[TECH] CD:VAGUE and its effect on 46 candidates



46 candidates have enough ACCEPT votes to be moved to Interim Decision
and ultimately be promoted to CVE entries.  However, they are being
held back due to the issues regarding CD:VAGUE.

The total number of CANs that are *really* affected by CD:VAGUE is
uncertain.  I only labeled the CANs that I was considering for Interim
Decision, which is a subset of all active CANs (others don't have
enough votes, were already labeled with other CDs, etc.).  Some CVE
entries may also be affected.

As I reviewed the candidates, I ran into a few issues:

1) How vague is *too* vague?  Some vulnerability reports give you an
   idea of the attack vector without describing the underlying
   vulnerability, or vice versa.  Examples: CAN-1999-1287,
   CAN-1999-1308, CAN-1999-1313, CAN-1999-1314, CAN-1999-1362,
   CAN-1999-1391, CAN-1999-1392, CAN-1999-1554, CAN-2001-0101.

2) I was not initially aware that CD:VAGUE was an issue until some
   Board members brought it up in their voting comments.  In fact,
   many CD's arise as a result of voting comments.

   This led me to realize that Board members who vote on candidates
   can drive the creation of content decisions, because they question
   the assumptions of CVE, or they indirectly reinforce them.
   Non-voting members are implicitly trusting that voting members will
   find any CD-related issues that the non-voting members care about.

3) To illuminate #2, here are the voters for the 46 CANs that could be
   ACCEPTed today were it not for CD:VAGUE:

     Green ACCEPT(3)
     Cole ACCEPT(46)
     Balinsky ACCEPT(2)
     Foat ACCEPT(40) NOOP(5)
     Williams ACCEPT(2)
     Wall ACCEPT(2) NOOP(27)
     Ziese ACCEPT(3)
     Dik ACCEPT(1)
     Frech ACCEPT(17) MODIFY(24)
     Stracener ACCEPT(37)
     Bollinger MODIFY(1)
     Baker ACCEPT(8)
     Bishop ACCEPT(4)
     Armstrong ACCEPT(14)
     Prosser ACCEPT(1)

   These voters have implicitly agreed to some portion of CD:VAGUE.
   They may wish to review the candidates below to see if they still
   agree.

4) Following is a summary of the major CVE reference sources whose
   associated CANs are affected by CD:VAGUE.

       3  AIXAPAR
      13  CERT
       2  CERT-VN
      17  CIAC
       2  CISCO
       1  COMPAQ
       5  CONFIRM
       1  FREEBSD
      13  HP
       1  ISS
       1  REDHAT
       6  SCO
       1  SGI
       1  TURBO

   e.g., 13 candidates are associated with vague CERT advisories.
   "CONFIRM" is used for acknowledgement by other, non-major vendors.

   This issue was a little broader than I thought.  I was a little
   surprised to see some open source vendors, for example.


Board members are encouraged to consider these statistics while
reviewing CD:VAGUE.

The specific (pardon the pun) candidates are listed below.

- Steve



======================================================
Candidate: CAN-1999-1079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1079
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990506 AIX Security Fixes Update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92601792420088&w=2
Reference: BUGTRAQ:19990825 AIX security summary
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93587956513233&w=2
Reference: AIXAPAR:IX80470
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36
Reference: BID:439
Reference: URL:http://www.securityfocus.com/bid/439

Vulnerability in ptrace in AIX 4.3 allows local users to gain
privileges by attaching to a setgid program.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1079 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:aix-ptrace-setgid(7487)


======================================================
Candidate: CAN-1999-1213
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1213
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9710-070
Reference: URL:http://www2.dataguard.no/bugtraq/1997_4/0001.html
Reference: XF:hp-telnetdos(571)
Reference: URL:http://xforce.iss.net/static/571.php

Vulnerability in telnet service in HP-UX 10.30 allows attackers to
cause a denial of service.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1213 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener


======================================================
Candidate: CAN-1999-1216
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1216
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CERT:CA-1993-07
Reference: URL:http://www.cert.org/advisories/CA-1993-07.html
Reference: CIAC:D-15
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/d-15.shtml
Reference: XF:cisco-sourceroute(541)
Reference: URL:http://xforce.iss.net/static/541.php

Cisco routers 9.17 and earlier allow remote attackers to bypass
security restrictions via certain IP source routed packets that should
normally be denied using the "no ip source-route" command.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1216 ACCEPT (4 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener
   NOOP(1) Wall


======================================================
Candidate: CAN-1999-1218
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1218
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CERT:CA-1993-04
Reference: URL:http://www.cert.org/advisories/CA-1993-04.html
Reference: XF:amiga-finger(522)
Reference: URL:http://xforce.iss.net/static/522.php

Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier
allows local users to read arbitrary files.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1218 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener
   NOOP(1) Wall


======================================================
Candidate: CAN-1999-1238
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1238
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9409-017
Reference: URL:http://www.securityfocus.com/advisories/1531
Reference: XF:hp-core-diag-fileset(2262)
Reference: URL:http://xforce.iss.net/static/2262.php

Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05
and earlier allows local users to gain privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1238 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener


======================================================
Candidate: CAN-1999-1239
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1239
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9407-015
Reference: URL:http://www.securityfocus.com/advisories/1559
Reference: XF:hp-xauthority(2261)
Reference: URL:http://xforce.iss.net/static/2261.php

HP-UX 9.x does not properly enable the Xauthority mechanism in certain
conditions, which could allow local users to access the X display even
when they have not explicitly been authorized to do so.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1239 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener


======================================================
Candidate: CAN-1999-1242
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1242
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9402-003
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/003
Reference: XF:hp-subnet-config(2162)
Reference: URL:http://xforce.iss.net/static/2162.php

Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users
to gain privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1242 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener


======================================================
Candidate: CAN-1999-1247
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1247
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9402-006
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/006
Reference: XF:hp-dce9000(2061)
Reference: URL:http://xforce.iss.net/static/2061.php

Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x
allows attackers to gain root privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1247 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener


======================================================
Candidate: CAN-1999-1248
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1248
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9411-019
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/019
Reference: XF:hp-supportwatch(2058)
Reference: URL:http://xforce.iss.net/static/2058.php

Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through
9.0 allows local users to gain privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1248 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener


======================================================
Candidate: CAN-1999-1251
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1251
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9612-043
Reference: URL:http://packetstormsecurity.org/advisories/hpalert/043
Reference: XF:hp-audio-panic(2010)
Reference: URL:http://xforce.iss.net/static/2010.php

Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10
allows local users to cause a denial of service.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1251 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener


======================================================
Candidate: CAN-1999-1252
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1252
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category:
Reference: CERT:VB-96.15
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.15.sco
Reference: SCO:96:002
Reference: URL:ftp://ftp.sco.COM/SSE/security_bulletins/SB.96:02a
Reference: XF:sco-system-call(1966)
Reference: URL:http://xforce.iss.net/static/1966.php

Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0
allows local users to access arbitrary files and gain root privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1252 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener
   NOOP(1) Wall


======================================================
Candidate: CAN-1999-1253
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1253
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category:
Reference: CERT:VB-96.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.10.sco
Reference: SCO:96:001
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB.96:01a
Reference: XF:sco-kernel(1965)
Reference: URL:http://xforce.iss.net/static/1965.php

Vulnerability in a kernel error handling routine in SCO OpenServer
5.0.2 and earlier, and SCO Internet FastStart 1.0, allows local users
to gain root privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1253 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Frech, Stracener
   NOOP(1) Wall


======================================================
Candidate: CAN-1999-1287
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1287
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CONFIRM:http://www.statslab.cam.ac.uk/~sret1/analog/security.html
Reference: XF:analog-remote-file(1410)
Reference: URL:http://xforce.iss.net/static/1410.php

Vulnerability in Analog 3.0 and earlier allows remote attackers to
read arbitrary files via the forms interface.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1287 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(5) Foat, Cole, Armstrong, Frech, Stracener
   NOOP(1) Wall


======================================================
Candidate: CAN-1999-1293
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1293
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19980106 Apache security advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88413292830649&w=2
Reference: CONFIRM:http://www.apache.org/info/security_bulletin_1.2.5.html

mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause
a denial of service via malformed FTP commands, which causes Apache to
dump core.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1293 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:apache-mod-proxy-dos(7249)
   CONFIRM reference no longer seems to exist. BugTraq message
   seems to be a confirmation/advisory, however.


======================================================
Candidate: CAN-1999-1295
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1295
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CERT:VB-96.16
Reference: URL:http://www.cert.org/vendor_bulletins/VB-96.16.transarc
Reference: XF:dfs-login-groups(7154)
Reference: URL:http://xforce.iss.net/static/7154.php

Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5
does not properly initialize the grouplist for users who belong to a
large number of groups, which could allow those users to gain access
to resources that are protected by DFS.


Modifications:
  ADDREF XF:dfs-login-groups(7154)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1295 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:dfs-login-groups(7154)


======================================================
Candidate: CAN-1999-1300
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1300
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CIAC:B-31
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-31.shtml

Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users
to read arbitrary files and modify system accounting configuration.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1300 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF: unicos-accton-read-files(7210)


======================================================
Candidate: CAN-1999-1302
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1302
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allows local
users to gain root access.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1302 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-pt_chmod(7586)


======================================================
Candidate: CAN-1999-1303
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1303
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users
to gain root access.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1303 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-prwarn(7587)


======================================================
Candidate: CAN-1999-1304
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1304
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Vulnerability in login in SCO UNIX 4.2 and earlier allows local users
to gain root access.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1304 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-login(7588)


======================================================
Candidate: CAN-1999-1305
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1305
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CIAC:F-05
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml
Reference: SCO:94:001
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-05.shtml

Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local
users to gain root access.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1305 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:sco-at(7589)


======================================================
Candidate: CAN-1999-1307
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1307
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: unknown
Reference: BUGTRAQ:19941209 Novell security advisory on sadc, urestore and the suid_exec feature
Reference: URL:http://www.dataguard.no/bugtraq/1994_4/0676.html
Reference: CIAC:F-06
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-06.shtml

Vulnerability in urestore in Novell UnixWare 1.1 allows local users to
gain root privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1307 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF;novell-unixware-urestore-root(7211)


======================================================
Candidate: CAN-1999-1308
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1308
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9611-041
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: CIAC:H-09
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-09.shtml
Reference: CIAC:H-91
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-91.shtml
Reference: XF:hp-large-uid-gid(7594)
Reference: URL:http://www.iss.net/security_center/static/7594.php

Certain programs in HP-UX 10.20 do not properly handle large user IDs
(UID) or group IDs (GID) over 60000, which could allow local users to
gain privileges.


Modifications:
  ADDREF XF:hp-large-uid-gid(7594)
  ADDREF http://ciac.llnl.gov/ciac/bulletins/h-09.shtml

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1308 ACCEPT (4 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:hp-large-uid-gid(7594)


======================================================
Candidate: CAN-1999-1311
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1311
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: HP:HPSBUX9701-046
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml

Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows
local users to bypass authentication and gain privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1311 ACCEPT (3 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener


======================================================
Candidate: CAN-1999-1313
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1313
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CIAC:G-24
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/g-24.shtml
Reference: FREEBSD:FreeBSD-SA-96:11
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:11.man.asc
Reference: XF:bsd-man-command-sequence(7348)
Reference: URL:http://xforce.iss.net/static/7348.php

Manual page reader (man) in FreeBSD 2.2 and earlier allows local users
to gain privileges via a sequence of commands.


Modifications:
  ADDREF XF:bsd-man-command-sequence(7348)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1313 ACCEPT (4 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:bsd-man-command-sequence(7348)


======================================================
Candidate: CAN-1999-1315
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1315
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CIAC:F-04
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/f-04.shtml

Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP
and VAX/VMS systems allow local users to gain privileges or cause a
denial of service.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1315 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:openvms-decnetosi-gain-privileges(7212)


======================================================
Candidate: CAN-1999-1319
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1319
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: SGI:19960101-01-PX
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19960101-01-PX
Reference: XF:irix-object-server(7430)
Reference: URL:http://www.iss.net/security_center/static/7430.php

Vulnerability in object server program in SGI IRIX 5.2 through 6.1
allows remote attackers to gain root privileges in certain
configurations.


Modifications:
  ADDREF XF:irix-object-server(7430)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1319 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:irix-object-server(7430)


======================================================
Candidate: CAN-1999-1391
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1391
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CERT:CA-1990-06
Reference: URL:http://www.cert.org/advisories/CA-1990-06.html
Reference: CIAC:B-01
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/b-01.shtml
Reference: BID:10
Reference: URL:http://www.securityfocus.com/bid/10
Reference: XF:nextstep-npd-root-access(7143)
Reference: URL:http://www.iss.net/security_center/static/7143.php

Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers
allows local users to gain privileges via a combination of the npd
program and weak directory permissions.


Modifications:
  ADDREF XF:nextstep-npd-root-access(7143)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1391 ACCEPT (4 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:nextstep-npd-root-access(7143)


======================================================
Candidate: CAN-1999-1395
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1395
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CERT:CA-1992-18
Reference: URL:http://www.cert.org/advisories/CA-1992-18.html
Reference: CERT:CA-92.16
Reference: URL:http://www.cert.org/advisories/CA-92.16.VMS.Monitor.vulnerability
Reference: BID:51
Reference: URL:http://www.securityfocus.com/bid/51
Reference: XF:vms-monitor-gain-privileges(7136)
Reference: URL:http://www.iss.net/security_center/static/7136.php

Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0
through 5.4-2 allows local users to gain privileges.


Modifications:
  ADDREF XF:vms-monitor-gain-privileges(7136)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1395 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:vms-monitor-gain-privileges(7136)
   Duplicate of CAN-1999-1056? If not, indicate why in Analysis
   comments.
 Christey> Note that CAN-1999-1056
 Christey> CAN-1999-1056 is in fact a duplicate.  This candidate will
   be kept, and CAN-1999-1056 will be REJECTed, because this
   candidate has more references.


======================================================
Candidate: CAN-1999-1415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1415
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CERT:CA-91.13
Reference: URL:http://www.cert.org/advisories/CA-91.13.Ultrix.mail.vulnerability
Reference: BID:27
Reference: URL:http://www.securityfocus.com/bid/27

Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local
users to gain privileges.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1415 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, Wall

Voter Comments:
 Frech> XF:bsd-binmail(515)
   CA-1991-13 was superseded by CA-1995-02.
 Christey> Is there overlap between CAN-1999-1415 and CAN-1999-1438?
   Both CERT advisories are vague.


======================================================
Candidate: CAN-1999-1462
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1462
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990426 FW: Security Notice: Big Brother 1.09b/c
Reference: URL:http://www.securityfocus.com/archive/1/13440
Reference: CONFIRM:http://bb4.com/README.CHANGES
Reference: BID:142
Reference: URL:http://www.securityfocus.com/bid/142
Reference: XF:http-cgi-bigbrother-bbhist(3755)
Reference: URL:http://xforce.iss.net/static/3755.php

Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b
and 1.09c allows remote attackers to read portions of arbitrary files.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1462 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(5) Foat, Cole, Armstrong, Frech, Stracener
   NOOP(1) Wall


======================================================
Candidate: CAN-1999-1464
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1464
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:http://xforce.iss.net/static/1401.php

Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast
switching (DFS) enabled allows remote attackers to bypass certain
access control lists when the router switches traffic from a
DFS-enabled interface to an interface that does not have DFS enabled,
as described by Cisco bug CSCdk35564.

CONTENT-DECISIONS: SF-LOC, VAGUE

INFERRED ACTION: CAN-1999-1464 ACCEPT (6 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(6) Balinsky, Foat, Cole, Armstrong, Frech, Stracener
   NOOP(1) Wall


======================================================
Candidate: CAN-1999-1465
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1465
Final-Decision:
Interim-Decision:
Modified: 20020228-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CISCO:19981105 Cisco IOS DFS Access List Leakage
Reference: URL:http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Reference: CIAC:J-016
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
Reference: XF:cisco-acl-leakage(1401)
Reference: URL:http://xforce.iss.net/static/1401.php

Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast
switching (DFS) enabled allows remote attackers to bypass certain
access control lists when the router switches traffic from a
DFS-enabled input interface to an output interface with a logical
subinterface, as described by Cisco bug CSCdk43862.


Modifications:
  DESC add bug ID

CONTENT-DECISIONS: SF-LOC, VAGUE

INFERRED ACTION: CAN-1999-1465 ACCEPT (6 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(6) Balinsky, Foat, Cole, Armstrong, Frech, Stracener
   NOOP(1) Wall


======================================================
Candidate: CAN-1999-1474
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1474
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CONFIRM:http://www.microsoft.com/windows/ie/security/powerpoint.asp
Reference: XF:nt-ppt-patch(179)
Reference: URL:http://xforce.iss.net/static/179.php

PowerPoint 95 and 97 allow remote attackers to cause an application
to be run automatically without prompting the user, possibly through
the slide show, when the document is opened in browsers such as
Internet Explorer.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1474 ACCEPT (6 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Armstrong, Frech, Stracener

Voter Comments:
 Frech> Looks like CONFIRM URL is too old for Microsoft to keep
   (currently cached at
   http://www.google.com/search?q=cache:86loHcRhaL4:www.microsoft.com/ie/
   security/powerpoint.htm+%22PowerPoint+Browsing+Security+Issue%22&hl=en
   ). Same information is available at BugTraq at
   http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=6724


======================================================
Candidate: CAN-1999-1487
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1487
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: AIXAPAR:IX74599
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rt=0&rs=0&org=apars&doc=41D8B61D1E1C4FAB852567C9002C546C
Reference: BID:405
Reference: URL:http://www.securityfocus.com/bid/405
Reference: XF:aix-digest(7477)
Reference: URL:http://www.iss.net/security_center/static/7477.php

Vulnerability in digest in AIX 4.3 allows printq users to gain root
privileges by creating and/or modifying any file on the system.


Modifications:
  ADDREF XF:aix-digest(7477)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1487 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:aix-digest(7477)


======================================================
Candidate: CAN-1999-1506
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1506
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CERT:CA-1990-01
Reference: URL:http://www.cert.org/advisories/CA-90.01.sun.sendmail.vulnerability
Reference: BID:6
Reference: URL:http://www.securityfocus.com/bid/6

Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3,
allows remote attackers to access user bin.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1506 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:sunos-sendmail-bin-access(7161)
 Dik> sun bug 1028173


======================================================
Candidate: CAN-1999-1554
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1554
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CERT:CA-1990-08
Reference: URL:http://www.cert.org/advisories/CA-1990-08.html
Reference: BID:13
Reference: URL:http://www.securityfocus.com/bid/13
Reference: XF:sgi-irix-reset(3164)
Reference: URL:http://www.iss.net/security_center/static/3164.php

/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the
group ID to the group ID of the user who started Mail, which allows
local users to read the mail of other users.


Modifications:
  ADDREF XF:sgi-irix-reset(3164)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1554 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:sgi-irix-reset(3164)


======================================================
Candidate: CAN-1999-1558
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1558
Final-Decision:
Interim-Decision:
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CIAC:I-071A
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-071a.shtml
Reference: CERT:VB-98.07
Reference: BID:161
Reference: URL:http://www.securityfocus.com/bid/161
Reference: XF:openvms-loginout-unauth-access(7151)
Reference: URL:http://www.iss.net/security_center/static/7151.php

Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows
unauthorized access when external authentication is enabled.


Modifications:
  ADDREF XF:openvms-loginout-unauth-access(7151)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1558 ACCEPT (4 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:openvms-loginout-unauth-access(7151)


======================================================
Candidate: CAN-1999-1560
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1560
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990720 tiger vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93252050203589&w=2
Reference: XF:tiger-script-execute(2369)
Reference: URL:http://xforce.iss.net/static/2369.php

Vulnerability in a script in Texas A&M University (TAMU) Tiger allows
local users to execute arbitrary commands as the Tiger user, usually
root.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-1999-1560 ACCEPT_ACK (2 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Foat, Cole
   NOOP(1) Wall


======================================================
Candidate: CAN-2001-0101
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0101
Final-Decision:
Interim-Decision:
Modified: 20020222-01
Proposed: 20010202
Assigned: 20010201
Category:
Reference: TURBO:TLSA2000024-1
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2000-December/000027.html
Reference: REDHAT:RHBA-2000:106-04
Reference: URL:http://www.redhat.com/support/errata/RHBA-2000-106.html
Reference: XF:fetchmail-authenticate-gssapi(7455)
Reference: URL:http://xforce.iss.net/static/7455.php

Vulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE
GSSAPI command.


Modifications:
  ADDREF XF:fetchmail-authenticate-gssapi(7455)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-2001-0101 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Baker, Cole, Ziese, Prosser
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Prosser> TURBO:TLSA2000024-1
   http://www.turbolinux.com/pipermail/tl-security-announce/2000-December/000027.html
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:fetchmail-authenticate-gssapi(7455)


======================================================
Candidate: CAN-2001-0606
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0606
Final-Decision:
Interim-Decision:
Modified: 20020225-01
Proposed: 20010727
Assigned: 20010727
Category: SF
Reference: HP:HPSBUX0102-139
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q1/0041.html
Reference: XF:hp-virtualvault-iws-dos(6110)
Reference: URL:http://xforce.iss.net/static/6110.php

Vulnerability in iPlanet Web Server 4.X in HP-UX 11.04 (VVOS) with
VirtualVault A.04.00 allows a remote attacker to create a denial of
service via the HTTPS service.


Modifications:
  ADDREF XF:hp-virtualvault-iws-dos(6110)

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-2001-0606 ACCEPT (7 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(6) Williams, Wall, Baker, Cole, Bishop, Ziese
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:hp-virtualvault-iws-dos(6110)
 CHANGE> [Williams changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2001-0608
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0608
Final-Decision:
Interim-Decision:
Modified: 20020225-01
Proposed: 20010727
Assigned: 20010727
Category: SF
Reference: HP:HPSBMP0103-011
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q1/0087.html
Reference: XF:hp-aif-gain-privileges(6951)
Reference: URL:http://xforce.iss.net/static/6951.php
Reference: CERT-VN:VU#895496
Reference: URL:http://www.kb.cert.org/vuls/id/895496

HP architected interface facility (AIF) as included with MPE/iX 5.5
through 6.5 running on an HP3000 allows an attacker to gain additional
privileges and gain access to databases via the AIF - AIFCHANGELOGON
program.


Modifications:
  ADDREF XF:hp-aif-gain-privileges(6951)
  ADDREF CERT-VN:VU#895496

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-2001-0608 ACCEPT (6 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(5) Williams, Baker, Cole, Bishop, Ziese
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:hp-aif-gain-privileges(6951)


======================================================
Candidate: CAN-2001-0817
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0817
Final-Decision:
Interim-Decision:
Modified: 20020226-01
Proposed: 20011122
Assigned: 20011115
Category: SF
Reference: ISS:20011120 Remote Logic Flaw Vulnerability in HP-UX Line Printer Daemon
Reference: URL:http://xforce.iss.net/alerts/advise102.php
Reference: HP:HPSBUX0111-176
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q4/0047.html
Reference: CERT:CA-2001-32
Reference: URL:http://www.cert.org/advisories/CA-2001-32.html
Reference: CERT-VN:VU#638011
Reference: URL:http://www.kb.cert.org/vuls/id/638011
Reference: CIAC:M-021
Reference: URL:http://www.ciac.org/ciac/bulletins/m-021.shtml
Reference: BID:3561
Reference: URL:http://www.securityfocus.com/bid/3561
Reference: XF:hpux-rlpdaemon-logic-flaw(7234)
Reference: URL:http://xforce.iss.net/static/7234.php

Vulnerability in HP-UX line printer daemon (rlpdaemon) in HP-UX 10.01
through 11.11 allows remote attackers to modify arbitrary files and
gain root privileges via a certain print request.


Modifications:
  ADDREF CERT:CA-2001-32
  ADDREF CERT-VN:VU#638011
  ADDREF BID:3561
  ADDREF CIAC:M-021

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-2001-0817 ACCEPT (5 accept, 5 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(6) Baker, Foat, Cole, Armstrong, Frech, Bishop
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> CERT:CA-2001-32
   URL:http://www.cert.org/advisories/CA-2001-32.html
   CERT-VN:VU#638011
   URL:http://www.kb.cert.org/vuls/id/638011
 Christey> BID:3561
   URL:http://www.securityfocus.com/bid/3561
   CIAC:M-021
   http://www.ciac.org/ciac/bulletins/m-021.shtml


======================================================
Candidate: CAN-2001-0845
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0845
Final-Decision:
Interim-Decision:
Modified: 20020226-01
Proposed: 20011122
Assigned: 20011122
Category:
Reference: COMPAQ:SSRT0738
Reference: URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0738.shtml
Reference: XF:openvms-dms-unauthorized-access(7425)
Reference: URL:http://xforce.iss.net/static/7425.php
Reference: BID:3492
Reference: URL:http://online.securityfocus.com/bid/3492

Vulnerability in DECwindows Motif Server on OpenVMS VAX or Alpha 6.2
through 7.3, and SEVMS VAX or Alpha 6.2, allows local users to gain
access to unauthorized resources.


Modifications:
  ADDREF XF:openvms-dms-unauthorized-access(7425)
  ADDREF BID:3492

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-2001-0845 ACCEPT (6 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(5) Baker, Foat, Cole, Armstrong, Bishop
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:openvms-dms-unauthorized-access(7425)


======================================================
Candidate: CAN-2001-0976
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0976
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: HP:HPSBUX0108-165
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q3/0048.html

Vulnerability in HP Process Resource Manager (PRM) C.01.08.2 and
earlier, as used by HP-UX Workload Manager (WLM), allows local users
to gain root privileges via modified libraries or environment
variables.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-2001-0976 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Green, Baker, Cole, Armstrong
   NOOP(2) Wall, Foat


======================================================
Candidate: CAN-2001-1061
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1061
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: AIXAPAR:IY22255
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0003.html

Vulnerability in lsmcode in unknown versions of AIX, possibly related
to a usage error.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-2001-1061 ACCEPT (5 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   MODIFY(1) Bollinger
   NOOP(2) Wall, Foat

Voter Comments:
 Bollinger> Affects AIX 4.3 with bos.diag.util versions less than
   4.3.3.75 and AIX 5.1 with bos.diag.util versions less than 5.1.0.10.
   The 4.3 APAR is IY22255 and the 5.1 APAR is IY22266.


======================================================
Candidate: CAN-2001-1082
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1082
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CONFIRM:http://freshmeat.net/releases/52020/

Directory traversal vulnerability in Livingston/Lucent RADIUS before
2.1.va.1 may allow attackers to read arbitrary files via a .. (dot
dot) attack.

CONTENT-DECISIONS: VAGUE

INFERRED ACTION: CAN-2001-1082 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Baker, Cole, Armstrong, Green
   NOOP(2) Wall, Foat

Page Last Updated or Reviewed: May 22, 2007