[VOTE] MOREVOTES-2000-A: Candidates from 2000 needing 1 more vote
Each of the following 30 candidates needs just one more ACCEPT vote.
If you can help out, it is appreciated.
There are 4 other messages similar to this one, with different
candidates. Feel free to pick one at random if you don't have the
time to vote on them all.
It is strongly preferred that you get your votes in by October 9.
Thanks,
- Steve
Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------
ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.
1) Please write your vote on the line that starts with "VOTE: ". If
you want to add comments or details, add them to lines after the
VOTE: line.
2) If you see any missing references, please mention them so that they
can be included. References help greatly during mapping.
3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
So if you don't have sufficient information for a candidate but you
don't want to NOOP, use a REVIEWING.
********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.
KEY FOR INFERRED ACTIONS
------------------------
Inferred actions capture the voting status of a candidate. They may
be used by the Editor to determine whether or not a candidate is added
to CVE. Where there is disagreement, the Editor must resolve the
issue and achieve consensus, or make the final decision if consensus
cannot be reached.
- ACCEPT = 3 non-MITRE votes to ACCEPT/MODIFY, and no REVIEWING or REJECT
- ACCEPT_ACK = 2 non-MITRE ACCEPT/MODIFY, and vendor acknowledgement
- MOREVOTES = needs more votes
- ACCEPT_REV = 3 non-MITRE ACCEPT's but is delayed due to a REVIEWING
- SMC_REJECT = REJECT by Steve Christey; likely to be rejected outright
- SMC_REVIEW = REVIEWING by Steve Christey; likely related to CD's
- REVIEWING = at least one member is REVIEWING
- REJECT = at least one member REJECTed
- REVOTE = members should review their vote on this candidate
======================================================
Candidate: CAN-2000-0002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0002
Final-Decision:
Interim-Decision:
Modified: 20000501-01
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9912&L=NTBUGTRAQ&P=R3556
Reference: BUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94598388530358&w=2
Reference: BUGTRAQ:20000128 ZBServer 1.50-r1x exploit (WinNT)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=36B0596E.8D111D66@teleline.es
Buffer overflow in ZBServer Pro allows remote attackers to execute
commands via a long GET request.
Modifications:
ADDREF BUGTRAQ:20000128 ZBServer 1.50-r1x exploit (WinNT)
INFERRED ACTION: CAN-2000-0002 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
MODIFY(1) Frech
NOOP(1) Armstrong
Comments:
Frech> XF:zbserver-get-bo
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
VOTE:
======================================================
Candidate: CAN-2000-0006
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0006
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991225 strace can lie
strace allows local users to read arbitrary files via memory mapped
file names.
INFERRED ACTION: CAN-2000-0006 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
MODIFY(1) Frech
NOOP(1) Armstrong
Comments:
Frech> XF:linux-strace
VOTE:
======================================================
Candidate: CAN-2000-0009
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0009
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 bna,sh
Reference: BID:907
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=907
bna_pass program in Optivity NETarchitect allows local users to gain
privileges via a symlink attack.
INFERRED ACTION: CAN-2000-0009 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
MODIFY(2) Stracener, Frech
NOOP(1) Armstrong
Comments:
Stracener> Not a symlink attack. Description should be re-written. Thumbnail
sketch: 1) script cd's to /tmp, 2) Creates ".logincheck" (bna_pass tries
to delete this file by calling "rm"), 3) "PATH=.:" where the (dot)
causes the PATH to first execute in the local environment, 4) "export
PATH" resets the environment to the local dir (to /tmp via step 1), 5) a
trojaned version of "rm" is created in /tmp such that when executed (due
to the corrupted path environment) creates a setuid csh, 6) script
executes "bna_pass". As a result of the ".:PATH" and its
export, "bna_pass" uses /tmp and calls the trojaned "rm" = execution of
code. Perhaps this description: "bna_pass program in Optivity
NETarchitect allows local users to gain privileges via a trojaned
version of rm."
Frech> XF:netarchitect-path-vulnerability
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
VOTE:
======================================================
Candidate: CAN-2000-0027
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0027
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 IBM NetStation/UnixWare local root exploit
Reference: BID:900
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=900
IBM Network Station Manager NetStation allows local users to gain
privileges via a symlink attack.
INFERRED ACTION: CAN-2000-0027 MOREVOTES-1 (2 accept, 0 ack, 1 review)
Current Votes:
ACCEPT(2) Stracener, Armstrong
REVIEWING(1) Frech
VOTE:
======================================================
Candidate: CAN-2000-0056
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0056
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000105 Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT Version 5.08
Reference: BID:914
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=914
IMail IMONITOR status.cgi CGI script allows remote attackers to cause
a denial of service with many calls to status.cgi.
INFERRED ACTION: CAN-2000-0056 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(1) Frech
Comments:
Frech> XF:imail-imonitor-status-dos
VOTE:
======================================================
Candidate: CAN-2000-0090
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0090
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: BUGTRAQ:20000124 VMware 1.1.2 Symlink Vulnerability
Reference: XF:linux-vmware-symlink
Reference: BID:943
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=943
VMWare 1.1.2 allows local users to cause a denial of service via a
symlink attack.
INFERRED ACTION: CAN-2000-0090 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Frech, Cole
NOOP(1) Wall
VOTE:
======================================================
Candidate: CAN-2000-0116
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0116
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: NTBUGTRAQ:20000129 "Strip Script Tags" in FW-1 can be circumvented
Reference: BUGTRAQ:20000129 "Strip Script Tags" in FW-1 can be circumvented
Firewall-1 does not properly filter script tags, which allows remote
attackers to bypass the "Strip Script Tags" restriction by including
an extra < in front of the SCRIPT tag.
INFERRED ACTION: CAN-2000-0116 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Comments:
Christey> ADDREF BID:954
Frech> XF:http-script-bypass
VOTE:
======================================================
Candidate: CAN-2000-0127
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0127
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000203 Webspeed security issue
Reference: BID:969
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=969
The Webspeed configuration program does not properly disable access to
the WSMadmin utility, which allows remote attackers to gain
privileges.
INFERRED ACTION: CAN-2000-0127 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Comments:
Frech> XF:webspeed-adminutil-auth
Christey> URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=003a01bf6ebf$25e867a0$0a1a90d8@eniac
VOTE:
======================================================
Candidate: CAN-2000-0128
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0128
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000204 "The Finger Server"
The Finger Server 0.82 allows remote attackers to execute commands via
shell metacharacters.
INFERRED ACTION: CAN-2000-0128 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Wall
Comments:
Frech> XF:finger-server-input
Also, the owner's web site (http://www.glazed.org/finger/) indicates that
versions up to 0.83BETA are vulnerable. You should make the appropriate
modifications to the description.
VOTE:
======================================================
Candidate: CAN-2000-0129
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0129
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: NTBUGTRAQ:20000204 Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
Reference: BUGTRAQ:20000204 Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability
Reference: NTBUGTRAQ:20000204 Windows Api SHGetPathFromIDList Buffer Overflow
Reference: BUGTRAQ:20000204 Windows Api SHGetPathFromIDList Buffer Overflow
Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP
server allows attackers to cause a denial of service by performing a
LIST command on a malformed .lnk file.
INFERRED ACTION: CAN-2000-0129 MOREVOTES-1 (2 accept, 0 ack, 1 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
REVIEWING(1) Wall
Comments:
Frech> XF:win-shortcut-api-bo
The real problem seems to be with the Windows API call, not the Serv-U FTP
app. As the "Windows Api SHGetPathFromIDList Buffer Overflow" reference
states, [The bug can] "cause whatever handles the shortcuts to crash."
As a suggestion, rephrase the description from Windows's context, and state
that the Serv-U FTP server is an example of an app that exhibits this
problem.
VOTE:
======================================================
Candidate: CAN-2000-0164
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0164
Final-Decision:
Interim-Decision:
Modified: 20000321-01
Proposed: 20000223
Assigned: 20000223
Category: SF
Reference: BUGTRAQ:20000220 Sun Internet Mail Server
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=Pine.SOL.4.21.0002200031320.22675-100000@klayman.hq.formus.pl
Reference: BID:1004
Reference: URL:http://www.securityfocus.com/bid/1004
The installation of Sun Internet Mail Server (SIMS) creates a
world-readable file that allows local users to obtain passwords.
Modifications:
ADDREF BID:1004
INFERRED ACTION: CAN-2000-0164 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Wall, LeBlanc
Comments:
Frech> XF:sims-temp-world-readable
VOTE:
======================================================
Candidate: CAN-2000-0166
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0166
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000223
Assigned: 20000223
Category: SF
Reference: BUGTRAQ:20000221 Local / Remote Exploiteable Buffer Overflow Vulnerability in InterAccess TelnetD Server 4.0 for Windows NT
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPGEJHCCAA.labs@ussrback.com
Reference: BID:995
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=995
Buffer overflow in the InterAccess telnet server TelnetD allows remote
attackers to execute commands via a long login name.
INFERRED ACTION: CAN-2000-0166 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Christey, Wall, LeBlanc
Comments:
Christey> BUGTRAQ:20000223 Pragma Systems response to USSRLabs report
is a followup from the vendor that acknowledges that this
may be a problem in older builds, but not the current one.
USSR's response questions this conclusion.
Also see:
BUGTRAQ:20000223 Local / Remote Exploiteable Buffer Overflow Vulnerability in InterAccess TelnetD (fwd)
Frech> XF:interaccess-telnet-login-bo
VOTE:
======================================================
Candidate: CAN-2000-0191
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0191
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000229 Infosec.20000229.axisstorpointcd.a
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=41256894.00492503.00@mailgw.backupcentralen.se
Reference: BID:1025
Reference: URL:http://www.securityfocus.com/bid/1025
Axis StorPoint CD allows remote attackers to access administrator URLs
without authentication via a .. (dot dot) attack.
INFERRED ACTION: CAN-2000-0191 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Ozancin
MODIFY(1) Frech
NOOP(4) Wall, Cole, Blake, LeBlanc
Comments:
Frech> XF:axis-storpoint-auth(4078)
VOTE:
======================================================
Candidate: CAN-2000-0193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0193
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000302 Corel Linux 1.0 dosemu default configuration: Local root vuln
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200003020436.PAA20168@jawa.chilli.net.au
Reference: BID:1030
Reference: URL:http://www.securityfocus.com/bid/1030
The default configuration of Dosemu in Corel Linux 1.0 allows local
users to execute the system.com program and gain privileges.
INFERRED ACTION: CAN-2000-0193 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Ozancin
MODIFY(1) Frech
NOOP(4) Wall, Cole, Blake, LeBlanc
Comments:
Frech> XF:linux-dosemu-config(4066)
VOTE:
======================================================
Candidate: CAN-2000-0227
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0227
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000323 Local Denial-of-Service attack against Linux
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000323175509.A23709@clearway.com
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0254.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0272.html
Reference: BID:1072
Reference: URL:http://www.securityfocus.com/bid/1072
Reference: XF:linux-domain-socket-dos
The Linux 2.2.x kernel does not restrict the number of Unix domain
sockets as defined by the wmem_max paremeter, which allows local users
to cause a denial of service by requesting a large number of sockets.
INFERRED ACTION: CAN-2000-0227 MOREVOTES-1 (2 accept, 0 ack, 1 review)
Current Votes:
ACCEPT(2) Frech, Cole
NOOP(1) Christey
REVIEWING(1) Magdych
Comments:
Christey> Fix typo: 'paremeter'
Magdych> I remember when this came up... seems like there were some wildly
mixed results for the exploit.
VOTE:
======================================================
Candidate: CAN-2000-0237
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0237
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MISC:http://zsh.stupidphat.com/advisory.cgi?000311-1
Reference: BID:1075
Reference: URL:http://www.securityfocus.com/bid/1075
Netscape Enterprise Server with Web Publishing enabled allows remote
attackers to list arbitrary directories via a GET request for the
/publisher directory, which provides a Java applet that allows the
attacker to browse the directories.
INFERRED ACTION: CAN-2000-0237 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Magdych
MODIFY(1) Frech
NOOP(1) Cole
Comments:
Frech> XF:netscape-webpublisher-invalid-access
VOTE:
======================================================
Candidate: CAN-2000-0238
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0238
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000317 DoS with NAVIEG
Reference: URL:http://www.securityfocus..com/templates/archive.pike?list=1&msg=s8d1f3e3.036@kib.co.kodiak.ak.us
Reference: XF:nav-email-gateway-dos
Reference: BID:1064
Reference: URL:http://www.securityfocus.com/bid/1064
Buffer overflow in the web server for Norton AntiVirus for Internet
Email Gateways allows remote attackers to cause a denial of service
via a long URL.
INFERRED ACTION: CAN-2000-0238 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Frech, Magdych
NOOP(2) Christey, Cole
Comments:
Christey> Remove extra dot in URL for securityfocus..com
VOTE:
======================================================
Candidate: CAN-2000-0257
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0257
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000418 Novell Netware 5.1 (server 5.00h, Dec 11, 1999)...
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0004171825340.10088-100000@nimue.tpi.pl
Reference: BID:1118
Reference: URL:http://www.securityfocus.com/bid/1118
Buffer overflow in the Netware remote web administration utility
allows remote attackers to cause a denial of service or execute
commands via a long URL.
INFERRED ACTION: CAN-2000-0257 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Levy, Cole
MODIFY(1) Frech
NOOP(1) Wall
Comments:
Frech> XF:netware-remote-admin-overflow
In the description, Novell's product is spelled NetWare.
VOTE:
======================================================
Candidate: CAN-2000-0263
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0263
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000416 xfs
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0079.html
Reference: BID:1111
Reference: URL:http://www.securityfocus.com/bid/1111
The X font server xfs in Red Hat Linux 6.x allows an attacker to cause
a denial of service via a malformed request.
INFERRED ACTION: CAN-2000-0263 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Levy, Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Comments:
Frech> XF:redhat-fontserver-dos
POTENTIAL DUPE: CAN-2000-0286: X fontserver xfs allows local users to cause
a denial of service via malformed input to the server.
Christey> As Andre observed, this is a duplicate of CAN-2000-0286.
CAN-2000-0286 has been slated for rejection.
VOTE:
======================================================
Candidate: CAN-2000-0273
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0273
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000409 A funny way to DOS pcANYWHERE8.0 and 9.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0031.html
Reference: BID:1095
Reference: URL:http://www.securityfocus.com/bid/1095
PCAnywhere allows remote attackers to cause a denial of service by
terminating the connection before PCAnywhere provides a login prompt.
INFERRED ACTION: CAN-2000-0273 MOREVOTES-1 (2 accept, 0 ack, 1 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Wall
Comments:
Christey> ADDREF XF:pcanywhere-login-dos
Frech> XF:pcanywhere-login-dos
VOTE:
======================================================
Candidate: CAN-2000-0285
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0285
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000416 XFree86 server overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0076.html
Buffer overflow in XFree86 3.3.x allows local users to execute
arbitrary commands via a long -xkbmap parameter.
INFERRED ACTION: CAN-2000-0285 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Levy, Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Comments:
Christey> ADDREF BID:1306
Frech> XF:xfree86-xkbmap-parameter-bo(4867)
VOTE:
======================================================
Candidate: CAN-2000-0289
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0289
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000327 Security Problems with Linux 2.2.x IP Masquerading
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0284.html
Reference: BID:1078
Reference: URL:http://www.securityfocus.com/bid/1078
IP masquerading in Linux 2.2.x allows remote attackers to route UDP
packets through the internal interface by modifying the external
source IP address and port number to match those of an established
connection.
INFERRED ACTION: CAN-2000-0289 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Christey, Wall
Comments:
Christey> ADDREF XF:linux-masquerading-dos
ADDREF SUSE:20000520 Security hole in kernel < 2.2.15
http://www.suse.de/de/support/security/suse_security_announce_48.txt
Frech> XF:linux-ip-masquerading
VOTE:
======================================================
Candidate: CAN-2000-0290
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0290
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000331 Webstar 4.0 Buffer overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0005.html
Buffer overflow in Webstar HTTP server allows remote attackers to
cause a denial of service via a long GET request.
INFERRED ACTION: CAN-2000-0290 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Wall
Comments:
Frech> XF:macos-webstar-get-bo
VOTE:
======================================================
Candidate: CAN-2000-0298
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0298
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: CF
Reference: NTBUGTRAQ:20000407 All Users startup folder left open if unattended install and OEMP reinstall=1
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0027.html
The unattended installation of Windows 2000 with the OEMPreinstall
option sets insecure permissions for the All Users and Default Users
directories.
INFERRED ACTION: CAN-2000-0298 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Christey, Cole
Comments:
Christey> ADDREF XF:win2k-unattended-install
Frech> XF:win2k-unattended-install
VOTE:
======================================================
Candidate: CAN-2000-0318
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0318
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: NTBUGTRAQ:20000413 Security problems with Atrium Mercur Mailserver 3.20
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0057.html
Reference: BID:1144
Reference: URL:http://www.securityfocus.com/bid/1144
Atrium Mercur Mail Server 3.2 allows local attackers to read other
user's email and create arbitrary files via a dot dot (..) attack.
INFERRED ACTION: CAN-2000-0318 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Wall, Cole, LeBlanc
Comments:
Frech> XF:mercur-remote-dot-attack
VOTE:
======================================================
Candidate: CAN-2000-0320
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0320
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:20000421 unsafe fgets() in qpopper
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=9763.000421@SECURITY.NNOV.RU
Reference: BID:1133
Reference: URL:http://www.securityfocus.com/bid/1133
Qpopper 2.53 and 3.0 does not properly identify the \n string which
identifies the end of message text, which allows a remote attacker to
cause a denial of service or corrupt mailboxes via a message line that
is 1023 characters long and ends in \n.
INFERRED ACTION: CAN-2000-0320 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(4) Christey, Wall, Cole, LeBlanc
Comments:
Frech> XF:qpopper-fgets-spoofing
Christey> CONFIRM:http://marc.theaimsgroup.com/?l=bugtraq&m=95715275707934&w=2
VOTE:
======================================================
Candidate: CAN-2000-0322
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0322
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:20000424 piranha default password/exploit
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Enip.BSO.23.0004241601140.28851-100000@www.whitehats.com
Reference: BID:1149
Reference: URL:http://www.securityfocus.com/bid/1149
The passwd.php3 CGI script in the Red Hat Piranha Virtual Server
Package allows local users to execute arbitrary commands via shell
metacharacters.
INFERRED ACTION: CAN-2000-0322 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(4) Christey, Wall, Cole, LeBlanc
Comments:
Frech> XF:piranha-passwd-execute
Christey> CONFIRM:http://www.redhat.com/support/errata/RHSA-2000014-10.html
CD:SF-LOC says to distinguish between this and CAN-2000-0248.
CAN-2000-0248 is the default password that allowed anyone to
become a piranha admin. This one is a shell metacharacter
problem that's only accessible to a piranha admin - the
default password just makes this bug accessible to
arbitrary attackers.
However, if someone needs to be an admin to run piranha in
the first place, this candidate doesn't give anyone any
additional privileges, so maybe it should be REJECTed.
VOTE:
======================================================
Candidate: CAN-2000-0332
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0332
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:20000502 Fun with UltraBoard V1.6X
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000503091316.99073.qmail@hotmail.com
Reference: BID:1164
Reference: URL:http://www.securityfocus.com/bid/1164
UltraBoard.pl or UltraBoard.cgi CGI scripts in UltraBoard 1.6 allows
remote attackers to read arbitrary files via a pathname string that
includes a dot dot (..) and ends with a null byte.
INFERRED ACTION: CAN-2000-0332 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Comments:
Frech> XF:ultraboard-printabletopic-fileread
VOTE:
======================================================
Candidate: CAN-2000-0335
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0335
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:20000502 glibc resolver weakness
Reference: BID:1166
Reference: URL:http://www.securityfocus.com/bid/1166
The resolver in glibc 2.1.3 uses predictable IDs, which allows a local
attacker to spoof DNS query results.
INFERRED ACTION: CAN-2000-0335 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Wall, Cole, Armstrong
Comments:
Frech> XF:glibc-resolver-id-predictable
VOTE:
======================================================
Candidate: CAN-2000-0338
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0338
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BID:1136
Reference: URL:http://www.securityfocus.com/bid/1136
Concurrent Versions Software (CVS) uses predictable temporary file
names for locking, which allows local users to cause a denial of
service by creating the lock directory before it is created for use by
a legitimate CVS user.
INFERRED ACTION: CAN-2000-0338 MOREVOTES-1 (2 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Wall, Cole, LeBlanc
Comments:
Frech> XF:cvs-tempfile-dos
VOTE: