Re: [PROPOSAL] Cluster RECENT-25 - 16 candidates



* Steven M. Christey (coley@LINUS.MITRE.ORG) [000719 23:35]:
> The following cluster contains 16 candidates that were announced
> between 6/19/2000 and 6/25/2000.
> 
> The candidates are listed in order of priority.  Priority 1 and
> Priority 2 candidates both deal with varying levels of vendor
> confirmation, so they should be easy to review and it can be trusted
> that the problems are real.
> 
> If you discover that any RECENT-XX cluster is incomplete with respect
> to the problems discovered during the associated time frame, please
> send that information to me so that candidates can be assigned.
> 
> - Steve
> 
> 
> Summary of votes to use (in ascending order of "severity")
> ----------------------------------------------------------
> 
> ACCEPT - voter accepts the candidate as proposed
> NOOP - voter has no opinion on the candidate
> MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
> REVIEWING - voter is reviewing/researching the candidate, or needs more info
> RECAST - candidate must be significantly modified, e.g. split or merged
> REJECT - candidate is "not a vulnerability", or a duplicate, etc.
> 
> 1) Please write your vote on the line that starts with "VOTE: ".  If
>    you want to add comments or details, add them to lines after the
>    VOTE: line.
> 
> 2) If you see any missing references, please mention them so that they
>    can be included.  References help greatly during mapping.
> 
> 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
>    So if you don't have sufficient information for a candidate but you
>    don't want to NOOP, use a REVIEWING.
> 
> ********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
> 
> Please keep in mind that your vote and comments will be recorded and
> publicly viewable in the mailing list archives or in other formats.
> 
> =================================
> Candidate: CAN-2000-0573
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000622 WuFTPD: Providing *remote* root since at least1994
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2
> Reference: BUGTRAQ:20000623 WUFTPD 2.6.0 remote root exploit
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2
> Reference: BUGTRAQ:20000707 New Released Version of the WuFTPD Sploit
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96299933720862&w=2
> Reference: BUGTRAQ:20000623 ftpd: the advisory version
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623091822.3321.qmail@fiver.freemessage.com
> Reference: AUSCERT:AA-2000.02
> Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02
> Reference: CERT:CA-2000-13
> Reference: URL:http://www.cert.org/advisories/CA-2000-13.html
> Reference: DEBIAN:20000622 wu-ftp: remote root exploit in wu-ftp
> Reference: URL:http://www.debian.org/security/2000/20000623
> Reference: CALDERA:CSSA-2000-020.0
> Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-020.0.txt
> Reference: REDHAT:RHSA-2000:039-02
> Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-039-02.html
> Reference: BUGTRAQ:20000723 CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD (re-release)
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0244.html
> Reference: BUGTRAQ:20000702 [Security Announce] wu-ftpd update
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0017.html
> Reference: FREEBSD:FreeBSD-SA-00:29
> Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.wu-ftpd.asc.v1.1
> Reference: NETBSD:NetBSD-SA2000-009
> Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-010.txt.asc
> Reference: XF:wuftp-format-string-stack-overwrite
> Reference: BID:1387
> Reference: URL:http://www.securityfocus.com/bid/1387
> 
> The lreply function in wu-ftpd 2.6.0 and earlier does not properly
> cleanse an untrusted format string, which allows remote attackers to
> execute arbitrary commands via the SITE EXEC command.
> 
> 
> ED_PRI CAN-2000-0573 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0577
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000621 Netscape FTP Server - "Professional" as hell :>
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211351280.23780-100000@nimue.tpi.pl
> Reference: BUGTRAQ:20000629 (forw) Re: Netscape ftp Server (fwd)
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0345.html
> Reference: BID:1411
> Reference: URL:http://www.securityfocus.com/bid/1411
> Reference: XF:netscape-ftpserver-chroot
> 
> Netscape Professional Services FTP Server 1.3.6 allows remote
> attackers to read arbitrary files via a .. (dot dot) attack.
> 
> 
> ED_PRI CAN-2000-0577 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0578
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000621 Predictability Problems in IRIX Cron and Compilers
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0204.html
> Reference: BID:1412
> Reference: URL:http://www.securityfocus.com/bid/1412
> 
> SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in
> /tmp with predictable file names, which could allow local users to
> insert malicious contents into these files as they are being compiled
> by another user.
> 
> 
> ED_PRI CAN-2000-0578 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0579
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000621 Predictability Problems in IRIX Cron and Compilers
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0204.html
> Reference: BID:1413
> Reference: URL:http://www.securityfocus.com/bid/1413
> 
> IRIX crontab creates temporary files with predictable file names and
> with the umask of the user, which could allow local users to modify
> another user's crontab file as it is being edited.
> 
> 
> ED_PRI CAN-2000-0579 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0601
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000625 LeafChat Denial of Service
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006252056110.74551-100000@unix.za.net
> Reference: XF:irc-leafchat-dos
> Reference: BID:1396
> Reference: URL:http://www.securityfocus.com/bid/1396
> 
> LeafChat 1.7 IRC client allows a remote IRC server to cause a denial
> of service by rapidly sending a large number of error messages.
> 
> 
> ED_PRI CAN-2000-0601 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0602
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000621 rh 6.2 - gid compromises, etc
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl
> Reference: XF:redhat-secure-locate-path
> Reference: BID:1385
> Reference: URL:http://www.securityfocus.com/bid/1385
> 
> Secure Locate (slocate) in Red Hat Linux allows local users to gain
> privileges via a malformed configuration file that is specified in the
> LOCATE_PATH environmental variable.
> 
> 
> ED_PRI CAN-2000-0602 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0604
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: CF
> Reference: BUGTRAQ:20000621 rh 6.2 - gid compromises, etc
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl
> Reference: BID:1383
> Reference: URL:http://www.securityfocus.com/bid/1383
> Reference: XF:redhat-gkermit
> 
> gkermit in Red Hat Linux is improperly installed with setgid uucp,
> which allows local users to modify files owned by uucp.
> 
> 
> ED_PRI CAN-2000-0604 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0606
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000619 Problems with "kon2" package
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
> Reference: XF:linux-kon-bo
> Reference: BID:1371
> Reference: URL:http://www.securityfocus.com/bid/1371
> 
> Buffer overflow in kon program in Kanji on Console (KON) package on
> Linux may allow local users to gain root privileges via a long
> -StartupMessage parameter.
> 
> 
> ED_PRI CAN-2000-0606 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0607
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000619 Problems with "kon2" package
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
> Reference: XF:linux-kon-bo
> Reference: BID:1371
> Reference: URL:http://www.securityfocus.com/bid/1371
> 
> Buffer overflow in fld program in Kanji on Console (KON) package on
> Linux may allow local users to gain root privileges via an input file
> containing long CHARSET_REGISTRY or CHARSET_ENCODING settings.
> 
> 
> ED_PRI CAN-2000-0607 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0608
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
> Reference: BID:1376
> Reference: URL:http://www.securityfocus.com/bid/1376
> Reference: XF:dmailweb-long-pophost-dos
> 
> NetWin dMailWeb and cwMail 2.6i and earlier allow remote attackers to
> cause a denial of service via a long POP parameter (pophost).
> 
> 
> ED_PRI CAN-2000-0608 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0609
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
> Reference: XF:dmailweb-long-username-dos
> Reference: BID:1376
> Reference: URL:http://www.securityfocus.com/bid/1376
> 
> NetWin dMailWeb and cwMail 2.6g and earlier allow remote attackers to
> cause a denial of service via a long username parameter.
> 
> 
> ED_PRI CAN-2000-0609 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0610
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000623 NetWin dMailWeb Unrestricted Mail Relay
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000623203007.00944760@qlink.queensu.ca
> Reference: BID:1390
> Reference: URL:http://www.securityfocus.com/bid/1390
> 
> NetWin dMailWeb and cwMail 2.6g and earlier allow remote attackers to
> bypass authentication and use the server for mail relay via a username
> that contains a carriage return.
> 
> 
> ED_PRI CAN-2000-0610 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0611
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: CF
> Reference: BUGTRAQ:20000623 NetWin dMailWeb Unrestricted Mail Relay
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0243.html
> Reference: BID:1391
> Reference: URL:http://www.securityfocus.com/bid/1391
> 
> The default configuration of NetWin dMailWeb and cwMail trusts all POP
> servers, which allows attackers to bypass normal authentication and
> cause a denial of service.
> 
> 
> ED_PRI CAN-2000-0611 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0617
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html
> 
> Buffer overflow in xconq and cconq game programs on Red Hat Linux
> allows local users to gain additional privileges via a long USER
> environmental variable.
> 
> 
> ED_PRI CAN-2000-0617 3
> 
> 
> VOTE: REVIEWING
> 
> =================================
> Candidate: CAN-2000-0618
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html
> 
> Buffer overflow in xconq and cconq game programs on Red Hat Linux
> allows local users to gain additional privileges via a long DISPLAY
> environmental variable.
> 
> 
> ED_PRI CAN-2000-0618 3
> 
> 
> VOTE: REVIEWING
> 
> =================================
> Candidate: CAN-2000-0620
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BID:1409
> Reference: URL:http://www.securityfocus.com/bid/1409
> 
> libX11 X library allows remote attackers to cause a denial of service
> via a resource mask of 0, which causes libX11 to go into an infinite
> loop.
> 
> 
> ED_PRI CAN-2000-0620 3
> 
> 
> VOTE: ACCEPT

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007