[FINAL] ACCEPT 23 candidates from various clusters
I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below. The
resulting CVE entries will be published in the near future in a new
version of CVE. Voting details and comments are provided at the end
of this report.
- Steve
Candidate     CVE Name
---------     ----------
CAN-2000-0170 CVE-2000-0170
CAN-2000-0172 CVE-2000-0172
CAN-2000-0178 CVE-2000-0178
CAN-2000-0182 CVE-2000-0182
CAN-2000-0186 CVE-2000-0186
CAN-2000-0189 CVE-2000-0189
CAN-2000-0194 CVE-2000-0194
CAN-2000-0196 CVE-2000-0196
CAN-2000-0200 CVE-2000-0200
CAN-2000-0201 CVE-2000-0201
CAN-2000-0202 CVE-2000-0202
CAN-2000-0207 CVE-2000-0207
CAN-2000-0208 CVE-2000-0208
CAN-2000-0209 CVE-2000-0209
CAN-2000-0210 CVE-2000-0210
CAN-2000-0211 CVE-2000-0211
CAN-2000-0212 CVE-2000-0212
CAN-2000-0215 CVE-2000-0215
CAN-2000-0217 CVE-2000-0217
CAN-2000-0218 CVE-2000-0218
CAN-2000-0221 CVE-2000-0221
CAN-2000-0222 CVE-2000-0222
CAN-2000-0224 CVE-2000-0224
=================================
Candidate: CAN-2000-0170
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000226 man bugs might lead to root compromise (RH 6.1 and other boxes)
Reference: BID:1011
Buffer overflow in the man program in Linux allows local users to
gain privileges via the MANPAGER environmental variable.
INFERRED ACTION: CAN-2000-0170 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Blake, Cole, Armstrong, Ozancin
NOOP(2) Wall, LeBlanc
=================================
Candidate: CAN-2000-0172
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified: 20000410-01
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000303 Potential security problem with mtr
Reference: DEBIAN:20000309 mtr
Reference: FREEBSD:FreeBSD-SA-00:09
Reference: BUGTRAQ:20000308 [TL-Security-Announce] mtr-0.41 and earlier TLSA2000003-1 (fwd)
Reference: BID:1038
The mtr program only uses a seteuid call when attempting to drop
privileges, which could allow local users to gain root privileges.
Modifications:
Add details to description
INFERRED ACTION: CAN-2000-0172 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(1) Ozancin
NOOP(3) Wall, Cole, LeBlanc
Comments:
Ozancin> Description does not give enough information
=================================
Candidate: CAN-2000-0178
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000227 Advisory: Foundry Networks ServerIron TCP/IP sequence predictability
Reference: MISC:http://www.foundrynet.com/bugTraq.html
Reference: BID:1017
ServerIron switches by Foundry Networks have predictable TCP/IP
sequence numbers, which allows remote attackers to spoof or hijack
sessions.
INFERRED ACTION: CAN-2000-0178 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Ozancin
NOOP(3) Wall, Cole, LeBlanc
=================================
Candidate: CAN-2000-0182
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000223 DoS for the iPlanet Web Server, Enterprise Edition 4.1
iPlanet Web Server 4.1 allows remote attackers to cause a denial of
service via a large number of GET commands, which consumes memory and
causes a kernel panic.
INFERRED ACTION: CAN-2000-0182 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Ozancin
NOOP(3) Wall, Blake, LeBlanc
=================================
Candidate: CAN-2000-0186
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000228 [ Hackerslab bug_paper ] Linux dump buffer overflow
Reference: TURBO:TLSA200007-1
Reference: BID:1020
Buffer overflow in the dump utility in the Linux ext2fs backup package
allows local users to gain privileges via a long command line
argument.
INFERRED ACTION: CAN-2000-0186 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Ozancin
NOOP(3) Wall, Blake, LeBlanc
=================================
Candidate: CAN-2000-0189
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: NTBUGTRAQ:20000301 ColdFusions application.cfm shows full path
Reference: BUGTRAQ:20000305 ColdFusion Bug: Application.cfm shows full path
Reference: BID:1021
ColdFusion Server 4.x allows remote attackers to determine the real
pathname of the server via an HTTP request to the application.cfm or
onrequestend.cfm files.
INFERRED ACTION: CAN-2000-0189 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Wall, Blake, Cole, Ozancin
NOOP(1) LeBlanc
=================================
Candidate: CAN-2000-0194
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000224 Corel Linux 1.0 local root compromise
Reference: BID:1007
buildxconf in Corel Linux allows local users to modify or create
arbitrary files via the -x or -f parameters.
INFERRED ACTION: CAN-2000-0194 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Ozancin
NOOP(3) Wall, Blake, LeBlanc
=================================
Candidate: CAN-2000-0196
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: DEBIAN:20000228 remote exploit in nmh
Reference: BID:1018
Buffer overflow in mhshow in the Linux nmh package allows remote
attackers to execute commands via malformed MIME headers in an email
message.
INFERRED ACTION: CAN-2000-0196 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Blake, Cole, Ozancin
NOOP(2) Wall, LeBlanc
=================================
Candidate: CAN-2000-0200
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: MS:MS00-015
Reference: BID:1034
Buffer overflow in Microsoft Clip Art Gallery allows remote attackers
to cause a denial of service or execute commands via a malformed CIL
(clip art library) file, aka the "Clip Art Buffer Overrun"
vulnerability.
INFERRED ACTION: CAN-2000-0200 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Blake, LeBlanc, Ozancin, Cole
=================================
Candidate: CAN-2000-0201
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000301 IE 5.x allows executing arbitrary programs using .chm files
Reference: BID:1033
The window.showHelp() method in Internet Explorer 5.x does not
restrict HTML help files (.chm) to be executed from the local host,
which allows remote attackers to execute arbitrary commands via
Microsoft Networking.
INFERRED ACTION: CAN-2000-0201 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Wall, Blake, Cole, LeBlanc
NOOP(1) Ozancin
=================================
Candidate: CAN-2000-0202
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: MS:MS00-014
Reference: BID:1041
Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow
remote attackers to gain privileges via a malformed Select statement
in an SQL query.
INFERRED ACTION: CAN-2000-0202 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Blake, LeBlanc, Ozancin, Cole
=================================
Candidate: CAN-2000-0207
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000301 infosrch.cgi vulnerability (IRIX 6.5)
Reference: BID:1031
SGI InfoSearch CGI program infosrch.cgi allows remote attackers to
execute commands via shell metacharacters.
INFERRED ACTION: CAN-2000-0207 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Blake, Cole, Ozancin
NOOP(2) Wall, LeBlanc
=================================
Candidate: CAN-2000-0208
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000228 ht://Dig remote information exposure
Reference: FREEBSD:FreeBSD-SA-00:06
Reference: DEBIAN:20000226 remote users can read files with webserver uid
Reference: TURBO:TLSA200005-1
Reference: BID:1026
The htdig (ht://Dig) CGI program htsearch allows remote attackers to
read arbitrary files by enclosing the file name with backticks (`) in
parameters to htsearch.
INFERRED ACTION: CAN-2000-0208 ACCEPT (3 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Blake, Cole, Ozancin
NOOP(2) Wall, LeBlanc
=================================
Candidate: CAN-2000-0209
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000227 lynx - someone is deaf and blind ;)
Reference: FREEBSD:FreeBSD-SA-00:08
Reference: BID:1012
Buffer overflow in Lynx 2.x allows remote attackers to crash Lynx and
possibly execute commands via a long URL in a malicious web page.
INFERRED ACTION: CAN-2000-0209 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Blake, Cole, Ozancin
NOOP(2) Wall, LeBlanc
=================================
Candidate: CAN-2000-0210
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000221 flex license manager tempfile predictable name...
Reference: BID:998
The lit program in Sun Flex License Manager (FlexLM) follows symlinks,
which allows local users to modify arbitrary files.
INFERRED ACTION: CAN-2000-0210 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Blake, Armstrong, Ozancin
NOOP(3) Wall, LeBlanc, Cole
=================================
Candidate: CAN-2000-0211
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: MS:MS00-013
Reference: XF:win-media-dos
Reference: BID:1000
The Windows Media server allows remote attackers to cause a denial of
service via a series of client handshake packets that are sent in an
improper sequence, aka the "Misordered Windows Media Services
Handshake" vulnerability.
INFERRED ACTION: CAN-2000-0211 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) Wall, Blake, LeBlanc, Cole, Armstrong
NOOP(1) Ozancin
=================================
Candidate: CAN-2000-0212
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000224 Local / Remote D.o.S Attack in InterAccess TelnetD Server Release 4.0 *ALL BUILDS* for WinNT Vulnerability
Reference: BID:1001
InterAccess TelnetID Server 4.0 allows remote attackers to conduct a
denial of service via malformed terminal client configuration
information.
INFERRED ACTION: CAN-2000-0212 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Armstrong
NOOP(4) Wall, Blake, LeBlanc, Ozancin
=================================
Candidate: CAN-2000-0215
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: SCO:SB-00.05
Reference: BID:1019
Vulnerability in SCO cu program in UnixWare 7.x allows local users to
gain privileges.
INFERRED ACTION: CAN-2000-0215 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Armstrong
NOOP(4) Wall, LeBlanc, Cole, Ozancin
=================================
Candidate: CAN-2000-0217
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000224 SSH & xauth
Reference: BID:1006
The default configuration of SSH allows X forwarding, which could
allow a remote attacker to control a client's X sessions via a
malicious xauth program.
INFERRED ACTION: CAN-2000-0217 ACCEPT (4 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Blake, Cole, Armstrong, Ozancin
NOOP(2) Wall, LeBlanc
=================================
Candidate: CAN-2000-0218
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: SUSE:20000210 util < 2.10f
Reference: CALDERA:CSSA-2000-002.0
Buffer overflow in Linux mount and umount allows local users to gain
root privileges via a long relative pathname.
INFERRED ACTION: CAN-2000-0218 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(4) Blake, Cole, Armstrong, Ozancin
NOOP(2) Wall, LeBlanc
=================================
Candidate: CAN-2000-0221
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000225 Scorpion Marlin
Reference: BID:1009
The Nautica Marlin bridge allows remote attackers to cause a denial of
service via a zero length UDP packet to the SNMP port.
INFERRED ACTION: CAN-2000-0221 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Blake, Armstrong, Ozancin
NOOP(3) Wall, LeBlanc, Cole
=================================
Candidate: CAN-2000-0222
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000215 Windows 2000 installation process weakness
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000215155750.M4500@safe.hsc.fr
Reference: BID:990
The installation for Windows 2000 does not activate the Administrator
password until the system has rebooted, which allows remote attackers
to connect to the ADMIN$ share without a password until the reboot
occurs.
INFERRED ACTION: CAN-2000-0222 ACCEPT (6 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(6) Wall, Blake, LeBlanc, Cole, Armstrong, Ozancin
=================================
Candidate: CAN-2000-0224
Published:
Final-Decision: 20000410
Interim-Decision: 20000404
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: NAI:20000215 ARCserve symlink vulnerability
Reference: SCO:SSE063
Reference: XF:sco-openserver-arc-symlink
ARCserve agent in SCO UnixWare 7.x allows local attackers to gain root
privileges via a symlink attack.
INFERRED ACTION: CAN-2000-0224 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Armstrong
NOOP(4) Wall, LeBlanc, Cole, Ozancin