[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PROPOSAL] Cluster RECENT-27 - 15 candidates

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000719 23:42]:
> The following cluster contains 15 candidates that were announced
> between 7/1/2000 and 7/18/2000 (but all except CAN-2000-0567 were
> announced on or before 7/11).
> 
> The candidates are listed in order of priority.  Priority 1 and
> Priority 2 candidates both deal with varying levels of vendor
> confirmation, so they should be easy to review and it can be trusted
> that the problems are real.
> 
> If you discover that any RECENT-XX cluster is incomplete with respect
> to the problems discovered during the associated time frame, please
> send that information to me so that candidates can be assigned.
> 
> - Steve
> 
> 
> Summary of votes to use (in ascending order of "severity")
> ----------------------------------------------------------
> 
> ACCEPT - voter accepts the candidate as proposed
> NOOP - voter has no opinion on the candidate
> MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
> REVIEWING - voter is reviewing/researching the candidate, or needs more info
> RECAST - candidate must be significantly modified, e.g. split or merged
> REJECT - candidate is "not a vulnerability", or a duplicate, etc.
> 
> 1) Please write your vote on the line that starts with "VOTE: ".  If
>    you want to add comments or details, add them to lines after the
>    VOTE: line.
> 
> 2) If you see any missing references, please mention them so that they
>    can be included.  References help greatly during mapping.
> 
> 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
>    So if you don't have sufficient information for a candidate but you
>    don't want to NOOP, use a REVIEWING.
> 
> ********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
> 
> Please keep in mind that your vote and comments will be recorded and
> publicly viewable in the mailing list archives or in other formats.
> 
> =================================
> Candidate: CAN-2000-0566
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000712
> Category: SF
> Reference: ISS:20000712 Insecure temporary file handling in Linux makewhatis
> Reference: REDHAT:RHSA-2000:041-02
> Reference: BID:1434
> Reference: CALDERA:CSSA-2000-021.0
> Reference: BUGTRAQ:20000707 [Security Announce] man update
> 
> makewhatis in Linux man package allows local users to overwrite files
> via a symlink attack.
> 
> 
> ED_PRI CAN-2000-0566 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0567
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: MS:MS00-043
> Reference: BUGTRAQ:20000719 Buffer Overflow in MS Outlook Email Clients
> Reference: BUGTRAQ:20000719 Aaron Drew - Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients
> Reference: BID:1481
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=1481
> 
> Buffer overflow in Microsoft Outlook and Outlook Express allows remote
> attackers to execute arbitrary commands via a long Date field in an
> email header, aka the "Malformed E-mail Header" vulnerability.
> 
> 
> ED_PRI CAN-2000-0567 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0584
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: MISC:http://shadowpenguin.backsection.net/advisories/advisory038.html
> Reference: DEBIAN:20000701 canna server: buffer overflow
> Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q2/0062.html
> Reference: FREEBSD:FreeBSD-SA-00:31
> Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:31.canna.asc.v1.1
> Reference: BID:1445
> Reference: URL:http://www.securityfocus.com/bid/1445
> 
> Buffer overflow in Canna input system allows remote attackers to
> execute arbitrary commands via an SR_INIT command with a long user
> name or group name.
> 
> 
> ED_PRI CAN-2000-0584 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0594
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: VULN-DEV:20000704 BitchX /ignore bug
> Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0018.html
> Reference: BUGTRAQ:20000704 BitchX exploit possibly waiting to happen, certain DoS
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0026.html
> Reference: REDHAT:RHSA-2000:042-01
> Reference: URL:
> Reference: FREEBSD:FreeBSD-SA-00:32
> Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-07/0042.html
> Reference: CALDERA:CSSA-2000-022.0
> Reference: URL:
> Reference: BUGTRAQ:20000707 BitchX update
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0105.html
> Reference: BUGTRAQ:20000707 CONECTIVA LINUX SECURITY ANNOUNCEMENT - BitchX
> Reference: http://archives.neohapsis.com/archives/bugtraq/2000-07/0098.html
> Reference: BID:1436
> Reference: URL:http://www.securityfocus.com/bid/1436
> 
> BitchX IRC client does not properly cleanse an untrusted format
> string, which allows remote attackers to cause a denial of service via
> an invite to a channel whose name includes special formatting
> characters.
> 
> 
> ED_PRI CAN-2000-0594 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0595
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: FREEBSD:FreeBSD-SA-00:24
> Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-07/0035.html
> Reference: BID:1437
> Reference: URL:http://www.securityfocus.com/bid/1437
> 
> libedit searches for the .editrc file in the current directory instead
> of the user's home directory, which may allow local users to execute
> arbitrary commands by installing a modified .editrc in another
> directory.
> 
> 
> ED_PRI CAN-2000-0595 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0603
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: MS:MS00-048
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-048.asp
> Reference: BID:1444
> Reference: URL:http://www.securityfocus.com/bid/1444
> 
> Microsoft SQL Server 7.0 allows a local user to bypass permissions for
> stored procedures by referencing them via a temporary stored
> procedure, aka the "Stored Procedure Permissions" vulnerability.
> 
> 
> ED_PRI CAN-2000-0603 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0613
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000320 PIX DMZ Denial of Service - TCP Resets
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=B3D6883199DBD311868100A0C9FC2CDC046B72@protea.citec.net
> Reference: CISCO:20000711 Cisco Secure PIX Firewall TCP Reset Vulnerability
> Reference: URL:http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml
> Reference: BID:1454
> Reference: URL:http://www.securityfocus.com/bid/1454
> 
> Cisco Secure PIX Firewall does not properly identify forged TCP Reset
> (RST) packets, which allows remote attackers to force the firewall to
> close legitimate connections.
> 
> 
> ED_PRI CAN-2000-0613 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0614
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: SUSE:20000710 Security Hole in tnef < 0-124
> Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q3/0002.html
> Reference: BID:1450
> Reference: URL:http://www.securityfocus.com/bid/1450
> 
> Tnef program in Linux systems allows remote attackers to overwrite
> arbitrary files via TNEF encoded compressed attachments which specify
> absolute path names for the decompressed output.
> 
> 
> ED_PRI CAN-2000-0614 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0591
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000705 Novell BorderManager 3.0 EE - Encoded URL rule bypass
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0038.html
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0075.html
> Reference: BID:1432
> Reference: URL:http://www.securityfocus.com/bid/1432
> 
> Novell BorderManager 3.0 and 3.5 allows remote attackers to bypass URL
> filtering by encoding characters in the requested URL.
> 
> 
> ED_PRI CAN-2000-0591 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0571
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000703 Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=NCBBKFKDOLAGKIAPMILPCEIHCFAA.labs@ussrback.com
> Reference: BID:1423
> Reference: URL:http://www.securityfocus.com/bid/1423
> 
> LocalWEB HTTP server 1.2.0 allows remote attackers to cause a denial
> of service via a long GET request.
> 
> 
> ED_PRI CAN-2000-0571 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0572
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000704 Recovering Passwords in Visible Systems' Razor
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=613309F30B6DD2118C020000F809376C05CABD49@emss03m09.orl.lmco.com
> Reference: BID:1424
> Reference: URL:http://www.securityfocus.com/bid/1424
> 
> The Razor configuration management tool uses weak encryption for its
> password file, which allows local users to gain privileges.
> 
> 
> ED_PRI CAN-2000-0572 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0574
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000705 proftp advisory
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0031.html
> Reference: BUGTRAQ:20000706 ftpd and setproctitle()
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html
> Reference: CERT:CA-2000-13
> Reference: URL:http://www.cert.org/advisories/CA-2000-13.html
> Reference: BUGTRAQ:20000710 opieftpd setproctitle() patches
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html
> Reference: NETBSD:NetBSD-SA2000-009
> Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc
> Reference: BID:1425
> Reference: URL:http://www.securityfocus.com/bid/1425
> Reference: BID:1438
> Reference: URL:http://www.securityfocus.com/bid/1438
> 
> FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do
> not properly cleanse untrusted format strings that are used in the
> setproctitle function (sometimes called by set_proc_title), which
> allows remote attackers to cause a denial of service or execute
> arbitrary commands.
> 
> 
> ED_PRI CAN-2000-0574 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0576
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000704 Oracle Web Listener for AIX DoS
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0027.html
> Reference: BID:1427
> Reference: URL:http://www.securityfocus.com/bid/1427
> 
> Oracle Web Listener for AIX versions 4.0.7.0.0 and 4.0.8.1.0 allows
> remote attackers to cause a denial of service via a malformed URL.
> 
> 
> ED_PRI CAN-2000-0576 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0590
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000706 Vulnerability in Poll_It cgi v2.0
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0076.html
> Reference: BID:1431
> Reference: URL:http://www.securityfocus.com/bid/1431
> 
> Poll It 2.0 CGI script allows remote attackers to read arbitrary files
> by specifying the file name in the data_dir parameter.
> 
> 
> ED_PRI CAN-2000-0590 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0605
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: unknown
> Reference: NTBUGTRAQ:20000710 Two issues: Blackboard CourseInfo 4.0 stores admin password in clear text; strange settings on the winreg key.
> Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647
> Reference: BID:1460
> Reference: URL:http://www.securityfocus.com/bid/1460
> 
> Blackboard CourseInfo 4.0 stores the local and SQL administrator user
> names and passwords in cleartext in a registry key whose access
> control allows users to access the passwords.
> 
> 
> ED_PRI CAN-2000-0605 3
> 
> 
> VOTE: ACCEPT

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
Page Last Updated or Reviewed: May 22, 2007