[VOTEPRI] 6 High Priority Candidates as of 4/11/2000

I have defined a new [VOTEPRI] tag for the regular "high priority"
voting lists.

The following 6 candidates are the remainder of last week's high
priority list (thanks to Craig Ozancin for knocking off the other 13,
which are comfortably in Interim Decision.)

These candidates have all been acknowledged by the software vendor.
They need just 1 more ACCEPT vote.  If you have a chance to vote on
these, please send your votes to me.

Thanks,
- Steve

=================================
Candidate: CAN-2000-0050
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:915
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=915
Reference: ALLAIRE:ASB00-01
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=13976&Method=Full

The Allaire Spectra Webtop allows authenticated users to access other
Webtop sections by specifying explicit URLs.

INFERRED ACTION: CAN-2000-0050 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Ozancin

Comments:
 Frech> XF:allaire-webtop-access


=================================
Candidate: CAN-2000-0051
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BID:916
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=916
Reference: ALLAIRE:ASB00-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=13977&Method=Full

The Allaire Spectra Configuration Wizard allows remote attackers to
cause a denial of service by repeatedly resubmitting data collections
for indexing via a URL.

INFERRED ACTION: CAN-2000-0051 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Ozancin

Comments:
 Frech> XF:allaire-spectra-config-dos


=================================
Candidate: CAN-2000-0070
Published:
Final-Decision:
Interim-Decision:
Modified: 20000204-01
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BINDVIEW:20000113 Local Promotion Vulnerability in Windows NT 4
Reference: URL:http://www.bindview.com/security/advisory/adv_NtImpersonate.html
Reference: MS:MS00-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-003.asp
Reference: MSKB:Q247869
Reference: XF:nt-spoofed-lpc-port
Reference: URL:http://xforce.iss.net/search.php3?type=2&pattern=nt-spoofed-lpc-port

NtImpersonateClientOfPort local procedure call in Windows NT 4.0
allows local users to gain privileges, aka "Spoofed LPC Port Request."

Modifications:
  ADDREF XF:nt-spoofed-lpc-port

INFERRED ACTION: CAN-2000-0070 MOREVOTES-1 (1 accept, 3 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Ozancin

Comments:
 Frech> ADDREF XF:nt-spoofed-lpc-port


=================================
Candidate: CAN-2000-0112
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: CF
Reference: BUGTRAQ:20000202 vulnerability in Linux Debian default boot configuration
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94973075614088&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94952030018431&w=2
Reference: BID:960
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=960

The default installation of Debian Linux uses an insecure Master Boot
Record (MBR) which allows a local user to boot from a floppy disk
during the installation.

INFERRED ACTION: CAN-2000-0112 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Wall, Ozancin


=================================
Candidate: CAN-2000-0165
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000223
Assigned: 20000223
Category: SF
Reference: BUGTRAQ:20000210 Re: application proxies?
Reference: FREEBSD:FreeBSD-SA-00:04
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=Pine.BSF.4.21.0002192249290.10784-100000@freefall.freebsd.org
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-8&msg=Pine.BSF.4.10.10002100058420.43483-100000@hydrant.intranova.net

The Delegate application proxy has several buffer overflows which
allow a remote attacker to execute commands.

INFERRED ACTION: CAN-2000-0165 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Cole
   NOOP(3) Wall, LeBlanc, Ozancin


=================================
Candidate: CAN-2000-0173
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: SCO:SB-00.08a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.08a

Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote
attackers to cause a denial of service.

INFERRED ACTION: CAN-2000-0173 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Blake
   NOOP(4) Wall, LeBlanc, Ozancin, Cole

Page Last Updated or Reviewed: May 22, 2007