[PROPOSAL] Cluster CONFIRM-2003a - 51 candidates
I am proposing cluster CONFIRM-2003a for review and voting by the Editorial Board.

Name: CONFIRM-2003a
Description: CANs with clear vendor ack. from Jan 2003 to Mar 2003
Size: 51

You may vote on candidates by modifying this email ballot and sending it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority. Priority 1 and Priority 2 candidates both deal with varying levels of vendor confirmation, so they should be easy to review and it can be trusted that the problems are real.

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2003-0016
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=104313442901017&w=2

Apache before 2.0.44, when running on unpatched Windows 9x and Me operating systems, allows remote attackers to cause a denial of service or execute arbitrary code via an HTTP request containing MS-DOS device names.

Analysis
----------------
ED_PRI CAN-2003-0016 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=104313442901017&w=2

Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers to obtain certain files via an HTTP request that ends in certain illegal characters such as ">", which causes a different filename to be processed and served.

Analysis
----------------
ED_PRI CAN-2003-0017 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0022
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: REDHAT:RHSA-2003:054
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-054.html
Reference: XF:terminal-emulator-screen-dump(11413)
Reference: URL:http://www.iss.net/security_center/static/11413.php

The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.

Analysis
----------------
ED_PRI CAN-2003-0022 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0023
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0023
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: REDHAT:RHSA-2003:054
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-054.html
Reference: XF:terminal-emulator-menu-modification(11416)
Reference: URL:http://www.iss.net/security_center/static/11416.php

The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu.

Analysis
----------------
ED_PRI CAN-2003-0023 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0038
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0038
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030127
Category: SF
Reference: BUGTRAQ:20030124 Mailman: cross-site scripting bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104342745916111
Reference: CONFIRM:http://telia.dl.sourceforge.net/sourceforge/mailman/xss-2.1.0-patch.txt

Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via the (1) email or (2) language parameters.

Analysis
----------------
ED_PRI CAN-2003-0038 1
Vendor Acknowledgement: yes patch

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0045
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0045
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030127
Category: SF
Reference: CONFIRM:http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt

Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.

Analysis
----------------
ED_PRI CAN-2003-0045 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0049
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0049
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: CONFIRM:http://docs.info.apple.com/article.html?artnum=61798
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: XF:macos-afp-unauthorized-access(11333)
Reference: URL:http://www.iss.net/security_center/static/11333.php

AFP in Mac OS X before 10.2.4 allows administrators to log in as other users by using the administrator password.

Analysis
----------------
ED_PRI CAN-2003-0049 1
Vendor Acknowledgement: yes changelog

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0050
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: XF:quicktime-darwin-command-execution(11401)
Reference: URL:http://www.iss.net/security_center/static/11401.php

parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via shell metacharacters.

Analysis
----------------
ED_PRI CAN-2003-0050 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0051
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0051
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: XF:quicktime-darwin-path-disclosure(11402)
Reference: URL:http://www.iss.net/security_center/static/11402.php

parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to obtain the physical path of the server's installation path via a NULL file parameter.

Analysis
----------------
ED_PRI CAN-2003-0051 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0052
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0052
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: XF:quicktime-darwin-directory-disclosure(11403)
Reference: URL:http://www.iss.net/security_center/static/11403.php

parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to list arbitrary directories.

Analysis
----------------
ED_PRI CAN-2003-0052 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0053
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: XF:quicktime-darwin-parsexml-xss(11404)
Reference: URL:http://www.iss.net/security_center/static/11404.php

Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message.

Analysis
----------------
ED_PRI CAN-2003-0053 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0054
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: XF:quicktime-darwin-describe-xss(11405)
Reference: URL:http://www.iss.net/security_center/static/11405.php

Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute certain code via a request to port 7070 with the script in an argument to the rtsp DESCRIBE method, which is inserted into a log file and executed when the log is viewed using a browser.

Analysis
----------------
ED_PRI CAN-2003-0054 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0055
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0055
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: XF:quicktime-darwin-mp3-bo(11406)
Reference: URL:http://www.iss.net/security_center/static/11406.php

Buffer overflow in the MP3 broadcasting module of Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via a long filename.

Analysis
----------------
ED_PRI CAN-2003-0055 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0066
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0066
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: REDHAT:RHSA-2003:054
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-054.html
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php

The rxvt terminal emulator 2.7.8 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2003-0066 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0088
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0088
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030210
Category: SF
Reference: ATSTAKE:A021403-1
Reference: URL:http://www.atstake.com/research/advisories/2003/a021403-1.txt
Reference: CONFIRM:http://docs.info.apple.com/article.html?artnum=61798
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: XF:macos-trublueenvironment-gain-privileges(11332)
Reference: URL:http://www.iss.net/security_center/static/11332.php

TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to overwrite or create arbitrary files and gain root privileges by setting a certain environment variable that is used to write debugging information.

Analysis
----------------
ED_PRI CAN-2003-0088 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0097
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0097
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030218
Category: SF
Reference: BUGTRAQ:20030217 PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104550977011668&w=2
Reference: VULNWATCH:20030217 PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
Reference: BUGTRAQ:20030219 GLSA: mod_php (200302-09.1)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104567137502557&w=2
Reference: BUGTRAQ:20030219 GLSA: mod_php php
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104567042700840&w=2
Reference: CONFIRM:http://www.slackware.com/changelog/current.php?cpu=i386
Reference: XF:php-cgi-sapi-access(11343)
Reference: URL:http://www.iss.net/security_center/static/11343.php

Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect).

Analysis
----------------
ED_PRI CAN-2003-0097 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0103
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0103
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: ATSTAKE:A022503-1
Reference: XF:nokia-6210-vcard-dos(11421)
Reference: URL:http://www.iss.net/security_center/static/11421.php

Format string vulnerability in Nokia 6210 handset allows remote attackers to cause a denial of service (crash, lockup, or restart) via a Multi-Part vCard with fields containing a large number of format string specifiers.

Analysis
----------------
ED_PRI CAN-2003-0103 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0122
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0122
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030310
Category: SF
Reference: BUGTRAQ:20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104757319829443&w=2
Reference: VULNWATCH:20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0125.html
Reference: MISC:http://www.rapid7.com/advisories/R7-0010.html
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101
Reference: BID:7037

Buffer overflow in Notes server before Lotus Notes R4, R5 before 5.0.11, and early R6 allows remote attackers to execute arbitrary code via a long distinguished name (DN) during NotesRPC authentication and an outer field length that is less than that of the DN field.

Analysis
----------------
ED_PRI CAN-2003-0122 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0123
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0123
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030310
Category: SF
Reference: BUGTRAQ:20030313 R7-0011: Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104757545500368&w=2
Reference: MISC:http://www.rapid7.com/advisories/R7-0011.html
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105060
Reference: BID:7038

Buffer overflow in Web Retriever client for Lotus Notes/Domino R4.5 through R6 allows remote malicious web servers to cause a denial of service (crash) via a long HTTP status line.

Analysis
----------------
ED_PRI CAN-2003-0123 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0125
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0125
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030312
Category: SF
Reference: MISC:http://www.krusesecurity.dk/advisories/routefind550bof.txt
Reference: VULNWATCH:20030311 SOHO Routefinder 550 VPN, DoS and Buffer Overflow
Reference: CONFIRM:ftp://ftp.multitech.com/Routers/RF550VPN.TXT

Buffer overflow in the web interface for SOHO Routefinder 550 before firmware 4.63 allows remote attackers to cause a denial of service (reboot) and execute arbitrary code via a long GET /OPTIONS value.

Analysis
----------------
ED_PRI CAN-2003-0125 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0145
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0145
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030314
Category: SF
Reference: CONFIRM:http://www.tcpdump.org/tcpdump-changes.txt

Unknown vulnerability in tcpdump before 3.7.2 related to an inability to "Handle unknown RADIUS attributes properly," allows remote attackers to cause a denial of service (infinite loop), a different vulnerability than CAN-2003-0093.

Analysis
----------------
ED_PRI CAN-2003-0145 1
Vendor Acknowledgement: yes changelog

ACCURACY: Via email on March 14, 2003, Martin Schulze confirmed that this is a different issue than CAN-2003-0093.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0387
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0387
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20020522
Category: SF
Reference: ATSTAKE:A031303-1
Reference: URL:http://www.atstake.com/research/advisories/2003/a031303-1.txt

Buffer overflow in gxnsapi6.dll NSAPI plugin of the Connector Module for Sun ONE Application Server before 6.5 allows remote attackers to execute arbitrary code via a long HTTP request URL.

Analysis
----------------
ED_PRI CAN-2002-0387 2
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-1252
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1252
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: ISS:20030120 PeopleSoft XML External Entities Vulnerability
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21811
Reference: XF:peoplesoft-xxe-read-files(10520)
Reference: URL:http://www.iss.net/security_center/static/10520.php

The Application Messaging Gateway for PeopleTools 8.1x before 8.19, as used in various PeopleSoft products, allows remote attackers to read arbitrary files via certain XML External Entities (XXE) fields in an HTTP POST request that is processed by the SimpleFileHandler handler.

Analysis
----------------
ED_PRI CAN-2002-1252 2
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0021
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0021
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: BUGTRAQ:20030303 GLSA: eterm (200303-1)
Reference: XF:terminal-emulator-screen-dump(11413)
Reference: URL:http://www.iss.net/security_center/static/11413.php

The "screen dump" feature in Eterm 0.9.1 and earlier allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.

Analysis
----------------
ED_PRI CAN-2003-0021 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0074
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0074
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20030129 Local root vuln in SuSE 8.0 plptools package
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104385772908969&w=2
Reference: BUGTRAQ:20030129 Re: Local root vuln in SuSE 8.0 plptools package
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104386699725019&w=2
Reference: XF:plptools-plpnsfd-format-string(11193)
Reference: URL:http://www.iss.net/security_center/static/11193.php

Format string vulnerability in mpmain.c for plpnfsd of the plptools package allows remote attackers to execute arbitrary code via the functions (1) debuglog, (2) errorlog, and (3) infolog.

Analysis
----------------
ED_PRI CAN-2003-0074 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2003-0075
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0075
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20030202 Bladeenc 0.94.2 code execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104428700106672&w=2
Reference: MISC:http://www.pivx.com/luigi/adv/blade942-adv.txt
Reference: BUGTRAQ:20030205 GLSA: bladeenc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104446346127432&w=2
Reference: XF:bladeenc-myfseek-code-execution(11227)
Reference: URL:http://www.iss.net/security_center/static/11227.php

Integer signedness error in myFseek function of samplein.c for Blade encoder 0.94.2 and earlier allows remote attackers to execute arbitrary code via a negative offset value following a "fmt" wave chunk.

Analysis
----------------
ED_PRI CAN-2003-0075 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0100 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0100 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030224 Category: SF Reference: BUGTRAQ:20030220 Cisco IOS OSPF exploit Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104576100719090&w=2 Reference: BUGTRAQ:20030221 Re: Cisco IOS OSPF exploit Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104587206702715&w=2 Reference: XF:cisco-ios-ospf-bo(11373) Reference: URL:http://www.iss.net/security_center/static/11373.php Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers to cause a denial of service and possibly execute commands via a large number of OSPF neighbor announcements. Analysis ---------------- ED_PRI CAN-2003-0100 2 Vendor Acknowledgement: yes followup Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0104 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0104 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030225 Category: SF Reference: ISS:20030310 PeopleSoft PeopleTools Remote Command Execution Vulnerability Reference: URL:http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21999 Reference: XF:peoplesoft-schedulertransfer-create-files(10962) Reference: URL:http://www.iss.net/security_center/static/10962.php Directory traversal vulnerability in PeopleTools 8.10 through 8.18, 8.40, and 8.41 allows remote attackers to overwrite arbitrary files via the SchedulerTransfer servlet. 
Analysis ---------------- ED_PRI CAN-2003-0104 2 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0137 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0137 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030313 Category: SF Reference: ATSTAKE:A031303-2 Reference: URL:http://www.atstake.com/research/advisories/2003/a031303-2.txt SNMP daemon in the DX200 based network element for Nokia Serving GPRS support node (SGSN) allows remote attackers to read SNMP options via arbitrary community strings. Analysis ---------------- ED_PRI CAN-2003-0137 2 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0147 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030314 Category: SF Reference: BUGTRAQ:20030313 Vulnerability in OpenSSL Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104766550528628&w=2 Reference: VULNWATCH:20030313 OpenSSL Private Key Disclosure Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0130.html Reference: BUGTRAQ:20030317 [ADVISORY] Timing Attack on OpenSSL Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104792570615648&w=2 Reference: MISC:http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). Analysis ---------------- ED_PRI CAN-2003-0147 2 Vendor Acknowledgement: yes Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0020 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030107 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:apache-esc-seq-injection(11412) Reference: URL:http://www.iss.net/security_center/static/11412.php Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. Analysis ---------------- ED_PRI CAN-2003-0020 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0024 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0024 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030107 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-menu-modification(11416) Reference: URL:http://www.iss.net/security_center/static/11416.php The menuBar feature in aterm 0.42 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu. Analysis ---------------- ED_PRI CAN-2003-0024 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0046 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0046 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030128 Category: SF Reference: BUGTRAQ:20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104386492422014&w=2 Reference: MISC:http://www.idefense.com/advisory/01.28.03.txt Reference: CONFIRM:http://www.celestialsoftware.net/telnet/beta_software.html AbsoluteTelnet SSH2 client does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. 
Analysis ---------------- ED_PRI CAN-2003-0046 3 Vendor Acknowledgement: unknown Content Decisions: INCLUSION, DESIGN-WEAK-ENCRYPTION ACKNOWLEDGEMENT: The beta announcement for 2.12 RC9 includes "Fixes to keep the password from appearing in memory in plaintext." Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0047 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0047 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030128 Category: SF Reference: BUGTRAQ:20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104386492422014&w=2 Reference: MISC:http://www.idefense.com/advisory/01.28.03.txt SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX 2.1.2 and 2.0.4, and (3) Entunnel 1.0.2 and earlier, do not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. Analysis ---------------- ED_PRI CAN-2003-0047 3 Vendor Acknowledgement: unknown Content Decisions: INCLUSION, DESIGN-WEAK-ENCRYPTION Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0048 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0048 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030128 Category: SF Reference: BUGTRAQ:20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104386492422014&w=2 Reference: MISC:http://www.idefense.com/advisory/01.28.03.txt PuTTY 0.53b and earlier does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. Analysis ---------------- ED_PRI CAN-2003-0048 3 Vendor Acknowledgement: unknown Content Decisions: INCLUSION, DESIGN-WEAK-ENCRYPTION Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0057 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0057 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030130 Category: SF Reference: BUGTRAQ:20030127 Hypermail buffer overflows Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104369136703903&w=2 Multiple buffer overflows in Hypermail 2 before 2.1.6 allow remote attackers to cause a denial of service and possibly execute arbitrary code (1) via a long attachment filename that is not properly handled by the hypermail executable, or (2) by connecting to the mail CGI program from an IP address that reverse-resolves to a long hostname.
Analysis ---------------- ED_PRI CAN-2003-0057 3 Vendor Acknowledgement: yes Content Decisions: SF-LOC Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0062 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0062 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030204 Category: SF Reference: BUGTRAQ:20030210 iDEFENSE Security Advisory 02.10.03: Buffer Overflow In NOD32 Antivirus Software for Unix Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104490777824360&w=2 Reference: MISC:http://www.idefense.com/advisory/02.10.03.txt Reference: XF:nod32-pathname-bo(11282) Reference: URL:http://www.iss.net/security_center/static/11282.php Buffer overflow in Eset Software NOD32 for UNIX before 1.013 allows local users to execute arbitrary code via a long path name. Analysis ---------------- ED_PRI CAN-2003-0062 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0063 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0063 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030204 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-window-title(11414) Reference: URL:http://www.iss.net/security_center/static/11414.php The xterm terminal emulator in XFree86 4.2.0 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2003-0063 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0064 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0064 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030204 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-window-title(11414) Reference: URL:http://www.iss.net/security_center/static/11414.php The dtterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2003-0064 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0065 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0065 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030204 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-window-title(11414) Reference: URL:http://www.iss.net/security_center/static/11414.php The uxterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2003-0065 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0067 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0067 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030204 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-window-title(11414) Reference: URL:http://www.iss.net/security_center/static/11414.php The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2003-0067 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0068 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0068 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030204 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: BUGTRAQ:20030303 GLSA: eterm (200303-1) Reference: XF:terminal-emulator-window-title(11414) Reference: URL:http://www.iss.net/security_center/static/11414.php The Eterm terminal emulator 0.9.1 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2003-0068 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0069 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0069 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030204 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-window-title(11414) Reference: URL:http://www.iss.net/security_center/static/11414.php The PuTTY terminal emulator 0.53 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2003-0069 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0071 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0071 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030204 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-dec-udk(11415) Reference: URL:http://www.iss.net/security_center/static/11415.php The DEC UDK processing feature in the xterm terminal emulator in XFree86 4.2.99.4 and earlier allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop. Analysis ---------------- ED_PRI CAN-2003-0071 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0076 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0076 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030205 Category: SF Reference: CONFIRM:http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html Reference: BUGTRAQ:20030204 GLSA: qt-dcgui Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104437720116243&w=2 Reference: XF:qtdcgui-directory-download-files(11246) Reference: URL:http://www.iss.net/security_center/static/11246.php Unknown vulnerability in the directory parser for Direct Connect 4 Linux (dcgui) before 0.2.2 allows remote attackers to read files outside the sharelist. 
Analysis ---------------- ED_PRI CAN-2003-0076 3 Vendor Acknowledgement: yes advisory Content Decisions: VAGUE Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0077 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0077 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030210 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-window-title(11414) Reference: URL:http://www.iss.net/security_center/static/11414.php The hanterm (hanterm-xf) terminal emulator before 2.0.5 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Analysis ---------------- ED_PRI CAN-2003-0077 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0079 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0079 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030210 Category: SF Reference: VULNWATCH:20030224 Terminal Emulator Security Issues Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 Reference: XF:terminal-emulator-dec-udk(11415) Reference: URL:http://www.iss.net/security_center/static/11415.php The DEC UDK processing feature in the hanterm (hanterm-xf) terminal emulator before 2.0.5 allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop. Analysis ---------------- ED_PRI CAN-2003-0079 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0107 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030226 Category: SF Reference: BUGTRAQ:20030222 buffer overrun in zlib 1.1.4 Reference: URL:http://online.securityfocus.com/archive/1/312869 Reference: BUGTRAQ:20030223 poc zlib sploit just for fun :) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104610337726297&w=2 Reference: BUGTRAQ:20030224 Re: buffer overrun in zlib 1.1.4 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104610536129508&w=2 Reference: BUGTRAQ:20030225 [sorcerer-spells] ZLIB-SORCERER2003-02-25 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104620610427210&w=2 Reference: BID:6913 Reference: URL:http://online.securityfocus.com/bid/6913 Reference: XF:zlib-gzprintf-bo(11381) Reference: URL:http://www.iss.net/security_center/static/11381.php Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code. Analysis ---------------- ED_PRI CAN-2003-0107 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. 
VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0124 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0124 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030312 Category: SF Reference: BUGTRAQ:20030311 Vulnerability in man < 1.5l Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104740927915154&w=2 man before 1.51 allows attackers to execute arbitrary code via a malformed man file with improper quotes, which causes the my_xsprintf function to return a string with the value "unsafe," which is then executed as a program via a system call. Analysis ---------------- ED_PRI CAN-2003-0124 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0126 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0126 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030312 Category: SF Reference: MISC:http://www.krusesecurity.dk/advisories/routefind550bof.txt Reference: VULNWATCH:20030311 SOHO Routefinder 550 VPN, DoS and Buffer Overflow The web interface for SOHO Routefinder 550 firmware 4.63 and earlier, and possibly later versions, has a default "admin" account with a blank password, which could allow attackers on the LAN side to conduct unauthorized activities. 
Analysis ---------------- ED_PRI CAN-2003-0126 3 Vendor Acknowledgement: unknown Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2003-0146 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0146 Final-Decision: Interim-Decision: Modified: Proposed: 20030317 Assigned: 20030314 Category: SF Reference: BUGTRAQ:20030228 NetPBM, multiple vulnerabilities Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104644687816522&w=2 Reference: DEBIAN:DSA-263 Reference: URL:http://www.debian.org/security/2003/dsa-263 Multiple vulnerabilities in NetPBM 9.20 and earlier, and possibly other versions, may allow remote attackers to cause a denial of service or execute arbitrary code via "maths overflow errors" such as (1) integer signedness errors or (2) integer overflows. Analysis ---------------- ED_PRI CAN-2003-0146 3 Vendor Acknowledgement: yes advisory Content Decisions: SF-LOC Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: