[INTERIM] ACCEPT 34 recent candidates (Final 6/1)
I have made an Interim Decision to ACCEPT the following 34 candidates
from various RECENT-XX clusters, most of which were originally
proposed sometime in 1999. I will make a Final Decision on the
evening of June 1, 2000.
The candidates come from the following clusters:
11 RECENT-01
1 RECENT-02
1 RECENT-04
1 RECENT-07
2 RECENT-13
11 RECENT-14
4 RECENT-15
3 RECENT-16
Voters:
Wall ACCEPT(3) NOOP(9)
Levy ACCEPT(3)
LeBlanc NOOP(9)
Ozancin ACCEPT(2)
Cole ACCEPT(24) MODIFY(4) NOOP(5)
Stracener ACCEPT(17) MODIFY(2) NOOP(1)
Dik MODIFY(1)
Frech ACCEPT(3) MODIFY(27)
Northcutt ACCEPT(7)
Christey NOOP(10)
Armstrong ACCEPT(13) NOOP(6)
Prosser ACCEPT(9) NOOP(1) REVIEWING(1)
Blake NOOP(2) RECAST(1)
=================================
Candidate: CAN-1999-0819
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991130 NTmail and VRFY
Reference: BUGTRAQ:19991130 NTmail and VRFY
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94398141118586&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94407764018739&w=2
Reference: XF:nt-mail-vrfy
NTMail does not disable the VRFY command, even if the administrator
has explicitly disabled it.
Modifications:
ADDREF XF:nt-mail-vrfy
INFERRED ACTION: CAN-1999-0819 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Prosser
MODIFY(2) Cole, Frech
NOOP(2) Armstrong, Christey
Comments:
Cole> The references are wrong. The BID is 856 and the full ID is
Cole> 19991129 not 30.
Cole> I would add that NTMail does not disable the VRFY command on ESMTP
Cole> servers, even ... This can be used to gather information about users' email
Cole> addresses.
Frech> XF:nt-mail-vrfy
Christey> Mike Prosser's REVIEWING vote expires on May 8, 2000
=================================
Candidate: CAN-1999-0832
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991109 undocumented bugs - nfsd
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.20.9911091058140.12964-100000@mail.zigzag.pl
Reference: DEBIAN:19991111 buffer overflow in nfs server
Reference: URL:http://www.debian.org/security/1999/19991111
Reference: SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_29.txt
Reference: CALDERA:CSSA-1999-033.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-033.0.txt
Reference: REDHAT:RHSA-1999:053-01
Reference: URL:http://www.redhat.com/support/errata/rh42-errata-general.html#NFS
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: XF:linux-nfs-maxpath-bo
Reference: BID:782
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=782
Buffer overflow in NFS server on Linux allows attackers to execute
commands via a long pathname.
Modifications:
ADDREF BUGTRAQ:19991109 undocumented bugs - nfsd
ADDREF DEBIAN:19991111 buffer overflow in nfs server
ADDREF SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita
ADDREF CALDERA:CSSA-1999-033.0
ADDREF REDHAT:RHSA-1999:053-01
ADDREF BID:782
ADDREF XF:linux-nfs-maxpath-bo
DESC Remove Slackware, say it's on Linux systems.
INFERRED ACTION: CAN-1999-0832 ACCEPT (5 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(3) Armstrong, Cole, Prosser
MODIFY(2) Stracener, Frech
NOOP(1) Christey
Comments:
Stracener> Suggest removing "Slackware 7.0" from the description
Stracener> Add Ref: CSSA-1999-033.0
Stracener> Add Ref: DEBIAN: nfs-server: buffer overflow in nfs server 11/11/99
Stracener> Add Ref: SuSE Security Announcement "nfs-server < 2.2beta47 within
Stracener> nkita" 11/12/99
Frech> XF:linux-nfs-maxpath-bo
Christey> ADDREF DEBIAN:19991111 buffer overflow in nfs server
Christey> ADDREF SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita
Christey> ADDREF CALDERA:CSSA-1999-033.0
Christey> ADDREF RHSA-1999:053-01
Christey> ADDREF? BID:782
Christey> ADDREF? BUGTRAQ:19991109 undocumented bugs - nfsd
Prosser> agree that description should be generic Linux vice Slackware
Prosser> only since multiple versions affected
=================================
Candidate: CAN-1999-0836
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000501-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare 7 uidadmin exploit + discussion
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991202160111.20553.qmail@nwcst282.netaddress.usa.net
Reference: SCO:SB-99.22a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.22a
Reference: BID:842
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=842
Reference: XF:unixware-uid-admin
UnixWare uidadmin allows local users to modify arbitrary files via
a symlink attack.
Modifications:
ADDREF BID:842
ADDREF XF:unixware-uid-admin
ADDREF SCO:SB-99.22a
INFERRED ACTION: CAN-1999-0836 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Stracener, Armstrong, Prosser
MODIFY(2) Cole, Frech
NOOP(1) Christey
Comments:
Cole> The BID is 842.
Frech> unixware-uid-admin
Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.22a
=================================
Candidate: CAN-1999-0838
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability
Reference: XF:servu-ftp-site-bo
Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a
denial of service via the SITE command.
Modifications:
ADDREF XF:servu-ftp-site-bo
INFERRED ACTION: CAN-1999-0838 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Armstrong, Cole, Stracener, Prosser
MODIFY(1) Frech
Comments:
Frech> XF:servu-ftp-site-bo
=================================
Candidate: CAN-1999-0842
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: BUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPCEAFCBAA.labs@ussrback.com
Reference: BID:827
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=827
Reference: XF:symantec-mail-dir-traversal
Symantec Mail-Gear 1.0 web interface server allows remote users to
read arbitrary files via a .. (dot dot) attack.
Modifications:
ADDREF XF:symantec-mail-dir-traversal
INFERRED ACTION: CAN-1999-0842 ACCEPT (5 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Armstrong, Cole, Stracener, Prosser
MODIFY(1) Frech
Comments:
Frech> XF:symantec-mail-dir-traversal
=================================
Candidate: CAN-1999-0854
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: unknown
Reference: BUGTRAQ:19991130 Ultimate Bulletin Board v5.3x? Bug
Reference: BUGTRAQ:20000225 FW: Important UBB News For Licensed Users
Reference: CONFIRM:http://www.ultimatebb.com/home/versions.shtml
Reference: XF:http-ultimate-bbs
Ultimate Bulletin Board stores data files in the cgi-bin directory,
allowing remote attackers to view the data if an error occurs when the
HTTP server attempts to execute the file.
Modifications:
ADDREF BUGTRAQ:20000225 FW: Important UBB News For Licensed Users
ADDREF CONFIRM:http://www.ultimatebb.com/home/versions.shtml
INFERRED ACTION: CAN-1999-0854 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Armstrong, Cole
MODIFY(1) Frech
NOOP(3) Stracener, Christey, Prosser
Comments:
Frech> XF:http-ultimate-bbs
Christey> The following could be a confirmation by UBB:
Christey> BUGTRAQ:20000225 FW: Important UBB News For Licensed Users
Christey> Also see the entry for Version 5.44 on February 18, 2000
Christey> at http://www.ultimatebb.com/home/versions.shtml
=================================
Candidate: CAN-1999-0856
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Slackware 7.0 - login bug
Reference: XF:slackware-remote-login
login in Slackware 7.0 allows remote attackers to identify valid users
on the system by reporting an encryption error when an account is
locked or does not exist.
Modifications:
ADDREF XF:slackware-remote-login
INFERRED ACTION: CAN-1999-0856 ACCEPT_REV (4 accept, 0 ack, 1 review)
Current Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(1) Frech
REVIEWING(1) Prosser
Comments:
Frech> XF:slackware-remote-login
=================================
Candidate: CAN-1999-0859
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: SUNBUG:4296166
Reference: BID:837
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=837
Reference: XF:sol-arp-parse
Solaris arp allows local users to read files via the -f parameter,
which lists lines in the file that do not parse properly.
Modifications:
ADDREF SUNBUG:4296166
ADDREF XF:sol-arp-parse
INFERRED ACTION: CAN-1999-0859 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Armstrong, Stracener, Prosser
MODIFY(3) Cole, Frech, Dik
Comments:
Cole> This attack makes it possible to read bin and owned files to which
Cole> read access is not permitted to local users through exploiting subtle
Cole> vulnerabilities in arp and chkperm.
Frech> XF:sol-arp-parse
Dik> include reference to Sun bug 4296166
=================================
Candidate: CAN-1999-0864
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare coredumps follow symlinks
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991203020720.13115.qmail@nwcst289.netaddress.usa.net
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94530783815434&w=2
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94606167110764&w=2
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Reference: XF:sco-coredump-symlink
Reference: BID:851
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=851
UnixWare programs that dump core allow a local user to
modify files via a symlink attack on the ./core.pid file.
Modifications:
ADDREF BUGTRAQ:19991223 FYI, SCO Security patches available.
ADDREF BUGTRAQ:19991220 SCO OpenServer Security Status
ADDREF XF:sco-coredump-symlink
INFERRED ACTION: CAN-1999-0864 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Armstrong, Cole, Stracener, Prosser
MODIFY(1) Frech
Comments:
Frech> XF:sco-coredump-symlink
Prosser> FYI, the ptf 7016m that fixes this problem in UnixWare 7.0 is
Prosser> still available. However, it appears (at least I haven't been able to view
Prosser> them) 7096n for 7.0.1, 7413j for 7.1.0, and 7626a for 7.1.1 are no longer
Prosser> available from the SCO Security Site. Don't know if they are fixing them
Prosser> since they were pre-release or have included them in other SSEs or upgrades.
=================================
Candidate: CAN-1999-0865
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 CommuniGatePro 3.1 for NT DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94426440413027&w=2
Reference: NTBUGTRAQ:19991203 CommuniGatePro 3.1 for NT Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94454565726775&w=2
Reference: BID:860
Reference: XF:communigate-pro-bo
Buffer overflow in CommuniGatePro via a long string to the HTTP
configuration port.
Modifications:
ADDREF BID:860
ADDREF XF:communigate-pro-bo
INFERRED ACTION: CAN-1999-0865 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) Armstrong, Cole, Stracener, Prosser
MODIFY(1) Frech
Comments:
Frech> XF:communigate-pro-bo
Prosser> add BID 860, http://www.securityfocus.com/bid/860
=================================
Candidate: CAN-1999-0866
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000501-02
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 UnixWare gain root with non-su/gid binaries
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94530783815434&w=2
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94606167110764&w=2
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Reference: SCO:SB-99.24a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.24a
Reference: XF:sco-xauto-bo
Reference: BID:848
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=848
Buffer overflow in UnixWare xauto program allows local users to gain
root privilege.
Modifications:
ADDREF BUGTRAQ:19991223 FYI, SCO Security patches available.
ADDREF BUGTRAQ:19991220 SCO OpenServer Security Status
ADDREF XF:sco-xauto-bo
ADDREF SCO:SB-99.24a
INFERRED ACTION: CAN-1999-0866 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Armstrong, Stracener, Prosser
MODIFY(2) Cole, Frech
NOOP(1) Christey
Comments:
Cole> I would take out the word local.
Frech> XF:sco-xauto-bo
Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.24a
=================================
Candidate: CAN-1999-0976
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: OPENBSD:19991204
Reference: BUGTRAQ:19991207 [Debian] New version of sendmail released
Reference: XF:sendmail-bi-alias
Reference: BID:857
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=857
Sendmail allows local users to reinitialize the aliases database via
the newaliases command, then cause a denial of service by interrupting
Sendmail.
Modifications:
ADDREF OPENBSD:19991204
ADDREF XF:sendmail-bi-alias
INFERRED ACTION: CAN-1999-0976 RECAST (1 recast, 3 accept, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
MODIFY(1) Frech
NOOP(1) Christey
RECAST(1) Blake
Comments:
Blake> *This issue is insufficiently defined. I can't see why it should be
Blake> restricted to Debian, in fact, I just ran newaliases on FreeBSD-3.2 as a
Blake> regular user and it ran. Perhaps the entry can be broadened to include
Blake> incorrect permissions on the newaliases binary...
Frech> XF:sendmail-bi-alias
Christey> ADDREF OPENBSD:19991204
Christey> http://www.openbsd.org/errata.html#sendmail
=================================
Candidate: CAN-2000-0004
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: BUGTRAQ:19991223 Re: Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94606572912422&w=2
Reference: XF:zbserver-url-dot
ZBServer Pro allows remote attackers to read source code for
executable files by inserting a . (dot) into the URL.
Modifications:
ADDREF XF:zbserver-url-dot
INFERRED ACTION: CAN-2000-0004 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Armstrong
MODIFY(2) Stracener, Frech
NOOP(1) Christey
Comments:
Stracener> The references don't discuss the (dot) attack mentioned in the
Stracener> description. Suggest changing the description or citing the relevant
Stracener> sources.
Christey> An email followup mentioned another possible bug.
Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=94606572912422&w=2
Christey>
Frech> XF:zbserver-url-dot
=================================
Candidate: CAN-2000-0113
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000419-01
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000128 SyGate 3.11 Port 7323 / Remote Admin hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94934808714972&w=2
Reference: BUGTRAQ:20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94952641025328&w=2
Reference: BUGTRAQ:20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94973281714994&w=2
Reference: CONFIRM:http://www.sybergen.com/support/fix.htm
Reference: BID:952
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=952
The SyGate Remote Management program does not properly restrict access
to its administration service, which allows remote attackers to
cause a denial of service, or access network traffic statistics.
INFERRED ACTION: CAN-2000-0113 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Levy
NOOP(2) Christey, Wall
Comments:
Christey> Sygate confirms this in 01/2000 - Build 563 (Beta) with
Christey> the comment: "fix to block external telnet to port 7323
Christey> without enhanced security."
=================================
Candidate: CAN-2000-0169
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: NTBUGTRAQ:20000314 Oracle Web Listener 4.0.x
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0211.html
Reference: BID:1053
Reference: URL:http://www.securityfocus.com/bid/1053
Reference: XF:oracle-weblistener-remote-attack
Batch files in the Oracle web listener ows-bin directory allow remote
attackers to execute commands via a malformed URL that includes '?&'.
Modifications:
ADDREF XF:oracle-weblistener-remote-attack
INFERRED ACTION: CAN-2000-0169 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Ozancin, Cole
MODIFY(1) Frech
NOOP(3) Wall, Blake, LeBlanc
Comments:
Frech> XF:oracle-weblistener-remote-attack
=================================
Candidate: CAN-2000-0171
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000311 TESO advisory -- atsadc
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0102.html
Reference: XF:atsar-root-access
Reference: BID:1048
Reference: URL:http://www.securityfocus.com/bid/1048
atsadc in the atsar package for Linux does not properly check the
permissions of an output file, which allows local users to gain root
privileges.
Modifications:
ADDREF XF:atsar-root-access
INFERRED ACTION: CAN-2000-0171 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Ozancin, Cole
MODIFY(1) Frech
NOOP(3) Wall, Blake, LeBlanc
Comments:
Frech> XF:atsar-root-access
=================================
Candidate: CAN-2000-0226
Published:
Final-Decision:
Interim-Decision: 20000530
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-018.asp
Reference: BID:1066
Reference: URL:http://www.securityfocus.com/bid/1066
Reference: XF:iis-chunked-encoding-dos
IIS 4.0 allows attackers to cause a denial of service by requesting a
large buffer in a POST or PUT command which consumes memory, aka the
"Chunked Transfer Encoding Buffer Overflow Vulnerability."
INFERRED ACTION: CAN-2000-0226 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Frech, Cole
=================================
Candidate: CAN-2000-0228
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-016
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-016.asp
Reference: BID:1058
Reference: URL:http://www.securityfocus.com/bid/1058
Reference: XF:mwmt-malformed-media-license
Microsoft Windows Media License Manager allows remote attackers to
cause a denial of service by sending a malformed request that causes
the manager to halt, aka the "Malformed Media License Request"
Vulnerability.
Modifications:
ADDREF XF:mwmt-malformed-media-license
INFERRED ACTION: CAN-2000-0228 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
Comments:
Frech> XF:mwmt-malformed-media-license
=================================
Candidate: CAN-2000-0229
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000424-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000322 gpm-root
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0242.html
Reference: SUSE:20000405 Security hole in gpm < 1.18.1
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_45.txt
Reference: REDHAT:RHSA-2000:009-02
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000009-02.html
Reference: BID:1069
Reference: URL:http://www.securityfocus.com/bid/1069
Reference: XF:linux-gpm-root
gpm-root in the gpm package does not properly drop privileges, which
allows local users to gain privileges by starting a utility from
gpm-root.
Modifications:
ADDREF SUSE:20000405 Security hole in gpm < 1.18.1
ADDREF REDHAT:RHSA-2000:009-02
INFERRED ACTION: CAN-2000-0229 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Frech, Levy
NOOP(2) Cole, Wall
=================================
Candidate: CAN-2000-0230
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000316 TESO & C-Skills development advisory -- imwheel
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0168.html
Reference: REDHAT:RHSA-2000:016-02
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000016-02.html
Reference: XF:linux-imwheel-bo
Reference: BID:1060
Reference: URL:http://www.securityfocus.com/bid/1060
Buffer overflow in imwheel allows local users to gain root privileges
via the imwheel-solo script and a long HOME environmental variable.
Modifications:
ADDREF REDHAT:RHSA-2000:016-02
ADDREF XF:linux-imwheel-bo
INFERRED ACTION: CAN-2000-0230 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(2) Cole, Wall
Comments:
Frech> XF:linux-imwheel-bo
=================================
Candidate: CAN-2000-0231
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000421-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000316 "TESO & C-Skills development advisory -- kreatecd" at:
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0162.html
Reference: SUSE:20000405 Security hole in kreatecd < 0.3.8b
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_46.txt
Reference: XF:linux-kreatecd-path
Reference: BID:1061
Reference: URL:http://www.securityfocus.com/bid/1061
Linux kreatecd trusts a user-supplied path that is used to find the
cdrecord program, allowing local users to gain root privileges.
Modifications:
ADDREF SUSE:20000405 Security hole in kreatecd < 0.3.8b
INFERRED ACTION: CAN-2000-0231 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Frech, Cole
=================================
Candidate: CAN-2000-0232
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-021
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-021.asp
Reference: BUGTRAQ:20000330 Remote DoS Attack in Windows 2000/NT 4.0 TCP/IP Print Request Server Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0306.html
Reference: BID:1082
Reference: URL:http://www.securityfocus.com/bid/1082
Reference: XF:win-tcpip-printing-dos
Microsoft TCP/IP Printing Services, aka Print Services for Unix,
allows an attacker to cause a denial of service via a malformed TCP/IP
print request.
Modifications:
ADDREF XF:win-tcpip-printing-dos
INFERRED ACTION: CAN-2000-0232 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
Comments:
Frech> XF:win-tcpip-printing-dos
=================================
Candidate: CAN-2000-0233
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: SUSE:20000327 Security hole in SuSE Linux IMAP Server
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q1/0035.html
Reference: XF:linux-imap-remote-unauthorized-access
SuSE Linux IMAP server allows remote attackers to bypass IMAP
authentication and gain privileges.
Modifications:
ADDREF XF:linux-imap-remote-unauthorized-access
INFERRED ACTION: CAN-2000-0233 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Stracener, Northcutt, Armstrong
MODIFY(1) Frech
NOOP(2) Cole, LeBlanc
Comments:
Frech> XF:linux-imap-remote-unauthorized-access
=================================
Candidate: CAN-2000-0234
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: CF
Reference: BUGTRAQ:20000330 Cobalt apache configuration exposes .htaccess
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000330220757.28456.qmail@securityfocus.com
Reference: CONFIRM:http://www.securityfocus.com/templates/advisory.html?id=2150
Reference: BID:1083
Reference: URL:http://www.securityfocus.com/bid/1083
Reference: XF:cobalt-raq-remote-access
The default configuration of Cobalt RaQ2 and RaQ3 as specified in
access.conf allows remote attackers to view sensitive contents of a
.htaccess file.
Modifications:
ADDREF XF:cobalt-raq-remote-access
INFERRED ACTION: CAN-2000-0234 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Northcutt
MODIFY(1) Frech
NOOP(3) Cole, LeBlanc, Armstrong
Comments:
Frech> XF:cobalt-raq-remote-access
=================================
Candidate: CAN-2000-0235
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:10
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:10-orville-write.asc
Reference: BID:1070
Reference: URL:http://www.securityfocus.com/bid/1070
Reference: XF:freebsd-orvillewrite-bo
Buffer overflow in the huh program in the orville-write package allows
local users to gain root privileges.
Modifications:
ADDREF XF:freebsd-orvillewrite-bo
INFERRED ACTION: CAN-2000-0235 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Stracener, Northcutt, Armstrong
MODIFY(1) Frech
NOOP(2) Cole, LeBlanc
Comments:
Frech> XF:freebsd-orvillewrite-bo
=================================
Candidate: CAN-2000-0245
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000328 Objectserver vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200003290852.aa27218@blaze.arl.mil
Reference: SGI:20000303-01-PX
Reference: URL:ftp://sgigate.sgi.com/security/20000303-01-PX
Reference: XF:irix-objectserver-create-accounts
Reference: BID:1079
Reference: URL:http://www.securityfocus.com/bid/1079
Vulnerability in SGI IRIX objectserver daemon allows remote attackers
to create user accounts.
Modifications:
ADDREF XF:irix-objectserver-create-accounts
INFERRED ACTION: CAN-2000-0245 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
Comments:
Frech> XF:irix-objectserver-create-accounts
=================================
Candidate: CAN-2000-0246
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-019.asp
Reference: MSKB:Q249599
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=249599
Reference: BID:1081
Reference: URL:http://www.securityfocus.com/bid/1081
Reference: XF:iis-virtual-unc-share
IIS 4.0 and 5.0 does not properly perform ISAPI extension processing
if a virtual directory is mapped to a UNC share, which allows remote
attackers to read the source code of ASP and other files, aka the
"Virtualized UNC Share" vulnerability.
Modifications:
ADDREF XF:iis-virtual-unc-share
DESC include "Virtualized UNC Share" phrase.
INFERRED ACTION: CAN-2000-0246 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Christey
Comments:
Frech> XF:iis-virtual-unc-share
Christey> Modify desc to include "Virtualized UNC Share" phrase.
=================================
Candidate: CAN-2000-0258
Published:
Final-Decision:
Interim-Decision: 20000530
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: MS:MS00-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-023.asp
Reference: BID:1101
Reference: URL:http://www.securityfocus.com/bid/1101
IIS 4.0 and 5.0 allows remote attackers to cause a denial of service
by sending many URLs with a large number of escaped characters, aka
the "Myriad Escaped Characters" Vulnerability.
INFERRED ACTION: CAN-2000-0258 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Wall, Cole
=================================
Candidate: CAN-2000-0260
Published:
Final-Decision:
Interim-Decision: 20000530
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: MS:MS00-025
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-025.asp
Reference: BID:1109
Reference: URL:http://www.securityfocus.com/bid/1109
Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0
allows users to cause a denial of service or execute commands, aka
the "Link View Server-Side Component" vulnerability.
INFERRED ACTION: CAN-2000-0260 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Wall, Cole
=================================
Candidate: CAN-2000-0267
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: CISCO:20000419 Cisco Catalyst Enable Password Bypass Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml
Reference: XF:cisco-catalyst-password-bypass
Reference: BID:1122
Reference: URL:http://www.securityfocus.com/bid/1122
Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode
without a password.
Modifications:
ADDREF XF:cisco-catalyst-password-bypass
INFERRED ACTION: CAN-2000-0267 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Stracener, Northcutt
MODIFY(1) Frech
NOOP(3) Wall, LeBlanc, Armstrong
Comments:
Frech> XF:cisco-catalyst-password-bypass
=================================
Candidate: CAN-2000-0268
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: CISCO:20000420 Cisco IOS Software TELNET Option Handling Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml
Reference: BID:1123
Reference: URL:http://www.securityfocus.com/bid/1123
Reference: XF:cisco-ios-option-handling
Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of
service by sending the ENVIRON option to the Telnet daemon before it
is ready to accept it, which causes the system to reboot.
Modifications:
ADDREF XF:cisco-ios-option-handling
INFERRED ACTION: CAN-2000-0268 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Stracener, Northcutt
MODIFY(1) Frech
NOOP(3) Wall, LeBlanc, Armstrong
Comments:
Frech> ADDREF XF:cisco-ios-option-handling
=================================
Candidate: CAN-2000-0274
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000410 linux trustees 1.5 long path name vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0035.html
Reference: CONFIRM:http://www.braysystems.com/linux/trustees.html
Reference: XF:linux-trustees-patch-dos
Reference: BID:1096
Reference: URL:http://www.securityfocus.com/bid/1096
The Linux trustees kernel patch allows attackers to cause a denial of
service by accessing a file or directory with a long name.
Modifications:
ADDREF XF:linux-trustees-patch-dos
INFERRED ACTION: CAN-2000-0274 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Stracener, Northcutt
MODIFY(1) Frech
NOOP(4) Wall, Christey, LeBlanc, Armstrong
Comments:
Christey> This problem is confirmed in the News section for Mar 31,2000,
Christey> which mentions "a fix for the 'extra long directory name' problem."
Frech> XF:linux-trustees-patch-dos
=================================
Candidate: CAN-2000-0277
Published:
Final-Decision:
Interim-Decision: 20000530
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: MS:MS00-022
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-022.asp
Reference: BID:1087
Reference: URL:http://www.securityfocus.com/bid/1087
Microsoft Excel 97 and 2000 does not warn the user when executing
Excel Macro Language (XLM) macros in external text files, which could
allow an attacker to execute a macro virus, aka the "XLM Text Macro"
vulnerability.
INFERRED ACTION: CAN-2000-0277 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Wall, Cole
=================================
Candidate: CAN-2000-0294
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:12
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2162
Reference: BID:1107
Reference: URL:http://www.securityfocus.com/bid/1107
Reference: XF:freebsd-healthd
Buffer overflow in healthd for FreeBSD allows local users to gain root
privileges.
Modifications:
ADDREF XF:freebsd-healthd
INFERRED ACTION: CAN-2000-0294 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Stracener, Northcutt
MODIFY(1) Frech
NOOP(3) Wall, LeBlanc, Armstrong
Comments:
Frech> XF:freebsd-healthd