
[PROPOSAL] Cluster RECENT-39 - 29 candidates



The following cluster contains 29 candidates that were announced
between August 10 and September 24, 2000.

Note that the voting web site will not be updated with this cluster
until sometime Wednesday.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2000-0901
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0901
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000906 Screen-3.7.6 local compromise
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0530.html
Reference: BUGTRAQ:20000905 screen 3.9.5 root vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/80178
Reference: DEBIAN:20000902 screen: local exploit
Reference: URL:http://www.debian.org/security/2000/20000902a
Reference: MANDRAKE:MDKSA-2000:044
Reference: URL:http://www.linux-mandrake.com/en/updates/MDKSA-2000-044.php3
Reference: SUSE:20000906 screen format string parsing security problem
Reference: URL:http://www.suse.com/de/support/security/adv6_draht_screen_txt.txt
Reference: REDHAT:RHSA-2000:058-03
Reference: URL:http://www.redhat.com
Reference: FREEBSD:FreeBSD-SA-00:46
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:46.screen.asc
Reference: BID:1641
Reference: URL:http://www.securityfocus.com/bid/1641
Reference: XF:screen-format-string
Reference: URL:http://xforce.iss.net/static/5188.php

Format string vulnerability in screen 3.9.5 and earlier allows local
users to gain root privileges via format characters in the vbell_msg
initialization variable.

Analysis
----------------
ED_PRI CAN-2000-0901 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0909
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0909
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000922  [ no subject ]
Reference: URL:http://www.securityfocus.com/archive/1/84901
Reference: BUGTRAQ:20001031 FW: Pine 4.30 now available
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0441.html
Reference: FREEBSD:FreeBSD-SA-00:59
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:59.pine.asc
Reference: REDHAT:RHSA-2000-102-04
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-102.html
Reference: BID:1709
Reference: URL:http://www.securityfocus.com/bid/1709
Reference: XF:pine-check-mail-bo
Reference: URL:http://xforce.iss.net/static/5283.php

Buffer overflow in the automatic mail checking component of Pine 4.21
and earlier allows remote attackers to execute arbitrary commands via
a long From: header.

Analysis
----------------
ED_PRI CAN-2000-0909 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0910
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0910
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000908 horde library bug - unchecked from-address
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0051.html
Reference: DEBIAN:20000910 imp: remote compromise
Reference: URL:http://www.debian.org/security/2000/20000910
Reference: CONFIRM:http://ssl.coc-ag.de/sec/hordelib-1.2.0.frombug.patch
Reference: BID:1674
Reference: URL:http://www.securityfocus.com/bid/1674
Reference: XF:horde-imp-sendmail-command
Reference: URL:http://xforce.iss.net/static/5278.php

Horde library 1.02 allows attackers to execute arbitrary commands via
shell metacharacters in the "from" address.

Analysis
----------------
ED_PRI CAN-2000-0910 1
Vendor Acknowledgement: yes patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0934
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0934
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: REDHAT:RHSA-2000:062-03
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0250.html
Reference: BID:1703
Reference: URL:http://www.securityfocus.com/bid/1703
Reference: XF:glint-symlink
Reference: URL:http://xforce.iss.net/static/5271.php

Glint in Red Hat Linux 5.2 allows local users to overwrite arbitrary
files and cause a denial of service via a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0934 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1022
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000919 Cisco PIX Firewall (smtp content filtering hack)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0222.html
Reference: BUGTRAQ:20000920 Re: Cisco PIX Firewall (smtp content filtering hack) - Version 4.2(1) not exploitable
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0241.html
Reference: CISCO:20001005 Cisco Secure PIX Firewall Mailguard Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml
Reference: BID:1698
Reference: URL:http://www.securityfocus.com/bid/1698
Reference: XF:cisco-pix-smtp-filtering
Reference: URL:http://xforce.iss.net/static/5277.php

The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier
does not properly restrict access to SMTP commands, which allows
remote attackers to execute restricted commands by sending a DATA
command before sending the restricted commands.

Analysis
----------------
ED_PRI CAN-2000-1022 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1031
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1031
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000810 Re: Possible vulnerability in HPUX ( Add vulnerability List )
Reference: URL:http://www.securityfocus.com/archive/1/75188
Reference: HP:HPSBUX0011-128
Reference: URL:http://archives.neohapsis.com/archives/hp/2000-q4/0034.html
Reference: BID:1889
Reference: URL:http://www.securityfocus.com/bid/1889

Buffer overflow in dtterm in HP-UX 11.0 allows a local user to gain
privileges via a long -tn option.

Analysis
----------------
ED_PRI CAN-2000-1031 1
Vendor Acknowledgement: yes advisory

REFERENCE:

HP:HPSBUX0011-128 does not provide enough details to be certain that
it addresses the vulnerability described in the August 10th Bugtraq
post.

ABSTRACTION:

The dtterm buffer overflow as described in CVE-1999-0112 occurs via a
different option, so it probably isn't the same as this overflow.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1054
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: SF
Reference: CISCO:20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server
Reference: URL:http://www.cisco.com/warp/public/707/csecureacsnt-pub.shtml
Reference: BID:1705
Reference: URL:http://www.securityfocus.com/bid/1705
Reference: XF:ciscosecure-csadmin-bo
Reference: URL:http://xforce.iss.net/static/5272.php

Buffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4(2) and
earlier allows remote attackers to cause a denial of service and
possibly execute arbitrary commands via a large packet.

Analysis
----------------
ED_PRI CAN-2000-1054 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1055
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1055
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: SF
Reference: CISCO:20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server
Reference: URL:http://www.cisco.com/warp/public/707/csecureacsnt-pub.shtml
Reference: BID:1706
Reference: URL:http://www.securityfocus.com/bid/1706
Reference: XF:ciscosecure-tacacs-dos
Reference: URL:http://xforce.iss.net/static/5273.php

Buffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows
remote attackers to cause a denial of service and possibly execute
arbitrary commands via a large TACACS+ packet.

Analysis
----------------
ED_PRI CAN-2000-1055 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1056
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1056
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: SF
Reference: CISCO:20000921 Multiple Vulnerabilities in CiscoSecure ACS for Windows NT Server
Reference: URL:http://www.cisco.com/warp/public/707/csecureacsnt-pub.shtml
Reference: BID:1708
Reference: URL:http://www.securityfocus.com/bid/1708
Reference: XF:ciscosecure-ldap-bypass-authentication
Reference: URL:http://xforce.iss.net/static/5274.php

CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to
bypass LDAP authentication on the server if the LDAP server allows
null passwords.

Analysis
----------------
ED_PRI CAN-2000-1056 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1057
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1057
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: unknown
Reference: HP:HPSBUX0009-120
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0140.html
Reference: BID:1682
Reference: URL:http://www.securityfocus.com/bid/1682
Reference: XF:hp-openview-nnm-scripts
Reference: URL:http://xforce.iss.net/static/5229.php

Vulnerabilities in database configuration scripts in HP OpenView
Network Node Manager (NNM) 6.1 and earlier allow local users to gain
privileges, possibly via insecure permissions.

Analysis
----------------
ED_PRI CAN-2000-1057 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0908
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0908
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000921 DST2K0031: DoS in BrowseGate(Home) v2.80(H)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96956211605302&w=2
Reference: WIN2KSEC:20000921 DST2K0031: DoS in BrowseGate(Home) v2.80(H)
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0128.html
Reference: CONFIRM:http://www.netcplus.com/browsegate.htm#BGLatest
Reference: XF:browsegate-http-dos
Reference: URL:http://xforce.iss.net/static/5270.php
Reference: BID:1702
Reference: URL:http://www.securityfocus.com/bid/1702

BrowseGate 2.80 allows remote attackers to cause a denial of service
and possibly execute arbitrary commands via long Authorization or
Referer MIME headers in the HTTP request.

Analysis
----------------
ED_PRI CAN-2000-0908 2
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT:

This is acknowledged in the change log under the "v2.80.1 and later"
section.  The vendor states: "A request buffer problem has been
fixed."  However, Delphis is not directly credited, so the vendor may
have fixed a different buffer problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0911
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0911
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000912  (SRADV00003) Arbitrary file disclosure through IMP
Reference: URL:http://www.securityfocus.com/archive/1/82088
Reference: BID:1679
Reference: URL:http://www.securityfocus.com/bid/1679
Reference: XF:imp-attach-file
Reference: URL:http://xforce.iss.net/static/5227.php

IMP 2.2 and earlier allows attackers to read and delete arbitrary
files by modifying the attachment_name hidden form variable, which
causes IMP to send the file to the attacker as an attachment.

Analysis
----------------
ED_PRI CAN-2000-0911 2
Vendor Acknowledgement: yes patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0912
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0912
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000913 MultiHTML vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0146.html
Reference: XF:http-cgi-multihtml
Reference: URL:http://xforce.iss.net/static/5285.php

MultiHTML CGI script allows remote attackers to read arbitrary files
and possibly execute arbitrary commands by specifying the file name to
the "multi" parameter.

Analysis
----------------
ED_PRI CAN-2000-0912 2
Vendor Acknowledgement: yes changelog

The initial report says that a call to open(FILE, "$multi") is used.
If the $multi variable isn't cleansed of shell metacharacters, then
it's possible that the attacker could execute commands.  I don't have
the source code to analyze the software, though.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1016
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1016
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: CF
Reference: BUGTRAQ:20000921 httpd.conf in Suse 6.4
Reference: URL:http://www.securityfocus.com/archive/1/84360
Reference: BID:1707
Reference: URL:http://www.securityfocus.com/bid/1707
Reference: XF:suse-installed-packages-exposed
Reference: URL:http://xforce.iss.net/static/5276.php

The default configuration of Apache (httpd.conf) on SuSE 6.4 includes
an alias for the /usr/doc directory, which allows remote attackers to
read package documentation and obtain system configuration information
via an HTTP request for the /doc/packages URL.

Analysis
----------------
ED_PRI CAN-2000-1016 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1038
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1038
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: AIXAPAR:SA90544
Reference: CONFIRM:http://as400service.rochester.ibm.com/n_dir/nas4apar.NSF/5ec6cdc6ab42894a862568f90073c74a/9ce636030a58807186256955003d128d?OpenDocument
Reference: XF:as400-firewall-dos
Reference: URL:http://xforce.iss.net/static/5266.php

The web administration interface for IBM AS/400 Firewall allows remote
attackers to cause a denial of service via an empty GET request.

Analysis
----------------
ED_PRI CAN-2000-1038 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1079
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: SF
Reference: NAI:20000829 Windows NetBIOS Unsolicited Cache Corruption
Reference: URL:http://www.pgp.com/research/covert/advisories/045.asp
Reference: NTBUGTRAQ:20000829 Re: [COVERT-2000-10] Windows NetBIOS Unsolicited Cache Corruption
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0116.html
Reference: BID:1620
Reference: URL:http://www.securityfocus.com/bid/1620
Reference: XF:win-netbios-corrupt-cache
Reference: URL:http://xforce.iss.net/static/5168.php

Interactions between the CIFS Browser Protocol and NetBIOS as
implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote
attackers to modify dynamic NetBIOS name cache entries via a spoofed
Browse Frame Request in a unicast or UDP broadcast datagram.

Analysis
----------------
ED_PRI CAN-2000-1079 2
Vendor Acknowledgement: unknown disputed

DESCRIPTION:

In a followup post, Russ Cooper says that the vulnerability is not an
implementation flaw per se, but a design flaw in NetBIOS/CIFS.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0902
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0902
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000907 Re: PhotoAlbum 0.9.9 explorer.php Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/80858
Reference: XF:phpphotoalbum-getalbum-directory-traversal
Reference: URL:http://xforce.iss.net/static/5209.php

getalbum.php in PhotoAlbum before 0.9.9 allows remote attackers to read
arbitrary files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0902 3
Vendor Acknowledgement:
Content Decisions: SF-EXEC

CAN-2000-0872 is a close match.  For this one, getalbum.php was in
earlier versions.  CD:SF-EXEC might suggest SPLIT, but was the program
just renamed?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0903
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0903
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648

Directory traversal vulnerability in Voyager web server 2.01B in the
demo disks for QNX 405 allows remote attackers to read arbitrary files
via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0903 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0904
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648

Voyager web server 2.01B in the demo disks for QNX 405 stores
sensitive web client information in the .photon directory in the web
document root, which allows remote attackers to obtain that
information.

Analysis
----------------
ED_PRI CAN-2000-0904 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0905
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000901 Multiple QNX Voyager Issues
Reference: URL:http://www.securityfocus.com/archive/1/79956
Reference: BID:1648
Reference: URL:http://www.securityfocus.com/bid/1648

QNX Embedded Resource Manager in Voyager web server 2.01B in the demo
disks for QNX 405 allows remote attackers to read sensitive system
statistics information via the embedded.html web page.

Analysis
----------------
ED_PRI CAN-2000-0905 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0918
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0918
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BID:1700
Reference: URL:http://www.securityfocus.com/bid/1700
Reference: BUGTRAQ:20000919 kvt format bug
Reference: URL:http://www.securityfocus.com/archive/1/83914

Format string vulnerability in kvt in KDE 1.1.2 may allow local users
to execute arbitrary commands via a DISPLAY environmental variable
that contains formatting characters.

INCLUSION:
It has not been proven that this bug is exploitable.

Analysis
----------------
ED_PRI CAN-2000-0918 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1020
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1020
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows
remote attackers to cause a denial of service and possibly execute
arbitrary commands via a long URL.

Analysis
----------------
ED_PRI CAN-2000-1020 3
Vendor Acknowledgement: unknown claimed
Content Decisions: SF-EXEC

This would appear to be a duplicate of CAN-1999-0844 at first glance,
but VIGILANTE says this is not the case in their advisory.  CD:SF-EXEC
also suggests that separate entries might need to be created for
WorldClient and WebConfig.  Since Board members have voted to RECAST
CAN-1999-0844 (which combines WorldClient and WebConfig), that also
suggests that separate items should be recorded for WorldClient versus
WebConfig.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1021
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1021
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote
attackers to cause a denial of service and possibly execute arbitrary
commands via a long URL.

Analysis
----------------
ED_PRI CAN-2000-1021 3
Vendor Acknowledgement: unknown claimed
Content Decisions: SF-EXEC

This would appear to be a duplicate of CAN-1999-0844 at first glance,
but VIGILANTE says this is not the case in their advisory.  CD:SF-EXEC
also suggests that separate entries might need to be created for
WorldClient and WebConfig.  Since Board members have voted to RECAST
CAN-1999-0844 (which combines WorldClient and WebConfig), that also
suggests that separate items should be recorded for WorldClient versus
WebConfig.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1023
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1023
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000924 Major Vulnerability in Alabanza Control Panel
Reference: URL:http://www.securityfocus.com/archive/1/84766
Reference: BID:1710
Reference: URL:http://www.securityfocus.com/bid/1710
Reference: XF:alabanza-unauthorized-access
Reference: URL:http://xforce.iss.net/static/5284.php

The Alabanza Control Panel does not require passwords to access
administrative commands, which allows remote attackers to modify
domain name information via the nsManager.cgi CGI program.

Analysis
----------------
ED_PRI CAN-2000-1023 3
Vendor Acknowledgement:
Content Decisions: EX-ONLINE-SVC

INCLUSION:
It is not clear if Alabanza is an online service/ASP whose server is
centrally located, though a page at http://www.alabanza.com says
"Everything is managed automatically and online with no administration
required by you or any member of your staff."  If a single fix at
Alabanza could solve the problem without client intervention, then
CD:EX-ONLINE-SVC suggests that this item should not be included in
CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1035
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1035
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000912 TYPSoft FTP Server remote DoS Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96879389027478&w=2
Reference: MISC:http://www.synnergy.net/Archives/Advisories/dethy/typsoft-ftpd.txt
Reference: BID:1690
Reference: URL:http://www.securityfocus.com/bid/1690

Buffer overflows in TYPSoft FTP Server 0.78 and earlier allow remote
attackers to cause a denial of service and possibly execute arbitrary
commands via a long USER, PASS, or CWD command.

Analysis
----------------
ED_PRI CAN-2000-1035 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1036
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1036
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000920 Extent RBS directory Transversal.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0252.html
Reference: BID:1704
Reference: URL:http://www.securityfocus.com/bid/1704
Reference: XF:rbs-isp-directory-traversal
Reference: URL:http://xforce.iss.net/static/5275.php

Directory traversal vulnerability in Extent RBS ISP web server allows
remote attackers to read sensitive information via a .. (dot dot)
attack on the Image parameter.

Analysis
----------------
ED_PRI CAN-2000-1036 3
Vendor Acknowledgement: unknown claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1037
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1037
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000815 Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attack
Reference: URL:http://www.securityfocus.com/archive/1/76389
Reference: BID:1662
Reference: URL:http://www.securityfocus.com/bid/1662

Check Point Firewall-1 session agent 3.0 through 4.1 generates
different error messages for invalid user names versus invalid
passwords, which allows remote attackers to determine valid usernames
and guess a password via a brute force attack.

Analysis
----------------
ED_PRI CAN-2000-1037 3
Vendor Acknowledgement: unknown vague advisory

INCLUSION:

It is possible that this is a duplicate of CAN-2000-0808.  However,
the Check Point advisory for CAN-2000-0808 was released in July, and
it seems to fault S/Key's seed generation mechanism.  This item was
announced in mid-August and does not seem to be related to S/Key.
Consultation with FW1 experts or the vendor would help resolve this
issue.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1046
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1046
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: SF
Reference: BUGTRAQ:20000911 Advisory Code: VIGILANTE-2000011 Lotus Domino ESMTP Service Buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0093.html

Buffer overflows in ESMTP service of Lotus Domino 5.0.2c and earlier
allow remote attackers to cause a denial of service and possibly
execute arbitrary commands via a long "RCPT TO," "SAML FROM," or "SOML
FROM" command.

Analysis
----------------
ED_PRI CAN-2000-1046 3
Vendor Acknowledgement: unknown claimed

CD:SF-LOC indicates that this item may need to be split, since there
may be multiple bugs in a single program.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1047
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1047
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: SF
Reference: BUGTRAQ:20001103 [SAFER] Buffer overflow in Lotus Domino SMTP Server
Reference: URL:http://www.securityfocus.com/archive/1/143071
Reference: BID:1905
Reference: URL:http://www.securityfocus.com/bid/1905

Buffer overflow in SMTP service of Lotus Domino 5.0.4 and earlier
allows remote attackers to cause a denial of service and possibly
execute arbitrary commands via a long ENVID keyword in the "MAIL FROM"
command.

Analysis
----------------
ED_PRI CAN-2000-1047 3
Vendor Acknowledgement: unknown claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007