
[PROPOSAL] Cluster RECENT-40 - 42 candidates



The following cluster contains 29 candidates that were announced
between September 25 and October 4, 2000.

Note that the voting web site will not be updated with this cluster
until sometime Wednesday.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve



Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2000-0803
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0803
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20000922
Category: SF
Reference: ISS:20001004 GNU Groff utilities read untrusted commands from current working directory

GNU Groff uses the current working directory to find a device
description file, which allows a local user to gain additional
privileges by including a malicious postpro directive in the
description file, which is executed when another user runs groff.

Analysis
----------------
ED_PRI CAN-2000-0803 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0913
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0913
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000929 Security vulnerability in Apache mod_rewrite
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0352.html
Reference: MANDRAKE:MDKSA-2000:060
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-060-2.php3?dis=7.1
Reference: REDHAT:RHSA-2000:088-04
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-088-04.html
Reference: CALDERA:CSSA-2000-035.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-035.0.txt
Reference: HP:HPSBUX0010-126
Reference: URL:http://archives.neohapsis.com/archives/hp/2000-q4/0021.html
Reference: BUGTRAQ:20001011 Conectiva Linux Security Announcement - apache
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0174.html
Reference: BID:1728
Reference: URL:http://www.securityfocus.com/bid/1728
Reference: XF:apache-rewrite-view-files
Reference: URL:http://xforce.iss.net/static/5310.php

mod_rewrite in Apache 1.3.12 and earlier allows remote attackers to
read arbitrary files if a RewriteRule directive is expanded to include
a filename whose name contains a regular expression.

Analysis
----------------
ED_PRI CAN-2000-0913 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0917
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000925 Format strings: bug #2: LPRng
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0293.html
Reference: CALDERA:CSSA-2000-033.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
Reference: REDHAT:RHSA-2000:065-06
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-065-06.html
Reference: FREEBSD:FreeBSD-SA-00:56
Reference: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc
Reference: XF:lprng-format-string
Reference: URL:http://xforce.iss.net/static/5287.php
Reference: BID:1712
Reference: URL:http://www.securityfocus.com/bid/1712

Format string vulnerability in use_syslog() function in LPRng 3.6.24
allows remote attackers to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2000-0917 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0929
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0929
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000929 Malformed Embedded Windows Media Player 7 "OCX Attachment"
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97024839222747&w=2
Reference: MS:MS00-068
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-068.asp
Reference: BID:1714
Reference: URL:http://www.securityfocus.com/bid/1714
Reference: XF:mediaplayer-outlook-dos
Reference: URL:http://xforce.iss.net/static/5309.php

Microsoft Windows Media Player 7 allows attackers to cause a denial of
service in RTF-enabled email clients via an embedded OCX control that
is not closed properly, aka the "OCX Attachment" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0929 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0933
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0933
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: MS:MS00-069
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-069.asp
Reference: BID:1729
Reference: URL:http://www.securityfocus.com/bid/1729
Reference: XF:win2k-simplified-chinese-ime
Reference: URL:http://xforce.iss.net/static/5301.php

The Input Method Editor (IME) in the Simplified Chinese version of
Windows 2000 does not disable access to privileged functionality that
should normally be restricted, which allows local users to gain
privileges, aka the "Simplified Chinese IME State Recognition"
vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0933 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0947
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0947
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001002 Very probable remote root vulnerability in cfengine
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0004.html
Reference: MANDRAKE:MDKSA-2000:061
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-061.php3?dis=7.1
Reference: NETBSD:NetBSD-SA2000-013
Reference: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-013.txt.asc
Reference: BID:1757
Reference: URL:http://www.securityfocus.com/bid/1757

Format string vulnerability in cfd daemon in GNU CFEngine before
1.6.0a11 allows attackers to execute arbitrary commands via format
characters in the CAUTH command.

Analysis
----------------
ED_PRI CAN-2000-0947 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0948
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0948
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001002 GnoRPM local /tmp vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/136866
Reference: BUGTRAQ:20001003 Conectiva Linux Security Announcement - gnorpm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0043.html
Reference: MANDRAKE:MDKSA-2000:055
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-055.php3?dis=7.0
Reference: REDHAT:RHSA-2000:072-07
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-072.html
Reference: BUGTRAQ:20001011 Immunix OS Security Update for gnorpm package
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0184.html
Reference: BID:1761
Reference: URL:http://www.securityfocus.com/bid/1761
Reference: XF:gnorpm-temp-symlink
Reference: URL:http://xforce.iss.net/static/5317.php

GnoRPM before 0.95 allows local users to modify arbitrary files via a
symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0948 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0949
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0949
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000928 Very interesting traceroute flaw
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0344.html
Reference: CALDERA:CSSA-2000-034.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-034.0.txt
Reference: MANDRAKE:MDKSA-2000:053
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-053.php3?dis=7.1
Reference: REDHAT:RHSA-2000:078-02
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-078-02.html
Reference: DEBIAN:20001013 traceroute: local root exploit
Reference: URL:http://www.debian.org/security/2000/20001013
Reference: TURBO:TLSA2000023-1
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2000-October/000025.html
Reference: BUGTRAQ:20000930 Conectiva Linux Security Announcement - traceroute
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0357.html
Reference: BID:1739
Reference: URL:http://www.securityfocus.com/bid/1739
Reference: XF:traceroute-heap-overflow
Reference: URL:http://xforce.iss.net/static/5311.php

Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier
allows a local user to execute arbitrary commands via the -g option.

Analysis
----------------
ED_PRI CAN-2000-0949 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0951
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0951
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: CF
Reference: ATSTAKE:A100400-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a100400-1.txt
Reference: MSKB:Q272079
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=272079
Reference: BID:1756
Reference: URL:http://www.securityfocus.com/bid/1756
Reference: XF:iis-index-dir-traverse
Reference: URL:http://xforce.iss.net/static/5335.php

A misconfiguration in IIS 5.0 with Index Server enabled and the Index
property set allows remote attackers to list directories in the web
root via a Web Distributed Authoring and Versioning (WebDAV) search.

Analysis
----------------
ED_PRI CAN-2000-0951 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0962
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0962
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category:
Reference: BUGTRAQ:20000925 Nmap Protocol Scanning DoS against OpenBSD IPSEC
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0299.html
Reference: OPENBSD:20000918 Bad ESP/AH packets could cause a crash under certain conditions.
Reference: BID:1723
Reference: URL:http://www.securityfocus.com/bid/1723

The IPSEC implementation in OpenBSD 2.7 does not properly handle empty
AH/ESP packets, which allows remote attackers to cause a denial of
service.

Analysis
----------------
ED_PRI CAN-2000-0962 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0993
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0993
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: OPENBSD:20001003 A format string vulnerability exists in the pw_error(3) function.
Reference: URL:http://www.openbsd.org/errata27.html#pw_error
Reference: NETBSD:NetBSD-SA2000-015
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-015.txt.asc
Reference: FREEBSD:FreeBSD-SA-00:58
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:58.chpass.asc
Reference: BUGTRAQ:20001004 Re: OpenBSD Security Advisory
Reference: URL:http://www.securityfocus.com/archive/1/137482
Reference: BID:1744
Reference: URL:http://www.securityfocus.com/bid/1744
Reference: XF:bsd-libutil-format
Reference: URL:http://xforce.iss.net/static/5339.php

Format string vulnerability in pw_error function in BSD libutil
library allows local users to gain root privileges via a malformed
password in commands such as chpass or passwd.

Analysis
----------------
ED_PRI CAN-2000-0993 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0994
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0994
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001004 Re: OpenBSD Security Advisory
Reference: URL:http://www.securityfocus.com/archive/1/137482
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: BID:1746
Reference: URL:http://www.securityfocus.com/bid/1746
Reference: XF:bsd-fstat-format
Reference: URL:http://xforce.iss.net/static/5338.php

Format string vulnerability in OpenBSD fstat program (and possibly
other BSD-based operating systems) allows local users to gain root
privileges via the PWD environmental variable.

Analysis
----------------
ED_PRI CAN-2000-0994 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0995
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0995
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch

Format string vulnerability in OpenBSD yp_passwd program (and possibly
other BSD-based operating systems) allows attackers to gain root
privileges via a malformed name.

Analysis
----------------
ED_PRI CAN-2000-0995 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0996
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0996
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch

Format string vulnerability in OpenBSD su program (and possibly other
BSD-based operating systems) allows local attackers to gain root
privileges via a malformed shell.

Analysis
----------------
ED_PRI CAN-2000-0996 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0997
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0997
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: BID:1752
Reference: URL:http://www.securityfocus.com/bid/1752
Reference: XF:bsd-eeprom-format
Reference: URL:http://xforce.iss.net/static/5337.php

Format string vulnerabilities in eeprom program in OpenBSD, NetBSD,
and possibly other operating systems allow local attackers to gain
root privileges.

Analysis
----------------
ED_PRI CAN-2000-0997 1
Vendor Acknowledgement: yes

It is not certain from the OpenBSD source code patch what conditions
are required to trigger the vulnerabilities.  One might list the line
numbers or affected functions, but that could vary with other OSes.
CD:SF-LOC applies here because there are 3 different lines of code in
eeprom that require patches, so this item should probably be SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0998
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0998
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
Reference: FREEBSD:FreeBSD-SA-00:62
Reference: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:62.top.v1.1.asc
Reference: BID:1895
Reference: URL:http://www.securityfocus.com/bid/1895

Format string vulnerability in top program allows local attackers to
gain root privileges via the "kill" or "renice" function.

Analysis
----------------
ED_PRI CAN-2000-0998 1
Vendor Acknowledgement: yes

ABSTRACTION:

CD:SF-LOC applies because there are multiple lines of code in top that
have the vulnerabilities - one in the error message generated by
kill_procs(), and another message generated by renice_procs().

The FreeBSD patch is applied in 3 different places, so CD:SF-LOC
suggests having separate entries for each.  However, it is difficult
to describe these differences without extensive source code review of
all the affected codebases.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0999
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0999
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: OPENBSD:20001006 There are printf-style format string bugs in several privileged programs.
Reference: MISC:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch

Format string vulnerabilities in OpenBSD ssh program (and possibly
other BSD-based operating systems) allow attackers to gain root
privileges.

Analysis
----------------
ED_PRI CAN-2000-0999 1
Vendor Acknowledgement: yes

CD:SF-LOC applies because there are multiple lines of code in ssh that
have the vulnerabilities - see the OpenBSD patch info - but how to
indicate the differences in a CVE description?

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1011
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1011
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc

Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and
possibly other OSes, allows local users to gain root privileges via a
long environmental variable.

Analysis
----------------
ED_PRI CAN-2000-1011 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1058
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1058
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: SF
Reference: BUGTRAQ:20000926 DST2K0014: BufferOverrun in HP Openview Network Node Manager v6.1 (Round2)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97004856403173&w=2
Reference: HP:HPSBUX0009-121
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0274.html
Reference: XF:openview-nmm-snmp-bo
Reference: URL:http://xforce.iss.net/static/5282.php

Buffer overflow in OverView5 CGI program in HP OpenView Network Node
Manager (NNM) 6.1 and earlier allows remote attackers to cause a
denial of service, and possibly execute arbitrary commands, in the
SNMP service (snmp.exe), aka the "Java SNMP MIB Browser Object ID
parsing problem."

Analysis
----------------
ED_PRI CAN-2000-1058 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0900
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001002 thttpd ssi: retrieval of arbitrary world-readable files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0025.html
Reference: XF:acme-thttpd-ssi
Reference: URL:http://xforce.iss.net/static/5313.php
Reference: BID:1737
Reference: URL:http://www.securityfocus.com/bid/1737

Directory traversal vulnerability in ssi CGI program in thttpd 2.19
and earlier allows remote attackers to read arbitrary files via a
"%2e%2e" string, a variation of the .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0900 2
Vendor Acknowledgement: yes changelog

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0930
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0930
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001003 Pegasus mail file reading vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0039.html
Reference: BUGTRAQ:20001030 Pegasus Mail file reading vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0436.html
Reference: BID:1738
Reference: URL:http://www.securityfocus.com/bid/1738
Reference: XF:pegasus-file-forwarding
Reference: URL:http://xforce.iss.net/static/5326.php

Pegasus Mail 3.12 allows remote attackers to read arbitrary files via
an embedded URL that calls the mailto: protocol with a -F switch.

Analysis
----------------
ED_PRI CAN-2000-0930 2
Vendor Acknowledgement: yes patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0932
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0932
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: NTBUGTRAQ:20000926 FW: DOS for Content Technologies' MAILsweeper for SMTP.
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0181.html

MAILsweeper for SMTP 3.x does not properly handle corrupt CDA
documents in a ZIP file and hangs, which allows remote attackers to
cause a denial of service.

Analysis
----------------
ED_PRI CAN-2000-0932 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1059
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: CF
Reference: BUGTRAQ:20000929 Mandrake 7.1 bypasses Xauthority X session security.
Reference: URL:http://www.securityfocus.com/archive/1/136495
Reference: MANDRAKE:MDKSA-2000:052
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-052.php3
Reference: BID:1735
Reference: URL:http://www.securityfocus.com/bid/1735
Reference: XF:xinitrc-bypass-xauthority
Reference: URL:http://xforce.iss.net/static/5305.php

The default configuration of the Xsession file in Mandrake Linux 7.1
and 7.0 bypasses the Xauthority access control mechanism with an
"xhost + localhost" command, which allows local users to sniff X
Windows events and gain privileges.

Analysis
----------------
ED_PRI CAN-2000-1059 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0906
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category:
Reference: BUGTRAQ:20001002 Moreover Cached_Feed CGI Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0013.html
Reference: XF:moreover-cgi-dir-traverse
Reference: URL:http://xforce.iss.net/static/5334.php
Reference: BID:1762
Reference: URL:http://www.securityfocus.com/bid/1762

Directory traversal vulnerability in Moreover.com cached_feed.cgi
script version 4.July.00 allows remote attackers to read arbitrary
files via a .. (dot dot) attack on the category or format parameters.

Analysis
----------------
ED_PRI CAN-2000-0906 3
Vendor Acknowledgement: unknown poster claimed, generic comment
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0907
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0907
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: WIN2KSEC:20000925 DST2K0030: DoS in EServ 2.92 Build 2982
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0131.html

EServ 2.92 Build 2982 allows remote attackers to cause a denial of
service and possibly execute arbitrary commands via long HELO and MAIL
FROM commands.

Analysis
----------------
ED_PRI CAN-2000-0907 3
Vendor Acknowledgement: no discloser attempted contact
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0925
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0925
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: CF
Reference: BUGTRAQ:20001002 DST2K0035: Credit card (customer) details exposed within CyberOffice Shopping Cart v2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97050819812055&w=2
Reference: WIN2KSEC:20001002 DST2K0035: Credit card (customer) details exposed within CyberOffice Shopping Cart v2
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0001.html
Reference: BID:1734
Reference: URL:http://www.securityfocus.com/bid/1734

The default installation of SmartWin CyberOffice Shopping Cart 2 (aka
CyberShop) installs the _private directory with world readable
permissions, which allows remote attackers to obtain sensitive
information.

Analysis
----------------
ED_PRI CAN-2000-0925 3
Vendor Acknowledgement: unknown claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0926
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0926
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001002 DST2K0036: Price modification possible in CyberOffice Shopping Cart
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97050627707128&w=2
Reference: WIN2KSEC:20001002 DST2K0036: Price modification possible in CyberOffice Shopping Cart
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0000.html
Reference: BID:1733
Reference: URL:http://www.securityfocus.com/bid/1733

SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) allows remote
attackers to modify price information by changing the "Price" hidden
form variable.

Analysis
----------------
ED_PRI CAN-2000-0926 3
Vendor Acknowledgement: unknown claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0927
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0927
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: NTBUGTRAQ:20000928 DST2K0037: QuotaAdvisor 4.1 by WQuinn is susceptible to alternative datastreams to bypass quotas.
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0173.html
Reference: BUGTRAQ:20000928 DST2K0037: QuotaAdvisor 4.1 by WQuinn is susceptible to alternative datastreams to bypass quotas.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09//0331.html
Reference: BID:1724
Reference: URL:http://www.securityfocus.com/bid/1724
Reference: XF:quotaadvisor-quota-bypass
Reference: URL:http://xforce.iss.net/static/5302.php

WQuinn QuotaAdvisor 4.1 does not properly record file sizes if they
are stored in alternative data streams, which allows users to bypass
quota restrictions.

Analysis
----------------
ED_PRI CAN-2000-0927 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0931
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0931
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001004 Another Pegasus Mail vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/137518
Reference: BID:1750
Reference: URL:http://www.securityfocus.com/bid/1750

Buffer overflow in Pegasus Mail 3.11 allows remote attackers to cause
a denial of service and possibly execute arbitrary commands via a long
email message containing binary data.

Analysis
----------------
ED_PRI CAN-2000-0931 3
Vendor Acknowledgement: unknown claimed informed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0959
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0959
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000926 ld.so bug - LD_DEBUG_OUTPUT follows symlinks
Reference: URL:http://www.securityfocus.com/archive/1/85028
Reference: BID:1719
Reference: URL:http://www.securityfocus.com/bid/1719
Reference: XF:glibc-unset-symlink
Reference: URL:http://xforce.iss.net/static/5299.php

glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG
environmental variables when a program is spawned from a setuid
program, which could allow local users to overwrite files via a
symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0959 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0964
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0964
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000928 Another thingy.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0336.html
Reference: BID:1727
Reference: URL:http://www.securityfocus.com/bid/1727
Reference: XF:hinet-ipphone-get-bo
Reference: URL:http://xforce.iss.net/static/5298.php

Buffer overflow in the web administration service for the HiNet LP5100
IP-phone allows remote attackers to cause a denial of service and
possibly execute arbitrary commands via a long GET request.

Analysis
----------------
ED_PRI CAN-2000-0964 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0992
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0992
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000930 scp file transfer hole
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0359.html
Reference: MANDRAKE:MDKSA-2000:057
Reference: BID:1742
Reference: URL:http://www.securityfocus.com/bid/1742

Directory traversal vulnerability in scp in sshd 1.2.xx allows a
remote malicious scp server to overwrite arbitrary files via a .. (dot
dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0992 3
Vendor Acknowledgement: unknown claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1000
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1000
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001003 AOL Instant Messenger DoS
Reference: URL:http://www.securityfocus.com/archive/1/137374
Reference: BID:1747
Reference: URL:http://www.securityfocus.com/bid/1747
Reference: XF:aim-file-transfer-dos
Reference: URL:http://xforce.iss.net/static/5314.php

Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010
allows remote attackers to cause a denial of service and possibly
execute arbitrary commands by transferring a file whose name includes
format characters.

Analysis
----------------
ED_PRI CAN-2000-1000 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1004
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1004
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001004 Re: OpenBSD Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97068555106135&w=2
Reference: XF:bsd-photurisd-format
Reference: URL:http://xforce.iss.net/static/5336.php

Format string vulnerability in OpenBSD photurisd allows local users to
execute arbitrary commands via a configuration file directory name
that contains formatting characters.

Analysis
----------------
ED_PRI CAN-2000-1004 3
Vendor Acknowledgement:

This was initially assigned BID:1755, but that BID is no longer
available.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1008
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1008
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: ATSTAKE:A092600-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a092600-1.txt
Reference: BID:1715
Reference: URL:http://www.securityfocus.com/bid/1715

PalmOS 3.5.2 and earlier uses weak encryption to store the user
password, which allows attackers with physical access to the Palm
device to decrypt the password and gain access to the device.

Analysis
----------------
ED_PRI CAN-2000-1008 3
Vendor Acknowledgement: yes severity disputed
Content Decisions: DESIGN-WEAK-ENCRYPTION

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1012
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1012
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc

The catopen function in FreeBSD 5.0 and earlier, and possibly other
OSes, allows local users to read arbitrary files via the LANG
environmental variable.

Analysis
----------------
ED_PRI CAN-2000-1012 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Analysis of the patches suggested by FreeBSD reveals that the LANG
variable was the culprit.

ABSTRACTION:

CD:SF-LOC dictates that catopen() and setlocale() should be split,
since they are different bugs on different lines of code in different
source files.  This was inferred by examining the FreeBSD patches.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1013
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1013
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:53
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:53.catopen.asc

The setlocale function in FreeBSD 5.0 and earlier, and possibly other
OSes, allows local users to read arbitrary files via the LANG
environmental variable.

Analysis
----------------
ED_PRI CAN-2000-1013 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Analysis of the patches suggested by FreeBSD reveals that the LANG
variable was the culprit.

ABSTRACTION:

CD:SF-LOC dictates that catopen() and setlocale() should be split,
since they are different bugs on different lines of code in different
source files.  This was inferred by examining the FreeBSD patches.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1014
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1014
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000927 Unixware SCOhelp http server format string vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0325.html
Reference: BID:1717
Reference: URL:http://www.securityfocus.com/bid/1717
Reference: XF:unixware-scohelp-format
Reference: URL:http://xforce.iss.net/static/5291.php

Format string vulnerability in the search97.cgi CGI script in SCO help
http server for Unixware 7 allows remote attackers to execute
arbitrary commands via format characters in the queryText parameter.

Analysis
----------------
ED_PRI CAN-2000-1014 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1015
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1015
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: CF
Reference: BUGTRAQ:20000929 Default admin password with Slashcode.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0366.html
Reference: BID:1731
Reference: URL:http://www.securityfocus.com/bid/1731
Reference: XF:slashcode-default-admin-passwords
Reference: URL:http://xforce.iss.net/static/5306.php

The default configuration of Slashcode before version 2.0 Alpha has a
default administrative password, which allows remote attackers to gain
Slashcode privileges and possibly execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2000-1015 3
Vendor Acknowledgement: yes post
Content Decisions: CF-PASS

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1017
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category:
Reference: BUGTRAQ:20001002 DST2K0039: Webteachers Webdata: Importing files lower than web root possible in to database
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0007.html
Reference: BUGTRAQ:20001003 Update to DST2K0039: Webteachers Webdata: Importing files lower than web root possible in to database
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0032.html
Reference: BID:1732
Reference: URL:http://www.securityfocus.com/bid/1732

Webteachers Webdata allows remote attackers with valid Webdata
accounts to read arbitrary files by posting a request to import the
file into the WebData database.

Analysis
----------------
ED_PRI CAN-2000-1017 3
Vendor Acknowledgement: unknown claimed patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1027
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1027
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20001003 Cisco PIX Firewall allow external users to discover internal IPs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97059440000367&w=2
Reference: BID:1877
Reference: URL:http://www.securityfocus.com/bid/1877

Cisco Secure PIX Firewall 5.2(2) allows remote attackers to determine
the real IP address of a target FTP server by flooding the server with
PASV requests, which includes the real IP address in the response when
passive mode is established.

Analysis
----------------
ED_PRI CAN-2000-1027 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1060
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1060
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001129
Category: CF
Reference: BUGTRAQ:20001002 Local vulnerability in XFCE 3.5.1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0022.html
Reference: BID:1736
Reference: URL:http://www.securityfocus.com/bid/1736
Reference: XF:xinitrc-bypass-xauthority
Reference: URL:http://xforce.iss.net/static/5305.php

The default configuration of XFCE 3.5.1 bypasses the Xauthority access
control mechanism with an "xhost + localhost" command in the xinitrc
program, which allows local users to sniff X Windows traffic and gain
privileges.

Analysis
----------------
ED_PRI CAN-2000-1060 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007