[PROPOSAL] Cluster RECENT-13 - 19 candidates

• To: cve-editorial-board-list@lists.mitre.org
• Subject: [PROPOSAL] Cluster RECENT-13 - 19 candidates
• From: "Steven M. Christey" <coley@linus.mitre.org>
• Date: Tue, 21 Mar 2000 23:22:33 -0500 (EST)
• Delivery-Date: Tue Mar 21 23:22:42 2000
• Sender: owner-cve-editorial-board-list@lists.mitre.org

The following cluster contains 19 candidates that were announced
between March 4 and March 14, 2000.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0168
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000306 con\con is a old thing (anyway is cool)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPCENECCAA.labs@ussrback.com
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0087.html
Reference: MS:MS00-017
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2126
Reference: BID:1043
Reference: URL:http://www.securityfocus.com/bid/1043

Microsoft Windows operating systems allow an attacker to cause a
denial of service via a pathname that includes file device names, aka
the "DOS Device in Path Name" vulnerability.


ED_PRI CAN-2000-0168 1


VOTE:

=================================
Candidate: CAN-2000-0173
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: SCO:SB-00.08a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.08a

Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote
attackers to cause a denial of service.


ED_PRI CAN-2000-0173 1


VOTE:

=================================
Candidate: CAN-2000-0200
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: MS:MS00-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-015.asp
Reference: BID:1034
Reference: URL:http://www.securityfocus.com/bid/1034

Buffer overflow in Microsoft Clip Art Gallery allows remote attackers
to cause a denial of service or execute commands via a malformed CIL
(clip art library) file, aka the "Clip Art Buffer Overrun"
vulnerability.


ED_PRI CAN-2000-0200 1


VOTE:

=================================
Candidate: CAN-2000-0202
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: MS:MS00-014
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
Reference: BID:1041
Reference: URL:http://www.securityfocus.com/bid/1041

Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow
remote attackers to gain privileges via a malformed Select statement
in an SQL query.


ED_PRI CAN-2000-0202 1


VOTE:

=================================
Candidate: CAN-2000-0169
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: NTBUGTRAQ:20000314 Oracle Web Listener 4.0.x
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0211.html
Reference: BID:1053
Reference: URL:http://www.securityfocus.com/bid/1053

Batch files in the Oracle web listener ows-bin directory allow remote
attackers to execute commands via a malformed URL that includes '?&'.


ED_PRI CAN-2000-0169 3


VOTE:

=================================
Candidate: CAN-2000-0171
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000311 TESO advisory -- atsadc
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0102.html
Reference: BID:1048
Reference: URL:http://www.securityfocus.com/bid/1048

atsadc in the atsar package for Linux does not properly check the
permissions of an output file, which allows local users to gain root
privileges.


ED_PRI CAN-2000-0171 3


VOTE:

=================================
Candidate: CAN-2000-0174
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-03/0063.html
Reference: BID:1040
Reference: URL:http://www.securityfocus.com/bid/1040

StarOffice StarScheduler web server allows remote attackers to read
arbitrary files via a .. (dot dot) attack.


ED_PRI CAN-2000-0174 3


VOTE:

=================================
Candidate: CAN-2000-0175
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000308 [SAFER 000309.EXP.1.4] StarScheduler (StarOffice) vulnerabilities
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-03/0063.html
Reference: BID:1039
Reference: URL:http://www.securityfocus.com/bid/1039

Buffer overflow in StarOffice StarScheduler web server allows remote
attackers to gain root access via a long GET command.


ED_PRI CAN-2000-0175 3


VOTE:

=================================
Candidate: CAN-2000-0180
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: NTBUGTRAQ:20000313 SOJOURN Search engine exposes files
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0201.html
Reference: BID:1052
Reference: URL:http://www.securityfocus.com/bid/1052

Sojourn search engine allows remote attackers to read arbitrary files
via a .. (dot dot) attack.


ED_PRI CAN-2000-0180 3


VOTE:

=================================
Candidate: CAN-2000-0181
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000311 Our old friend Firewall-1
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0119.html
Reference: BID:1054
Reference: URL:http://www.securityfocus.com/bid/1054

Firewall-1 3.0 and 4.0 leaks packets with private IP address
information, which could allow remote attackers to determine the real
IP address of the host that is making the connection.


ED_PRI CAN-2000-0181 3


VOTE:

=================================
Candidate: CAN-2000-0183
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000310 Fwd: ircii-4.4 buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0093.html
Reference: BID:1046
Reference: URL:http://www.securityfocus.com/bid/1046

Buffer overflow in ircII 4.4 IRC client allows remote attackers to
execute commands via the DCC chat capability.


ED_PRI CAN-2000-0183 3


VOTE:

=================================
Candidate: CAN-2000-0184
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000309
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0082.html
Reference: BID:1037
Reference: URL:http://www.securityfocus.com/bid/1037

Linux printtool sets the permissions of printer configuration files to
be world-readable, which allows local attackers to obtain printer
share passwords.


ED_PRI CAN-2000-0184 3


VOTE:

=================================
Candidate: CAN-2000-0185
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000308 RealServer exposes internal IP addresses
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0069.html
Reference: BID:1049
Reference: URL:http://www.securityfocus.com/bid/1049

RealMedia RealServer reveals the real IP address of a Real Server,
even if the address is supposed to be private.


ED_PRI CAN-2000-0185 3


VOTE:

=================================
Candidate: CAN-2000-0192
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000304 OpenLinux 2.3: rpm_query
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0029.html
Reference: BID:1036
Reference: URL:http://www.securityfocus.com/bid/1036

The default installation of Caldera OpenLinux 2.3 includes the CGI
program rpm_query, which allows remote attackers to determine what
packages are installed on the system.


ED_PRI CAN-2000-0192 3


VOTE:

=================================
Candidate: CAN-2000-0197
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: NTBUGTRAQ:20000313 AT Jobs - Denial of serice/Privilege Elevation
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0202.html
Reference: BID:1050
Reference: URL:http://www.securityfocus.com/bid/1050

The Windows NT scheduler uses the drive mapping of the interactive
user who is currently logged onto the system, which allows the local
user to gain privileges by providing a Trojan horse batch file in
place of the original batch file.


ED_PRI CAN-2000-0197 3


VOTE:

=================================
Candidate: CAN-2000-0198
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: NTBUGTRAQ:20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html
Reference: BUGTRAQ:20000314 Local / Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/current/0137.html
Reference: BID:1051
Reference: URL:http://www.securityfocus.com/bid/1051

Buffer overflow in POP3 and IMAP servers in the MERCUR mail server
suite allows remote attackers to cause a denial of service.


ED_PRI CAN-2000-0198 3


VOTE:

=================================
Candidate: CAN-2000-0199
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: ISS:20000314 Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store Administrative Login ID
Reference: BID:1055
Reference: URL:http://www.securityfocus.com/bid/1055

When a new SQL Server is registered in Enterprise Manager for
Microsoft SQL Server 7.0 and the "Always prompt for login name and
password" option is not set, then the Enterprise Manager uses weak
encryption to store the login ID and password.


ED_PRI CAN-2000-0199 3


VOTE:

=================================
Candidate: CAN-2000-0206
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000305 Oracle installer problem
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0023.html
Reference: BID:1035
Reference: URL:http://www.securityfocus.com/bid/1035

The installation of Oracle 8.1.5.x on Linux follows symlinks and
creates the orainstRoot.sh file with world-writeable permissions,
which allows local users to gain privileges.


ED_PRI CAN-2000-0206 3


VOTE:

=================================
Candidate: CAN-2000-0223
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000311 TESO advisory -- wmcdplay
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0107.html
Reference: BID:1047
Reference: URL:http://www.securityfocus.com/bid/1047

Buffer overflow in the wmcdplay CD player program for the WindowMaker
desktop allows local users to gain root privileges via a long
parameter.


ED_PRI CAN-2000-0223 3


VOTE:

• Prev by Date: [PROPOSAL] Cluster RECENT-12 - 20 candidates
• Next by Date: [FINAL] ACCEPT 53 candidates from various clusters
• Prev by thread: [PROPOSAL] Cluster RECENT-12 - 20 candidates
• Next by thread: [FINAL] ACCEPT 53 candidates from various clusters
• Index(es):
  • Date
  • Thread