's an old automount bug that's
 Christey> only locally exploitable, then a newer rpc.statd bug allows
 Christey> it to be remotely exploitable.  There's at least two bugs,
 Christey> but should there be three?  Also see CERT:CA-99-05
 Christey>
 Christey> Also see CAN-1999-0088 and CAN-1999-0493


=================================
Candidate: CAN-1999-0222
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Denial of service in Cisco IOS web server allows attackers to reboot
the router using a long URL.

INFERRED ACTION: CAN-1999-0222 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   MODIFY(2) Shostack, Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

Comments:
 Shostack> I follow cisco announcements and problems pretty closely, and haven't
 Shostack> seen this.  Source?
 Frech> XF:cisco-web-crash
 Christey> XF:cisco-web-crash has no additional references.  I can't find
 Christey> any references in Bugtraq or Cisco either.  This bug is
 Christey> supposedly tested by at least one security product, but that
 Christey> product's database doesn't have any references either.  So
 Christey> a question becomes, how did it make it into at least two
 Christey> security companies' databases?


=================================
Candidate: CAN-1999-0223
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4
Reference: XF:sol-syslogd-crash

Solaris syslogd crashes when receiving a message from a host that
doesn't have an inverse DNS entry.

Modifications:
  ADDREF BUGTRAQ:19961109 Syslogd and Solaris 2.4
  ADDREF XF:sol-syslogd-crash

INFERRED ACTION: CAN-1999-0223 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall

Comments:
 Frech> XF:sol-syslogd-crash


=================================
Candidate: CAN-1999-0229
Published:
Final-Decision:
Interim-Decision:
Modified: 19991228-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MSKB:Q115052

Denial of service in Windows NT IIS server using ..\..

Modifications:
  ADDREF MSKB:Q115052
  ADDREF XF:http-dotdot
  DELREF XF:http-dotdot

INFERRED ACTION: CAN-1999-0229 REVOTE (3 accept, 0 review)

Current Votes:
   ACCEPT(1) Shostack
   MODIFY(2) Wall, Frech
   NOOP(1) Northcutt
   REVOTE(1) Christey

Comments:
 Wall> Denial of service in Windows NT IIS Server 1.0 using ..\...
 Wall> Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
 Frech> XF:http-dotdot (not necessarily IIS?)
 Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot
 Christey> problem.


=================================
Candidate: CAN-1999-0242
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d

Remote attackers can access mail files via POP3 in some Linux systems
that are using shadow passwords.

Modifications:
  ADDREF BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
  ADDREF XF:linux-pop3d

INFERRED ACTION: CAN-1999-0242 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(4) Northcutt, Shostack, Wall, Christey

Comments:
 Frech> Ambiguous description: need more detail. Possibly:
 Frech> XF:linux-pop3d (mktemp() leads to reading e-mail)
 Christey> At first glance this might look like CAN-1999-0123 or
 Christey> CVE-1999-0125, however this particular candidate arises out
 Christey> of a brief mention of the problem in a larger posting which
 Christey> discusses CAN-1999-0123 (which may be the same bug as
 Christey> CVE-1999-0125).  See the following phrase in the Bugtraq
 Christey> post: "one such example of this is in.pop3d"
 Christey>
 Christey> However, the original source of this candidate's description
 Christey> explicitly mentions shadowed passwords, though it has no
 Christey> references to help out here.


=================================
Candidate: CAN-1999-0243
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Linux cfingerd could be exploited to gain root access.

INFERRED ACTION: CAN-1999-0243 SMC_REJECT (1 reject, 1 accept, 1 review)

Current Votes:
   ACCEPT(1) Shostack
   NOOP(2) Northcutt, Wall
   REJECT(1) Christey
   REVIEWING(1) Frech

Comments:
 Christey> This has no sources; neither does the original database that
 Christey> this entry came from.  It's a likely duplicate of
 Christey> CAN-1999-0813.


=================================
Candidate: CAN-1999-0249
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Windows NT RSHSVC program allows remote users to execute arbitrary
commands.

INFERRED ACTION: CAN-1999-0249 RECAST (1 recast, 2 accept, 0 review)

Current Votes:
   MODIFY(2) Wall, Frech
   NOOP(2) Northcutt, Shostack
   RECAST(1) Christey

Comments:
 Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows
 Wall> remote
 Wall> users to execute arbitrary commands.
 Wall> Source: rshsvc.txt from the Windows NT Resource Kit.
 Frech> XF:rsh-svc
 Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case
 Christey> where remote users coming from authorized machines are
 Christey> allowed access regardless of what .rhosts says.  XF:rsh-svc
 Christey> refers to a bug circa 1997 where any remote entity could
 Christey> execute commands as system.


=================================
Candidate: CAN-1999-0286
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

In some NT web servers, appending a space at the end of a URL may
allow attackers to read source code for active pages.

INFERRED ACTION: CAN-1999-0286 MOREVOTES (2 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(1) Shostack
   MODIFY(1) Wall
   NOOP(2) Northcutt, Christey
   REVIEWING(1) Frech

Comments:
 Wall> In some NT web servers, appending a dot at the end of a URL may
 Wall> allow attackers to read source code for active pages.
 Wall> Source:  MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
 Wall> in Browser"
 Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
 Christey> Q163485 does not refer to a space, it refers to a dot.
 Christey> However, I don't have other references.
 Christey>
 Christey> Reading source code with a dot appended is in CAN-1999-0154,
 Christey> which will be proposed.  A subsequent bug similar to the
 Christey> dot bug is CAN-1999-0253.


=================================
Candidate: CAN-1999-0287
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Vulnerability in the Wguest CGI program.

INFERRED ACTION: CAN-1999-0287 SMC_REJECT (1 reject, 2 accept, 0 review)

Current Votes:
   MODIFY(2) Shostack, Frech
   NOOP(3) Northcutt, Wall, Blake
   REJECT(1) Christey

Comments:
 Shostack> allows file reading
 Frech> XF:http-cgi-webcom-guestbook
 Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467.  In
 Christey> NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
 Christey> Mnemonix says that he had previously reported on a similar
 Christey> problem.  Let's refer to the NTBugtraq posting as
 Christey> CAN-1999-0467.  We will refer to the "previous report" as
 Christey> CAN-1999-0287, which could be found at:
 Christey> http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
 Christey>
 Christey> 0287 describes an exploit via the "template" hidden variable.
 Christey> The exploit describes manually editing the HTML form to
 Christey> change the filename to read from the template variable.
 Christey>
 Christey> The exploit as described in 0467 encodes the template variable
 Christey> directly into the URL.  However, hidden variables are also
 Christey> encoded into the URL, which would have looked the same to
 Christey> the web server regardless of the exploit.  Therefore 0287
 Christey> and 0467 are the same.


=================================
Candidate: CAN-1999-0330
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo

Linux bdash game has a buffer overflow that allows local users to
gain root access.

Modifications:
  ADDREF BUGTRAQ:19940101 (No Subject)
  ADDREF XF:bdash-bo

INFERRED ACTION: CAN-1999-0330 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall

Comments:
 Frech> XF:bdash-bo




--------------------- CLUSTER ONEREF ---------------------

ONEREF (43 candidates)
--------------------
Proposed: 7/13
Scheduled Proposed: 7/6
Scheduled Interim Decision: 7/26
Scheduled Final Decision: 7/30

Vulnerability only has one reference


Voters:
  Frech ACCEPT(5) MODIFY(1) RECAST(1)
  Shostack ACCEPT(1) MODIFY(2) NOOP(3) RECAST(1)
  Christey NOOP(1) RECAST(2) REJECT(2) REVIEWING(2)
  Northcutt ACCEPT(7)
  Baker ACCEPT(3) NOOP(4)
  Prosser MODIFY(2) NOOP(3) RECAST(1) REVIEWING(1)


<FINAL> --> 36
<MODIFIED> --> 2
<PROPOSED> --> 5
RECAST --> 4
REJECT --> 2
REVIEWING --> 2

=================================
Candidate: CAN-1999-0156
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-pwless

wu-ftpd FTP daemon allows any user and password combination.

INFERRED ACTION: CAN-1999-0156 RECAST (1 recast, 2 accept, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   NOOP(1) Baker
   RECAST(1) Frech
   REVIEWING(1) Prosser

Comments:
 Prosser> but so far can find no reference to this one
 Frech> Our records indicate that this does not necessarily affect just wu-ftp (i.e.,
 Frech> also affects IIS FTP server).


=================================
Candidate: CAN-1999-0163
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:smtp-pipe

In older versions of Sendmail, an attacker could use a pipe character
to execute root commands.

INFERRED ACTION: CAN-1999-0163 RECAST (1 recast, 3 accept, 0 review)

Current Votes:
   ACCEPT(2) Northcutt, Frech
   MODIFY(1) Prosser
   NOOP(2) Baker, Christey
   RECAST(1) Shostack

Comments:
 Shostack> there was a 'To: |' and a 'From: |' attack, which I
 Shostack> think are separate.
 Prosser> older vulnerability, but one additional reference is-
 Prosser> The Ultimate Sendmail Hole List by Markus Hübner @
 Prosser> bau2.uibk.ac.at/matic/buglist.htm
 Prosser> '|PROGRAM '
 Christey> Description needs to be more specific to distinguish between
 Christey> this and CAN-1999-0203, as alluded to by Adam Shostack


=================================
Candidate: CAN-1999-0165
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-cache

NFS cache poisoning

INFERRED ACTION: CAN-1999-0165 SMC_REVIEW (3 accept, 1 review)

Current Votes:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Shostack
   NOOP(1) Prosser
   REVIEWING(1) Christey

Comments:
 Shostack> need more data
 Christey> need more refs


=================================
Candidate: CAN-1999-0306
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-xlock

Buffer overflow in HP xlock program.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0306 SMC_REJECT (1 reject, 3 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack
   REJECT(1) Christey

Comments:
 Prosser> This is another of those with multiple affected OSs.
 Prosser> Refs:  CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
 Prosser> HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is
 Christey> the same problem as in CERT:CA-97.13, which is CVE-1999-0038.


=================================
Candidate: CAN-1999-0307
Published:
Final-Decision:
Interim-Decision:
Modified: 19991207-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-cstm-bo

Buffer overflow in HP-UX cstm program allows local users to gain
root privileges.

Modifications:
  ADDREF BUGTRAQ:19961116 This week: turn me on, dead man

CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0307 RECAST (1 recast, 2 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Northcutt, Frech
   NOOP(3) Shostack, Prosser, Baker
   RECAST(1) Christey

Comments:
 Prosser> only ref I can find is an old SOD exploit on
 Prosser> www.outpost9.com
 Christey> MERGE CAN-1999-0336 (likely same codebase)
 Christey> Also, there does not seem to be any recognition of this problem
 Christey> by HP.  The only other information besides the Bugtraq post
 Christey> is the SOD exploit.


=================================
Candidate: CAN-1999-0331
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:msie-bo

Buffer overflow in Internet Explorer 4.0(1)

INFERRED ACTION: CAN-1999-0331 SMC_REJECT (1 reject, 3 accept, 0 review)

Current Votes:
   ACCEPT(2) Northcutt, Baker
   MODIFY(2) Shostack, Frech
   RECAST(1) Prosser
   REJECT(1) Christey

Comments:
 Shostack> this is a high cardinality item
 Prosser> needs to be more specific.
 Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
 Frech> duplicate)
 Frech> Description (from xfdb): Some versions of Internet Explorer for Windows
 Frech> contain a vulnerability that may crash the browser when a malicious web site
 Frech> contains a certain kind of URL (that begins with "mk://") with more
 Frech> characters than the browser supports.
 Christey> The description is too vague.


=================================
Candidate: CAN-1999-0336
Published:
Final-Decision:
Interim-Decision:
Modified: 19991207-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-mstm-bo

Buffer overflow in mstm in HP-UX allows local users to gain root
access.

Modifications:
  ADDREF BUGTRAQ:19961116 This week: turn me on, dead man

CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0336 RECAST (1 recast, 2 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Northcutt, Frech
   NOOP(3) Shostack, Prosser, Baker
   RECAST(1) Christey

Comments:
 Prosser> same as CAN-1999-0307, only ref I can find is an old SOD
 Prosser> exploit on www.outpost9.com
 Christey> MERGE CAN-1999-0307 (likely same codebase)
 Christey> Also, there does not seem to be any recognition of this problem
 Christey> by HP.  The only other information besides the Bugtraq post
 Christey> is the SOD exploit.




--------------------- CLUSTER RESTLOW ---------------------

RESTLOW (39 candidates)
--------------------
Proposed: 6/29
Scheduled Interim Decision: 7/12
Scheduled Final Decision: 7/16

The rest of the low-controversy vuln's


Voters:
  Ozancin ACCEPT(1) REVIEWING(1)
  Landfield NOOP(1)
  Frech ACCEPT(2) MODIFY(5) REVIEWING(2)
  Proctor ACCEPT(2)
  Hill ACCEPT(9)
  Northcutt ACCEPT(7) NOOP(1) REJECT(1)
  Christey NOOP(2) RECAST(2) REVIEWING(3)
  Balinsky ACCEPT(2)
  Prosser ACCEPT(1) MODIFY(3)
  Blake ACCEPT(3)


<FINAL> --> 30
<MODIFIED> --> 4
<PROPOSED> --> 5
MODIFY --> 1
RECAST --> 2
REJECT --> 1
REVIEWING --> 5

=================================
Candidate: CAN-1999-0061
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

File creation and deletion, and remote execution, in the BSD
line printer daemon (lpd).

INFERRED ACTION: CAN-1999-0061 RECAST (1 recast, 2 accept, 0 review)

Current Votes:
   ACCEPT(3) Hill, Frech, Northcutt
   RECAST(1) Christey

Comments:
 Christey> This should be split into three separate problems.


=================================
Candidate: CAN-1999-0145
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

Sendmail WIZ command enabled, allowing root access.

INFERRED ACTION: CAN-1999-0145 REJECT (1 reject, 5 accept, 0 review)

Current Votes:
   ACCEPT(4) Hill, Blake, Proctor, Balinsky
   MODIFY(2) Frech, Prosser
   NOOP(1) Christey
   REJECT(1) Northcutt

Comments:
 Frech> XF:smtp-wiz
 Northcutt> I have voted against this before as well.  This raises the case of a
 Northcutt> historic but no longer existent vulnerability.  Or is there any data
 Northcutt> that wiz still exists on any operational systems?
 Prosser> additional sources
 Prosser> Bugtraq
 Prosser> "sendmail wizard thing"
 Prosser> http://securityfocus/
 Prosser> CERT Advisory CA-93.14
 Prosser> http://www.cert.org
 Christey> While this may not be active anywhere (we hope), it is still
 Christey> of historic interest and potentially useful for academic
 Christey> study.  Therefore it should be included.


=================================
Candidate: CAN-1999-0203
Published:
Final-Decision:
Interim-Decision:
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.08
Reference: CIAC:E-03

In Sendmail, attackers can gain root privileges via SMTP by specifying
an improper "mail from" address and an invalid "rcpt to" address that would
cause the mail to bounce to a program.

Modifications:
  ADDREF CERT:CA-95.08
  ADDREF CIAC:E-03

INFERRED ACTION: CAN-1999-0203 ACCEPT_REV (4 accept, 2 ack, 1 review)

Current Votes:
   ACCEPT(5) Hill, Blake, Balinsky, Ozancin, Northcutt
   NOOP(1) Christey
   REVIEWING(1) Frech

Comments:
 Christey> Description needs to be more specific to distinguish between
 Christey> this and CAN-1999-0163, as alluded to by Adam Shostack


=================================
Candidate: CAN-1999-0205
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990708 SM 8.6.12

Denial of service in Sendmail 8.6.11 and 8.6.12.

Modifications:
  ADDREF BUGTRAQ:19990708 SM 8.6.12

INFERRED ACTION: CAN-1999-0205 SMC_REVIEW (3 accept, 2 review)

Current Votes:
   ACCEPT(2) Hill, Northcutt
   MODIFY(2) Frech, Prosser
   REVIEWING(2) Ozancin, Christey

Comments:
 Frech> XF:sendmail-alias-dos
 Prosser> additional source
 Prosser> Bugtraq
 Prosser> "Re:  SM 8.6.12"
 Prosser> http://www.securityfocus.com
 Christey> The Bugtraq thread does not provide any proof, including a
 Christey> comment by Eric Allman that he hadn't been provided any
 Christey> details either.
 Christey>
 Christey> See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
 Christey> for the thread.


=================================
Candidate: CAN-1999-0241
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-xguess-cookie

Guessable magic cookies in X Windows allows remote attackers to
execute commands, e.g. through xterm.

INFERRED ACTION: CAN-1999-0241 SMC_REVIEW (4 accept, 1 review)

Current Votes:
   ACCEPT(3) Hill, Northcutt, Proctor
   MODIFY(2) Frech, Prosser
   REVIEWING(1) Christey

Comments:
 Frech> Also add to references:
 Frech> XF:sol-mkcookie
 Prosser> additional source
 Prosser> Bugtraq
 Prosser> "X11 cookie hijacker"
 Prosser> http://www.securityfocus.com
 Christey> The cookie hijacker thread has to do with stealing cookies
 Christey> through a file with bad permissions.  I'm not sure the
 Christey> X-Force reference identifies this problem either.


=================================
Candidate: CAN-1999-0246
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:hp-remote

HP Remote Watch allows a remote user to gain root access.

INFERRED ACTION: CAN-1999-0246 RECAST (1 recast, 3 accept, 0 review)

Current Votes:
   ACCEPT(4) Hill, Frech, Northcutt, Prosser
   RECAST(1) Christey

Comments:
 Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
 Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
 Christey> Remote Watch (the advisory uses two words, not one, for the
 Christey> "Remote Watch" name)
 Prosser> agree that the advisory mentions two vulnerabilities in Remote
 Prosser> Watch, one being a socket connection and the other with the showdisk utility
 Prosser> which seems to be a suid vulnerability.  Never get much details on this
 Prosser> anywhere since the recommendation is to remove the program since it is
 Prosser> obsolete and superseded by later tools. Believe the biggest concern here is
 Prosser> to just not run the tool at all.


=================================
Candidate: CAN-1999-0323
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:04

FreeBSD mmap function allows users to modify append-only or immutable
files.

INFERRED ACTION: CAN-1999-0323 MOREVOTES (1 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Hill, Northcutt
   REVIEWING(1) Frech

Comments:
 Frech> probably XF:bsd-mmap


=================================
Candidate: CAN-1999-0395
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Vulnerability in the BackWeb Polite Agent Protocol

A race condition in the BackWeb Polite Agent Protocol allows an
attacker to spoof a BackWeb server.

INFERRED ACTION: CAN-1999-0395 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Hill
   MODIFY(1) Frech
   NOOP(2) Northcutt, Landfield

Comments:
 Frech> XF:backweb-polite-agent-protocol


=================================
Candidate: CAN-1999-0498
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks

TFTP is not running in a restricted directory, allowing a remote
attacker to access sensitive information such as password files.

Modifications:
  ADDREF CERT:CA-91.18.Active.Internet.tftp.Attacks

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0498 SMC_REVIEW (3 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(3) Hill, Blake, Northcutt
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF:linux-tftp
 Christey> XF:linux-tftp refers to CAN-1999-0183




--------------------- CLUSTER DENY ---------------------

DENY (13 candidates)
--------------------
Proposed: 6/29
Scheduled Interim Decision: 7/12
Scheduled Final Decision: 7/16

Some (not all) denial of service


Voters:
  Frech ACCEPT(1) MODIFY(4)
  Hill ACCEPT(5)
  Christey NOOP(1) REVIEWING(2)
  Meunier ACCEPT(2) MODIFY(1) NOOP(1) RECAST(1)


<FINAL> --> 8
<MODIFIED> --> 1
<PROPOSED> --> 4
MODIFY --> 2
RECAST --> 1
REVIEWING --> 2

=================================
Candidate: CAN-1999-0140
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

Denial of service in RAS/PPTP on NT systems.

INFERRED ACTION: CAN-1999-0140 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Hill
   MODIFY(2) Meunier, Frech
   NOOP(1) Christey

Comments:
 Meunier> Add "pptp invalid packet length in header" to distinguish from other
 Meunier> vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
 Meunier> discovered in the future.
 Frech> XF:nt-ras-bo
 Frech> ONLY IF reference is to MS:MS99-016
 Christey> According to my mappings, this is not the MS:MS99-016 problem
 Christey> referred to by Andre.  However, I have yet to dig up a
 Christey> source.


=================================
Candidate: CAN-1999-0144
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:qmail-rcpt

Denial of service in Qmail by specifying a large number of
recipients with the RCPT command.

INFERRED ACTION: CAN-1999-0144 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(3) Hill, Meunier, Frech
   REVIEWING(1) Christey

Comments:
 Christey> DUPE CAN-1999-0418 and CAN-1999-0250?


=================================
Candidate: CAN-1999-0213
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

libnsl in Solaris allowed an attacker to perform a denial of service
of rpcbind.

INFERRED ACTION: CAN-1999-0213 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Hill
   MODIFY(1) Frech
   NOOP(1) Meunier

Comments:
 Frech> XF:sun-libnsl


=================================
Candidate: CAN-1999-0216
Published:
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd

Denial of service of inetd on Linux through SYN and RST packets.

Modifications:
  ADDREF BUGTRAQ:19971130 Linux inetd..
  ADDREF XF:linux-inetd-dos
  ADDREF HP:HPSBUX9803-077
  ADDREF XF:hp-inetd

INFERRED ACTION: CAN-1999-0216 RECAST (1 recast, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Hill
   MODIFY(1) Frech
   RECAST(1) Meunier

Comments:
 Meunier> The location of the vulnerability, whether in the Linux kernel or the
 Meunier> application, is debatable.  Any program making the same (reasonable)
 Meunier> assumption is vulnerable, i.e., implements the same vulnerability:
 Meunier> "Assumption that TCP-three-way handshake is complete after calling Linux
 Meunier> kernel function accept(), which returns socket after getting SYN.   Result
 Meunier> is process death by SIGPIPE"
 Meunier> Moreover, whether it results in DOS (to third parties) depends on the
 Meunier> process that made the assumption.
 Meunier> I think that the present entry should be split, one entry for every
 Meunier> application that implements the vulnerability (really describing threat
 Meunier> instances, which is what other people think about when we talk about
 Meunier> vulnerabilities), and one entry for the Linux kernel that allows the
 Meunier> vulnerability to happen.
 Frech> XF:hp-inetd
 Frech> XF:linux-inetd-dos


=================================
Candidate: CAN-1999-0250
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:qmail-leng

Denial of service in Qmail through long SMTP commands.

INFERRED ACTION: CAN-1999-0250 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(2) Hill, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF:qmail-rcpt
 Christey> DUPE CAN-1999-0418 and CAN-1999-0144?




--------------------- CLUSTER NTLOW ---------------------

NTLOW (19 candidates)
--------------------
Proposed: 6/29
Scheduled Interim Decision: 7/12
Scheduled Final Decision: 7/16

Some low controversy NT vulnerabilities


Voters:
  Frech MODIFY(1) REVIEWING(2)
  Wall NOOP(3)
  Hill ACCEPT(3)
  Blake MODIFY(1)


<FINAL> --> 16
<MODIFIED> --> 1
<PROPOSED> --> 2
MODIFY --> 1
REVIEWING --> 2

=================================
Candidate: CAN-1999-0225
Published:
Final-Decision:
Interim-Decision:
Modified: 19991220-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: SNI:SNI-25
Reference: MSKB:Q180963

Denial of service in Windows NT using a malformed SMB logon request
before logging in and accessing shares.

Modifications:
  ADDREF MSKB:Q180963
  reword description

INFERRED ACTION: CAN-1999-0225 MOREVOTES (1 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Hill
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> XF:nt-logondos


=================================
Candidate: CAN-1999-0285
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

Denial of service in telnet from the Windows NT Resource Kit, by
opening then immediately closing a connection.

INFERRED ACTION: CAN-1999-0285 MOREVOTES (0 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(1) Hill
   NOOP(1) Wall
   REVIEWING(1) Frech


=================================
Candidate: CAN-1999-0549
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: CF

Windows NT automatically logs in an administrator upon rebooting.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0549 MOREVOTES (1 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Hill
   MODIFY(1) Blake
   NOOP(1) Wall
   REVIEWING(1) Frech

Comments:
 Wall> Don't know what this is.  Don't think it is a vulnerability and would
 Wall> initially reject.  This is different than just renaming the
 Wall> administrator account.
 Frech> Would appreciate more information on this one, as in a reference.
 Blake> Reference: XF:nt-autologin




--------------------- CLUSTER BUF ---------------------

BUF (33 candidates)
--------------------
Proposed: 6/23
Scheduled Interim Decision: 7/5
Scheduled Final Decision: 7/9

Some (not all) buffer overflows in single applications


Voters:
  Frech ACCEPT(2) MODIFY(3) RECAST(1)
  Hill ACCEPT(6)
  Christey REJECT(2) REVIEWING(4)
  Northcutt ACCEPT(6)
  Prosser ACCEPT(1) NOOP(4) RECAST(1)


<FINAL> --> 26
<MODIFIED> --> 4
<PROPOSED> --> 2
RECAST --> 1
REJECT --> 2
REVIEWING --> 3

=================================
Candidate: CAN-1999-0187
Published:
Final-Decision:
Interim-Decision:
Modified: 19990805
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: SUN:00179

** REJECT **  Duplicate of CAN-1999-0022 (SUN:00179 is referenced in
CERT:CA-97.23.rdist)
The rdist program in Solaris has some buffer overflows that allow
attackers to gain root access.

INFERRED ACTION: CAN-1999-0187 RECAST (2 recast, 1 accept, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Hill
   RECAST(2) Prosser, Frech
   REVIEWING(1) Christey

Comments:
 Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in
 Prosser> rdist lookup( ) (ref CERT 96.14) as well as the BO in rdist function expstr()
 Prosser> (ref CERT 97-23) and various vendor bulletins.  However both of these rdist
 Prosser> BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
 Prosser> FreeBSD, SCO, SGI, etc.  Believe this falls into the SF-codebase content
 Prosser> decision.
 Frech> XF:rdist-bo (error msg formation)
 Frech> XF:rdist-bo2 (execute code)
 Frech> XF:rdist-bo3 (execute user-created code)
 Frech> XF:rdist-sept97 (root from local)
 Christey> Duplicate of CAN-1999-0022 (SUN:00179 is referenced in
 Christey> CERT:CA-97.23.rdist), but as Mike and Andre noted, there
 Christey> are multiple flaws here, so a RECAST may be necessary.


=================================
Candidate: CAN-1999-0232
Published:
Final-Decision:
Interim-Decision:
Modified: 19991220-01
Proposed: 19990623
Assigned: 19990607
Category: SF

Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

INFERRED ACTION: CAN-1999-0232 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Hill
   MODIFY(1) Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey

Comments:
 Frech> Unable to provide a match due to vague/insufficient description/references.
 Frech> Possible matches are:
 Frech> XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
 Frech> XF:http-ncsa-longurl (highest probability)
 Christey> CAN-1999-0235 is the one associated with XF:http-ncsa-longurl
 Christey> More research is necessary for this one.


=================================
Candidate: CAN-1999-0235
Published:
Final-Decision:
Interim-Decision:
Modified: 19991220-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Modifications:
  ADDREF CERT:CA-95:04
  ADDREF CIAC:F-11

INFERRED ACTION: CAN-1999-0235 SMC_REJECT (1 reject, 3 accept, 0 review)

Current Votes:
   ACCEPT(3) Northcutt, Hill, Prosser
   MODIFY(1) Frech
   REJECT(1) Christey

Comments:
 Frech> XF:http-ncsa-longurl
 Christey> CAN-1999-0235 has the same ref's as CVE-1999-0267


=================================
Candidate: CAN-1999-0255
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

Buffer overflow in ircd allows arbitrary command execution.

INFERRED ACTION: CAN-1999-0255 SMC_REJECT (1 reject, 2 accept, 0 review)

Current Votes:
   ACCEPT(2) Northcutt, Hill
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Christey

Comments:
 Frech> XF:irc-bo
 Christey> This is too general and doesn't have any references.  The
 Christey> XF reference doesn't appear to exist any more.
 Christey>
 Christey> Perhaps this reference would help:
 Christey> BUGTRAQ:19970701 ircd buffer overflow


=================================
Candidate: CAN-1999-0317
Published:
Final-Decision:
Interim-Decision:
Modified: 19991216-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo

Buffer overflow in Linux su command gives root access to local
users.

Modifications:
  ADDREF BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow

INFERRED ACTION: CAN-1999-0317 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(3) Northcutt, Hill, Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey

Comments:
 Christey> DUPE CAN-1999-0845?
 Christey> A report summary by Aleph One states that nobody was able to
 Christey> confirm this problem on any Linux distribution.


=================================
Candidate: CAN-1999-0319
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:xmcd-tiflestr

Buffer overflow in xmcd 2.1 allows local users to gain access
through a user resource setting.

INFERRED ACTION: CAN-1999-0319 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(3) Northcutt, Hill, Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey

Comments:
 Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
 Christey> A followup to this post says that xmcd is not suid here.




--------------------- CLUSTER CGI ---------------------

CGI (31 candidates)
--------------------
Proposed: 6/23
Scheduled Interim Decision: 7/5
Scheduled Final Decision: 7/9

CGI programs


Voters:
  Levy ACCEPT(1)
  Wall ACCEPT(1)
  Frech ACCEPT(2) MODIFY(1) REVIEWING(6)
  Christey NOOP(4) REVIEWING(1)
  Northcutt ACCEPT(9)
  Prosser ACCEPT(3) MODIFY(1) NOOP(5)
  Blake ACCEPT(2)


<FINAL> --> 22
<INTERIM> --> 2
<MODIFIED> --> 4
<PROPOSED> --> 3
ACCEPT --> 2
MODIFY --> 1
REVIEWING --> 6

=================================
Candidate: CAN-1999-0233
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MSKB:Q148188
Reference: XF:http-iis-cmd

IIS allows users to execute arbitrary commands using .bat or .cmd
files.

Modifications:
  ADDREF MSKB:Q148188
  DESC Remove WebSite reference.

INFERRED ACTION: CAN-1999-0233 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Prosser
   NOOP(1) Christey
   REVIEWING(1) Frech

Comments:
 Frech> XF reference is correct, but cannot find supporting reference for WebSite
 Frech> vulnerability.
 Frech> No further action to be taken unless more information forthcoming.
 Christey> Can't find the WebSite mention now, so I will remove it.


=================================
Candidate: CAN-1999-0238
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-phpfileread

php.cgi allows attackers to read any file on the system.

CONTENT-DECISIONS: SF-EXEC,SF-LOC

INFERRED ACTION: CAN-1999-0238 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Northcutt, Prosser, Frech

Comments:
 Prosser> additional source
 Prosser> AUSCERT External Security Bulletin ESB-97.047
 Prosser> http://www.auscert.org.au
 Prosser> Published:
 Prosser> Final-Decision:
 Prosser> Interim-Decision:
 Prosser> Modified:
 Prosser> Announced: 19990623
 Prosser> Assigned: 19990607
 Prosser> Category: SF
 Prosser> Reference: XF:http-iis-2e
 Prosser> IIS 3.0 allows remote intruders to read source code for ASP programs
 Prosser> by using a "2e" instead of a "." in the URL.


=================================
Candidate: CAN-1999-0253
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

IIS 3.0 with the iis-fix hotfix installed allows remote intruders to
read source code for ASP programs by using a %2e instead of a . (dot)
in the URL.

INFERRED ACTION: CAN-1999-0253 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Northcutt, Frech
   NOOP(2) Prosser, Christey

Comments:
 Christey> This is a problem that was introduced after patching a
 Christey> previous dot bug with the iis-fix hotfix (see CAN-1999-0154).
 Christey> Since the hotfix introduced the problem, this should be
 Christey> treated as a separate issue.

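The pattern behind the %2e bypass described for CAN-1999-0253, as an added example that is not part of this voting record and is not IIS code: a server that classifies a request by looking at the raw URL path sees "/default%2easp", decides it is not an .asp script, and serves the file's source as static content. The hardened version decodes exactly once and only then classifies. The function names naive_is_script, url_decode and hardened_is_script, the 1024-byte path limit and the probe URLs are the example's own; what Microsoft's hotfix actually changed is not documented on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Naive dispatch, the pattern the %2e bypass defeats: the server decides
 * whether a request is a script by looking at the raw URL path, so
 * "/default%2easp" does not end in ".asp", is classified as a static file,
 * and its source goes to the client.  Returns 1 for "script", 0 for
 * "static file". */
int naive_is_script(const char *raw_path) {
    size_t n = strlen(raw_path);
    return n >= 4 && strcasecmp(raw_path + n - 4, ".asp") == 0;
}

/* Percent-decode in one pass.  Returns the decoded length (which may differ
 * from strlen(out) if the input contained %00), or -1 if the input has a
 * malformed or truncated %XX escape or does not fit in out. */
long url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return -1;
            char hex[3] = { p[1], p[2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            p += 2;
        }
        if (o + 1 >= outlen) return -1;      /* leave room for the NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

/* Hardened dispatch: canonicalize (decode) exactly once, then classify the
 * decoded path, so every spelling of the same file name is handled by the
 * same rule.  Returns 1 for "script", 0 for "static file", -1 for "reject"
 * (malformed escape, or a decoded NUL that would truncate the file name at
 * the filesystem layer and defeat the extension check again). */
int hardened_is_script(const char *raw_path) {
    char dec[1024];
    long n = url_decode(raw_path, dec, sizeof dec);
    if (n < 0) return -1;
    if ((size_t)n != strlen(dec)) return -1;   /* embedded %00 */
    return n >= 4 && strcasecmp(dec + n - 4, ".asp") == 0;
}

int main(void) {
    /* constructed probes */
    const char *probes[] = { "/default.asp", "/default%2easp", "/index.html",
                             "/default%2easp%00", "/bad%zz" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-20s naive=%d hardened=%d\n", probes[i],
               naive_is_script(probes[i]), hardened_is_script(probes[i]));
    return 0;
}
```

The general rule this illustrates is that the string used for the security decision must be the same canonical form that the file system or script engine will eventually see; decoding after the check (or decoding twice) reopens the same class of bypass.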

=================================
Candidate: CAN-1999-0268
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products

MetaInfo MetaWeb web server allows users to upload and execute scripts.

INFERRED ACTION: CAN-1999-0268 MOREVOTES (1 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Prosser
   REVIEWING(1) Frech


=================================
Candidate: CAN-1999-0270
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CIAC:I-041
Reference: XF:sgi-pfdispaly

pfdispaly CGI program for SGI's Performer API Search Tool allows read
access to files.

Modifications:
  ADDREF CIAC:I-041
  ADDREF XF:sgi-pfdispaly

INFERRED ACTION: CAN-1999-0270 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Northcutt, Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Prosser> additional source
 Prosser> CIAC Security Bulletin I-041
 Prosser> http://www.ciac.org
 Frech> XF:sgi-pfdispaly
 Frech> XF:sgi-dispaly-patch-vuln
 Christey> There are two bugs here, as described in Bugtraq.  The first one
 Christey> allowed read access to files outside of a document root (a dot dot
 Christey> problem).  The second one was a shell metacharacter problem.
 Christey> Reference: BUGTRAQ:19980407: perfomer_tools again
 Christey> CAN-1999-0270 refers to the first problem only.


=================================
Candidate: CAN-1999-0271
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Progressive Networks Real Video server (pnserver) can be crashed remotely.

Modifications:
  ADDREF BUGTRAQ:19980115 pnserver exploit..
  ADDREF BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

INFERRED ACTION: CAN-1999-0271 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Blake
   NOOP(2) Prosser, Christey
   REVIEWING(1) Frech

Comments:
 Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
 Christey> posting), but may be multiple codebases since several
 Christey> Real Audio servers are affected.
 Christey>
 Christey> Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
 Christey> See CAN-1999-0896


=================================
Candidate: CAN-1999-0283
Published:
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer

The Java Web Server would allow remote users to obtain the source
code for CGI programs.

Modifications:
  ADDREF BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
  DESC Augment the description to include .jhtml

INFERRED ACTION: CAN-1999-0283 MOREVOTES (2 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Blake
   NOOP(1) Prosser
   REVIEWING(1) Frech


=================================
Candidate: CAN-1999-0347
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan26,1999
Reference: NTBUGTRAQ:Jan28,1999

Javascript bug in Internet Explorer 4.01 by adding %01URL allows
reading local files and spoofing of web pages from other sites.

INFERRED ACTION: CAN-1999-0347 SMC_REVIEW (3 accept, 2 review)

Current Votes:
   ACCEPT(2) Northcutt, Levy
   MODIFY(1) Prosser
   REVIEWING(2) Frech, Christey

Comments:
 Prosser> this is a modified Cross-Frame vulnerability that circumvents
 Prosser> the original Cross-Frame Patch.  Addressed in MS Bulletin MS99.012
 Prosser> http://www.microsoft.com/security/bulletins/ms99-012.asp
 Christey> Duplicate of CAN-1999-0490?


=================================
Candidate: CAN-1999-0360
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: NTBUGTRAQ:Jan29,1999

MS Site Server 2.0 with IIS 4 can allow users to upload content,
including ASP, to the target web site, thus allowing them to
execute commands remotely.

INFERRED ACTION: CAN-1999-0360 MOREVOTES (2 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Wall
   NOOP(1) Prosser
   REVIEWING(1) Frech




--------------------- CLUSTER VEN-BSD ---------------------

VEN-BSD (13 candidates)
--------------------
Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from BSD vendors


Voters:
  Frech ACCEPT(1) MODIFY(8)


<FINAL> --> 13
ACCEPT --> 1
MODIFY --> 8



--------------------- CLUSTER VEN-OTHERS ---------------------

VEN-OTHERS (2 candidates)
--------------------
Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from other vendors


Voters:
  Frech MODIFY(1)
  Shostack ACCEPT(1)
  Hill ACCEPT(1)
  Northcutt ACCEPT(1)
  Prosser MODIFY(1)


<FINAL> --> 1
<PROPOSED> --> 1
MODIFY --> 1

=================================
Candidate: CAN-1999-0358
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: COMPAQ:SSRT0583U

Digital Unix 4.0 has a buffer overflow in the inc program of the mh
package.

CONTENT-DECISIONS: SF-CODEBASE/DUPE

INFERRED ACTION: CAN-1999-0358 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Shostack, Northcutt, Hill
   MODIFY(2) Prosser, Frech

Comments:
 Prosser> Ref'd SSRT has an 'at' vulnerability as well, supposedly fixed by
 Prosser> the patch.  Shouldn't this be included as a separate CVE in this
 Prosser> cluster?  Ref: BugTraq "Digital Unix Buffer Overflows: Exploits" from
 Prosser> Lamont Granquist for both as well.
 Frech> Reference: XF:du-inc




--------------------- CLUSTER VEN-SGI ---------------------

VEN-SGI (7 candidates)
--------------------
Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from SGI vendor


Voters:


<FINAL> --> 7



--------------------- CLUSTER VEN-HP ---------------------

VEN-HP (11 candidates)
--------------------
Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from HP vendor


Voters:


<FINAL> --> 11



--------------------- CLUSTER VEN-SUN ---------------------

VEN-SUN (18 candidates)
--------------------
Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from SUN vendor


Voters:
  Frech MODIFY(2)
  Christey REVIEWING(2)
  Northcutt ACCEPT(2)
  Prosser ACCEPT(1) MODIFY(1)


<FINAL> --> 16
<MODIFIED> --> 1
<PROPOSED> --> 1
REVIEWING --> 2

=================================
Candidate: CAN-1999-0121
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Buffer overflow in dtaction command gives root access.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0121 SMC_REVIEW (3 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Prosser
   REVIEWING(1) Christey

Comments:
 Frech> Reference: XF:dtaction-bo
 Frech> Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
 Prosser> library in AIX 4.x, but reference for this Sun vulnerability should
 Prosser> only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
 Prosser> Bulletin
 Christey> This is the Same Codebase as CAN-1999-0089, so the two entries
 Christey> should be merged.


=================================
Candidate: CAN-1999-0370
Published:
Final-Decision:
Interim-Decision:
Modified: 19991210-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00184
Reference: BID:165

In Sun Solaris and SunOS, man and catman contain vulnerabilities
that allow overwriting arbitrary files.

Modifications:
  ADDREF BID:165

INFERRED ACTION: CAN-1999-0370 SMC_REVIEW (3 accept, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> Reference: XF:sun-man
 Christey> Is the Linux man symlink problem the same as the one for Sun?
 Christey> See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1




--------------------- CLUSTER VEN-AIX ---------------------

VEN-AIX (10 candidates)
--------------------
Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from AIX vendor


Voters:
  Frech MODIFY(3)
  Shostack ACCEPT(3)
  Christey REJECT(1) REVIEWING(2)
  Northcutt ACCEPT(3)
  Prosser MODIFY(3)


<FINAL> --> 7
<INTERIM> --> 2
<PROPOSED> --> 1
REJECT --> 1
REVIEWING --> 2

=================================
Candidate: CAN-1999-0086
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

AIX routed allows remote users to modify sensitive files.

Modifications:
  ADDREF XF:ibm-routed

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0086 SMC_REJECT (1 reject, 4 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   REJECT(1) Christey

Comments:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on, which is
 Prosser> the problem.  Should this be more specific in the description?  This
 Prosser> one also affects SGI OSes (ref SGI Security Advisory 19981004-PX, which
 Prosser> is in the SGI cluster); shouldn't these be cross-referenced, as the same
 Prosser> vuln affects multiple OSes?
 Christey> This appears to be subsumed by CVE-1999-0215


=================================
Candidate: CAN-1999-0088
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:004.1

IRIX and AIX automountd services (autofsd) allow remote users to
execute root commands.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0088 SMC_REVIEW (4 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   REVIEWING(1) Christey

Comments:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and
 Frech> remote'.
 Frech> Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the
 Prosser> description.
 Prosser> SGI Security Advisory 19981005-01-PX
 Christey> DUPE CAN-1999-0210?


=================================
Candidate: CAN-1999-0089
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Buffer overflow in AIX libDtSvc library can allow local users
to gain root access.

Modifications:
  ADDREF XF:ibm-libDtSvc

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0089 SMC_REVIEW (4 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   REVIEWING(1) Christey

Comments:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility.  Also affects
 Prosser> dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
 Prosser> specific.
 Christey> Same Codebase as CAN-1999-0121, so the two entries should be
 Christey> merged.




--------------------- CLUSTER CERT ---------------------

CERT (60 candidates)
--------------------
Proposed: 6/7
Scheduled Final Decision: 7/2

candidates associated with CERT advisories


Voters:
  Wall ACCEPT(3)
  Shostack ACCEPT(3) REVIEWING(1)
  Frech ACCEPT(1) MODIFY(2) RECAST(1)
  Hill ACCEPT(2)
  Christey RECAST(1) REVIEWING(2)
  Landfield ACCEPT(2)
  Northcutt ACCEPT(3) RECAST(1)


<FINAL> --> 56
<MODIFIED> --> 2
<PROPOSED> --> 2
RECAST --> 3
REVIEWING --> 2

=================================
Candidate: CAN-1999-0004
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008

MIME buffer overflow in email clients, e.g. Solaris mailtool
and Outlook.

Modifications:
  ADDREF MS:MS98-008
  DESC include Outlook

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0004 ACCEPT_REV (4 accept, 3 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(3) Northcutt, Landfield, Wall
   MODIFY(1) Frech
   REVIEWING(1) Shostack

Comments:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
 Frech> this suggestion, I will not be devastated.) :-)


=================================
Candidate: CAN-1999-0033
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0033 RECAST (1 recast, 3 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Hill, Shostack, Wall
   RECAST(1) Frech

Comments:
 Frech> This vulnerability also manifests itself for the following
 Frech> platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
 Frech> please add the following:
 Frech> Reference: XF:at-bo


=================================
Candidate: CAN-1999-0078
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions,
or execute arbitrary commands through arguments in the RPC call.

Modifications:
  DELREF XF:nfs-pcnfsd

INFERRED ACTION: CAN-1999-0078 RECAST (1 recast, 4 accept, 0 review)

Current Votes:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield
   RECAST(1) Christey

Comments:
 Christey> This candidate should be SPLIT, since there are two separate
 Christey> software flaws.  One is a symlink race and the other is a
 Christey> shell metacharacter problem.


=================================
Candidate: CAN-1999-0142
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr

Java Applet Security Manager allows an applet to connect to arbitrary
hosts.

INFERRED ACTION: CAN-1999-0142 RECAST (1 recast, 3 accept, 1 review)

Current Votes:
   ACCEPT(3) Hill, Shostack, Wall
   MODIFY(1) Frech
   RECAST(1) Northcutt
   REVIEWING(1) Christey

Comments:
 Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and
 Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted
 Northcutt> applets) can connect to arbitrary hosts as a matter of course.  You
 Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar
 Northcutt> expert before issuing this one.  NOTE: another reason to consider
 Northcutt> the original date!!!
 Christey> Noting Steve Northcutt's comments, perhaps we would need to modify the
 Christey> description somewhat to distinguish between current Java versions and
 Christey> the one that had this vulnerability.  However, the CERT reference
 Christey> associates a general place and time for where this vulnerability
 Christey> arose, so I don't think it's too big of a deal.
 Frech> Reference: XF:http-java-appletsecmgr

Page Last Updated or Reviewed: May 22, 2007