[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[INTERIM] ACCEPT 12 candidates from 1999 (Final 5/7)



I have made an Interim Decision to ACCEPT the following 12 candidates,
all of which were proposed in 1999.

I will make a Final Decision on May 7.

These candidates can be accepted at this time due to one or more of
the following factors:

- an Editorial Board member from a software vendor has voted to
  accept a candidate in their own product (recent offline activities
  collected these "missing" votes)
- vendor acknowledgement has been located and recorded
- David Baker has used MITRE's "right-to-vote" to accept these
  candidates


Voters:
  Levy REVIEWING(2)
  Shostack NOOP(2)
  Wall NOOP(3)
  LeBlanc ACCEPT(1)
  Cole ACCEPT(8)
  Baker ACCEPT(12)
  Dik ACCEPT(1)
  Frech MODIFY(4)
  Christey NOOP(3)
  Northcutt ACCEPT(1) NOOP(3)
  Bollinger ACCEPT(1)
  Prosser NOOP(1)



======================================================
Candidate: CAN-1999-0115
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0115
Final-Decision:
Interim-Decision: 20010502
Modified: 20010501-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler
Reference: BID:1800
Reference: URL:http://www.securityfocus.com/bid/1800

AIX bugfiler program allows local users to gain root access.


Modifications:
  ADDREF BUGTRAQ:19970909 AIX bugfiler
  ADDREF XF:ibm-bugfiler
  ADDREF BID:1800

INFERRED ACTION: CAN-1999-0115 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Baker, Bollinger
   MODIFY(1) Frech
   NOOP(4) Christey, Northcutt, Shostack, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:ibm-bugfiler
 Christey> I could not find any acknowledgement of this bug on the IBM
   web site.
 Christey> BID:1800
   URL:http://www.securityfocus.com/bid/1800


======================================================
Candidate: CAN-1999-0223
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0223
Final-Decision:
Interim-Decision: 20010502
Modified: 20010501-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4
Reference: SUNBUG:1249320
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
Reference: XF:sol-syslogd-crash
Reference: BID:1878

Solaris syslogd crashes when receiving a message from a host that
doesn't have an inverse DNS entry.


Modifications:
  ADDREF BUGTRAQ:19961109 Syslogd and Solaris 2.4
  ADDREF XF:sol-syslogd-crash
  ADDREF SUNBUG:1249320
  ADDREF CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
  ADDREF BID:1878

INFERRED ACTION: CAN-1999-0223 ACCEPT_REV (3 accept, 2 ack, 1 review)

Current Votes:
   ACCEPT(2) Dik, Baker
   MODIFY(1) Frech
   NOOP(4) Christey, Northcutt, Shostack, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:sol-syslogd-crash
 Dik> bug 1249320
 Christey> BID:1878
   URL:http://www.securityfocus.com/bid/1878


======================================================
Candidate: CAN-1999-0268
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0268
Final-Decision:
Interim-Decision: 20010502
Modified: 20010425-02
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products
Reference: XF:metaweb-server-dot-attack

MetaInfo MetaWeb web server allows users to upload and execute scripts.


Modifications:
  ADDREF XF:metaweb-server-dot-attack

INFERRED ACTION: CAN-1999-0268 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser

Voter Comments:
 Frech> Normalize Bugtraq reference; suggestion:
   http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fstart%3D1998-06-27%26fromthread%3D0%26mid%3D9727%26list%3D1%26threads%3D0%26end%3D1998-07-03%26
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:metaweb-server-dot-attack


======================================================
Candidate: CAN-1999-0608
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0608
Final-Decision:
Interim-Decision: 20010502
Modified: 20010425-01
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: CONFIRM:http://www.pdgsoft.com/Security/security.html.
Reference: XF:pdgsoftcart-misconfig(3857)

An incorrect configuration of the PDG Shopping Cart CGI program
"shopper.cgi" could disclose private information.


Modifications:
  ADDREF CONFIRM:http://www.pdgsoft.com/Security/security.html.
  ADDREF XF:pdgsoftcart-misconfig(3857)

INFERRED ACTION: CAN-1999-0608 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Christey, Northcutt

Voter Comments:
 Frech> XF:pdgsoftcart-misconfig(3857)
 Christey> CONFIRM:http://www.pdgsoft.com/Security/security.html.
   The statement reads:

   Recently, PDG Software, Inc. has been associated with speculations
   on the security of Web stores running shopping cart software...  The
   speculation revealed a security "hole" on several online stores,
   rendering sensitive information vulnerable to fraud.  PDG Software
   isolated the problem and offered assistance to server administrators
   to close the potential hole.  It is important to understand that the
   problem stems not from the shopping cart software itself, but rather
   from improper installation of the software.

   Also see http://ecommerce.internet.com/outlook/article/0,1467,7761_239511,00.html


======================================================
Candidate: CAN-1999-0681
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0681
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990807 Crash FrontPage Remotely...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999-q3/0381.html
Reference: XF:frontpage-pws-dos
Reference: URL:http://xforce.iss.net/static/3117.php
Reference: BID:568
Reference: URL:http://www.securityfocus.com/bid/568

Buffer overflow in Microsoft FrontPage Server Extensions (PWS)
3.0.2.926 on Windows 95, and possibly other versions, allows remote
attackers to cause a denial of service via a long URL.

INFERRED ACTION: CAN-1999-0681 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) LeBlanc, Baker, Cole

Voter Comments:
 LeBlanc> Fixed in some FrontPage update - I don't recall which.


======================================================
Candidate: CAN-1999-0729
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0729
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ISS:19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6
Reference: URL:http://xforce.iss.net/alerts/advise34.php
Reference: CIAC:J-061
Reference: URL:http://www.ciac.org/ciac/bulletins/j-061.shtml
Reference: BID:601
Reference: URL:http://www.securityfocus.com/bid/601
Reference: XF:lotus-ldap-bo

Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to
conduct a denial of service through the ldap_search request.

INFERRED ACTION: CAN-1999-0729 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole


======================================================
Candidate: CAN-1999-0758
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0758
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-06
Reference: XF:netscape-space-view

Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote
attacker to view source code to scripts by appending a %20 to the
script's URL.

INFERRED ACTION: CAN-1999-0758 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole


======================================================
Candidate: CAN-1999-0760
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0760
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-10
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=11714&Method=Full
Reference: BID:550
Reference: URL:http://www.securityfocus.com/bid/550
Reference: XF:coldfusion-server-cfml-tags
Reference: URL:http://xforce.iss.net/static/3288.php

Undocumented ColdFusion Markup Language (CFML) tags and functions in
the ColdFusion Administrator allow users to gain additional
privileges.

INFERRED ACTION: CAN-1999-0760 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole


======================================================
Candidate: CAN-1999-0800
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0800
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-05
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=9602&Method=Full
Reference: NTBUGTRAQ:19990211 ACFUG List: Alert: Allaire Forums GetFile bug
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00332.html

The GetFile.cfm file in Allaire Forums allows remote attackers to read
files through a parameter to GetFile.cfm.

INFERRED ACTION: CAN-1999-0800 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole


======================================================
Candidate: CAN-1999-0922
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0922
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Reference: XF:coldfusion-sourcewindow

An example application in ColdFusion Server 4.0 allows remote
attackers to view source code via the sourcewindow.cfm file.

INFERRED ACTION: CAN-1999-0922 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole


======================================================
Candidate: CAN-1999-0924
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0924
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full

The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to
conduct a denial of service.

INFERRED ACTION: CAN-1999-0924 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole


======================================================
Candidate: CAN-1999-0945
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0945
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ISS:19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5
Reference: URL:http://xforce.iss.net/alerts/advise4.php
Reference: CIAC:I-080
Reference: URL:http://www.ciac.org/ciac/bulletins/i-080.shtml
Reference: MSKB:Q169174

Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange
5.5 and 5.0 allows remote attackers to conduct a denial of service via
AUTH or AUTHINFO commands.

INFERRED ACTION: CAN-1999-0945 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole

Page Last Updated or Reviewed: May 22, 2007