[Date Prev][
Date Next][Thread Prev][
Thread Next][
Date Index][
Thread Index]
[INTERIM] ACCEPT 12 candidates from 1999 (Final 5/7)
I have made an Interim Decision to ACCEPT the following 12 candidates,
all of which were proposed in 1999.
I will make a Final Decision on May 7.
These candidates can be accepted at this time due to one or more of
the following factors:
- an Editorial Board member from a software vendor has voted to
accept a candidate in their own product (recent offline activities
collected these "missing" votes)
- vendor acknowledgement has been located and recorded
- David Baker has used MITRE's "right-to-vote" to accept these
candidates
Voters:
Levy REVIEWING(2)
Shostack NOOP(2)
Wall NOOP(3)
LeBlanc ACCEPT(1)
Cole ACCEPT(8)
Baker ACCEPT(12)
Dik ACCEPT(1)
Frech MODIFY(4)
Christey NOOP(3)
Northcutt ACCEPT(1) NOOP(3)
Bollinger ACCEPT(1)
Prosser NOOP(1)
======================================================
Candidate: CAN-1999-0115
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0115
Final-Decision:
Interim-Decision: 20010502
Modified: 20010501-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler
Reference: BID:1800
Reference: URL:http://www.securityfocus.com/bid/1800
AIX bugfiler program allows local users to gain root access.
Modifications:
ADDREF BUGTRAQ:19970909 AIX bugfiler
ADDREF XF:ibm-bugfiler
ADDREF BID:1800
INFERRED ACTION: CAN-1999-0115 ACCEPT_REV (3 accept, 1 ack, 1 review)
Current Votes:
ACCEPT(2) Baker, Bollinger
MODIFY(1) Frech
NOOP(4) Christey, Northcutt, Shostack, Wall
REVIEWING(1) Levy
Voter Comments:
Frech> XF:ibm-bugfiler
Christey> I could not find any acknowledgement of this bug on the IBM
web site.
Christey> BID:1800
URL:http://www.securityfocus.com/bid/1800
======================================================
Candidate: CAN-1999-0223
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0223
Final-Decision:
Interim-Decision: 20010502
Modified: 20010501-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4
Reference: SUNBUG:1249320
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
Reference: XF:sol-syslogd-crash
Reference: BID:1878
Solaris syslogd crashes when receiving a message from a host that
doesn't have an inverse DNS entry.
Modifications:
ADDREF BUGTRAQ:19961109 Syslogd and Solaris 2.4
ADDREF XF:sol-syslogd-crash
ADDREF SUNBUG:1249320
ADDREF CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
ADDREF BID:1878
INFERRED ACTION: CAN-1999-0223 ACCEPT_REV (3 accept, 2 ack, 1 review)
Current Votes:
ACCEPT(2) Dik, Baker
MODIFY(1) Frech
NOOP(4) Christey, Northcutt, Shostack, Wall
REVIEWING(1) Levy
Voter Comments:
Frech> XF:sol-syslogd-crash
Dik> bug 1249320
Christey> BID:1878
URL:http://www.securityfocus.com/bid/1878
======================================================
Candidate: CAN-1999-0268
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0268
Final-Decision:
Interim-Decision: 20010502
Modified: 20010425-02
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products
Reference: XF:metaweb-server-dot-attack
MetaInfo MetaWeb web server allows users to upload and execute scripts.
Modifications:
ADDREF XF:metaweb-server-dot-attack
INFERRED ACTION: CAN-1999-0268 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
NOOP(1) Prosser
Voter Comments:
Frech> Normalize Bugtraq reference; suggestion:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fstart%3D1998-06-27%26fromthread%3D0%26mid%3D9727%26list%3D1%26threads%3D0%26end%3D1998-07-03%26
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:metaweb-server-dot-attack
======================================================
Candidate: CAN-1999-0608
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0608
Final-Decision:
Interim-Decision: 20010502
Modified: 20010425-01
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: CONFIRM:http://www.pdgsoft.com/Security/security.html.
Reference: XF:pdgsoftcart-misconfig(3857)
An incorrect configuration of the PDG Shopping Cart CGI program
"shopper.cgi" could disclose private information.
Modifications:
ADDREF CONFIRM:http://www.pdgsoft.com/Security/security.html.
ADDREF XF:pdgsoftcart-misconfig(3857)
INFERRED ACTION: CAN-1999-0608 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Christey, Northcutt
Voter Comments:
Frech> XF:pdgsoftcart-misconfig(3857)
Christey> CONFIRM:http://www.pdgsoft.com/Security/security.html.
The statement reads:
Recently, PDG Software, Inc. has been associated with speculations
on the security of Web stores running shopping cart software... The
speculation revealed a security "hole" on several online stores,
rendering sensitive information vulnerable to fraud. PDG Software
isolated the problem and offered assistance to server administrators
to close the potential hole. It is important to understand that the
problem stems not from the shopping cart software itself, but rather
from improper installation of the software.
Also see http://ecommerce.internet.com/outlook/article/0,1467,7761_239511,00.html
======================================================
Candidate: CAN-1999-0681
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0681
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990807 Crash FrontPage Remotely...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999-q3/0381.html
Reference: XF:frontpage-pws-dos
Reference: URL:http://xforce.iss.net/static/3117.php
Reference: BID:568
Reference: URL:http://www.securityfocus.com/bid/568
Buffer overflow in Microsoft FrontPage Server Extensions (PWS)
3.0.2.926 on Windows 95, and possibly other versions, allows remote
attackers to cause a denial of service via a long URL.
INFERRED ACTION: CAN-1999-0681 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) LeBlanc, Baker, Cole
Voter Comments:
LeBlanc> Fixed in some FrontPage update - I don't recall which.
======================================================
Candidate: CAN-1999-0729
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0729
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ISS:19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6
Reference: URL:http://xforce.iss.net/alerts/advise34.php
Reference: CIAC:J-061
Reference: URL:http://www.ciac.org/ciac/bulletins/j-061.shtml
Reference: BID:601
Reference: URL:http://www.securityfocus.com/bid/601
Reference: XF:lotus-ldap-bo
Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to
conduct a denial of service through the ldap_search request.
INFERRED ACTION: CAN-1999-0729 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
======================================================
Candidate: CAN-1999-0758
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0758
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-06
Reference: XF:netscape-space-view
Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote
attacker to view source code to scripts by appending a %20 to the
script's URL.
INFERRED ACTION: CAN-1999-0758 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
======================================================
Candidate: CAN-1999-0760
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0760
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-10
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=11714&Method=Full
Reference: BID:550
Reference: URL:http://www.securityfocus.com/bid/550
Reference: XF:coldfusion-server-cfml-tags
Reference: URL:http://xforce.iss.net/static/3288.php
Undocumented ColdFusion Markup Language (CFML) tags and functions in
the ColdFusion Administrator allow users to gain additional
privileges.
INFERRED ACTION: CAN-1999-0760 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
======================================================
Candidate: CAN-1999-0800
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0800
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-05
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=9602&Method=Full
Reference: NTBUGTRAQ:19990211 ACFUG List: Alert: Allaire Forums GetFile bug
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00332.html
The GetFile.cfm file in Allaire Forums allows remote attackers to read
files through a parameter to GetFile.cfm.
INFERRED ACTION: CAN-1999-0800 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
======================================================
Candidate: CAN-1999-0922
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0922
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Reference: XF:coldfusion-sourcewindow
An example application in ColdFusion Server 4.0 allows remote
attackers to view source code via the sourcewindow.cfm file.
INFERRED ACTION: CAN-1999-0922 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
======================================================
Candidate: CAN-1999-0924
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0924
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to
conduct a denial of service.
INFERRED ACTION: CAN-1999-0924 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole
======================================================
Candidate: CAN-1999-0945
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0945
Final-Decision:
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ISS:19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5
Reference: URL:http://xforce.iss.net/alerts/advise4.php
Reference: CIAC:I-080
Reference: URL:http://www.ciac.org/ciac/bulletins/i-080.shtml
Reference: MSKB:Q169174
Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange
5.5 and 5.0 allows remote attackers to conduct a denial of service via
AUTH or AUTHINFO commands.
INFERRED ACTION: CAN-1999-0945 ACCEPT_ACK (2 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(2) Baker, Cole