
[PROPOSAL] Cluster RECENT-22 - 33 candidates



The following cluster contains 33 candidates that were announced
between 5/21/2000 and 6/5/2000.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve



Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0467
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000614 Splitvt exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0125.html
Reference: DEBIAN:20000605 root exploit in splitvt
Reference: URL:http://www.debian.org/security/2000/20000605a
Reference: BID:1346
Reference: URL:http://www.securityfocus.com/bid/1346

Buffer overflow in Linux splitvt 1.6.3 and earlier allows local users
to gain root privileges via a long password in the screen locking
function.


ED_PRI CAN-2000-0467 1


VOTE:

=================================
Candidate: CAN-2000-0495
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: MS:MS00-038
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-038.asp
Reference: BID:1282
Reference: URL:http://www.securityfocus.com/bid/1282

Microsoft Windows Media Encoder allows remote attackers to cause a
denial of service via a malformed request, aka the "Malformed Windows
Media Encoder Request" vulnerability.


ED_PRI CAN-2000-0495 1


VOTE:

=================================
Candidate: CAN-2000-0517
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: CERT:CA-2000-08
Reference: URL:http://www.cert.org/advisories/CA-2000-08.html
Reference: BID:1260
Reference: URL:http://www.securityfocus.com/bid/1260

Netscape 4.73 and earlier does not properly warn users about a
potentially invalid certificate if the user has previously accepted
the certificate for a different web site, which could allow remote
attackers to spoof a legitimate web site by compromising that site's
DNS information.


ED_PRI CAN-2000-0517 1


VOTE:

=================================
Candidate: CAN-2000-0518
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: MS:MS00-039
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-039.asp
Reference: BID:1309
Reference: URL:http://www.securityfocus.com/bid/1309

Internet Explorer 4.0 and 5.0 does not properly verify all contents of
an SSL certificate if a connection is made to the server via an image
or a frame, aka one of two different "SSL Certificate Validation"
vulnerabilities.


ED_PRI CAN-2000-0518 1


VOTE:

=================================
Candidate: CAN-2000-0519
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: MS:MS00-039
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-039.asp
Reference: BID:1309
Reference: URL:http://www.securityfocus.com/bid/1309

Internet Explorer 4.0 and 5.0 does not properly re-validate an SSL
certificate if the user establishes a new SSL session with the same
server during the same Internet Explorer session, aka one of two
different "SSL Certificate Validation" vulnerabilities.


ED_PRI CAN-2000-0519 1


VOTE:

=================================
Candidate: CAN-2000-0530
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000531 KDE::KApplication feature?
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0387.html
Reference: CALDERA:CSSA-2000-015.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-015.0.txt
Reference: BID:1291
Reference: URL:http://www.securityfocus.com/bid/1291

The KApplication class in the KDE 1.1.2 configuration file management
capability allows local users to overwrite arbitrary files.


ED_PRI CAN-2000-0530 1


VOTE:

=================================
Candidate: CAN-2000-0537
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000606 BRU Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0013.html
Reference: CALDERA:CSSA-2000-018.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-018.0.txt
Reference: BID:1321
Reference: URL:http://www.securityfocus.com/bid/1321

BRU backup software allows local users to append data to arbitrary
files by specifying an alternate configuration file with the
BRUEXECLOG environmental variable.


ED_PRI CAN-2000-0537 1


VOTE:

=================================
Candidate: CAN-2000-0545
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000602 /usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0435.html
Reference: DEBIAN:20000605 mailx: mail group exploit in mailx
Reference: URL:http://www.debian.org/security/2000/20000605
Reference: BID:1305
Reference: URL:http://www.securityfocus.com/bid/1305

Buffer overflow in mailx mail command (aka Mail) on Linux systems
allows local users to gain privileges via a long -c (carbon copy)
parameter.


ED_PRI CAN-2000-0545 1


VOTE:

=================================
Candidate: CAN-2000-0474
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000601 Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0410.html
Reference: BUGTRAQ:20000601 Remote DoS attack in RealServer: USSR-2000043
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0427.html
Reference: BID:1288
Reference: URL:http://www.securityfocus.com/bid/1288

Real Networks RealServer 7.x allows remote attackers to cause a denial
of service via a malformed request for a page in the viewsource
directory.


ED_PRI CAN-2000-0474 2


VOTE:

=================================
Candidate: CAN-2000-0486
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000530 An Analysis of the TACACS+ Protocol and its Implementations
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0369.html
Reference: CONFIRM:http://archives.neohapsis.com/archives/bugtraq/2000-05/0370.html
Reference: BID:1293
Reference: URL:http://www.securityfocus.com/bid/1293

Buffer overflow in Cisco TACACS+ tac_plus server allows remote
attackers to cause a denial of service via a malformed packet with a
long length field.


ED_PRI CAN-2000-0486 2


VOTE:

=================================
Candidate: CAN-2000-0505
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000603 Re: IBM HTTP SERVER / APACHE
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.20.0006031912360.45740-100000@alive.znep.com
Reference: BID:1284
Reference: URL:http://www.securityfocus.com/bid/1284

The Apache 1.3.x HTTP server for Windows platforms allows remote
attackers to list directory contents by requesting a URL containing a
large number of / characters.


ED_PRI CAN-2000-0505 2


VOTE:

=================================
Candidate: CAN-2000-0536
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: CONFIRM:http://www.synack.net/xinetd/
Reference: BID:1381
Reference: URL:http://www.securityfocus.com/bid/1381

xinetd 2.1.8.x does not properly restrict connections if hostnames are
used for access control and the connecting host does not have a
reverse DNS entry.


ED_PRI CAN-2000-0536 2


VOTE:

=================================
Candidate: CAN-2000-0468
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000601 HP Security vulnerability in the man command
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.SOL.4.02.10006021014400.4779-100000@nofud.nwest.attws.com
Reference: BID:1302
Reference: URL:http://www.securityfocus.com/bid/1302

man in HP-UX 10.20 and 11 allows local attackers to overwrite files
via a symlink attack.


ED_PRI CAN-2000-0468 3


VOTE:

=================================
Candidate: CAN-2000-0470
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000601 Hardware Exploit - Gets network Down
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0398.html
Reference: BID:1290
Reference: URL:http://www.securityfocus.com/bid/1290

Allegro RomPager HTTP server allows remote attackers to cause a denial
of service via a malformed authentication request.


ED_PRI CAN-2000-0470 3


VOTE:

=================================
Candidate: CAN-2000-0476
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000601 [rootshell.com] Xterm DoS Attack
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0420.html
Reference: BID:1298
Reference: URL:http://www.securityfocus.com/bid/1298

xterm, Eterm, and rxvt allow an attacker to cause a denial of service
by embedding certain escape characters which force the window to be
resized.


ED_PRI CAN-2000-0476 3


VOTE:

=================================
Candidate: CAN-2000-0481
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: VULN-DEV:20000601 Kmail heap overflow
Reference: URL:http://securityfocus.com/templates/archive.pike?list=82&date=2000-06-22&msg=00060200422401.01667@lez
Reference: BID:1380
Reference: URL:http://www.securityfocus.com/bid/1380

Buffer overflow in KDE Kmail allows a remote attacker to cause a
denial of service via an attachment with a long file name.


ED_PRI CAN-2000-0481 3


VOTE:

=================================
Candidate: CAN-2000-0487
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: MS:MS00-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-032.asp
Reference: BID:1295
Reference: URL:http://www.securityfocus.com/bid/1295

The Protected Store in Windows 2000 does not properly select the
strongest encryption when available, which causes it to use a default
of 40-bit encryption instead of 56-bit DES encryption, aka the
"Protected Store Key Length" vulnerability.


ED_PRI CAN-2000-0487 3


VOTE:

=================================
Candidate: CAN-2000-0488
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000601 DST2K0007: Buffer Overrun in ITHouse Mail Server v1.04
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0148.html
Reference: BID:1285
Reference: URL:http://www.securityfocus.com/bid/1285

Buffer overflow in ITHouse mail server 1.04 allows remote attackers to
execute arbitrary commands via a long RCPT TO mail command.


ED_PRI CAN-2000-0488 3


VOTE:

=================================
Candidate: CAN-2000-0489
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:19990826 Local DoS in FreeBSD
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9908270039010.16315-100000@thetis.deor.org
Reference: BUGTRAQ:20000601 Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPCEJLCEAA.labs@ussrback.com
Reference: BID:622
Reference: URL:http://www.securityfocus.com/bid/622

FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of
service by creating a large number of socket pairs using the
socketpair function, setting a large buffer size via setsockopt, then
writing large buffers.


ED_PRI CAN-2000-0489 3


VOTE:

=================================
Candidate: CAN-2000-0490
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000601 Netwin's Dmail package
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0407.html
Reference: BID:1297
Reference: URL:http://www.securityfocus.com/bid/1297

Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package
allows remote attackers to execute arbitrary commands via a long ETRN
request.


ED_PRI CAN-2000-0490 3


VOTE:

=================================
Candidate: CAN-2000-0491
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000521 "gdm" remote hole
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0241.html
Reference: SUSE:20000524 Security hole in gdm <= 2.0beta4-25
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_49.txt
Reference: BUGTRAQ:20000607 Conectiva Linux Security Announcement - gdm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0025.html
Reference: CALDERA:CSSA-2000-013.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-013.0.txt
Reference: BID:1233
Reference: URL:http://www.securityfocus.com/bid/1233
Reference: BID:1279
Reference: URL:http://www.securityfocus.com/bid/1279
Reference: BID:1370
Reference: URL:http://www.securityfocus.com/bid/1370

Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and
wdm allows remote attackers to execute arbitrary commands or cause a
denial of service via a long FORWARD_QUERY request.


ED_PRI CAN-2000-0491 3


VOTE:

=================================
Candidate: CAN-2000-0492
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000609 Insecure encryption in PassWD v1.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0450.html
Reference: BID:1300
Reference: URL:http://www.securityfocus.com/bid/1300

PassWD 1.2 uses weak encryption (trivial encoding) to store passwords,
which allows an attacker who can read the password file to easily
decrypt the passwords.


ED_PRI CAN-2000-0492 3


VOTE:

=================================
Candidate: CAN-2000-0493
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: VULN-DEV:20000601 Vulnerability in SNTS
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0843.html
Reference: BID:1289
Reference: URL:http://www.securityfocus.com/bid/1289

Buffer overflow in Simple Network Time Sync (SNTS) daemon allows
remote attackers to cause a denial of service via a long command.


ED_PRI CAN-2000-0493 3


VOTE:

=================================
Candidate: CAN-2000-0507
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000601 DST2K0006: Denial of Service Possibility in Imate WebMail Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95990195708509&w=2
Reference: BID:1286
Reference: URL:http://www.securityfocus.com/bid/1286

Imate Webmail Server 2.5 allows remote attackers to cause a denial of
service via a long HELO command.


ED_PRI CAN-2000-0507 3


VOTE:

=================================
Candidate: CAN-2000-0509
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000601 DST2K0008: Buffer Overrun in Sambar Server 4.3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95990103207665&w=2
Reference: BID:1287
Reference: URL:http://www.securityfocus.com/bid/1287

Buffer overflows in the finger and whois demonstration scripts in
Sambar Server 4.3 allow remote attackers to execute arbitrary commands
via a long hostname.


ED_PRI CAN-2000-0509 3


VOTE:

=================================
Candidate: CAN-2000-0521
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000605 MDMA Advisory #5: Reading of CGI Scripts under Savant Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0469.html
Reference: BID:1313
Reference: URL:http://www.securityfocus.com/bid/1313

Savant web server allows remote attackers to read source code of CGI
scripts via a GET request that does not include the HTTP version
number.


ED_PRI CAN-2000-0521 3


VOTE:

=================================
Candidate: CAN-2000-0524
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000604 Microsoft Outlook (Express) bug..
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0045.html
Reference: BID:1333
Reference: URL:http://www.securityfocus.com/bid/1333

Microsoft Outlook and Outlook Express allow remote attackers to cause
a denial of service by sending email messages with blank fields such
as BCC, Reply-To, Return-Path, or From.


ED_PRI CAN-2000-0524 3


VOTE:

=================================
Candidate: CAN-2000-0544
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: NTBUGTRAQ:20000604 anonymous SMBwriteX DoS
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0231.html
Reference: BID:1304
Reference: URL:http://www.securityfocus.com/bid/1304

Windows NT and Windows 2000 hosts allow a remote attacker to cause a
denial of service via malformed DCE/RPC SMBwriteX requests
that contain an invalid data length.


ED_PRI CAN-2000-0544 3


VOTE:

=================================
Candidate: CAN-2000-0551
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: BUGTRAQ:20000523 I think
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0339.html
Reference: BID:1263
Reference: URL:http://www.securityfocus.com/bid/1263

The file transfer mechanism in Danware NetOp 6.0 does not provide
authentication, which allows remote attackers to access and modify
arbitrary files.


ED_PRI CAN-2000-0551 3


VOTE:

=================================
Candidate: CAN-2000-0553
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: unknown
Reference: BUGTRAQ:20000525 Security Vulnerability in IPFilter 3.3.15 and 3.4.3
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-05/0326.html
Reference: BID:1308
Reference: URL:http://www.securityfocus.com/bid/1308

Race condition in IPFilter firewall 3.4.3 and earlier, when configured
with overlapping "return-rst" and "keep state" rules, allows remote
attackers to bypass access restrictions.


ED_PRI CAN-2000-0553 3


VOTE:

=================================
Candidate: CAN-2000-0556
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: NTBUGTRAQ:20000608 DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0248.html
Reference: CONFIRM:http://www.computalynx.net/news/Jun2000/news0806200001.html
Reference: BID:1319
Reference: URL:http://www.securityfocus.com/bid/1319

Buffer overflow in the web interface for Cmail 2.4.7 allows remote
attackers to cause a denial of service by sending a large user name to
the user dialog running on port 8002.


ED_PRI CAN-2000-0556 3


VOTE:

=================================
Candidate: CAN-2000-0557
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: NTBUGTRAQ:20000608 DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0248.html
Reference: BID:1318
Reference: URL:http://www.securityfocus.com/bid/1318

Buffer overflow in the web interface for Cmail 2.4.7 allows remote
attackers to execute arbitrary commands via a long GET request.


ED_PRI CAN-2000-0557 3


VOTE:

=================================
Candidate: CAN-2000-0564
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000712
Assigned: 20000711
Category: SF
Reference: NTBUGTRAQ:20000529 ICQ Web Front Remote DoS Attack Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0218.html

The guestbook CGI program in ICQ Web Front service for ICQ 2000a, 99b,
and others allows remote attackers to cause a denial of service via a
URL with a long name parameter.


ED_PRI CAN-2000-0564 3


VOTE:

Page Last Updated or Reviewed: May 22, 2007