
[PROPOSAL] Cluster RECENT-27 - 15 candidates



The following cluster contains 15 candidates that were announced
between 7/1/2000 and 7/18/2000 (but all except CAN-2000-0567 were
announced on or before 7/11).

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both have some degree of vendor confirmation, so
they should be easy to review and it can be trusted that the problems
are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0566
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000712
Category: SF
Reference: ISS:20000712 Insecure temporary file handling in Linux makewhatis
Reference: REDHAT:RHSA-2000:041-02
Reference: BID:1434
Reference: CALDERA:CSSA-2000-021.0
Reference: BUGTRAQ:20000707 [Security Announce] man update

makewhatis in Linux man package allows local users to overwrite files
via a symlink attack.


ED_PRI CAN-2000-0566 1


VOTE:

=================================
Candidate: CAN-2000-0567
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: MS:MS00-043
Reference: BUGTRAQ:20000719 Buffer Overflow in MS Outlook Email Clients
Reference: BUGTRAQ:20000719 Aaron Drew - Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients
Reference: BID:1481
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=1481

Buffer overflow in Microsoft Outlook and Outlook Express allows remote
attackers to execute arbitrary commands via a long Date field in an
email header, aka the "Malformed E-mail Header" vulnerability.


ED_PRI CAN-2000-0567 1


VOTE:
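Added example, not Outlook's parser: the bug class here is an
attacker-controlled header value copied into a fixed-size buffer.  The parser,
the DATE_MAX buffer size and the sample messages below are constructed for
illustration; the hardened version rejects a Date value that does not fit
instead of writing past the buffer.

```c
/* Added example, not Outlook's code: a fixed buffer filled by an unbounded
 * copy of the Date: header value, beside the bounded version. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define DATE_MAX 64   /* assumed size of the fixed buffer */

/* Sample message (constructed). */
const char BENIGN_MSG[] =
    "From: alice@example.invalid\r\n"
    "Date: Tue, 11 Jul 2000 10:00:00 -0400\r\n"
    "Subject: hi\r\n"
    "\r\n"
    "body\r\n";

/* Locates the value of header `name` in a CRLF/LF-separated header block.
 * Header folding (continuation lines) is not handled. Returns a pointer to the
 * first byte of the value and stores its length in *len, or NULL if absent. */
const char *find_header(const char *msg, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = msg;
    /* stop at the blank line that ends the headers */
    while (*p && *p != '\n' && !(p[0] == '\r' && p[1] == '\n')) {
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *e = v;
            while (*e && *e != '\r' && *e != '\n') e++;
            *len = (size_t)(e - v);
            return v;
        }
        while (*p && *p != '\n') p++;   /* advance to the next line */
        if (*p == '\n') p++;
    }
    return NULL;
}

/* Vulnerable shape (never call with untrusted input): the copy length comes
 * from the message, the buffer size does not. A Date value of DATE_MAX bytes
 * or more writes past `date` on the stack. */
int parse_date_header_vuln(const char *msg) {
    char date[DATE_MAX];
    size_t len;
    const char *v = find_header(msg, "Date", &len);
    if (!v) return -1;
    memcpy(date, v, len);        /* BUG: len never checked against sizeof date */
    date[len] = '\0';
    return (int)strlen(date);    /* something observable for the benign case */
}

/* Hardened shape: the value must fit, terminator included, or the header is
 * rejected. Returns 0 on success, -1 if missing, -2 if oversized. */
int parse_date_header(const char *msg, char *out, size_t outsz) {
    size_t len;
    const char *v = find_header(msg, "Date", &len);
    if (!v) return -1;
    if (len >= outsz) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Builds a message whose Date value is n bytes of 'A' (constructed attack
 * input). Returns 0, or -1 if buf is too small. */
int build_long_date_msg(char *buf, size_t bufsz, size_t n) {
    const char *head = "From: mallory@example.invalid\r\nDate: ";
    const char *tail = "\r\nSubject: x\r\n\r\nbody\r\n";
    if (strlen(head) + n + strlen(tail) + 1 > bufsz) return -1;
    char *p = buf;
    p += sprintf(p, "%s", head);
    memset(p, 'A', n);
    p += n;
    sprintf(p, "%s", tail);
    return 0;
}

/* Result of the hardened parser on a constructed message with an n-byte Date. */
int parse_result_for_length(size_t n) {
    char msg[1024], out[DATE_MAX];
    if (build_long_date_msg(msg, sizeof msg, n) != 0) return -99;
    return parse_date_header(msg, out, sizeof out);
}

int main(void) {
    char out[DATE_MAX];
    printf("benign: rc=%d date=%s\n", parse_date_header(BENIGN_MSG, out, sizeof out), out);
    printf("500-byte Date: rc=%d (-2 = rejected; the vulnerable copy would overflow)\n",
           parse_result_for_length(500));
    return 0;
}
```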

=================================
Candidate: CAN-2000-0584
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: MISC:http://shadowpenguin.backsection.net/advisories/advisory038.html
Reference: DEBIAN:20000701 canna server: buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q2/0062.html
Reference: FREEBSD:FreeBSD-SA-00:31
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:31.canna.asc.v1.1
Reference: BID:1445
Reference: URL:http://www.securityfocus.com/bid/1445

Buffer overflow in Canna input system allows remote attackers to
execute arbitrary commands via an SR_INIT command with a long user
name or group name.


ED_PRI CAN-2000-0584 1


VOTE:

=================================
Candidate: CAN-2000-0594
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: VULN-DEV:20000704 BitchX /ignore bug
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0018.html
Reference: BUGTRAQ:20000704 BitchX exploit possibly waiting to happen, certain DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0026.html
Reference: REDHAT:RHSA-2000:042-01
Reference: URL:
Reference: FREEBSD:FreeBSD-SA-00:32
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-07/0042.html
Reference: CALDERA:CSSA-2000-022.0
Reference: URL:
Reference: BUGTRAQ:20000707 BitchX update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0105.html
Reference: BUGTRAQ:20000707 CONECTIVA LINUX SECURITY ANNOUNCEMENT - BitchX
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0098.html
Reference: BID:1436
Reference: URL:http://www.securityfocus.com/bid/1436

BitchX IRC client does not properly cleanse an untrusted format
string, which allows remote attackers to cause a denial of service via
an invite to a channel whose name includes special formatting
characters.


ED_PRI CAN-2000-0594 1


VOTE:

=================================
Candidate: CAN-2000-0595
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:24
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-07/0035.html
Reference: BID:1437
Reference: URL:http://www.securityfocus.com/bid/1437

libedit searches for the .editrc file in the current directory instead
of the user's home directory, which may allow local users to execute
arbitrary commands by installing a modified .editrc in another
directory.


ED_PRI CAN-2000-0595 1


VOTE:

=================================
Candidate: CAN-2000-0603
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: MS:MS00-048
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-048.asp
Reference: BID:1444
Reference: URL:http://www.securityfocus.com/bid/1444

Microsoft SQL Server 7.0 allows a local user to bypass permissions for
stored procedures by referencing them via a temporary stored
procedure, aka the "Stored Procedure Permissions" vulnerability.


ED_PRI CAN-2000-0603 1


VOTE:

=================================
Candidate: CAN-2000-0613
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000320 PIX DMZ Denial of Service - TCP Resets
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=B3D6883199DBD311868100A0C9FC2CDC046B72@protea.citec.net
Reference: CISCO:20000711 Cisco Secure PIX Firewall TCP Reset Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml
Reference: BID:1454
Reference: URL:http://www.securityfocus.com/bid/1454

Cisco Secure PIX Firewall does not properly identify forged TCP Reset
(RST) packets, which allows remote attackers to force the firewall to
close legitimate connections.


ED_PRI CAN-2000-0613 1


VOTE:
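Added example, not PIX code.  It models one direction of a tracked TCP flow
and contrasts a firewall that tears the flow down on any RST matching the
4-tuple with one that also requires the RST's sequence number to fall inside
the receive window, the validation RFC 793 specifies for resets.  The
connection-table layout, addresses, ports and sequence numbers are
constructed assumptions.

```c
/* Added example, not PIX code: 4-tuple-only RST handling beside RFC 793
 * sequence-window validation. */
#include <stdint.h>
#include <stdio.h>

#define TCP_RST 0x04

struct flow {                 /* assumed minimal connection-table entry */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t rcv_nxt;         /* next sequence number the peer expects from src */
    uint32_t rcv_wnd;         /* window the peer advertised */
    int open;
};

struct segment {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t seq;
    uint8_t flags;
};

static int same_4tuple(const struct flow *f, const struct segment *s) {
    return f->src_ip == s->src_ip && f->dst_ip == s->dst_ip &&
           f->src_port == s->src_port && f->dst_port == s->dst_port;
}

/* True if seq is in [rcv_nxt, rcv_nxt + wnd), modulo 2^32. */
int seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t wnd) {
    return (uint32_t)(seq - rcv_nxt) < wnd;
}

/* Weak: any RST from the right 4-tuple kills the flow. Returns 1 if closed. */
int handle_rst_weak(struct flow *f, const struct segment *s) {
    if (!f->open || !(s->flags & TCP_RST) || !same_4tuple(f, s)) return 0;
    f->open = 0;
    return 1;
}

/* Checked: the RST must also carry an in-window sequence number. Returns 1 if
 * closed, 0 if ignored. (RFC 5961 goes further: reset only on an exact
 * rcv_nxt match and answer other in-window RSTs with a challenge ACK.) */
int handle_rst_checked(struct flow *f, const struct segment *s) {
    if (!f->open || !(s->flags & TCP_RST) || !same_4tuple(f, s)) return 0;
    if (!seq_in_window(s->seq, f->rcv_nxt, f->rcv_wnd)) return 0;
    f->open = 0;
    return 1;
}

/* Constructed flow: 10.0.0.5:40000 -> 192.0.2.10:80, peer expects 0x10000000. */
struct flow sample_flow(void) {
    struct flow f = { 0x0A000005u, 0xC000020Au, 40000, 80, 0x10000000u, 65535u, 1 };
    return f;
}

/* A forged RST carrying the guessed 4-tuple and an attacker-chosen seq. */
struct segment forged_rst(uint32_t seq) {
    struct segment s = { 0x0A000005u, 0xC000020Au, 40000, 80, seq, TCP_RST };
    return s;
}

/* Feeds one forged RST to both handlers; returns (weak << 1) | checked. */
int compare_handlers(uint32_t seq) {
    struct flow a = sample_flow(), b = sample_flow();
    struct segment r = forged_rst(seq);
    return (handle_rst_weak(&a, &r) << 1) | handle_rst_checked(&b, &r);
}

int main(void) {
    int out = compare_handlers(0xDEADBEEFu), in = compare_handlers(0x10000000u + 100);
    printf("out-of-window RST: weak=%d checked=%d\n", out >> 1, out & 1);
    printf("in-window RST:     weak=%d checked=%d\n", in >> 1, in & 1);
    return 0;
}
```

With the check in place an attacker who already knows the 4-tuple still has
to hit a 65535-wide window out of 2^32 sequence numbers, so blind resets cost
on the order of 2^16 packets per connection instead of one.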

=================================
Candidate: CAN-2000-0614
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: SUSE:20000710 Security Hole in tnef < 0-124
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q3/0002.html
Reference: BID:1450
Reference: URL:http://www.securityfocus.com/bid/1450

The tnef program on Linux systems allows remote attackers to overwrite
arbitrary files via TNEF-encoded compressed attachments that specify
absolute path names for the decompressed output.


ED_PRI CAN-2000-0614 1


VOTE:

=================================
Candidate: CAN-2000-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000705 Novell BorderManager 3.0 EE - Encoded URL rule bypass
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0038.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0075.html
Reference: BID:1432
Reference: URL:http://www.securityfocus.com/bid/1432

Novell BorderManager 3.0 and 3.5 allows remote attackers to bypass URL
filtering by encoding characters in the requested URL.


ED_PRI CAN-2000-0591 2


VOTE:
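Added example, not BorderManager code.  A filter that matches its rules
against the raw request text never sees "www" in "%77ww.blocked.example",
because the escape is decoded later by the target; matching against a
canonical form (percent-decoded, lower-cased) closes that gap.  The block-list
entries, the request samples and the three-pass decode bound are constructed
assumptions.

```c
/* Added example, not BorderManager code: raw-text URL filter beside one that
 * canonicalizes (percent-decode, lower-case) before matching. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decodes %XX escapes from in to out; malformed escapes are copied literally.
 * Returns the number of escapes decoded, or -1 if out is too small or an
 * escape decodes to NUL (which would silently truncate the canonical form). */
int percent_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    int n = 0;
    for (size_t i = 0; in[i]; i++) {
        if (o + 1 >= outsz) return -1;
        int h = (in[i] == '%') ? hexval(in[i + 1]) : -1;
        int l = (h >= 0) ? hexval(in[i + 2]) : -1;
        if (h >= 0 && l >= 0) {
            if (h * 16 + l == 0) return -1;
            out[o++] = (char)(h * 16 + l);
            i += 2;
            n++;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return n;
}

/* Canonical form: decode until nothing changes (bounded at 3 passes, an
 * assumption that catches double encoding such as %2577 without looping on
 * pathological input), then lower-case. Returns 0, or -1 on failure. */
int canonicalize_url(const char *in, char *out, size_t outsz) {
    char cur[512], next[512];
    if (strlen(in) >= sizeof cur) return -1;
    strcpy(cur, in);
    for (int pass = 0; pass < 3; pass++) {
        int n = percent_decode(cur, next, sizeof next);
        if (n < 0) return -1;
        strcpy(cur, next);
        if (n == 0) break;
    }
    size_t len = strlen(cur);
    if (len >= outsz) return -1;
    for (size_t i = 0; i <= len; i++) out[i] = (char)tolower((unsigned char)cur[i]);
    return 0;
}

/* Constructed block list; entries are already in canonical (lower-case) form. */
static const char *BLOCKLIST[] = { "www.blocked.example", "/cgi-bin/phf", NULL };

/* Naive filter: substring match on the request exactly as received. */
int filter_naive(const char *url) {
    for (int i = 0; BLOCKLIST[i]; i++)
        if (strstr(url, BLOCKLIST[i])) return 1;
    return 0;
}

/* Hardened filter: canonicalize first; fail closed if that is not possible. */
int filter_canonical(const char *url) {
    char canon[512];
    if (canonicalize_url(url, canon, sizeof canon) != 0) return 1;
    return filter_naive(canon);
}

int main(void) {
    const char *reqs[] = { "http://www.blocked.example/", "http://%77ww.blocked.example/",
                           "http://WWW.BLOCKED.EXAMPLE/", "http://host.example/cgi-bin/%70hf",
                           "http://%2577ww.blocked.example/", "http://www.allowed.example/", NULL };
    for (int i = 0; reqs[i]; i++)
        printf("%-40s naive=%d canonical=%d\n", reqs[i],
               filter_naive(reqs[i]), filter_canonical(reqs[i]));
    return 0;
}
```

Lower-casing the whole URL is the conservative choice for a deny list (host
names are case-insensitive; a case-sensitive path that happens to match is a
false positive, not a bypass).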

=================================
Candidate: CAN-2000-0571
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000703 Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=NCBBKFKDOLAGKIAPMILPCEIHCFAA.labs@ussrback.com
Reference: BID:1423
Reference: URL:http://www.securityfocus.com/bid/1423

LocalWEB HTTP server 1.2.0 allows remote attackers to cause a denial
of service via a long GET request.


ED_PRI CAN-2000-0571 3


VOTE:

=================================
Candidate: CAN-2000-0572
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000704 Recovering Passwords in Visible Systems' Razor
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=613309F30B6DD2118C020000F809376C05CABD49@emss03m09.orl.lmco.com
Reference: BID:1424
Reference: URL:http://www.securityfocus.com/bid/1424

The Razor configuration management tool uses weak encryption for its
password file, which allows local users to gain privileges.


ED_PRI CAN-2000-0572 3


VOTE:

=================================
Candidate: CAN-2000-0574
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000705 proftp advisory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0031.html
Reference: BUGTRAQ:20000706 ftpd and setproctitle()
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html
Reference: CERT:CA-2000-13
Reference: URL:http://www.cert.org/advisories/CA-2000-13.html
Reference: BUGTRAQ:20000710 opieftpd setproctitle() patches
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html
Reference: NETBSD:NetBSD-SA2000-009
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc
Reference: BID:1425
Reference: URL:http://www.securityfocus.com/bid/1425
Reference: BID:1438
Reference: URL:http://www.securityfocus.com/bid/1438

FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPD and opieftpd do
not properly cleanse untrusted format strings that are used in the
setproctitle function (or a wrapper such as set_proc_title), which
allows remote attackers to cause a denial of service or execute
arbitrary commands.


ED_PRI CAN-2000-0574 3


VOTE:
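Added example covering both this candidate and CAN-2000-0594 (BitchX), which
share one pattern: text received from the network ends up as the format
argument of a printf-family call.  None of this is ftpd's or BitchX's code;
fake_setproctitle() is a stand-in for setproctitle(3) and the "ftpd: " title
prefix is an assumption.  The block shows the vulnerable call shape, the
fixed shape the vendor patches use ("%s" literal, data as argument), a
detector for live directives, and an escaping helper for code that cannot
change the call shape.

```c
/* Added example, not ftpd's or BitchX's code: untrusted text as printf format,
 * with the fixed call shape, a directive detector and an escaper. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char proctitle[128];           /* stands in for the process title */

/* Same shape as BSD setproctitle(const char *fmt, ...). */
void fake_setproctitle(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proctitle, sizeof proctitle, fmt, ap);
    va_end(ap);
}
const char *current_title(void) { return proctitle; }

/* Vulnerable shape: the string containing the remote user name is the format.
 * With "%x" in the name it prints stack words, with "%n" it writes memory.
 * Only ever called with a benign name here; never reach this with real input. */
void set_title_vuln(const char *user) {
    char line[128];
    snprintf(line, sizeof line, "ftpd: %s", user);
    fake_setproctitle(line);                 /* BUG: line is the format */
}

/* Fixed shape: literal format, untrusted data passed as an argument. */
void set_title_fixed(const char *user) {
    char line[128];
    snprintf(line, sizeof line, "ftpd: %s", user);
    fake_setproctitle("%s", line);
}

/* Returns 1 if s contains a '%' that starts a conversion (i.e. not "%%"). */
int has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Doubles every '%' so the text is inert if it must be embedded in a format.
 * Returns 0, or -1 if out is too small (out is then an empty string). */
int escape_percent(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outsz) { if (outsz) out[0] = '\0'; return -1; }
        if (*in == '%') out[o++] = '%';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* Alternative fix when the call shape cannot change: escape before building. */
int set_title_escaped(const char *user) {
    char esc[128], line[256];
    if (escape_percent(user, esc, sizeof esc) != 0) return -1;
    snprintf(line, sizeof line, "ftpd: %s", esc);
    fake_setproctitle(line);                 /* safe: only "%%" remains */
    return 0;
}

int main(void) {
    const char *hostile = "%x%x%x%n";
    printf("directive in \"%s\"? %d\n", hostile, has_format_directive(hostile));
    set_title_fixed(hostile);
    printf("fixed:   %s\n", current_title());
    set_title_escaped(hostile);
    printf("escaped: %s\n", current_title());
    return 0;
}
```

The BitchX case is the same shape with the channel name from an INVITE in
place of the user name; the "%s" fix applies unchanged.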

=================================
Candidate: CAN-2000-0576
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000704 Oracle Web Listener for AIX DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0027.html
Reference: BID:1427
Reference: URL:http://www.securityfocus.com/bid/1427

Oracle Web Listener for AIX versions 4.0.7.0.0 and 4.0.8.1.0 allows
remote attackers to cause a denial of service via a malformed URL.


ED_PRI CAN-2000-0576 3


VOTE:

=================================
Candidate: CAN-2000-0590
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000706 Vulnerability in Poll_It cgi v2.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0076.html
Reference: BID:1431
Reference: URL:http://www.securityfocus.com/bid/1431

Poll It 2.0 CGI script allows remote attackers to read arbitrary files
by specifying the file name in the data_dir parameter.


ED_PRI CAN-2000-0590 3


VOTE:
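Added example covering this candidate and CAN-2000-0614 (tnef).  Both let an
untrusted string choose the file path: tnef honoured an absolute attachment
name for its output file, Poll It used the data_dir parameter as a directory
to read from.  The check below is neither project's code; it accepts only a
plain relative name (no absolute form, no "." or ".." components) and joins
it under a fixed base directory.  The base paths and file names are
constructed, and the code is string-only so it runs without touching the
filesystem.

```c
/* Added example, neither tnef's nor Poll It's code: syntactic containment
 * check for an untrusted path plus a safe join under a fixed base. */
#include <stdio.h>
#include <string.h>

/* 1 if name is a safe relative path: non-empty, not absolute (Unix, UNC or
 * drive-letter style), no backslashes, and no empty, "." or ".." components. */
int is_safe_relative(const char *name) {
    if (!name || !*name) return 0;
    if (name[0] == '/' || name[0] == '\\') return 0;
    if (name[1] == ':') return 0;                 /* "C:..." */
    if (strchr(name, '\\')) return 0;             /* treat backslash as a separator */
    const char *p = name;
    for (;;) {
        const char *e = strchr(p, '/');
        size_t len = e ? (size_t)(e - p) : strlen(p);
        if (len == 0) return 0;                                   /* "a//b" or trailing "/" */
        if (len == 1 && p[0] == '.') return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;
        if (!e) return 1;
        p = e + 1;
    }
}

/* Joins base and name when name passes the check. Returns 0 and fills out,
 * -1 if name was rejected, -2 if the result does not fit. */
int safe_join(const char *base, const char *name, char *out, size_t outsz) {
    if (!is_safe_relative(name)) return -1;
    int n = snprintf(out, outsz, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outsz) { if (outsz) out[0] = '\0'; return -2; }
    return 0;
}

int main(void) {
    const char *tests[] = { "attach.doc", "sub/report.txt", "/etc/passwd",
                            "../../etc/passwd", "sub/../x", "a//b", "C:\\boot.ini", NULL };
    char out[256];
    for (int i = 0; tests[i]; i++)
        printf("%-20s -> %s\n", tests[i],
               safe_join("/var/lib/tnef", tests[i], out, sizeof out) == 0 ? out : "REJECTED");
    return 0;
}
```

This validates the name syntactically.  It does not defend against a symlink
already present under the base directory; for that, open the result with
O_NOFOLLOW or compare realpath() of the created file against the base.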

=================================
Candidate: CAN-2000-0605
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: unknown
Reference: NTBUGTRAQ:20000710 Two issues: Blackboard CourseInfo 4.0 stores admin password in clear text; strange settings on the winreg key.
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647
Reference: BID:1460
Reference: URL:http://www.securityfocus.com/bid/1460

Blackboard CourseInfo 4.0 stores the local and SQL administrator user
names and passwords in cleartext in a registry key whose access
control allows users to access the passwords.


ED_PRI CAN-2000-0605 3


VOTE:

Page Last Updated or Reviewed: May 22, 2007