[FINAL] ACCEPT 12 candidates from 1999



I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below.  The
resulting CVE entries will be published in the near future in a new
version of CVE.  Voting details and comments are provided at the end
of this report.

- Steve


Candidate	CVE Name
---------	----------
CAN-1999-0115	CVE-1999-0115
CAN-1999-0223	CVE-1999-0223
CAN-1999-0268	CVE-1999-0268
CAN-1999-0608	CVE-1999-0608
CAN-1999-0681	CVE-1999-0681
CAN-1999-0729	CVE-1999-0729
CAN-1999-0758	CVE-1999-0758
CAN-1999-0760	CVE-1999-0760
CAN-1999-0800	CVE-1999-0800
CAN-1999-0922	CVE-1999-0922
CAN-1999-0924	CVE-1999-0924
CAN-1999-0945	CVE-1999-0945


======================================================
Candidate: CAN-1999-0115
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0115
Final-Decision: 20010507
Interim-Decision: 20010502
Modified: 20010501-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler
Reference: BID:1800
Reference: URL:http://www.securityfocus.com/bid/1800

AIX bugfiler program allows local users to gain root access.


Modifications:
  ADDREF BUGTRAQ:19970909 AIX bugfiler
  ADDREF XF:ibm-bugfiler
  ADDREF BID:1800

INFERRED ACTION: CAN-1999-0115 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(2) Baker, Bollinger
   MODIFY(1) Frech
   NOOP(4) Christey, Northcutt, Shostack, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:ibm-bugfiler
 Christey> I could not find any acknowledgement of this bug on the IBM
   web site.
 Christey> BID:1800
   URL:http://www.securityfocus.com/bid/1800


======================================================
Candidate: CAN-1999-0223
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0223
Final-Decision: 20010507
Interim-Decision: 20010502
Modified: 20010501-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4
Reference: SUNBUG:1249320
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
Reference: XF:sol-syslogd-crash
Reference: BID:1878

Solaris syslogd crashes when receiving a message from a host that
doesn't have an inverse DNS entry.


Modifications:
  ADDREF BUGTRAQ:19961109 Syslogd and Solaris 2.4
  ADDREF XF:sol-syslogd-crash
  ADDREF SUNBUG:1249320
  ADDREF CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?patchid=103291&collection=fpatches
  ADDREF BID:1878

INFERRED ACTION: CAN-1999-0223 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(2) Dik, Baker
   MODIFY(1) Frech
   NOOP(4) Christey, Northcutt, Shostack, Wall
   REVIEWING(1) Levy

Voter Comments:
 Frech> XF:sol-syslogd-crash
 Dik> bug 1249320
 Christey> BID:1878
   URL:http://www.securityfocus.com/bid/1878


======================================================
Candidate: CAN-1999-0268
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0268
Final-Decision: 20010507
Interim-Decision: 20010502
Modified: 20010425-02
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products
Reference: XF:metaweb-server-dot-attack

MetaInfo MetaWeb web server allows users to upload and execute scripts.


Modifications:
  ADDREF XF:metaweb-server-dot-attack

INFERRED ACTION: CAN-1999-0268 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(2) Baker, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser

Voter Comments:
 Frech> Normalize Bugtraq reference; suggestion:
   http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fstart%3D1998-06-27%26fromthread%3D0%26mid%3D9727%26list%3D1%26threads%3D0%26end%3D1998-07-03%26
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:metaweb-server-dot-attack


======================================================
Candidate: CAN-1999-0608
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0608
Final-Decision: 20010507
Interim-Decision: 20010502
Modified: 20010425-01
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: CONFIRM:http://www.pdgsoft.com/Security/security.html.
Reference: XF:pdgsoftcart-misconfig(3857)

An incorrect configuration of the PDG Shopping Cart CGI program
"shopper.cgi" could disclose private information.


Modifications:
  ADDREF CONFIRM:http://www.pdgsoft.com/Security/security.html.
  ADDREF XF:pdgsoftcart-misconfig(3857)

INFERRED ACTION: CAN-1999-0608 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Wall, Christey, Northcutt

Voter Comments:
 Frech> XF:pdgsoftcart-misconfig(3857)
 Christey> CONFIRM:http://www.pdgsoft.com/Security/security.html.
   The statement reads:

   Recently, PDG Software, Inc. has been associated with speculations
   on the security of Web stores running shopping cart software...  The
   speculation revealed a security "hole" on several online stores,
   rendering sensitive information vulnerable to fraud.  PDG Software
   isolated the problem and offered assistance to server administrators
   to close the potential hole.  It is important to understand that the
   problem stems not from the shopping cart software itself, but rather
   from improper installation of the software.

   Also see http://ecommerce.internet.com/outlook/article/0,1467,7761_239511,00.html


======================================================
Candidate: CAN-1999-0681
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0681
Final-Decision: 20010507
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990807 Crash FrontPage Remotely...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999-q3/0381.html
Reference: XF:frontpage-pws-dos
Reference: URL:http://xforce.iss.net/static/3117.php
Reference: BID:568
Reference: URL:http://www.securityfocus.com/bid/568

Buffer overflow in Microsoft FrontPage Server Extensions (PWS)
3.0.2.926 on Windows 95, and possibly other versions, allows remote
attackers to cause a denial of service via a long URL.

INFERRED ACTION: CAN-1999-0681 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(4) LeBlanc, Frech, Baker, Cole

Voter Comments:
 LeBlanc> Fixed in some FrontPage update - I don't recall which.


======================================================
Candidate: CAN-1999-0729
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0729
Final-Decision: 20010507
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ISS:19990823 Denial of Service Attack against Lotus Notes Domino Server 4.6
Reference: URL:http://xforce.iss.net/alerts/advise34.php
Reference: CIAC:J-061
Reference: URL:http://www.ciac.org/ciac/bulletins/j-061.shtml
Reference: BID:601
Reference: URL:http://www.securityfocus.com/bid/601
Reference: XF:lotus-ldap-bo

Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to
conduct a denial of service through the ldap_search request.

INFERRED ACTION: CAN-1999-0729 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(3) Frech, Baker, Cole


======================================================
Candidate: CAN-1999-0758
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0758
Final-Decision: 20010507
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-06
Reference: XF:netscape-space-view

Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote
attacker to view source code to scripts by appending a %20 to the
script's URL.

INFERRED ACTION: CAN-1999-0758 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(3) Frech, Baker, Cole


======================================================
Candidate: CAN-1999-0760
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0760
Final-Decision: 20010507
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-10
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=11714&Method=Full
Reference: BID:550
Reference: URL:http://www.securityfocus.com/bid/550
Reference: XF:coldfusion-server-cfml-tags
Reference: URL:http://xforce.iss.net/static/3288.php

Undocumented ColdFusion Markup Language (CFML) tags and functions in
the ColdFusion Administrator allow users to gain additional
privileges.

INFERRED ACTION: CAN-1999-0760 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(3) Frech, Baker, Cole


======================================================
Candidate: CAN-1999-0800
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0800
Final-Decision: 20010507
Interim-Decision: 20010502
Modified: 20010502-01
Proposed: 20010214
Assigned: 19991125
Category: SF
Reference: ALLAIRE:ASB99-05
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=9602&Method=Full
Reference: NTBUGTRAQ:19990211 ACFUG List: Alert: Allaire Forums GetFile bug
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00332.html
Reference: XF:allaire-forums-file-read(1748)

The GetFile.cfm file in Allaire Forums allows remote attackers to read
files through a parameter to GetFile.cfm.


Modifications:
  ADDREF XF:allaire-forums-file-read(1748)

INFERRED ACTION: CAN-1999-0800 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:allaire-forums-file-read(1748)


======================================================
Candidate: CAN-1999-0922
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0922
Final-Decision: 20010507
Interim-Decision: 20010502
Modified:
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Reference: XF:coldfusion-sourcewindow

An example application in ColdFusion Server 4.0 allows remote
attackers to view source code via the sourcewindow.cfm file.

INFERRED ACTION: CAN-1999-0922 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(3) Frech, Baker, Cole


======================================================
Candidate: CAN-1999-0924
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0924
Final-Decision: 20010507
Interim-Decision: 20010502
Modified: 20010502-01
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Reference: XF:coldfusion-syntax-checker(1742)

The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to
conduct a denial of service.


Modifications:
  ADDREF XF:coldfusion-syntax-checker(1742)

INFERRED ACTION: CAN-1999-0924 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:coldfusion-syntax-checker(1742)


======================================================
Candidate: CAN-1999-0945
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0945
Final-Decision: 20010507
Interim-Decision: 20010502
Modified: 20010502-01
Proposed: 20010214
Assigned: 19991208
Category: SF
Reference: ISS:19980724 Denial of Service attacks against Microsoft Exchange 5.0 to 5.5
Reference: URL:http://xforce.iss.net/alerts/advise4.php
Reference: CIAC:I-080
Reference: URL:http://www.ciac.org/ciac/bulletins/i-080.shtml
Reference: MSKB:Q169174
Reference: XF:exchange-dos(1223)

Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange
5.5 and 5.0 allows remote attackers to conduct a denial of service via
AUTH or AUTHINFO commands.


Modifications:
  ADDREF XF:exchange-dos(1223)

INFERRED ACTION: CAN-1999-0945 FINAL (Final Decision 20010507)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:exchange-dos(1223)

Page Last Updated or Reviewed: May 22, 2007