[OOB] Out-of-band candidates for August 11, 2000

["Steven M. Christey" <coley@linus.mitre.org>]

The following candidate number has been *assigned* to a highly
publicized security problem.  This "out-of-band" candidate is being
posted to the Editorial Board list so that candidate numbers can be
made available as soon as possible for the most serious security
issues.  As a reminder, Board members can request out-of-band
candidates for recently publicized security issues that have a broad
effect.

This out-of-band candidate is *not* being proposed for votes at this
time.  It will be included in the next round of RECENT-XX clusters.

As we begin to work more closely with software vendors, we may be able
to identify a more appropriate way to make such candidates more widely
and rapidly available, e.g. by annotating advisories with candidate
numbers.  However, out-of-band assignment (and candidate reservation,
aka pre-publication candidate assignment) are currently the best
approaches available.

Out-of-band assignment will be discussed in more detail at the
upcoming Board meeting.

- Steve


=================================
Candidate: CAN-2000-0676
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20000811
Category: SF
Reference: CERT:CA-2000-15
Reference: URL:http://www.cert.org/advisories/CA-2000-15.html
Reference: BID:1546
Reference: URL:http://www.securityfocus.com/bid/1546

Netscape Communicator and Navigator 4.04 through 4.74 allows remote
attackers to read arbitrary files by using a Java applet to open a
connection to a URL using the "file", "http", "https", and "ftp"
protocols, as demonstrated by Brown Orifice.