
[INTERIM] ACCEPT 22 legacy candidates (Final 6/1)



I have made an Interim Decision to ACCEPT the following 22 candidates
from various legacy clusters, most of which were originally proposed
sometime in 1999.  I will make a Final Decision on the evening of June
1, 2000.

The candidates come from the following clusters:

   1 CERT
   1 MULT
   1 NTLOW
   1 RESTLOW
   2 NOREFS
   3 VERIFY-BUGTRAQ
   1 VERIFY-TOOL
   1 PRIVACY
   2 MS
   1 CERT2
   1 MISC-01
   1 UNIX-UNCONF
   6 MS-99

Voters:
  Levy ACCEPT(4) MODIFY(1)
  Shostack ACCEPT(1) MODIFY(1) NOOP(1)
  Wall ACCEPT(9) MODIFY(1) NOOP(6)
  LeBlanc ACCEPT(8) NOOP(3)
  Ozancin ACCEPT(3) NOOP(1)
  Cole ACCEPT(13) NOOP(5) RECAST(1)
  Stracener ACCEPT(7) MODIFY(3)
  Dik MODIFY(1)
  Frech ACCEPT(2) MODIFY(18)
  Hill ACCEPT(3)
  Northcutt ACCEPT(6) NOOP(2) RECAST(1)
  Magdych ACCEPT(1)
  Armstrong ACCEPT(6) NOOP(6)
  Prosser ACCEPT(8) RECAST(1)


=================================
Candidate: CAN-1999-0031
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript
Reference: HP:HPSBUX9707-065
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html

JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and
4.x, allows remote attackers to monitor a user's web activities, aka
the Bell Labs vulnerability.

Modifications:
  ADDREF HP:HPSBUX9707-065
  DESC add affected browsers and versions, mentioned Bell Labs

INFERRED ACTION: CAN-1999-0031 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Cole
   MODIFY(2) Levy, Wall
   NOOP(2) Northcutt, Christey

Comments:
 Christey> The CERT advisory is at http://www.cert.org/advisories/CA-97.20.javascript.html
 Christey>
 Christey> ADDREF HP:HPSBUX9707-065
 Christey> http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html
 Christey>
 Christey> According to the CERT advisory, this issue affects Internet
 Christey> Explorer 3.x and 4.x, and Netscape 2.x, 3.x, and 4.x.
 Christey> Include this in the description.
 Levy> Need a better description of the vulnerability. There were several JS
 Levy> vulnerabilities in the same time frame that had similar results but
 Levy> were poorly documented. This, the Bell Labs vulnerability, was one of them.
 Levy> This is one of the other ones:
 Levy> http://www.securityfocus.com/templates/archive.pike?list=1&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970711140700Z-21724@de-mch-he01a.exchange.pn.siemens.de
 Wall> Add Internet Explorer 5 also.  See
 Wall> http://www.microsoft.com/technet/security/bulletin/ms99-043.asp which allows
 Wall> JavaScript to read files on other computers.
 Christey> MS:MS99-043 is already handled by CVE-1999-0793.  This one is
 Christey> different because IE 3.x and 4.x are affected; for
 Christey> CVE-1999-0793, it affected 4.x and 5.x.  Also, this one
 Christey> just allows someone to read cookies, HTML form data, and
 Christey> what URLs were visited.  CVE-1999-0793 allows the attacker
 Christey> to read files on the target's computer.  Thus this one is
 Christey> different than CVE-1999-0793, and MS:MS99-043 should not be
 Christey> added.
 Christey>
 Christey> The reference that Elias provided describes 2 bugs, neither
 Christey> of which is the "Bell Labs" bug, i.e. this candidate (just to
 Christey> confirm what Elias said; the CERT advisory explicitly thanks
 Christey> Bell Labs). The first bug *sounds* a lot like this candidate, but
 Christey> didn't need Javascript.  Refer to this as the "Danish bug"
 Christey> since it was "discovered by a Danish IS consultant company."
 Christey>
 Christey> The second bug describes the same symptoms as CVE-1999-0793.
 Christey> However, this reference only describes the problem for
 Christey> Netscape Navigator; CVE-1999-0793 only mentions IE.
 Christey> Thus it's possible that the problem was identified and fixed
 Christey> for Netscape, and later "rediscovered" by Microsoft and
 Christey> addressed for Internet Explorer.  (The CD:DISCOVERY-DATE content
 Christey> decision, when reviewed by the Board, will dictate what to
 Christey> do in these sorts of cases).  But then again, they could be
 Christey> different bugs entirely, but they just happen to have the same
 Christey> symptoms.  If the bug is more in the Javascript model than in
 Christey> the implementation, then maybe CD:SF-CODEBASE won't apply.
 Christey> We might be able to roll this second bug in with
 Christey> CVE-1999-0793; thus we may need to REASSESS CVE-1999-0793 in
 Christey> the future.
 Christey>
 Christey> It is possible that this second bug is the same as the
 Christey> "Singapore privacy bug" described here:
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-28&msg=Pine.SUN.3.94.970728112219.25473B-100000@dfw.dfw.net
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-22&msg=Pine.SUN.3.94.970726193056.27668B-100000@dfw.dfw.net
 Christey>
 Christey> These posts were on July 22 and 28.  Singapore is dated after
 Christey> the initial CERT advisory and references LiveConnect, which
 Christey> "enables communication between JavaScript and Java applets."
 Christey> Kuo Chiang, the person referenced in the above posts as the
 Christey> discoverer, sent a followup a week later on August 1:
 Christey>
 Christey> http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719458&w=2
 Christey> But this is merely a clarification of the earlier problem, as
 Christey> his post includes a reference to a ZDNet article written
 Christey> on July 25.
 Christey>
 Christey> The poster referred to by Elias, Matthias Dominick, sent a
 Christey> followup to the CERT advisory saying that the Danish bug
 Christey> appeared to be fixed, but the Bell Labs bug wasn't.
 Christey>
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970710145437Z-20375@de-mch-he01a.exchange.pn.siemens.de
 Christey>
 Christey> Two legacy candidates will eventually be created to handle
 Christey> these 2 other bugs, i.e. Singapore and Danish.
 Christey>
 Christey> In the meantime, the description for this one can be extended
 Christey> to mention the Bell Labs bug and include pointers back to some
 Christey> of the related posts.
 Christey>
 Christey> If this mess isn't an argument for a naming standard, I don't
 Christey> know what is :-) :-)  On a more serious note, this is an
 Christey> indicator of why it may be important for CVE to provide a way
 Christey> of distinguishing between different bugs discovered in the
 Christey> same software at around the same time (CD:SF-LOC will address this,
 Christey> and is one of the first CD's we will discuss when I reintroduce
 Christey> them).
 Levy> Add "Bell Labs" to the description or name.


=================================
Candidate: CAN-1999-0118
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000106-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91158980826979&w=2
Reference: XF:aix-infod

AIX infod allows local users to gain root access through an X display.

Modifications:
  ADDREF XF:aix-infod
  ADDREF BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD

INFERRED ACTION: CAN-1999-0118 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Northcutt
   MODIFY(1) Frech
   NOOP(6) Shostack, Wall, Christey, LeBlanc, Cole, Armstrong

Comments:
 Frech> XF:aix-infod
 Christey> See BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
 Christey> AIX APAR's confirm this problem: IX84642, IX89281, and IX84642


=================================
Candidate: CAN-1999-0124
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow
an intruder to read any files that can be accessed by the gopher
daemon.

Modifications:
  DESC Add versions

INFERRED ACTION: CAN-1999-0124 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Frech, Levy
   NOOP(3) Christey, Wall, Cole

Comments:
 Christey> Modify the description to include the version numbers
 Christey> 1.12 and 2.0x
 Christey>
 Christey> The advisory is at
 Christey> http://www.cert.org/advisories/CA-93.11.UMN.UNIX.gopher.vulnerability.html
 Christey>


=================================
Candidate: CAN-1999-0142
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr
Reference: XF:http-java-appletsecmgr

The Java Applet Security Manager implementation in Netscape Navigator
2.0 and Java Developer's Kit 1.0 allows an applet to connect to
arbitrary hosts.

Modifications:
  DESC include Netscape and JDK, with version numbers
  ADDREF XF:http-java-appletsecmgr

INFERRED ACTION: CAN-1999-0142 RECAST (1 recast, 3 accept, 0 review)

Current Votes:
   ACCEPT(3) Hill, Shostack, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   RECAST(1) Northcutt

Comments:
 Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and
 Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted
 Northcutt> applets) can connect to arbitrary hosts as a matter of course.  You
 Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar
 Northcutt> expert before issuing this one.  NOTE: another reason to consider
 Northcutt> the original date!!!
 Christey> Noting Steve Northcutt's comments, perhaps we would need to modify the
 Christey> description somewhat to distinguish between current Java versions and
 Christey> the one that had this vulnerability.  However, the CERT reference
 Christey> associates a general place and time for where this vulnerability
 Christey> arose, so I don't think it's too big of a deal.
 Frech> Reference: XF:http-java-appletsecmgr


=================================
Candidate: CAN-1999-0210
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: HP:HPSBUX9910-104
Reference: CERT:CA-99-05
Reference: BID:235

Automount daemon automountd allows local or remote users to gain
privileges via shell metacharacters.

Modifications:
  Changed description and added references.
  ADDREF BID:235

INFERRED ACTION: CAN-1999-0210 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Levy, Cole
   MODIFY(2) Shostack, Frech
   NOOP(3) Northcutt, Christey, Wall

Comments:
 Shostack> I think there was an SNI advisory on this
 Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options)
 Christey>
 Christey> SNI did not publish an advisory; however, Oliver Friedrichs
 Christey> sent a post saying that SNI's security tool tested for it.
 Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=91553343311719&w=2
 Christey>
 Christey> This is a tough one.  There's an old automount bug that's
 Christey> only locally exploitable, then a newer rpc.statd bug allows
 Christey> it to be remotely exploitable.  There's at least two bugs,
 Christey> but should there be three?
 Christey>
 Christey> Also see CAN-1999-0493
 Levy> ADDREF: BID:235
 Levy> There are three vulns. BID 235, BID 729, and BID 450.


=================================
Candidate: CAN-1999-0225
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000524-02
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:19980214 Windows NT Logon Denial of Service
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp
Reference: MSKB:Q180963
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963
Reference: XF:nt-logondos

Windows NT 4.0 allows remote attackers to cause a denial of service
via a malformed SMB logon request in which the actual data size does
not match the specified size.

Modifications:
  ADDREF MSKB:Q180963
  ADDREF XF:nt-logondos
  reword description
  Canonicalize NAI advisory

INFERRED ACTION: CAN-1999-0225 ACCEPT (7 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(7) Hill, Magdych, Stracener, LeBlanc, Northcutt, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> XF:nt-logondos


=================================
Candidate: CAN-1999-0323
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000524-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:04
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:04.mmap.asc
Reference: NETBSD:1998-003
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-003.txt.asc
Reference: XF:bsd-mmap

FreeBSD mmap function allows users to modify append-only or immutable
files.

Modifications:
  ADDREF NETBSD:1998-003
  ADDREF XF:bsd-mmap

INFERRED ACTION: CAN-1999-0323 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Hill, Stracener, Northcutt, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) LeBlanc

Comments:
 Frech> ADDREF XF:bsd-mmap (was REVIEWING)


=================================
Candidate: CAN-1999-0407
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91983486431506&w=2
Reference: BUGTRAQ:19990209 Re: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92000623021036&w=2
Reference: XF:iis-iisadmpwd

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains
files that can be used as proxies for brute force password attacks, or
to identify valid users on the system.

Modifications:
  Modified Bugtraq ref, added KB article and ISS ref
  DELREF MSKB:Q184619 - doesn't refer to this problem

INFERRED ACTION: CAN-1999-0407 ACCEPT (5 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Stracener, LeBlanc, Northcutt, Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Armstrong

Comments:
 Frech> ADDREF XF:iis-iisadmpwd
 Christey> Q184619 doesn't appear to describe this problem.  However,
 Christey> Russ Cooper confirms it in a followup email.


=================================
Candidate: CAN-1999-0464
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 19991205-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990104 Tripwire mess..
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91553066310826&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2

Local users can perform a denial of service in Tripwire 1.2 and
earlier using long filenames.

Modifications:
  ADDREF BUGTRAQ:19990104 Tripwire mess..

INFERRED ACTION: CAN-1999-0464 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Northcutt
   MODIFY(1) Frech
   NOOP(4) Christey, LeBlanc, Cole, Armstrong

Comments:
 Frech> XF:tripwire-long-filename-dos
 Christey> XF:tripwire-long-filename-dos doesn't exist.


=================================
Candidate: CAN-1999-0491
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000418-02
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990420 Bash Bug
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org
Reference: CALDERA:CSSA-1999-008.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt
Reference: BID:119
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=119

The prompt parsing in bash allows a local user to execute commands as
another user by creating a directory with the name of the command
to execute.

Modifications:
  CHANGEREF BUGTRAQ [title]
  ADDREF CALDERA:CSSA-1999-008.0

INFERRED ACTION: CAN-1999-0491 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Cole

Comments:
 Frech> bash-prompt-pars-dir
 Christey> XF:bash-prompt-pars-dir doesn't exist.
 Christey>
 Christey> ADDREF CALDERA:CSSA-1999-008.0


=================================
Candidate: CAN-1999-0493
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: SUN:00186
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba
Reference: CIAC:J-045
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: BID:450

rpc.statd allows remote attackers to forward RPC calls to the local
operating system via the SM_MON and SM_NOTIFY commands, which in turn
could be used to remotely exploit other bugs such as in automountd.

Modifications:
  Added numerous references
  ADDREF BID:450
  ADDREF CIAC:J-045

INFERRED ACTION: CAN-1999-0493 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Northcutt, Levy, Cole
   NOOP(2) Christey, Wall

Comments:
 Christey> This candidate has been modified heavily.
 Levy> ADDREF: BID:450
 Christey> ADDREF CIAC:J-045


=================================
Candidate: CAN-1999-0668
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: BID:598
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The scriptlet.typelib ActiveX control is marked as "safe for
scripting" for Internet Explorer, which allows a remote attacker to
execute arbitrary commands as demonstrated by Bubbleboy.

Modifications:
  ADDREF XF:ms-scriptlet-eyedog-unsafe
  ADDREF MSKB:Q240308

INFERRED ACTION: CAN-1999-0668 SMC_REVIEW (6 accept, 1 review)

Current Votes:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener
   REVIEWING(1) Christey

Comments:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Wall> Note:  Was this not CVE 199-0376?
 Stracener> Add Ref: MSKB Q240308
 Christey> Should CAN-1999-0669 and 668 be merged?  If not, then this is
 Christey> a reason for not merging CAN-1999-0988 and CAN-1999-0828.


=================================
Candidate: CAN-1999-0696
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990709 Exploit of rpc.cmsd
Reference: SCO:SB-99.12
Reference: SUN:00188
Reference: SUNBUG:4230754
Reference: HP:HPSBUX9908-102
Reference: COMPAQ:SSRT0614U_RPC_CMSD
Reference: CERT:CA-99-08
Reference: CIAC:J-051
Reference: XF:sun-cmsd-bo

Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).

Modifications:
  ADDREF XF:sun-cmsd-bo
  ADDREF SUNBUG:4230754
  ADDREF BUGTRAQ:19990709 Exploit of rpc.cmsd
  ADDREF SCO:SB-99.12
  CHANGEREF HP:00102 HP:HPSBUX9908-102

INFERRED ACTION: CAN-1999-0696 RECAST (1 recast, 6 accept, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Ozancin
   MODIFY(3) Frech, Stracener, Dik
   NOOP(1) Christey
   RECAST(1) Prosser

Comments:
 Frech> XF:sun-cmsd-bo
 Prosser> Correct me if I am wrong as I don't have the facilities to test this, but
 Prosser> Sun originally reported this vulnerability in Sun Bulletin 0166, Mar 1998.
 Prosser> The CVE Board accepted it as CVE-1999-0320.  The 00188 Sun Bulletin in July
 Prosser> 1999 is an exact dupe of the 98 bulletin with the exception of some
 Prosser> additional patches for CDE on later versions of SunOS/Solaris. The CERT and
 Prosser> other vendor alerts are additional information on this BO for other vendor's
 Prosser> systems (why it took over a year?), but we already have a CVE number
 Prosser> outstanding for this vulnerability.  Are these separate vulnerabilities?  Or
 Prosser> the same one just found to affect more than originally thought?  If so,
 Prosser> recommend merging this CAN into the existing CVE, and just adjust the
 Prosser> description in the existing CVE to reflect the additional vulnerable vendor
 Prosser> systems.
 Prosser> Additional reference:  BID 486 and 524
 Stracener> Redundant references to J-051.
 Christey> The confusion appears to be related to patch versions; 104976-03 is
 Christey> recommended for SUN:00166, and 104976-04 is recommended for SUN:00188.
 Christey> Did Sun create a new version, with the same patch ID, for the new bug?
 Christey> Or was there an error in the patch for the older bug?
 Dik> #166 addresses Sun bug 1265008: a file overwrite/remove vulnerability
 Dik> #188 addresses Sun bug 4230754: buffer overflows.
 Dik>
 Dik> (I.e., the reverse from what you state)
 Dik>
 Dik> These are two separate problems: first one is lack of checking the
 Dik> names of calendars for reserved characters (/) the second is lack
 Dik> of bounds checking.
 Dik>
 Dik> Sun typically assigns only one patchid to patch a certain part
 Dik> of Solaris.  When more problems are found, the patch gets rev'ed.
 Dik>
 Dik> The #166 problem was addressed, e.g., w/ patch 104976-03; subsequently,
 Dik> we address the #188 problem w/ 104976-04.
 Dik>
 Dik> The history is recorded in the README file of each patch.
 Dik>
 Dik> ADDREF SUNBUG 4230754
 Christey> ADDREF SCO:SB-99.12
 Christey> URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.12a
 Christey>
 Christey> ADDREF BUGTRAQ:19990709 Exploit of rpc.cmsd
 Christey> http://marc.theaimsgroup.com/?l=bugtraq&m=93154214531199&w=2
 Christey>
 Christey> CHANGEREF HP:00102 HP:HPSBUX9908-102


=================================
Candidate: CAN-1999-0719
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990802 Gnumeric potential security hole.
Reference: REDHAT:RHSA-1999:023-01
Reference: XF:gnu-guile-plugin-export
Reference: BID:563
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=563

The Guile plugin for the Gnumeric spreadsheet package allows attackers
to execute arbitrary code.

Modifications:
  ADDREF BUGTRAQ:19990802 Gnumeric potential security hole.
  ADDREF XF:gnu-guile-plugin-export
  ADDREF REDHAT:RHSA-1999:023-01
  DESC include "gnumeric spreadsheet package"

INFERRED ACTION: CAN-1999-0719 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(3) Stracener, Frech, Christey

Comments:
 Stracener> Add Ref: BUGTRAQ:19990803 Gnumeric Potential Security Hole
 Stracener> Add Ref: REDHAT:RHSA-1999:023-01
 Frech> XF:gnu-guile-plugin-export
 Christey> BUGTRAQ:19990802 Gnumeric potential security hole.
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&msg=199908031423.JAA12210@erandi.nuclecu.unam.mx
 Christey>
 Christey> Change desc to include "gnumeric spreadsheet package"


=================================
Candidate: CAN-1999-0754
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000418-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: CALDERA:CSSA-1999-011.0
Reference: SUSE:19990518 Security hole in INN
Reference: MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html
Reference: BID:255
Reference: XF:inn-innconf-env

The INN inndstart program allows local users to gain privileges by
specifying an alternate configuration file using the INNCONF
environmental variable.

Modifications:
  ADDREF CALDERA:CSSA-1999-011.0
  ADDREF SUSE:19990518 Security hole in INN
  ADDREF MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html
  ADDREF BID:255

INFERRED ACTION: CAN-1999-0754 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Frech
   NOOP(2) Ozancin, Christey

Comments:
 Christey> BID:255 and BID:254 have a good explanation for why this is
 Christey> different than CAN-1999-0785
 Christey>
 Christey> ADDREF CALDERA:CSSA-1999-011.0
 Christey> ADDREF SUSE:19990518 Security hole in INN
 Christey> Also see http://www.redhat.com/corp/support/errata/inn99_05_22.html


=================================
Candidate: CAN-1999-0874
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-019.asp
Reference: MSKB:Q234905
Reference: EEYE:AD06081999
Reference: CERT:CA-99-07
Reference: CIAC:J-048
Reference: XF:iis-htr-overflow

Buffer overflow in IIS 4.0 allows remote attackers to cause a denial
of service via a malformed request for files with .HTR, .IDC, or .STM
extensions.

Modifications:
  ADDREF XF:iis-htr-overflow
  DESC Add version number, remote, DoS

INFERRED ACTION: CAN-1999-0874 RECAST (1 recast, 5 accept, 0 review)

Current Votes:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech
   RECAST(1) Cole

Comments:
 Frech> XF:iis-htr-overflow
 Cole> This description is very general and covers about 5 different
 Cole> exploits with IIS.
 Cole> The thing to remember is that with Microsoft there are so many
 Cole> vulnerabilities that you must be very specific.  I would add the
 Cole> following:
 Cole> Microsoft has released a patch that eliminates a vulnerability in
 Cole> the Taskpads feature, which is provided as part of the Microsoft®
 Cole> Windows® 98 Resource Kit, Windows 98 Resource Kit Sampler, and
 Cole> BackOffice® Resource Kit, second edition. The vulnerability could
 Cole> allow a malicious web site operator to run executables on the
 Cole> computer of a visiting user. Only customers who have installed one
 Cole> of the affected products and who surf the web using the machines
 Cole> on which they are installed are at risk from this vulnerability.


=================================
Candidate: CAN-1999-1011
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 19991221
Category: SF
Reference: MS:MS98-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
Reference: MS:MS99-025
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
Reference: CIAC:J-054
Reference: ISS:19990809 Vulnerabilities in Microsoft Remote Data Service
Reference: BID:529
Reference: URL:http://www.ciac.org/ciac/bulletins/j-054.shtml
Reference: XF:nt-iis-rds

The Remote Data Service (RDS) DataFactory component of Microsoft Data
Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods,
which allows remote attackers to execute arbitrary commands.

Modifications:
  ADDREF XF:nt-iis-rds
  ADDREF BID:529
  ADDREF ISS:19990809 Vulnerabilities in Microsoft Remote Data Service

INFERRED ACTION: CAN-1999-1011 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) LeBlanc, Cole, Prosser, Wall
   MODIFY(1) Frech
   NOOP(2) Christey, Armstrong

Comments:
 Frech> XF:nt-iis-rds
 Frech> ISS:ISS Security Advisory #32, Vulnerabilities in Microsoft Remote Data
 Frech> Service, http://xforce.iss.net/alerts/advise32.php3
 Christey> ADDREF BID:529


=================================
Candidate: CAN-2000-0323
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19990728 Alert : MS Office 97 Vulnerability
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=19990729195531.25108.qmail@underground.org
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=D1A11CCE78ADD111A35500805FD43F58019792A3@RED-MSG-04
Reference: MS:MS99-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
Reference: XF:jet-text-isam
Reference: BID:595
Reference: URL:http://www.securityfocus.com/level2/?go=vulnerabilities&id=595

The Microsoft Jet database engine allows an attacker to modify text
files via a database query, aka the "Text I-ISAM" vulnerability.

Modifications:
  ADDREF XF:jet-text-isam

INFERRED ACTION: CAN-2000-0323 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
   MODIFY(1) Frech

Comments:
 Frech> XF:jet-text-isam


=================================
Candidate: CAN-2000-0327
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19991014 Another Microsoft Java Flaw Disovered
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93993545118416&w=2
Reference: MS:MS99-045
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-045.asp
Reference: XF:msvm-verifier-java

Microsoft Virtual Machine (VM) allows remote attackers to escape the
Java sandbox and execute commands via an applet containing an illegal
cast operation, aka the "Virtual Machine Verifier" vulnerability.

Modifications:
  ADDREF XF:msvm-verifier-java

INFERRED ACTION: CAN-2000-0327 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) LeBlanc, Cole, Prosser, Wall
   MODIFY(1) Frech
   NOOP(1) Armstrong

Comments:
 Frech> XF:msvm-verifier-java
 Frech> (Note: this XF tag is also assigned to "CVE-1999-0766: The Microsoft Java
 Frech> Virtual Machine allows a malicious Java applet to execute arbitrary commands
 Frech> outside of the sandbox environment." Reason: MS99-031 is vague and refers to
 Frech> the same Java issue.)


=================================
Candidate: CAN-2000-0328
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.19990824165629.00abcb40@192.168.124.1
Reference: MS:MS99-046
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
Reference: BID:604
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=604
Reference: XF:nt-sequence-prediction-sp4
Reference: XF:tcp-seq-predict

Windows NT 4.0 generates predictable random TCP initial sequence
numbers (ISN), which allows remote attackers to perform spoofing and
session hijacking.

Modifications:
  ADDREF XF:nt-sequence-prediction-sp4
  ADDREF XF:tcp-seq-predict

INFERRED ACTION: CAN-2000-0328 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
   MODIFY(1) Frech

Comments:
 Frech> XF:nt-sequence-prediction-sp4
 Frech> XF:tcp-seq-predict
 Cole> ACTUALLY A DOUBLE ACCEPT:)


=================================
Candidate: CAN-2000-0329
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-048
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-048.asp
Reference: XF:ie-active-setup-control

A Microsoft ActiveX control allows a remote attacker to execute a
malicious cabinet file via an attachment and an embedded script in an
HTML mail, aka the "Active Setup Control" vulnerability.

Modifications:
  ADDREF XF:ie-active-setup-control

INFERRED ACTION: CAN-2000-0329 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) LeBlanc, Prosser, Wall
   MODIFY(1) Frech
   NOOP(2) Cole, Armstrong

Comments:
 Frech> XF:ie-active-setup-control


=================================
Candidate: CAN-2000-0330
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-049
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-049.asp
Reference: XF:win-fileurl-overflow

The networking software in Windows 95 and Windows 98 allows remote
attackers to execute commands via a long file name string, aka the
"File Access URL" vulnerability.

Modifications:
  ADDREF XF:win-fileurl-overflow

INFERRED ACTION: CAN-2000-0330 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
   MODIFY(1) Frech

Comments:
 Frech> XF:win-fileurl-overflow

Page Last Updated or Reviewed: May 22, 2007