[VOTEPRI] 17 high priority candidates as of 7/5/2000
The following candidates have vendor acknowledgement and require one more vote to be accepted.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.

KEY FOR INFERRED ACTIONS
------------------------

Inferred actions capture the voting status of a candidate. They may be used by the Editor to determine whether or not a candidate is added to CVE. Where there is disagreement, the Editor must resolve the issue and achieve consensus, or make the final decision if consensus cannot be reached.

- ACCEPT = 3 non-MITRE votes to ACCEPT/MODIFY, and no REVIEWING or REJECT
- ACCEPT_ACK = 2 non-MITRE ACCEPT/MODIFY, and vendor acknowledgement
- MOREVOTES = needs more votes
- ACCEPT_REV = 3 non-MITRE ACCEPT's but is delayed due to a REVIEWING
- SMC_REJECT = REJECT by Steve Christey; likely to be rejected outright
- SMC_REVIEW = REVIEWING by Steve Christey; likely related to CD's
- REVIEWING = at least one member is REVIEWING
- REJECT = at least one member REJECTed
- REVOTE = members should review their vote on this candidate

=================================
Candidate: CAN-1999-0247
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: NAI:17

Buffer overflow in nnrpd program in INN up to version 1.6 allows remote users to execute arbitrary commands.

Modifications:
 ADDREF NAI:17
 add version number

INFERRED ACTION: CAN-1999-0247 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
 ACCEPT(1) Stracener
 NOOP(1) Northcutt

VOTE:

=================================
Candidate: CAN-1999-0298
Published:
Final-Decision:
Interim-Decision:
Modified: 20000524-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

Modifications:
 CHANGEREF NAI:NAI-6
 Add details to description.

INFERRED ACTION: CAN-1999-0298 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 ACCEPT(1) Northcutt
 NOOP(1) Shostack
 REVIEWING(1) Frech

VOTE:

=================================
Candidate: CAN-2000-0045
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000111 Serious bug in MySQL password handling.
Reference: BUGTRAQ:20000113 New MySQL Available
Reference: BID:926
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=926

MySQL allows local users to modify passwords for arbitrary MySQL users via the GRANT privilege.

INFERRED ACTION: CAN-2000-0045 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
 ACCEPT(1) Stracener

VOTE:

=================================
Candidate: CAN-2000-0063
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Nortel Contivity Vulnerability
Reference: BID:938
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=938

cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to read arbitrary files by specifying the filename in a parameter to the script.

INFERRED ACTION: CAN-2000-0063 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
 ACCEPT(1) Stracener

VOTE:

=================================
Candidate: CAN-2000-0064
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:20000118 Nortel Contivity Vulnerability
Reference: BID:938
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=938

cgiproc CGI script in Nortel Contivity HTTP server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters.

INFERRED ACTION: CAN-2000-0064 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
 ACCEPT(1) Stracener

VOTE:

=================================
Candidate: CAN-2000-0076
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:19991230 vibackup.sh
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94709988232618&w=2
Reference: DEBIAN:20000109 nvi: incorrect file removal in boot script
Reference: URL:http://www.debian.org/security/2000/20000108

nviboot boot script in the Debian nvi package allows local users to delete files via malformed entries in vi.recover.

INFERRED ACTION: CAN-2000-0076 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
 ACCEPT(1) Stracener
 NOOP(3) Levy, Wall, Cole

VOTE:

=================================
Candidate: CAN-2000-0094
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: BUGTRAQ:20000121 *BSD procfs vulnerability
Reference: FREEBSD:FreeBSD-SA-00:02
Reference: BID:940
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=940

procfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr.

INFERRED ACTION: CAN-2000-0094 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 MODIFY(1) Frech
 NOOP(2) Wall, Christey
 REVIEWING(1) Cole

Comments:
 Christey> BID:987 and NETBSD:2000-001 refer to a NetBSD procfs mem problem that's probably the same problem as this one.
 Frech> XF:netbsd-procfs
 Christey> BID:987 has since been deleted, so I guess they agree ;-)

VOTE:

=================================
Candidate: CAN-2000-0117
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000127 Cobalt RaQ2 - a user of mine changed my admin password..
Reference: BUGTRAQ:20000131 [ Cobalt ] Security Advisory -- 01.31.2000

The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site Administrator to modify passwords for other users, site administrators, and possibly admin (root).

INFERRED ACTION: CAN-2000-0117 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 MODIFY(1) Frech
 NOOP(1) Wall
 REVIEWING(1) Cole

Comments:
 Frech> XF:http-cgi-cobalt-passwords

VOTE:

=================================
Candidate: CAN-2000-0120
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: ALLAIRE:ASB00-04
Reference: BID:955
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=955

The Remote Access Service invoke.cfm template in Allaire Spectra 1.0 allows users to bypass authentication via the bAuthenticated parameter.

INFERRED ACTION: CAN-2000-0120 MOREVOTES-1 (1 accept, 1 ack, 2 review)

Current Votes:
 MODIFY(1) Frech
 REVIEWING(2) Wall, Cole

Comments:
 Frech> XF:allaire-spectra-ras-access

VOTE:

=================================
Candidate: CAN-2000-0264
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000417 bugs in Panda Security 3.0
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38FB45F2.550EA000@teleline.es
Reference: BID:1119
Reference: URL:http://www.securityfocus.com/bid/1119

Panda Security 3.0 with registry editing disabled allows users to edit the registry and gain privileges by directly executing a .reg file or using other methods.

INFERRED ACTION: CAN-2000-0264 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
 ACCEPT(1) Stracener
 NOOP(3) Wall, Cole, Christey

Comments:
 Christey> CONFIRM:http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip

VOTE:

=================================
Candidate: CAN-2000-0265
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000417 bugs in Panda Security 3.0
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38FB45F2.550EA000@teleline.es
Reference: BID:1119
Reference: URL:http://www.securityfocus.com/bid/1119

Panda Security 3.0 allows users to uninstall the Panda software via its Add/Remove Programs applet.

INFERRED ACTION: CAN-2000-0265 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
 ACCEPT(1) Stracener
 NOOP(3) Wall, Cole, Christey

Comments:
 Christey> CONFIRM:http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip

VOTE:

=================================
Candidate: CAN-2000-0353
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000524
Assigned: 20000523
Category: SF
Reference: MISC:http://www.securiteam.com/unixfocus/HHP-Pine_remote_exploit.html
Reference: SUSE:19990628 Execution of commands in Pine 4.x
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_6.txt
Reference: SUSE:19990911 Update for Pine (fixed IMAP support)
Reference: URL:http://www.suse.de/de/support/security/pine_update_announcement.txt

Pine 4.x allows a remote attacker to execute arbitrary commands via an index.html file which executes lynx and obtains a uudecoded file from a malicious web server, which is then executed by Pine.

INFERRED ACTION: CAN-2000-0353 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 ACCEPT(1) Stracener
 NOOP(1) Christey
 REVIEWING(1) Frech

Comments:
 Christey> ADDREF BID:1247

VOTE:

=================================
Candidate: CAN-2000-0359
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000524
Assigned: 20000523
Category: SF
Reference: BUGTRAQ:19991113 thttpd 2.04 stack overflow (VD#6)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1626.html
Reference: SUSE:19991116 Security hole in thttpd 1.90a - 2.04
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_30.txt

Buffer overflow in Trivial HTTP (THTTPd) allows remote attackers to cause a denial of service or execute arbitrary commands via a long If-Modified-Since header.

INFERRED ACTION: CAN-2000-0359 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 ACCEPT(1) Stracener
 NOOP(1) Christey
 REVIEWING(1) Frech

Comments:
 Christey> ADDREF BID:1248
 Frech> (not thttpd-file-read)

VOTE:

=================================
Candidate: CAN-2000-0366
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000524
Assigned: 20000523
Category: SF
Reference: DEBIAN:19991202 problem restoring symlinks
Reference: URL:http://www.debian.org/security/1999/19991202

dump in Debian Linux 2.1 does not properly restore symlinks, which allows a local user to modify the ownership of arbitrary files.

INFERRED ACTION: CAN-2000-0366 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 ACCEPT(1) Stracener
 REVIEWING(1) Frech

VOTE:

=================================
Candidate: CAN-2000-0369
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000524
Assigned: 20000523
Category: SF
Reference: CALDERA:CSSA-1999-029.1
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-029.1.txt

The IDENT server in Caldera Linux 2.3 creates multiple threads for each IDENT request, which allows remote attackers to cause a denial of service.

INFERRED ACTION: CAN-2000-0369 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 ACCEPT(1) Stracener
 NOOP(1) Christey
 REVIEWING(1) Frech

Comments:
 Christey> ADDREF BID:1266
 Christey> ADDREF BID:1266

VOTE:

=================================
Candidate: CAN-2000-0370
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000524
Assigned: 20000523
Category: SF
Reference: CALDERA:CSSA-1999-001.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-001.0.txt

The debug option in Caldera Linux smail allows remote attackers to execute commands via shell metacharacters in the -D option for the rmail command.

INFERRED ACTION: CAN-2000-0370 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 ACCEPT(1) Stracener
 NOOP(1) Christey
 REVIEWING(1) Frech

Comments:
 Christey> ADDREF BID:1268
 Christey> ADDREF BID:1268 URL:http://www.securityfocus.com/bid/1268

VOTE:

=================================
Candidate: CAN-2000-0374
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000524
Assigned: 20000523
Category: SF
Reference: CALDERA:CSSA-1999-021.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-021.0.txt

The default configuration of kdm in Caldera Linux allows XDMCP connections from any host, which allows remote attackers to obtain sensitive information or bypass additional access restrictions.

INFERRED ACTION: CAN-2000-0374 MOREVOTES-1 (1 accept, 1 ack, 1 review)

Current Votes:
 ACCEPT(1) Stracener
 REVIEWING(1) Frech

Comments:
 Frech> (not xdm-xdmcp-remote-bo)

VOTE: