
[INTERIM] ACCEPT 480 candidates (Final Decision September 1)



I have made an Interim Decision to ACCEPT the following 480
candidates.

I will make a Final Decision on September 1.

The candidates came from the following clusters:

   1 RECENT-48
   2 RECENT-49
   1 MISC-99
   1 RECENT-60
   1 RECENT-61
   1 RECENT-62
   1 RECENT-65
   1 RECENT-66
   1 RECENT-67
   1 LEGACY-UNIX-ADV
   1 LEGACY-MISC-1997
   1 LEGACY-MISC-1998-A
   1 LEGACY-MISC-1998-B
   3 LEGACY-MISC-1999-A
   3 LEGACY-MISC-1999-B
   1 LEGACY-MISC-1999-C
   2 RECENT-69
   1 RECENT-72
   1 RECENT-73
   3 RECENT-75
   2 RECENT-76
   2 RECENT-77
   3 RECENT-78
   1 RECENT-79
   1 RECENT-80
   1 RECENT-81
   2 RECENT-82
   1 RECENT-84
   2 MISC-2001-001
   3 MISC-2001-002
   1 RECENT-86
   1 RECENT-87
   1 RECENT-88
   4 MISC-2001-004
   2 RECENT-89
   1 RECENT-90
   1 RECENT-91
  10 RECENT-93
   2 RECENT-96
   6 RECENT-97
   3 MISC-2001-005
   2 RECENT-98
   2 RECENT-103
   2 RECENT-104
  24 CERT-2003a
  17 CISCO-2003a
  27 UNIX-2002a
  35 UNIX-2002b
  22 UNIX-2002c
  21 UNIX-2003a
  36 MS-2002a
  31 CONFIRM-2002a
  28 CONFIRM-2002b
  39 CONFIRM-2003a
  23 MISC-2002b
   1 RECENT-14
   3 RECENT-31
   1 RECENT-32

Voters:
  Renaud NOOP(1)
  Ziese ACCEPT(2) NOOP(6) REVIEWING(6)
  Dik ACCEPT(2)
  Levy ACCEPT(3) REVIEWING(2)
  Green ACCEPT(253) MODIFY(1) NOOP(5) REVIEWING(3)
  Magdych NOOP(1)
  Frech ACCEPT(36) MODIFY(76)
  Cole ACCEPT(418) NOOP(62)
  Alderson ACCEPT(6) REVIEWING(1)
  Jones ACCEPT(27) MODIFY(6) NOOP(2) REVIEWING(5)
  Stracener ACCEPT(6) NOOP(1)
  Balinsky ACCEPT(13) MODIFY(2) NOOP(4)
  Foat ACCEPT(33) MODIFY(1) NOOP(43)
  Bollinger ACCEPT(8)
  Cox ACCEPT(89) MODIFY(55) NOOP(290) REVIEWING(1)
  Williams ACCEPT(16) MODIFY(4) NOOP(1) REVIEWING(2)
  Baker ACCEPT(294) MODIFY(1)
  Bishop ACCEPT(1) NOOP(2)
  Christey MODIFY(4) NOOP(155)
  Armstrong ACCEPT(212) NOOP(24)
  Wall ACCEPT(116) NOOP(206) REVIEWING(30)



======================================================
Candidate: CAN-1999-0718
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0718
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20010214
Assigned: 19991125
Category: unknown
Reference: NTBUGTRAQ:19990823 IBM Gina security warning
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534
Reference: BID:608
Reference: URL:http://www.securityfocus.com/bid/608
Reference: XF:ibm-gina-group-add
Reference: URL:http://xforce.iss.net/static/3166.php

IBM GINA, when used for OS/2 domain authentication of Windows NT
users, allows local users to gain administrator privileges by changing
the GroupMapping registry key.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-1999-0718 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole

Voter Comments:
 Frech> XF:ibm-gina-group-add


======================================================
Candidate: CAN-1999-1189
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1189
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19991124 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36306
Reference: BUGTRAQ:19991127 Netscape Communicator 4.7 - Navigator Overflows
Reference: URL:http://www.securityfocus.com/archive/1/36608
Reference: BID:822
Reference: URL:http://www.securityfocus.com/bid/822
Reference: XF:netscape-long-argument-bo(7884)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7884

Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95
and Windows 98 allows remote attackers to cause a denial of service,
and possibly execute arbitrary commands, via a long argument after the
? character in a URL that references an .asp, .cgi, .html, or .pl
file.


Modifications:
  20040723 ADDREF XF:netscape-long-argument-bo(7884)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-1999-1189 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:netscape-long-argument-bo(7884)


======================================================
Candidate: CAN-1999-1199
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1199
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19980807 YA Apache DoS attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90252779826784&w=2
Reference: BUGTRAQ:19980808 Debian Apache Security Update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90276683825862&w=2
Reference: BUGTRAQ:19980810 Apache DoS Attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90286768232093&w=2
Reference: BUGTRAQ:19980811 Apache 'sioux' DOS fix for TurboLinux
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90280517007869&w=2
Reference: CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#apache

Apache WWW server 1.3.1 and earlier allows remote attackers to cause a
denial of service (resource exhaustion) via a large number of MIME
headers with the same name, aka the "sioux" vulnerability.


Modifications:
  20040723 ADDREF CONFIRM

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-1999-1199 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cox, Cole
   NOOP(3) Christey, Wall, Foat

Voter Comments:
 Christey> CONFIRM:http://www.redhat.com/support/errata/rh51-errata-general.html#apache


======================================================
Candidate: CAN-1999-1201
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1201
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19990206 New Windows 9x Bug:  TCP Chorusing
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91849617221319&w=2
Reference: BID:225
Reference: URL:http://www.securityfocus.com/bid/225
Reference: XF:win-multiple-ip-dos(7542)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7542

Windows 95 and Windows 98 systems, when configured with multiple
TCP/IP stacks bound to the same MAC address, allow remote attackers to
cause a denial of service (traffic amplification) via a certain ICMP
echo (ping) packet, which causes all stacks to send a ping response,
aka TCP Chorusing.


Modifications:
  20040723 ADDREF XF:win-multiple-ip-dos(7542)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-1999-1201 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:win-multiple-ip-dos(7542)


======================================================
Candidate: CAN-1999-1217
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1217
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19970725 Re: NT security - why bother?
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602726319435&w=2
Reference: NTBUGTRAQ:19970723 NT security - why bother?
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=87602726319426&w=2
Reference: XF:nt-path(526)
Reference: URL:http://xforce.iss.net/static/526.php

The PATH in Windows NT includes the current working directory (.),
which could allow local users to gain privileges by placing Trojan
horse programs with the same name as commonly used system programs
into certain directories.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-1999-1217 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Foat, Cole

Voter Comments:
 CHANGE> [Foat changed vote from NOOP to ACCEPT]


======================================================
Candidate: CAN-1999-1365
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1365
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19990628 NT runs Explorer.exe, Taskmgr.exe etc. from wrong location
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93069418400856&w=2
Reference: NTBUGTRAQ:19990630 Update: NT runs explorer.exe, etc...
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93127894731200&w=2
Reference: XF:nt-login-default-folder(2336)
Reference: URL:http://xforce.iss.net/xforce/xfdb/2336
Reference: BID:0515
Reference: URL:http://www.securityfocus.com/bid/0515

Windows NT searches a user's home directory (%systemroot% by default)
before other directories to find critical programs such as
NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could
allow local users to bypass access restrictions or gain privileges by
placing a Trojan horse program into the root directory, which is
writable by default.


Modifications:
  20040723 ADDREF XF:nt-login-default-folder(2336)

Analysis
--------
Vendor Acknowledgement:

The %systemroot% being writable by users is contrary to Microsoft
recommended configuration. So, is this just one implication of a bad
configuration problem?

INFERRED ACTION: CAN-1999-1365 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:nt-login-default-folder(2336)
 CHANGE> [Foat changed vote from NOOP to ACCEPT]
 Frech> XF:nt-login-default-folder(2336)


======================================================
Candidate: CAN-1999-1397
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1397
Final-Decision:
Interim-Decision: 20040825
Modified: 20020218-01
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92242671024118&w=2
Reference: NTBUGTRAQ:19990323 Index Server 2.0 and the Registry
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92223293409756&w=2
Reference: BID:476
Reference: URL:http://www.securityfocus.com/bid/476
Reference: XF:iis-indexserver-reveal-path(7559)
Reference: URL:http://www.iss.net/security_center/static/7559.php

Index Server 2.0 on IIS 4.0 stores physical path information in the
ContentIndex\Catalogs subkey of the AllowedPaths registry key, whose
permissions allow local and remote users to obtain the physical paths
of directories that are being indexed.


Modifications:
  ADDREF XF:iis-indexserver-reveal-path(7559)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-1999-1397 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:iis-indexserver-reveal-path(7559)


======================================================
Candidate: CAN-1999-1486
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1486
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: CONFIRM:http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info
Reference: AIXAPAR:IX75554
Reference: AIXAPAR:IX76853
Reference: AIXAPAR:IX76330
Reference: BID:408
Reference: URL:http://www.securityfocus.com/bid/408
Reference: XF:aix-sadc-timex(7675)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7675

sadc in IBM AIX 4.1 through 4.3, when called from programs such as
timex that are setgid adm, allows local users to overwrite arbitrary
files via a symlink attack.


Modifications:
  20040723 fix desc. to show linkage with timex
  20040723 ADDREF CONFIRM

Analysis
--------
Vendor Acknowledgement: yes patch

ABSTRACTION:
This could be related to the sadc problem in other UNIXes as
discovered by 8lgm in 1994, but there are insufficient details to be
sure.

INFERRED ACTION: CAN-1999-1486 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Bollinger, Foat, Cole, Stracener
   NOOP(1) Christey

Voter Comments:
 Christey> The description needs to be modified to mention the role of
   timex.  The one-line description for the IX75554
   APAR mentions timex instead of sadc, but the BID mentions
   sadc and not timex.  This apparent discrepancy is resolved
   by a README file for the fileset that is used by IX75554:

   CONFIRM:http://techsupport.services.ibm.com/aix/fixes/v4/os/bos.acct.4.3.1.0.info

   This clearly shows the relationship between timex and sadc.
 Bollinger> The one line abstract is somewhat misleading.  The timex
   command calls sadc with a filename and it's the sadc command that can
   be tricked into modifying files owned by the adm group.  Since sadc is
   only executable by group adm, a local attacker would need to use timex
   to exploit this.  (timex is setgid adm.)  So the vulnerability is
   really in sadc and that's where the fix was made.


======================================================
Candidate: CAN-1999-1520
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1520
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: CF
Reference: BUGTRAQ:19990511 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407227303&w=2
Reference: BID:256
Reference: URL:http://www.securityfocus.com/bid/256
Reference: XF:siteserver-site-csc(2270)
Reference: URL:http://xforce.iss.net/static/2270.php

A configuration problem in the Ad Server Sample directory (AdSamples)
in Microsoft Site Server 3.0 allows an attacker to obtain the SITE.CSC
file, which exposes sensitive SQL database information.


Modifications:
  20040723 update desc style

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-1999-1520 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Wall, Cole
   NOOP(1) Foat


======================================================
Candidate: CAN-1999-1537
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1537
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19990707 SSL and IIS.
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93138827329577&w=2
Reference: BID:521
Reference: URL:http://www.securityfocus.com/bid/521
Reference: XF:ssl-iis-dos(2352)
Reference: URL:http://xforce.iss.net/static/2352.php

IIS 3.x and 4.x do not distinguish between pages requiring
encryption and those that do not, which allows remote attackers to
cause a denial of service (resource exhaustion) via SSL requests to
the HTTPS port for normally unencrypted files, which will cause IIS
to perform extra work to send the files over SSL.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-1999-1537 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Wall, Cole
   NOOP(1) Foat


======================================================
Candidate: CAN-1999-1556
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1556
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: NTBUGTRAQ:19980629 MS SQL Server 6.5 stores password in unprotected registry keys
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431645&w=2
Reference: BID:109
Reference: URL:http://www.securityfocus.com/bid/109
Reference: XF:mssql-sqlexecutivecmdexec-password(7354)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7354

Microsoft SQL Server 6.5 uses weak encryption for the password for the
SQLExecutiveCmdExec account and stores it in an accessible portion of
the registry, which could allow local users to gain privileges by
reading and decrypting the CmdExecAccount value.


Modifications:
  20040723 ADDREF XF:mssql-sqlexecutivecmdexec-password(7354)
  20040723 desc: fix typo "andd"

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-1999-1556 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

Voter Comments:
 Frech> XF:mssql-sqlexecutivecmdexec-password(7354)
 Christey> Need to consult MS on this issue.


======================================================
Candidate: CAN-1999-1568
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1568
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20010912
Assigned: 20010831
Category: SF
Reference: BUGTRAQ:19990223 NcFTPd remote buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91981352617720&w=2
Reference: BUGTRAQ:19990223 Comments on NcFTPd "theoretical root compromise"
Reference: URL:http://www.securityfocus.com/archive/1/12699
Reference: XF:ncftpd-port-bo(1833)
Reference: URL:http://xforce.iss.net/static/1833.php

Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote
attacker to cause a denial of service (crash) via a long PORT command.

Analysis
--------
Vendor Acknowledgement: yes followup

INCLUSION:
This is a UNIX based server.  The process that crashes is a child
process whose resources are released appropriately, according to
reports.  Since it's also an off-by-one error instead of a buffer
overflow, perhaps this is not "exploitable" and as such should not be
included in CVE.

INFERRED ACTION: CAN-1999-1568 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Frech, Foat, Cole
   NOOP(1) Wall


======================================================
Candidate: CAN-2000-0247
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0247
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000322 Local root compromise in GNQS 3.50.6 and 3.50.7
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0236.html
Reference: MISC:http://ftp.gnqs.org/pub/gnqs/source/by-version-number/v3.50/Generic-NQS-3.50.8-ChangeLog.txt
Reference: FREEBSD:FreeBSD-SA-00:13
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:13.generic-nqs.asc
Reference: BID:1842
Reference: URL:http://www.securityfocus.com/bid/1842
Reference: XF:generic-nqs-local-root(4306)
Reference: URL:http://xforce.iss.net/xforce/xfdb/4306

Unknown vulnerability in Generic-NQS (GNQS) allows local users to gain
root privileges.


Modifications:
  20040723 desc: add "unknown"
  20040723 ADDREF BID:1842
  20040723 ADDREF XF:generic-nqs-local-root(4306)
  20040723 ADDREF FREEBSD:FreeBSD-SA-00:13

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2000-0247 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(2) Frech, Christey
   NOOP(2) Magdych, Cole
   REVIEWING(1) Levy

Voter Comments:
 Christey> ADDREF FREEBSD:FreeBSD-SA-00:13
   ADDREF ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A13-generic-nqs.asc
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:generic-nqs-local-root
 CHANGE> [Magdych changed vote from REVIEWING to NOOP]
 CHANGE> [Christey changed vote from NOOP to MODIFY]
 Christey> BID:1842
   XF:generic-nqs-local-root(4306)


======================================================
Candidate: CAN-2000-0747
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0747
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000726 CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENLDAP
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0379.html
Reference: XF:openldap-logrotate-script-dos(5036)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5036

The logrotate script for OpenLDAP before 1.2.11 in Conectiva
Linux sends an improper signal to the kernel log daemon (klogd) and
kills it.


Modifications:
  20040723 ADDREF XF:openldap-logrotate-script-dos(5036)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2000-0747 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(1) Wall
   REVIEWING(1) Levy


======================================================
Candidate: CAN-2000-0773
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0773
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html
Reference: BID:1522
Reference: URL:http://www.securityfocus.com/bid/1522
Reference: XF:bajie-view-arbitrary-files(5021)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5021

Bajie HTTP web server 0.30a allows remote attackers to read arbitrary
files via a URL that contains a "....", a variant of the dot dot
directory traversal attack.


Modifications:
  20040723 XF:bajie-view-arbitrary-files(5021)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0773 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Levy, Williams
   MODIFY(1) Christey
   NOOP(2) Wall, Cole

Voter Comments:
 Baker> Apparently the vendor fixed this issue, as it doesn't appear in later versions of the software.
 Christey> XF:bajie-view-arbitrary-files(5021)


======================================================
Candidate: CAN-2000-0781
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0781
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000728 Client Agent 6.62 for Unix Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0431.html
Reference: BID:1519
Reference: URL:http://www.securityfocus.com/bid/1519
Reference: XF:arcserveit-clientagent-temp-file(5023)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5023

uagentsetup in ARCServeIT Client Agent 6.62 does not properly check
for the existence or ownership of a temporary file which is moved to
the agent.cfg configuration file, which allows local users to execute
arbitrary commands by modifying the temporary file before it is moved.


Modifications:
  20040723 desc fix "the the"
  20040723 XF:arcserveit-clientagent-temp-file(5023)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0781 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Levy, Williams
   MODIFY(2) Baker, Christey
   NOOP(2) Wall, Cole

Voter Comments:
 Christey> fix typo: "the the"
 Baker> Can't really access the CA website to get info on this.
 CHANGE> [Christey changed vote from NOOP to MODIFY]
 Christey> XF:arcserveit-clientagent-temp-file(5023)


======================================================
Candidate: CAN-2000-0797
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0797
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: SGI:20040104-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040104-01-P.asc
Reference: BID:1526
Reference: URL:http://www.securityfocus.com/bid/1526
Reference: XF:irix-grosview-bo(5062)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5062
Reference: OSVDB:3815
Reference: URL:http://www.osvdb.org/3815

Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to
gain privileges via a long -D option.


Modifications:
  20040723 ADDREF XF:irix-grosview-bo(5062)
  20040723 ADDREF SGI:20040104-01-P
  20040818 ADDREF OSVDB:3815

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2000-0797 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Levy
   NOOP(4) Williams, Wall, Cole, Christey

Voter Comments:
 Christey> XF:irix-grosview-bo
   http://xforce.iss.net/static/5062.php
 Christey> SGI:20040104-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/20040104-01-P.asc


======================================================
Candidate: CAN-2000-0894
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0894
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20010202
Assigned: 20001114
Category: SF
Reference: ISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall
Reference: URL:http://xforce.iss.net/alerts/advise70.php
Reference: XF:watchguard-soho-web-auth(5554)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5554
Reference: BID:2119
Reference: URL:http://www.securityfocus.com/bid/2119
Reference: OSVDB:4404
Reference: URL:http://www.osvdb.org/4404

HTTP server on the WatchGuard SOHO firewall does not properly restrict
access to administrative functions such as password resets or
rebooting, which allows attackers to cause a denial of service or
conduct unauthorized activities.


Modifications:
  20040818 ADDREF OSVDB:4404

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0894 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
   REVIEWING(1) Ziese

Voter Comments:
 Frech> XF:watchguard-soho-web-auth(5554)
 Christey> Consider adding BID:2119


======================================================
Candidate: CAN-2000-0895
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0895
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20010202
Assigned: 20001114
Category: SF
Reference: ISS:20001214 Multiple vulnerabilities in the WatchGuard SOHO Firewall
Reference: URL:http://xforce.iss.net/alerts/advise70.php
Reference: BID:2114
Reference: URL:http://www.securityfocus.com/bid/2114
Reference: XF:watchguard-soho-web-dos(5218)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5218
Reference: OSVDB:4403
Reference: URL:http://www.osvdb.org/4403

Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows
remote attackers to cause a denial of service and possibly execute
arbitrary code via a long GET request.


Modifications:
  20040723 ADDREF XF:watchguard-soho-web-dos(5218)
  20040723 desc normalize to "arbitrary code"
  20040818 ADDREF OSVDB:4403

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2000-0895 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Ziese

Voter Comments:
 Frech> XF:watchguard-soho-web-dos(5218)


======================================================
Candidate: CAN-2000-1203
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1203
Final-Decision:
Interim-Decision: 20040825
Modified: 20030325-01
Proposed: 20020830
Assigned: 20020131
Category: SF
Reference: VULN-DEV:20000520 Infinite loop in LOTUS NOTE 5.0.3. SMTP SERVER
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=95886062521327&w=2
Reference: BUGTRAQ:20010820 Lotus Domino DoS
Reference: URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-01-21&end=2002-01-27&mid=209116&threads=1
Reference: BUGTRAQ:20010823 Lotus Domino DoS solution
Reference: URL:http://www.securityfocus.com/archive/1/209754
Reference: BID:3212
Reference: URL:http://www.securityfocus.com/bid/3212
Reference: XF:lotus-domino-bounced-message-dos(7012)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7012

Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to
cause a denial of service (CPU consumption) by forging an email
message with the sender as bounce@[127.0.0.1] (localhost), which
causes Domino to enter a mail loop.


Modifications:
  ADDREF XF:lotus-domino-bounced-message-dos(7012)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2000-1203 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Armstrong, Green
   MODIFY(1) Frech
   NOOP(5) Cox, Wall, Foat, Cole, Christey

Voter Comments:
 Green> Since a work around involving configuration settings exists the presenting problem should also exist.
 Frech> XF:lotus-domino-bounced-message-dos(7012)
   CONFIRM:
   http://www-1.ibm.com/support/docview.wss?rs=0&org=sims&doc=DA18AA221C3
   B982085256B84000033EB
 Christey> The CONFIRM URL provided by Andre is broken


======================================================
Candidate: CAN-2001-0042
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0042
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001206 CHINANSL Security Advisory(CSA-200011)
Reference: URL:http://www.securityfocus.com/archive/1/149210
Reference: BID:2060
Reference: URL:http://www.securityfocus.com/bid/2060
Reference: XF:apache-php-disclose-files
Reference: URL:http://xforce.iss.net/static/5659.php

PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read
arbitrary files via a modified .. (dot dot) attack containing "%5c"
(encoded backslash) sequences.


Modifications:
  20040723 desc normalize, add "%5c" detail

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-0042 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Ziese


======================================================
Candidate: CAN-2001-0375
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0375
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010524
Assigned: 20010524
Category: SF
Reference: BUGTRAQ:20010406 PIX Firewall 5.1 DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98658271707833&w=2
Reference: CISCO:20011003 Cisco PIX Firewall Authentication Denial of Service Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/pixfirewall-authen-flood-pub.shtml
Reference: XF:cisco-pix-tacacs-dos(6353)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6353
Reference: BID:2551
Reference: URL:http://www.securityfocus.com/bid/2551

Cisco PIX Firewall 515 and 520 with 5.1.4 OS running aaa
authentication to a TACACS+ server allows remote attackers to cause a
denial of service via a large number of authentication requests.


Modifications:
  20040723 desc normalize
  20040723 XF:cisco-pix-tacacs-dos(6353)
  20040723 CISCO:20011003 Cisco PIX Firewall Authentication Denial of Service Vulnerability

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0375 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Christey
   REVIEWING(1) Ziese

Voter Comments:
 Frech> XF:cisco-pix-tacacs-dos(6353)
 Christey> CISCO:20011003 Cisco PIX Firewall Authentication Denial of Service Vulnerability
   URL:http://www.cisco.com/warp/public/707/pixfirewall-authen-flood-pub.shtml


======================================================
Candidate: CAN-2001-0423
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0423
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010524
Assigned: 20010524
Category: SF
Reference: BUGTRAQ:20010412 Solaris ipcs vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-04/0217.html
Reference: BID:2581
Reference: URL:http://www.securityfocus.com/bid/2581
Reference: XF:solaris-ipcs-bo(6369)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6369

Buffer overflow in ipcs in Solaris 7 x86 allows local users to execute
arbitrary code via a long TZ (timezone) environmental variable, a
different vulnerability than CAN-2002-0093.


Modifications:
  20040723 desc add "different from CAN-2002-0093"
  20040723 ADDREF XF:solaris-ipcs-bo(6369)

Analysis
--------
Vendor Acknowledgement: yes cve-vote

INFERRED ACTION: CAN-2001-0423 ACCEPT_ACK_REV (2 accept, 1 ack, 2 review)

Current Votes:
   ACCEPT(1) Dik
   MODIFY(1) Frech
   NOOP(3) Wall, Cole, Christey
   REVIEWING(2) Ziese, Williams

Voter Comments:
 Frech> XF:solaris-ipcs-bo(6369)
 Dik> sun bug: 4448598
 Christey> This might be a duplicate of CAN-2002-0093, which is for
   Compaq IPCS.
 Christey> An authoritative source confirmed that this issue is in fact
   different from CAN-2002-0093.


======================================================
Candidate: CAN-2001-0485
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0485
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010524
Assigned: 20010524
Category: SF
Reference: BUGTRAQ:20010426 IRIX /usr/lib/print/netprint local root symbols exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-04/0475.html
Reference: BUGTRAQ:20010427 Re: IRIX /usr/lib/print/netprint local root symbols exploit.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-04/0502.html
Reference: SGI:20010701-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20010701-01-P
Reference: BID:2656
Reference: URL:http://www.securityfocus.com/bid/2656
Reference: XF:irix-netprint-shared-library(6473)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6473

Unknown vulnerability in netprint in IRIX 6.2, and possibly other
versions, allows local users with lp privileges to execute
arbitrary commands via the -n option.


Modifications:
  20040723 ADDREF SGI:20010701-01-P
  20040723 ADDREF BID:2656
  20040723 ADDREF XF:irix-netprint-shared-library(6473)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0485 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(5) Wall, Cole, Christey, Ziese, Renaud
   REVIEWING(1) Williams

Voter Comments:
 Williams> Apply the following patch:  2022?
   See advisory 19961203-01-PX for more information?
 Frech> XF:irix-netprint-shared-library(6473)
 Christey> SGI:20010701-01-P
 Baker> SGI Patch 20010701-01-P
 Christey> ADDREF BID:2656


======================================================
Candidate: CAN-2001-0548
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0548
Final-Decision:
Interim-Decision: 20040825
Modified: 20020223-01
Proposed: 20010727
Assigned: 20010717
Category: SF
Reference: BUGTRAQ:20010724 NSFOCUS SA2001-04 : Solaris dtmail Buffer Overflow Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99598918914068&w=2
Reference: XF:solaris-dtmail-bo(6879)
Reference: URL:http://xforce.iss.net/static/6879.php
Reference: BID:3081
Reference: URL:http://www.securityfocus.com/bid/3081

Buffer overflow in dtmail in Solaris 2.6 and 7 allows local users to
gain privileges via the MAIL environment variable.


Modifications:
  ADDREF XF:solaris-dtmail-bo(6879)
  DESC remove "possibly other OSes"

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0548 ACCEPT (5 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Foat, Armstrong, Stracener
   MODIFY(2) Frech, Balinsky
   NOOP(4) Wall, Cole, Christey, Ziese

Voter Comments:
 Frech> XF:solaris-dtmail-bo(6879)
 Balinsky> Delete "and possibly other operating systems" because that is not verifiable, and add the following references from Sun, which acknowledge the problem:
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches/105338
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches/105339
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches/107200
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches/107201
 Christey> BID:3081
   URL:http://www.securityfocus.com/bid/3081
 Christey> It is not clear from the patch list whether these *particular*
   dtmail overflows have been addressed.


======================================================
Candidate: CAN-2001-0612
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0612
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20010727
Assigned: 20010727
Category: SF
Reference: BUGTRAQ:20010516 Remote Desktop DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0158.html
Reference: XF:remote-desktop-dos(6547)
Reference: URL:http://xforce.iss.net/static/6547.php
Reference: BID:2726
Reference: URL:http://www.securityfocus.com/bid/2726
Reference: OSVDB:6288
Reference: URL:http://www.osvdb.org/6288

McAfee Remote Desktop 3.0 and earlier allows remote attackers to cause
a denial of service (crash) via a large number of packets to port
5045.


Modifications:
  20040723 desc normalize
  20040818 ADDREF OSVDB:6288

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0612 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Frech, Ziese
   NOOP(3) Wall, Foat, Bishop

Voter Comments:
 CHANGE> [Bishop changed vote from REVIEWING to NOOP]


======================================================
Candidate: CAN-2001-0643
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0643
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20010829
Assigned: 20010806
Category: SF
Reference: BUGTRAQ:20010416 Double clicking on innocent looking files may be dangerous
Reference: URL:http://www.securityfocus.com/archive/1/176909
Reference: MISC:http://www.guninski.com/clsidext.html
Reference: MISC:http://vil.nai.com/vil/virusSummary.asp?virus_k=99048
Reference: MISC:http://www.sarc.com/avcenter/venc/data/vbs.postcard@mm.html
Reference: XF:ie-clsid-execute-files(6426)
Reference: URL:http://xforce.iss.net/static/6426.php
Reference: BID:2612
Reference: URL:http://www.securityfocus.com/bid/2612

A type-check flaw in Internet Explorer 5.5 does not display the Class
ID (CLSID) when it is at the end of the file name, which could allow
attackers to trick the user into executing dangerous programs by
making it appear that the document is of a safe file type.


Modifications:
  20040723 ADDREF MISC:http://www.guninski.com/clsidext.html
  20040723 ADDREF BID:2612

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0643 ACCEPT (5 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Foat, Cole, Baker, Frech
   NOOP(2) Stracener, Ziese

Voter Comments:
 CHANGE> [Wall changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2001-0741
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0741
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20011012
Assigned: 20011012
Category: CF
Reference: BUGTRAQ:20010503 Cisco HSRP Weakness/DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0035.html
Reference: MISC:http://www.cisco.com/networkers/nw00/pres/2402.pdf
Reference: XF:cisco-hsrp-dos(6497)
Reference: URL:http://xforce.iss.net/static/6497.php
Reference: BID:2684
Reference: URL:http://www.securityfocus.com/bid/2684

Cisco Hot Standby Routing Protocol (HSRP) allows local attackers to
cause a denial of service by spoofing HSRP packets.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0741 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Foat, Armstrong, Frech
   NOOP(2) Wall, Cole


======================================================
Candidate: CAN-2001-0749
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0749
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20011012
Category: SF
Reference: BUGTRAQ:20010524 IPC@Chip Security
Reference: URL:http://www.securityfocus.com/archive/1/186418
Reference: BID:2775
Reference: URL:http://www.securityfocus.com/bid/2775
Reference: XF:ipcchip-web-root-system(8922)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8922

Beck IPC GmbH IPC@CHIP Embedded-Webserver allows remote attackers to
retrieve arbitrary files via a webserver root directory set to system root.


Modifications:
  20040723 ADDREF XF:ipcchip-web-root-system(8922)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-0749 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Armstrong

Voter Comments:
 Frech> XF:ipcchip-web-root-system(8922)


======================================================
Candidate: CAN-2001-0792
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0792
Final-Decision:
Interim-Decision: 20040825
Modified: 20020226-01
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: MISC:http://www.securiteam.com/exploits/5AP0Q2A4AQ.html
Reference: XF:xchat-nickname-format-string(7416)
Reference: URL:http://xforce.iss.net/static/7416.php

Format string vulnerability in XChat 1.2.x allows remote attackers to
execute arbitrary code via a malformed nickname.


Modifications:
  ADDREF XF:xchat-nickname-format-string(7416)

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-0792 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Frech> XF:xchat-nickname-format-string(7416)
 Christey> Inquiry sent to xchat developer on 2/25/2002.
 Christey> Received a reply 2/26/2002: "I don't know...  It doesn't seem
   to effect [sic] any recent versions though."

   This vulnerability was reported for a *MUCH* older version.


======================================================
Candidate: CAN-2001-0825
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0825
Final-Decision:
Interim-Decision: 20040825
Modified: 20020821-02
Proposed: 20011122
Assigned: 20011122
Category: SF
Reference: SUSE:SuSE-SA:2001:022
Reference: URL:http://lists.suse.com/archives/suse-security-announce/2001-Jun/0002.html
Reference: CONECTIVA:CLA-2001:406
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000406
Reference: REDHAT:RHSA-2001:092
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-092.html
Reference: IMMUNIX:IMNX-2001-70-029-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-029-01
Reference: BID:2971
Reference: URL:http://www.securityfocus.com/bid/2971
Reference: XF:xinetd-zero-length-bo(6804)
Reference: URL:http://xforce.iss.net/static/6804.php

Buffer overflow in internal string handling routines of xinetd before
2.1.8.8 allows remote attackers to execute arbitrary commands via a
length argument of zero or less, which disables the length check.


Modifications:
  ADDREF XF:xinetd-zero-length-bo(6804)
  ADDREF IMMUNIX:IMNX-2001-70-024-01
  DELREF IMMUNIX:IMNX-2001-70-024-01
  DELREF BUGTRAQ:20010629 xinetd update [normalize to IMMUNIX]
  DELREF BUGTRAQ:20010608 potential buffer overflow in xinetd-2.1.8.9pre11-1

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0825 ACCEPT (7 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(6) Wall, Foat, Cole, Armstrong, Baker, Bishop
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:xinetd-zero-length-bo(6804)
 Christey> Need to sift through the references to make sure they're
   correct and appropriately distinguish from CAN-2001-0763.
 Christey> DELREF IMMUNIX:IMNX-2001-70-024-01 - it does not explicitly
   mention this issue.
   DELREF BUGTRAQ:20010608 potential buffer overflow in xinetd-2.1.8.9pre11-1
   That's for CAN-2001-0763.

   Change affected version to 2.1.8, I have no idea where 2.3.1
   came from.


======================================================
Candidate: CAN-2001-0837
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0837
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20011122
Assigned: 20011122
Category: SF
Reference: BUGTRAQ:20011025 Pc-to-Phone vulnerability - broken by design
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100403691432052&w=2
Reference: XF:pc2phone-temp-account-readable(7393)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7393
Reference: BID:3475
Reference: URL:http://www.securityfocus.com/bid/3475

DeltaThree Pc-To-Phone 3.0.3 places sensitive data in world-readable
locations in the installation directory, which allows local users to
read the information in (1) temp.html, (2) the log folder, and (3) the
PhoneBook folder.


Modifications:
  20040723 ADDREF XF:pc2phone-temp-account-readable(7393)

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-0837 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Armstrong, Baker
   MODIFY(1) Frech
   NOOP(4) Wall, Foat, Cole, Bishop

Voter Comments:
 Frech> XF:pc2phone-temp-account-readable(7393)
 Armstrong> http://www.securiteam.com/windowsntfocus/6V00P202UC.html


======================================================
Candidate: CAN-2001-0902
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0902
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011120 IIS logging issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100626531103946&w=2
Reference: NTBUGTRAQ:20011120 IIS logging issue
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=100627497122247&w=2
Reference: XF:iis-fake-log-entry(7613)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7613
Reference: BID:6795
Reference: URL:http://www.securityfocus.com/bid/6795

Microsoft IIS 5.0 allows remote attackers to spoof web log entries via
an HTTP request that includes hex-encoded newline or form-feed
characters.


Modifications:
  20040723 ADDREF XF:iis-fake-log-entry(7613)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0902 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Foat, Cole
   MODIFY(1) Frech
   NOOP(1) Armstrong
   REVIEWING(1) Wall

Voter Comments:
 Frech> XF:iis-fake-log-entry(7613)


======================================================
Candidate: CAN-2001-0907
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0907
Final-Decision:
Interim-Decision: 20040825
Modified: 20020817-01
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011018 Flaws in recent Linux kernels
Reference: URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337
Reference: MANDRAKE:MDKSA-2001:082
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-082-1.php3
Reference: SUSE:SuSE-SA:2001:036
Reference: URL:http://www.suse.de/de/support/security/2001_036_kernel_txt.html
Reference: IMMUNIX:IMNX-2001-70-035-01
Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-035-01
Reference: CALDERA:CSSA-2001-036.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2001-036.0.txt
Reference: MANDRAKE:MDKSA-2001:079
Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-079.php
Reference: ENGARDE:ESA-20011019-02
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1650.html
Reference: BUGTRAQ:20011019 TSLSA-2001-0028
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100350685431610&w=2
Reference: XF:linux-multiple-symlink-dos(7312)
Reference: URL:http://www.iss.net/security_center/static/7312.php
Reference: BID:3444
Reference: URL:http://www.securityfocus.com/bid/3444

Linux kernel 2.2.1 through 2.2.19, and 2.4.1 through 2.4.10, allows
local users to cause a denial of service via a series of deeply nested
symlinks, which causes the kernel to spend extra time when trying to
access the link.


Modifications:
  ADDREF SUSE:SuSE-SA:2001:036
  ADDREF IMMUNIX:IMNX-2001-70-035-01
  ADDREF CALDERA:CSSA-2001-036.0
  ADDREF MANDRAKE:MDKSA-2001:079
  ADDREF ENGARDE:ESA-20011019-02
  ADDREF BUGTRAQ:20011019 TSLSA-2001-0028
  ADDREF XF:linux-multiple-symlink-dos(7312)
  ADDREF BID:3444

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-0907 ACCEPT_REV (5 accept, 2 ack, 1 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Green, Baker
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall

Voter Comments:
 Frech> XF:linux-multiple-symlink-dos(7312)
 Christey> SUSE:SuSE-SA:2001:036
   URL:http://www.suse.de/de/support/security/2001_036_kernel_txt.html
   IMMUNIX:IMNX-2001-70-035-01
   URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-035-01
   CALDERA:CSSA-2001-036.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2001-036.0.txt
   MANDRAKE:MDKSA-2001:079
   ENGARDE:ESA-20011019-02
   URL:http://www.linuxsecurity.com/advisories/other_advisory-1650.html
   BUGTRAQ:20011019 TSLSA-2001-0028
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100350685431610&w=2


======================================================
Candidate: CAN-2001-0909
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0909
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011121 Buffer overflow in Windows XP "helpctr.exe"
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100638955422011&w=2
Reference: XF:winxp-helpctr-bo(7605)
Reference: URL:http://xforce.iss.net/static/7605.php
Reference: BID:6802
Reference: URL:http://www.securityfocus.com/bid/6802

Buffer overflow in helpctr.exe program in Microsoft Help Center for
Windows XP allows remote attackers to execute arbitrary code via a
long hcp: URL.


Modifications:
  20040723 BID:6802

Analysis
--------
Vendor Acknowledgement: no

INFERRED ACTION: CAN-2001-0909 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Foat, Cole, Frech
   NOOP(1) Armstrong
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2001-0914
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0914
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011121 SuSE 7.3 : Kernel 2.4.10-4GB Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100638584813349&w=2
Reference: BUGTRAQ:20011122 Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100654787226869&w=2
Reference: XF:linux-vmlinux-dos(7591)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7591
Reference: BID:3570
Reference: URL:http://www.securityfocus.com/bid/3570

Linux kernel before 2.4.11pre3 in multiple Linux distributions allows
local users to cause a denial of service (crash) by starting the core
vmlinux kernel, possibly related to poor error checking during ELF
loading.


Modifications:
  20040723 ADDREF XF:linux-vmlinux-dos(7591)
  20040723 ADDREF BID:3570

Analysis
--------
Vendor Acknowledgement: yes followup

ABSTRACTION: There could be a rediscovery of CVE-2000-0729, but there
is insufficient information to be certain.

INFERRED ACTION: CAN-2001-0914 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Armstrong, Baker
   MODIFY(1) Frech
   NOOP(1) Wall

Voter Comments:
 Frech> XF:linux-vmlinux-dos(7591)


======================================================
Candidate: CAN-2001-0951
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0951
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011207 UDP DoS attack in Win2k via IKE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100774842520403&w=2
Reference: BUGTRAQ:20011211 UDP DoS attack in Win2k via IKE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100813081913496&w=2
Reference: XF:win2k-ike-dos(7667)
Reference: URL:http://xforce.iss.net/static/7667.php
Reference: BID:3652
Reference: URL:http://www.securityfocus.com/bid/3652

Windows 2000 allows remote attackers to cause a denial of service (CPU
consumption) by flooding Internet Key Exchange (IKE) UDP port 500 with
packets that contain a large number of dot characters.


Modifications:
  20040723 desc normalize DoS term

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-0951 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Foat, Green, Frech
   NOOP(1) Cole
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2001-1029
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1029
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010920 Local vulnerability in libutil derived with FreeBSD 4.4-RC (and earlier)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0173.html
Reference: XF:bsd-libutil-privilege-dropping(8697)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8697
Reference: OSVDB:6073
Reference: URL:http://www.osvdb.org/6073

libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges
before verifying the capabilities for reading the copyright and
welcome files, which allows local users to bypass the capabilities
checks and read arbitrary files by specifying alternate copyright or
welcome files.


Modifications:
  20040723 ADDREF XF:bsd-libutil-privilege-dropping(8697)
  20040818 ADDREF OSVDB:6073

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-1029 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Foat, Green
   MODIFY(1) Frech
   NOOP(2) Wall, Cole

Voter Comments:
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:bsd-libutil-privilege-dropping(8697)


======================================================
Candidate: CAN-2001-1055
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1055
Final-Decision:
Interim-Decision: 20040825
Modified: 20040723
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010730 ARPNuke - 80 kb/s kills a whole subnet
Reference: URL:http://www.securityfocus.com/archive/1/200323
Reference: BID:3113
Reference: URL:http://www.securityfocus.com/bid/3113
Reference: XF:win-arp-packet-flooding-dos(6924)
Reference: URL:http://xforce.iss.net/xforce/xfdb/6924

The Microsoft Windows network stack allows remote attackers to cause a
denial of service (CPU consumption) via a flood of malformed ARP
request packets with random source IP and MAC addresses, as
demonstrated by ARPNuke.


Modifications:
  20040723 ADDREF XF:win-arp-packet-flooding-dos(6924)
  20040723 desc - add ARPNuke

Analysis
--------
Vendor Acknowledgement:

There is insufficient information to be able to narrow down which
operating systems are affected; the disclosers did not mention these
specifics.

INFERRED ACTION: CAN-2001-1055 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Foat
   MODIFY(2) Green, Frech
   NOOP(3) Wall, Cole, Armstrong

Voter Comments:
 Green> TOO VAGUE TO REACH ANY CONCLUSION
 Frech> XF:win-arp-packet-flooding-dos(6924)


======================================================
Candidate: CAN-2001-1066
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1066
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010827 Dangerous temp file creation during installation of Netscape 6.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99893667921216&w=2
Reference: VULNWATCH:20010827 Dangerous temp file creation during installation of Netscape 6.
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0036.html
Reference: SUNBUG:4633888
Reference: BID:3243
Reference: URL:http://www.securityfocus.com/bid/3243
Reference: XF:netscape-install-tmpfile-symlink(7042)
Reference: URL:http://xforce.iss.net/static/7042.php

ns6install installation script for Netscape 6.01 on Solaris, and other
versions including 6.2.1 beta, allows local users to overwrite
arbitrary files via a symlink attack.


Modifications:
  20040725 ADDREF SUNBUG:4633888
  20040725 ADDREF BID:3243
  20040725 ADDREF XF:netscape-install-tmpfile-symlink(7042)
  20040725 ADDREF VULNWATCH:20010827 [VulnWatch] Dangerous temp file creation during installation of Netscape 6.

Analysis
--------
Vendor Acknowledgement: yes cve-vote

INFERRED ACTION: CAN-2001-1066 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Dik, Green
   MODIFY(1) Frech
   NOOP(4) Foat, Cole, Armstrong, Christey
   REVIEWING(1) Wall

Voter Comments:
 Dik> Verified by code inspection of ns6install from netscape 6.2.1 beta
   Sun bug: 4633888 (just filed)
 Christey> BID:3243
   URL:http://www.securityfocus.com/bid/3243
   XF:netscape-install-tmpfile-symlink(7042)
   URL:http://xforce.iss.net/static/7042.php
 Christey> VULNWATCH:20010827 [VulnWatch] Dangerous temp file creation during installation of Netscape 6.
   URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0036.html
 Frech> XF:netscape-install-tmpfile-symlink(7042)


======================================================
Candidate: CAN-2001-1069
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1069
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020131
Assigned: 20020131
Category: CF
Reference: BUGTRAQ:20010822 Adobe Acrobat creates world writable ~/AdobeFnt.lst files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99849121502399&w=2
Reference: MISC:http://lists.debian.org/debian-security/2001/debian-security-200101/msg00085.html
Reference: BID:3225
Reference: URL:http://www.securityfocus.com/bid/3225
Reference: XF:adobe-acrobat-insecure-permissions(7024)
Reference: URL:http://xforce.iss.net/static/7024.php

libCoolType library as used in Adobe Acrobat (acroread) on Linux
creates the AdobeFnt.lst file with world-writable permissions, which
allows local users to modify the file and possibly modify acroread's
behavior.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1069 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Foat, Green, Frech
   NOOP(3) Cole, Armstrong, Christey
   REVIEWING(1) Wall

Voter Comments:
 Christey> SGI:20020806-01-I points to this candidate, but I'm not so
   sure that's correct; the SGI advisory discusses symlink
   attacks, but this CAN is related to permissions.


======================================================
Candidate: CAN-2001-1081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1081
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: CONFIRM:http://freshmeat.net/releases/52020/
Reference: MLIST:[fm-news] 20010713 Newsletter for Friday, July 13th 2001
Reference: URL:http://archives.neohapsis.com/archives/apps/freshmeat/2001-07/0009.html
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
Reference: BID:2994
Reference: URL:http://www.securityfocus.com/bid/2994

Format string vulnerabilities in Livingston/Lucent RADIUS before
2.1.va.1 may allow local or remote attackers to cause a denial of
service and possibly execute arbitrary code via format specifiers that
are injected into log messages.


Modifications:
  20040725 VULNWATCH:20010719 Changelog maddness (14 various broken apps)
  20040725 MLIST:[fm-news] 20010713 Newsletter for Friday, July 13th 2001

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1081 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Baker
   MODIFY(2) Christey, Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> ISS: ISS Security Advisory: Remote Buffer Overflow in Multiple RADIUS
   Implementations
   XF:lucent-radius-authentication-bo(6794)
   CONFIRM reference is no longer available.
 Christey> VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
   URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
   MISC:http://archives.neohapsis.com/archives/apps/freshmeat/2001-07/0009.html
 Christey> XF:lucent-radius-authentication-bo(6794) does not seem
   appropriate, as it deals with buffer overflows; however, this is a
   format string issue.  XF:lucent-radius-authentication-bo(6794)
   is really about CAN-2001-0534.


======================================================
Candidate: CAN-2001-1098
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1098
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011010 Vulnerability: Cisco PIX Firewall Manager
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0071.html
Reference: CERT-VN:VU#639507
Reference: URL:http://www.kb.cert.org/vuls/id/639507
Reference: XF:cisco-pfm-plaintext-password(7265)
Reference: URL:http://xforce.iss.net/static/7265.php
Reference: BID:3419
Reference: URL:http://www.securityfocus.com/bid/3419

Cisco PIX firewall manager (PFM) 4.3(2)g logs the enable password in
plaintext in the pfm.log file, which could allow local users to obtain
the password by reading the file.


Modifications:
  20040725 ADDREF BID:3419
  20040725 ADDREF CERT-VN:VU#639507

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-1098 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Foat, Green, Frech
   NOOP(3) Wall, Cole, Armstrong
   REVIEWING(1) Ziese

Voter Comments:
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
 Frech> HAS-INDEPENDENT-CONFIRMATION:http://www.kb.cert.org/vuls/id/639507


======================================================
Candidate: CAN-2001-1103
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1103
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: CERT-VN:VU#320944
Reference: URL:http://www.kb.cert.org/vuls/id/320944
Reference: XF:ftp-voyager-embedded-script-execution(7119)
Reference: URL:http://xforce.iss.net/static/7119.php

FTP Voyager ActiveX control before 8.0, when it is marked as safe for
scripting (the default) or if allowed by the IObjectSafety interface,
allows remote attackers to execute arbitrary commands.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1103 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(4) Green, Baker, Frech, Ziese
   NOOP(3) Foat, Cole, Armstrong
   REVIEWING(1) Wall

Voter Comments:
 Green> Vendor appears to have acknowledged with a new release of the product, although there is no explicit citing of the vulnerability on the vendor's website


======================================================
Candidate: CAN-2001-1186
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1186
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011211 Microsoft IIS/5 bogus Content-length bug.
Reference: URL:http://www.securityfocus.com/archive/1/244892
Reference: BUGTRAQ:20011211 Microsoft IIS/5 bogus Content-length bug Memory attack
Reference: URL:http://online.securityfocus.com/archive/1/244931
Reference: BUGTRAQ:20011212 Microsoft IIS/5.0 Content-Length DoS (proved)
Reference: URL:http://online.securityfocus.com/archive/1/245100
Reference: BID:3667
Reference: URL:http://www.securityfocus.com/bid/3667
Reference: XF:iis-false-content-length-dos(7691)
Reference: URL:http://www.iss.net/security_center/static/7691.php

Microsoft IIS 5.0 allows remote attackers to cause a denial of service
via an HTTP request with a content-length value that is larger than
the size of the request, which prevents IIS from timing out the
connection.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1186 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Cole, Green, Frech
   NOOP(2) Foat, Ziese
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2001-1200
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1200
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020315
Assigned: 20020315
Category: SF
Reference: BUGTRAQ:20011217 Hot keys permissions bypass under XP
Reference: URL:http://www.securityfocus.com/archive/1/246014
Reference: BID:3703
Reference: URL:http://www.securityfocus.com/bid/3703
Reference: XF:winxp-hotkey-execute-programs(7713)
Reference: URL:http://www.iss.net/security_center/static/7713.php

Microsoft Windows XP allows local users to bypass a locked screen and
run certain programs that are associated with Hot Keys.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2001-1200 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Foat, Green, Frech
   NOOP(2) Cole, Ziese
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2001-1267
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010712 SECURITY.NNOV: directory traversal and path globing in multiple archivers
Reference: URL:http://online.securityfocus.com/archive/1/196445
Reference: CONFIRM:ftp://alpha.gnu.org/gnu/tar/tar-1.13.25.tar.gz
Reference: MANDRAKE:MDKSA-2002:066
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:066
Reference: REDHAT:RHSA-2002:096
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-096.html
Reference: REDHAT:RHSA-2002:138
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-138.html
Reference: REDHAT:RHSA-2003:218
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-218.html
Reference: CONECTIVA:CLA-2002:538
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000538
Reference: HP:HPSBTL0209-068
Reference: URL:http://online.securityfocus.com/advisories/4514
Reference: XF:archive-extraction-directory-traversal(10224)
Reference: URL:http://www.iss.net/security_center/static/10224.php
Reference: BID:3024
Reference: URL:http://www.securityfocus.com/bid/3024

Directory traversal vulnerability in GNU tar 1.13.19 and earlier
allows local users to overwrite arbitrary files during archive extraction
via a tar file whose filenames contain a .. (dot dot).


Modifications:
  ADDREF MANDRAKE:MDKSA-2002:066
  ADDREF REDHAT:RHSA-2002:096
  ADDREF CONECTIVA:CLA-2002:538
  ADDREF HP:HPSBTL0209-068
  ADDREF XF:archive-extraction-directory-traversal(10224)
  20040725 BID:3024
  20040818 ADDREF REDHAT:RHSA-2002:138
  20040818 ADDREF REDHAT:RHSA-2003:218

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: in the ChangeLog file for 1.13.25, the entry dated
2001-08-27 says "(extract_archive): Fix test for absolute pathnames
and/or '..'."

INFERRED ACTION: CAN-2001-1267 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Green
   MODIFY(2) Frech, Cox
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Christey> MANDRAKE:MDKSA-2002:066
 CHANGE> [Cox changed vote from REVIEWING to MODIFY]
 Cox> ADDREF: RHSA-2002:096
 Frech> XF:archive-extraction-directory-traversal(10224)
 Christey> MANDRAKE:MDKSA-2002:066
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:066
   CONECTIVA:CLA-2002:538
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000538
   HP:HPSBTL0209-068
   URL:http://online.securityfocus.com/advisories/4514
   REDHAT:RHSA-2002:096
   URL:http://www.redhat.com/support/errata/RHSA-2002-096.html
 Christey> There are a couple directory traversal variants for GNU tar
   out there.  Can we be sure the references line up correctly?


======================================================
Candidate: CAN-2001-1279
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1279
Final-Decision:
Interim-Decision: 20040825
Modified: 20030318-02
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: REDHAT:RHSA-2001:089
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-089.html
Reference: FREEBSD:FreeBSD-SA-01:48
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc
Reference: CONECTIVA:CLA-2002:480
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000480
Reference: MANDRAKE:MDKSA-2002:032
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-032.php
Reference: CALDERA:CSSA-2002-025.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-025.0.txt
Reference: XF:tcpdump-afs-rpc-bo(7006)
Reference: URL:http://www.iss.net/security_center/static/7006.php
Reference: BID:3065
Reference: URL:http://online.securityfocus.com/bid/3065
Reference: CERT-VN:VU#797201
Reference: URL:http://www.kb.cert.org/vuls/id/797201

Buffer overflow in print-rx.c of tcpdump 3.x (probably 3.6x) allows
remote attackers to cause a denial of service and possibly execute
arbitrary code via AFS RPC packets with invalid lengths that trigger
an integer signedness error, a different vulnerability than
CVE-2000-1026.


Modifications:
  ADDREF CONECTIVA:CLA-2002:480
  ADDREF MANDRAKE:MDKSA-2002:032
  ADDREF CALDERA:CSSA-2002-025.0
  ADDREF XF:tcpdump-afs-rpc-bo(7006)
  ADDREF CERT-VN:VU#797201

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1279 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Cox
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Christey

Voter Comments:
 Christey> ADDREF CONECTIVA:CLA-2002:480
   The Conectiva advisory references the FreeBSD advisory used in
   this CAN, along with other issues that are addressed.
 Christey> CONECTIVA:CLA-2002:480
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000480
 Christey> MANDRAKE:MDKSA-2002:032
   CONECTIVA:CLA-2002:480
   CALDERA:CSSA-2002-025.0
 Frech> XF:tcpdump-afs-rpc-bo(7006)
 Christey> Consider whether SUSE:SuSE-SA:2002:020 addresses this
   issue or not.


======================================================
Candidate: CAN-2001-1302
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1302
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: NTBUGTRAQ:20010718 Changing NT/2000 accounts password from the command line
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=1911
Reference: BID:3063
Reference: URL:http://www.securityfocus.com/bid/3063
Reference: XF:win2k-change-network-passwords(6876)
Reference: URL:http://xforce.iss.net/static/6876.php

The change password option in the Windows Security interface for
Windows 2000 allows attackers to use the option to attempt to change
passwords of other users on other systems or identify valid accounts
by monitoring error messages, possibly due to a problem in the
NetuserChangePassword function.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1302 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Green, Frech
   NOOP(1) Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2001-1328
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1328
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020502
Assigned: 20020501
Category:
Reference: CIAC:L-103
Reference: AUSCERT:AA-2001.03
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2001.03
Reference: SUN:00203
Reference: XF:solaris-ypbind-bo(6828)

Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows
remote attackers to execute arbitrary code.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1328 ACCEPT_ACK_REV (2 accept, 3 ack, 1 review)

Current Votes:
   ACCEPT(2) Green, Frech
   NOOP(3) Foat, Cole, Cox
   REVIEWING(1) Wall

Voter Comments:
 Green> Sun Security bulletin 00203


======================================================
Candidate: CAN-2001-1347
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1347
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010524 Elevation of privileges with debug registers on Win2K
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0232.html
Reference: XF:win2k-debug-elevate-privileges(6590)
Reference: URL:http://www.iss.net/security_center/static/6590.php
Reference: BID:2764
Reference: URL:http://www.securityfocus.com/bid/2764

Windows 2000 allows local users to cause a denial of service and
possibly gain privileges by setting a hardware breakpoint that is
handled using global debug registers, which could cause other
processes to terminate due to an exception, and allow hijacking of
resources such as named pipes.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2001-1347 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(4) Foat, Cole, Green, Frech
   NOOP(1) Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2001-1350
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1350
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: REDHAT:RHSA-2001:162
Reference: MISC:http://search.namazu.org/ml/namazu-devel-ja/msg02114.html

Cross-site scripting vulnerability in namazu.cgi for Namazu 2.0.7 and
earlier allows remote attackers to execute arbitrary Javascript as
other web users via the lang parameter.


Modifications:
  20040725 XF:linux-namazu-css(7875)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1350 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Green, Cox
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:linux-namazu-bo(7876)
 Christey> This is not a buffer overflow as suggested by the XF
   reference, it's a CSS/XSS issue (XF:linux-namazu-css(7875))


======================================================
Candidate: CAN-2001-1351
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1351
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: REDHAT:RHSA-2001:162
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&w=2&r=1&s=namazu&q=b
Reference: XF:linux-namazu-css(7875)
Reference: URL:http://www.iss.net/security_center/static/7875.php
Reference: OSVDB:5690
Reference: URL:http://www.osvdb.org/5690

Cross-site scripting vulnerability in Namazu 2.0.8 and earlier allows
remote attackers to execute arbitrary Javascript as other web users
via the index file name that is displayed when displaying hit numbers.


Modifications:
  ADDREF XF:linux-namazu-css(7875)
  20040818 ADDREF OSVDB:5690

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1351 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Alderson, Green, Cox
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

Voter Comments:
 Frech> XF:linux-namazu-css(7875)


======================================================
Candidate: CAN-2001-1352
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1352
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020611
Assigned: 20020602
Category: SF
Reference: REDHAT:RHSA-2001:179
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101060476404565&w=2
Reference: BUGTRAQ:20011227 Re: [RHSA-2001:162-04] Updated namazu packages are available
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100947261916155&w=2
Reference: BUGTRAQ:20020109 Details on the updated namazu packages that are available
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101068116016472&w=2
Reference: XF:linux-namazu-css(7875)
Reference: URL:http://xforce.iss.net/xforce/xfdb/7875
Reference: OSVDB:5691
Reference: URL:http://www.osvdb.org/5691

Cross-site scripting vulnerability in Namazu 2.0.9 and earlier allows
remote attackers to execute arbitrary Javascript as other web users
via an error message that is returned when an invalid index file is
specified in the idxname parameter.


Modifications:
  20040725 ADDREF XF:linux-namazu-css(7875)
  20040818 ADDREF OSVDB:5691

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1352 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Cole, Alderson, Green, Cox
   MODIFY(1) Frech
   NOOP(1) Foat

Voter Comments:
 Frech> XF:linux-namazu-css(7875)


======================================================
Candidate: CAN-2001-1367
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1367
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: CONFIRM:http://phpslice.org/comments.php?aid=1031&;
Reference: VULNWATCH:20010719 [VulnWatch] Changelog maddness (14 various broken apps)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0005.html
Reference: XF:phpslice-checkaccess-function-privileges(9649)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9649

The checkAccess function in PHPSlice 0.1.4, and all other versions
between 0.1.1 and 0.1.6, does not properly verify the administrative
access level, which could allow remote attackers to gain privileges.


Modifications:
  20040725 ADDREF XF:phpslice-checkaccess-function-privileges(9649)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: a post on the vendor web page states "Due to a stupid
mistake on a line in the checkAccess() function, PHPSlice 0.1.4 (and
potentially all earlier releases as well) has a gaping security hole
that allows any user to perform administrative tasks if they enter the
correct URL."
ACCURACY: while the vendor's statement implies that the problem was
fixed after 0.1.4, a review of the source code indicates that it
actually wasn't fixed until 0.1.7.

INFERRED ACTION: CAN-2001-1367 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Cole, Green
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cox
   REVIEWING(1) Alderson

Voter Comments:
 Alderson> Is there a candidate already in existence for the problem as it
   relates to 0.1.4?  If so, since this problem was not fixed, perhaps that one
   needs to be modified to include 0.1.7.
 Frech> XF:phpslice-checkaccess-function-privileges(9649)


======================================================
Candidate: CAN-2001-1386
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1386
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020830
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20010701 WFTPD v3.00 R5 Directory Traversal
Reference: URL:http://www.securityfocus.com/archive/1/194442
Reference: XF:ftp-lnk-directory-traversal(6760)
Reference: URL:http://www.iss.net/security_center/static/6760.php
Reference: BID:2957
Reference: URL:http://www.securityfocus.com/bid/2957

WFTPD 3.00 allows remote attackers to read arbitrary files by
uploading a (link) file that ends in a ".lnk." extension, which
bypasses WFTPD's check for a ".lnk" extension.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2001-1386 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Green, Baker, Frech
   MODIFY(1) Foat
   NOOP(3) Cole, Armstrong, Cox
   REVIEWING(1) Wall

Voter Comments:
 Foat> If a windows shortcut file (*.lnk) linked to a directory is uploaded,
   an ftp user would be able to have access to the directory link points by typing
   'cd <file>.lnk'. If an ftp user uploads a *.lnk file to a known file for which
   the user does not have access and then does a 'GET' on the link, the file will
   be downloaded.


======================================================
Candidate: CAN-2001-1391
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1391
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020830
Assigned: 20020830
Category: SF
Reference: BUGTRAQ:20010405 Trustix Security Advisory #2001-0003 - kernel
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98653252326445&w=2
Reference: BUGTRAQ:20010409 PROGENY-SA-2001-01: execve()/ptrace() exploit in Linux kernels
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98684172109474&w=2
Reference: CONFIRM:http://www.linux.org.uk/VERSION/relnotes.2219.html
Reference: IMMUNIX:IMNX-2001-70-010-01
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98575345009963&w=2
Reference: CALDERA:CSSA-2001-012.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98637996127004&w=2
Reference: MANDRAKE:MDKSA-2001:037
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98759029811377&w=2
Reference: DEBIAN:DSA-047
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98741381506142&w=2
Reference: SUSE:SuSE-SA:2001:018
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99013830726309&w=2
Reference: CONECTIVA:CLA-2001:394
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98775114228203&w=2
Reference: REDHAT:RHSA-2001:047
Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-047.html
Reference: XF:linux-cpia-memory-overwrite(11162)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11162

Off-by-one vulnerability in CPIA driver of Linux kernel before 2.2.19
allows users to modify kernel memory.


Modifications:
  20040725 desc fix small typo
  20040725 XF:linux-cpia-memory-overwrite(11162)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2001-1391 ACCEPT (7 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(6) Wall, Cole, Armstrong, Green, Baker, Cox
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

Voter Comments:
 Frech> XF:linux-ptrace-modify-process(6080)
 Christey> fix typo: "off-by-one" should be "Off-by-one"
 Christey> XF:linux-cpia-memory-overwrite(11162) is clearly the correct
   reference here.


======================================================
Candidate: CAN-2002-0036
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0036
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020116
Category: SF
Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
Reference: CERT-VN:VU#587579
Reference: URL:http://www.kb.cert.org/vuls/id/587579
Reference: CONECTIVA:CLA-2003:639
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000639
Reference: MANDRAKE:MDKSA-2003:043
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:043
Reference: REDHAT:RHSA-2003:051
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-051.html
Reference: REDHAT:RHSA-2003:052
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-052.html
Reference: REDHAT:RHSA-2003:168
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-168.html
Reference: XF:kerberos-kdc-neglength-bo(11190)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11190
Reference: BID:6713
Reference: URL:http://www.securityfocus.com/bid/6713
Reference: OSVDB:4896
Reference: URL:http://www.osvdb.org/4896

Integer signedness error in MIT Kerberos V5 ASN.1 decoder before krb5
1.2.5 allows remote attackers to cause a denial of service via a large
unsigned data element length, which is later used as a negative value.


Modifications:
  20040725 ADDREF REDHAT:RHSA-2003:051
  20040725 ADDREF REDHAT:RHSA-2003:052
  20040725 ADDREF MANDRAKE:MDKSA-2003:043
  20040725 ADDREF CONECTIVA:CLA-2003:639
  20040725 ADDREF XF:kerberos-kdc-neglength-bo(11190)
  20040725 ADDREF BID:6713
  20040818 ADDREF REDHAT:RHSA-2003:168
  20040818 ADDREF OSVDB:4896

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0036 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   MODIFY(2) Frech, Cox
   NOOP(1) Christey

Voter Comments:
 Cox> This is fixed in krb5 version 1.2.5
 Cox> Addref RHSA-2003:051
 Cox> Addref REDHAT:RHSA-2003:052
 Christey> MANDRAKE:MDKSA-2003:043
   (as suggested by Vincent Danen of Mandrake)
 Frech> XF:kerberos-kdc-neglength-bo(11190)


======================================================
Candidate: CAN-2002-0090
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0090
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20020315
Assigned: 20020306
Category: SF
Reference: MISC:http://www.esecurityonline.com/advisories/eSO3761.asp
Reference: VULNWATCH:20020429 [VulnWatch] eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0041.html
Reference: BUGTRAQ:20020429 eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/270149
Reference: SUNALERT:44842
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/44842
Reference: CERT-VN:VU#188507
Reference: URL:http://www.kb.cert.org/vuls/id/188507
Reference: BID:4633
Reference: URL:http://www.securityfocus.com/bid/4633
Reference: XF:solaris-lbxproxy-display-bo(8958)
Reference: URL:http://www.iss.net/security_center/static/8958.php
Reference: OVAL:OVAL179
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL179.html
Reference: OVAL:OVAL86
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL86.html

Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8
allows local users to execute arbitrary code via a long display
command line option.


Modifications:
  ADDREF VULNWATCH:20020429 [VulnWatch] eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
  ADDREF BUGTRAQ:20020429 eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
  ADDREF BID:4633
  ADDREF CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44842&zone_32=category%3Asecurity%20lbxproxy
  ADDREF XF:solaris-lbxproxy-display-bo(8958)
  ADDREF CERT-VN:VU#188507
  DESC expanded "lbx" term
  20040725 Normalize SUNALERT reference
  20040824 ADDREF OVAL:OVAL179
  20040824 ADDREF OVAL:OVAL86

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0090 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Balinsky, Wall, Cole, Green
   NOOP(3) Ziese, Foat, Christey

Voter Comments:
 Balinsky> Patch at http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
   resolves an lbxproxy buffer overflow.
 Christey> VULNWATCH:20020429 [VulnWatch] eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0041.html
   BUGTRAQ:20020429 eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy display name buffer overflow vulnerability
   URL:http://online.securityfocus.com/archive/1/270149
   BID:4633
   URL:http://www.securityfocus.com/bid/4633


======================================================
Candidate: CAN-2002-0158
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0158
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20020502
Assigned: 20020327
Category: SF
Reference: BUGTRAQ:20020402 NSFOCUS SA2002-01: Sun Solaris Xsun "-co" heap overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101776858410652&w=2
Reference: VULNWATCH:20020402 NSFOCUS SA2002-01: Sun Solaris Xsun "-co" heap overflow
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0000.html
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
Reference: OVAL:OVAL14
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL14.html
Reference: OVAL:OVAL33
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL33.html

Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to
gain root privileges via a long -co (color database) command line
argument.


Modifications:
  ADDREF CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
  20040824 ADDREF OVAL:OVAL14
  20040824 ADDREF OVAL:OVAL33

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: the description for patch 108652-52, bug 4661987,
explicitly references CAN-2002-0158.

INFERRED ACTION: CAN-2002-0158 ACCEPT_REV (5 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(4) Baker, Foat, Armstrong, Green
   MODIFY(1) Frech
   NOOP(3) Christey, Cox, Cole
   REVIEWING(1) Wall

Voter Comments:
 Green> The documentation of this vulnerability is compelling
 Christey> CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
   the description for patch 108652-52, bug 4661987,
   explicitly references CAN-2002-0158.
 Green> The documentation of this vulnerability is compelling
 Frech> XF:solaris-xsun-co-bo(8703)
 Christey> I received an email on Oct 10, 2003, that suggested that other
   non-Sun operating systems may be affected.
 Christey> XSco is also affected:
   BUGTRAQ:20020611 SCO Openserver Xsco heap overflow.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102380830430665&w=2
   VULN-DEV:20020611 SCO Openserver Xsco heap overflow.
   URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102381771109722&w=2
   CALDERA:CSSA-2003-SCO.26


======================================================
Candidate: CAN-2002-0188
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0188
Final-Decision:
Interim-Decision: 20040825
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020420
Category: SF
Reference: BUGTRAQ:20020516 [SNS Advisory No.48] Microsoft Internet Explorer Still Download And Execute ANY Program Automatically
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-05/0126.html
Reference: MS:MS02-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
Reference: MISC:http://www.lac.co.jp/security/english/snsadv_e/48_e.html
Reference: XF:ie-content-disposition-variant2(9086)
Reference: URL:http://www.iss.net/security_center/static/9086.php

Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to
execute arbitrary code via malformed Content-Disposition and
Content-Type header fields that cause the application for the spoofed
file type to pass the file back to the operating system for handling
rather than raise an error message, aka the second variant of the
"Content Disposition" vulnerability.


Modifications:
  ADDREF BUGTRAQ:20020516 [SNS Advisory No.48] Microsoft Internet Explorer Still Download And Execute ANY Program Automatically
  ADDREF MISC:http://www.lac.co.jp/security/english/snsadv_e/48_e.html
  ADDREF XF:ie-content-disposition-variant2(9086)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0188 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:ie-content-disposition-variant2(9086)


======================================================
Candidate: CAN-2002-0193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0193
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20020611
Assigned: 20020420
Category: SF
Reference: MS:MS02-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
Reference: XF:ie-content-disposition-variant(9085)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9085
Reference: BID:4752
Reference: URL:http://www.securityfocus.com/bid/4752
Reference: OVAL:OVAL27
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL27.html
Reference: OVAL:OVAL99
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL99.html

Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to
execute arbitrary code via malformed Content-Disposition and
Content-Type header fields that cause the application for the spoofed
file type to pass the file back to the operating system for handling
rather than raise an error message, aka the first variant of the
"Content Disposition" vulnerability.


Modifications:
  20040725 XF:ie-content-disposition-variant(9085)
  20040725 BID:4752
  20040824 ADDREF OVAL:OVAL27
  20040824 ADDREF OVAL:OVAL99

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0193 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:ie-content-disposition-variant(9085)


======================================================
Candidate: CAN-2002-0275
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0275
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020213 Falcon Web Server Authentication Circumvention Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101363946626951&w=2
Reference: VULNWATCH:20020526 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0082.html
Reference: BUGTRAQ:20020526 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102253858809370&w=2
Reference: BID:4099
Reference: URL:http://online.securityfocus.com/bid/4099
Reference: XF:falcon-protected-dir-access(8189)
Reference: URL:http://xforce.iss.net/xforce/xfdb/8189

Falcon web server 2.0.0.1020 and earlier allows remote attackers to
bypass authentication and read restricted files via an extra / (slash)
in the requested URL.


Modifications:
  20040725 XF:falcon-protected-dir-access(8189)
  20040725 VULNWATCH:20020526 [VulnWatch] [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
  20040725 BUGTRAQ:20020526 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability

Analysis
--------
Vendor Acknowledgement: yes via-email

ACKNOWLEDGEMENT: the vendor confirmed the issue via email.

INFERRED ACTION: CAN-2002-0275 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(6) Christey, Cox, Wall, Foat, Cole, Armstrong

Voter Comments:
 Frech> XF:falcon-protected-dir-access(8189)
 Christey> This issue was rediscovered a few months later:
   VULNWATCH:20020526 [VulnWatch] [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0082.html
   BUGTRAQ:20020526 [SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102253858809370&w=2


======================================================
Candidate: CAN-2002-0313
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0313
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020226 SecurityOffice Security Advisory:// Essentia Web Server Vulnerabilities (Vendor Patch)
Reference: URL:http://online.securityfocus.com/archive/1/258365
Reference: BUGTRAQ:20020221 SecurityOffice Security Advisory:// Essentia Web Server DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440530023617&w=2
Reference: FULLDISC:20030704 Essentia Web Server 2.12 (Linux)
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2003-July/006231.html
Reference: XF:essentia-server-long-request-dos(8249)
Reference: URL:http://www.iss.net/security_center/static/8249.php
Reference: BID:4159
Reference: URL:http://www.securityfocus.com/bid/4159

Buffer overflow in Essentia Web Server 2.1 allows remote attackers to
cause a denial of service, and possibly execute arbitrary code, via a
long URL.


Modifications:
  20040725 ADDREF FULLDISC:20030704 Essentia Web Server 2.12 (Linux)

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-0313 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> FULLDISC:20030704 Essentia Web Server 2.12 (Linux)
   URL:http://lists.netsys.com/pipermail/full-disclosure/2003-July/010909.html


======================================================
Candidate: CAN-2002-0357
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0357
Final-Decision:
Interim-Decision: 20040825
Modified: 20030320-01
Proposed: 20020611
Assigned: 20020502
Category: SF
Reference: SGI:20020601-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020601-01-P
Reference: XF:irix-rpcpasswd-gain-privileges(9261)
Reference: URL:http://www.iss.net/security_center/static/9261.php
Reference: BID:4939
Reference: URL:http://online.securityfocus.com/bid/4939

Unknown vulnerability in rpc.passwd in the nfs.sw.nis subsystem of SGI
IRIX 6.5.15 and earlier allows local users to gain root privileges.


Modifications:
  ADDREF XF:irix-rpcpasswd-gain-privileges(9261)
  ADDREF BID:4939

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: SecurityFocus' title for the BID implies that the problem is
due to a buffer overflow, but there does not seem to be specific
information about the type of problem in the SGI advisory, which
appears to be the only public information regarding this
vulnerability.

INFERRED ACTION: CAN-2002-0357 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(4) Christey, Cox, Wall, Foat

Voter Comments:
 Christey> XF:irix-rpcpasswd-gain-privileges(9261)
   URL:http://www.iss.net/security_center/static/9261.php
   BID:4939
   URL:http://online.securityfocus.com/bid/4939
   SecurityFocus' title for the BID implies that the problem
   is due to a buffer overflow, but there does not seem to be
   specific information about the type of problem in the
   SGI advisory, which appears to be the only public information
   regarding this vulnerability.
 Frech> XF:irix-rpcpasswd-gain-privileges(9261)


======================================================
Candidate: CAN-2002-0362
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0362
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020506
Category: SF
Reference: VULNWATCH:20020506 [VulnWatch] w00w00 on AOL Instant Messenger remote overflow #2
Reference: BUGTRAQ:20020506 w00w00 on AOL Instant Messenger remote overflow #2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102071080509955&w=2
Reference: BID:4677
Reference: URL:http://www.securityfocus.com/bid/4677
Reference: XF:aim-addexternalapp-bo(9017)
Reference: URL:http://www.iss.net/security_center/static/9017.php

Buffer overflow in AOL Instant Messenger (AIM) 4.2 and later allows
remote attackers to execute arbitrary code via a long AddExternalApp
request and a TLV type greater than 0x2711.


Modifications:
  20040725 ADDREF XF:aim-addexternalapp-bo(9017)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0362 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(5) Christey, Cox, Foat, Cole, Armstrong

Voter Comments:
 Frech> XF:aim-addexternalapp-bo(9017)
 Christey> XF:aim-addexternalapp-bo(9017)
   URL:http://www.iss.net/security_center/static/9017.php


======================================================
Candidate: CAN-2002-0376
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0376
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020513
Category: SF
Reference: ATSTAKE:A091002-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a091002-1.txt
Reference: BUGTRAQ:20020925 Fwd: QuickTime for Windows ActiveX security advisory
Reference: URL:http://online.securityfocus.com/archive/1/293095
Reference: XF:quicktime-activex-pluginspage-bo(10077)
Reference: URL:http://www.iss.net/security_center/static/10077.php
Reference: BID:5685
Reference: URL:http://www.securityfocus.com/bid/5685

Buffer overflow in Apple QuickTime 5.0 ActiveX component allows remote
attackers to execute arbitrary code via a long pluginspage field.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0376 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(1) Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2002-0380
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0380
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020611
Assigned: 20020517
Category: SF
Reference: REDHAT:RHSA-2002:094
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-094.html
Reference: REDHAT:RHSA-2002:121
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-121.html
Reference: REDHAT:RHSA-2003:214
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-214.html
Reference: FREEBSD:FreeBSD-SA-02:29
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102650721503642&w=2
Reference: CONECTIVA:CLA-2002:491
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000491
Reference: CALDERA:CSSA-2002-025.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-025.0.txt
Reference: DEBIAN:DSA-255
Reference: URL:http://www.debian.org/security/2003/dsa-255
Reference: BUGTRAQ:20020606 TSLSA-2002-0055 - tcpdump
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102339541014226&w=2
Reference: XF:tcpdump-nfs-bo(9216)
Reference: URL:http://www.iss.net/security_center/static/9216.php
Reference: BID:4890
Reference: URL:http://online.securityfocus.com/bid/4890
Reference: HP:HPSBTL0205-044
Reference: URL:http://online.securityfocus.com/advisories/4169

Buffer overflow in tcpdump 3.6.2 and earlier allows remote attackers
to cause a denial of service and possibly execute arbitrary code via
an NFS packet.


Modifications:
  CHANGEREF REDHAT:RHSA-2002:094 (advisory ID was wrong)
  ADDREF FREEBSD:FreeBSD-SA-02:29
  ADDREF CONECTIVA:CLA-2002:491
  ADDREF CALDERA:CSSA-2002-025.0
  ADDREF XF:tcpdump-nfs-bo(9216)
  ADDREF BID:4890
  ADDREF BUGTRAQ:20020606 TSLSA-2002-0055 - tcpdump
  ADDREF HP:HPSBTL0205-044
  20040818 ADDREF REDHAT:RHSA-2002:121
  20040818 ADDREF REDHAT:RHSA-2003:214
  20040818 ADDREF DEBIAN:DSA-255

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0380 ACCEPT (6 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(2) Frech, Cox
   NOOP(2) Christey, Foat

Voter Comments:
 Cox> ADDREF: CLA-2002:491 TSLSA-2002-0055
 Christey> I clearly screwed up the references here.  This is supposed
   to be REDHAT:RHSA-2002:094.   #089 is already covered by
   CAN-2001-1279.

   ADDREF FREEBSD:FreeBSD-SA-02:29
 Christey> CALDERA:CSSA-2002-025.0
   CONECTIVA:CLA-2002:491

   Consider SUSE:SuSE-SA:2002:020, but beware that it upgrades
   *to* 3.6.2, and it mentions *AFS* packets.  There are no
   cross-references to know for sure whether they meant this
   tcpdump vulnerability or an older one.
 Frech> XF:tcpdump-nfs-bo(9216)
 Christey> HP:HPSBTL0205-044
   URL:http://online.securityfocus.com/advisories/4169
 Christey> I'm not going to add the SuSE reference, which may be
   describing CAN-2001-1279.  I don't want to hold this CAN back
   from promotion to an entry any further.


======================================================
Candidate: CAN-2002-0384
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0384
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020522
Category: SF
Reference: REDHAT:RHSA-2002:098
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-098.html
Reference: REDHAT:RHSA-2002:107
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-107.html
Reference: REDHAT:RHSA-2002:122
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-122.html
Reference: REDHAT:RHSA-2003:156
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-156.html
Reference: MANDRAKE:MDKSA-2002:054
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-054.php
Reference: HP:HPSBTL0208-057
Reference: URL:http://online.securityfocus.com/advisories/4358
Reference: XF:gaim-jabber-module-bo(9766)
Reference: URL:http://www.iss.net/security_center/static/9766.php
Reference: BID:5406
Reference: URL:http://www.securityfocus.com/bid/5406
Reference: OSVDB:3729
Reference: URL:http://www.osvdb.org/3729

Buffer overflow in Jabber plug-in for Gaim client before 0.58 allows
remote attackers to execute arbitrary code.


Modifications:
  20040725 ADDREF REDHAT:RHSA-2003:122
  20040818 ADDREF REDHAT:RHSA-2002:122
  20040818 ADDREF REDHAT:RHSA-2003:156
  20040725 DELREF REDHAT:RHSA-2003:122 [does not exist]
  20040818 ADDREF OSVDB:3729

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0384 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cox, Cole, Armstrong, Green
   NOOP(1) Christey

Voter Comments:
 Christey> ADDREF MANDRAKE:MDKSA-2002:054
 Cox> Addref: RHSA-2003:122


======================================================
Candidate: CAN-2002-0387
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0387
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020522
Category: SF
Reference: ATSTAKE:A031303-1
Reference: URL:http://www.atstake.com/research/advisories/2003/a031303-1.txt
Reference: SUNALERT:52022
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/52022
Reference: CIAC:N-064
Reference: URL:http://www.ciac.org/ciac/bulletins/n-064.shtml
Reference: XF:sunone-gxnsapi6-bo(11529)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11529
Reference: BID:7082
Reference: URL:http://www.securityfocus.com/bid/7082

Buffer overflow in gxnsapi6.dll NSAPI plugin of the Connector Module
for Sun ONE Application Server before 6.5 allows remote attackers to
execute arbitrary code via a long HTTP request URL.


Modifications:
  20040725 ADDREF XF:sunone-gxnsapi6-bo(11529)
  20040725 ADDREF SUNALERT:52022
  20040725 CIAC:N-064

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0387 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Stracener, Green
   NOOP(3) Cox, Wall, Cole

Voter Comments:
 Green> ACKNOWLEDGED IN SP1 AVAILABLE AT
   http://wwws.sun.com/software/download/products/3e3afb89.html
 Stracener> cf. Sun[tm] ONE Application Server, Enterprise Edition 6.5 Service Pack 1


======================================================
Candidate: CAN-2002-0395
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0395
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020530
Category: SF
Reference: ATSTAKE:A060502-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a060502-1.txt
Reference: XF:redm-1050ap-tftp-bruteforce(9264)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9264

The TFTP server for Red-M 1050 (Bluetooth Access Point) can not be
disabled and makes it easier for remote attackers to crack the
administration password via brute force methods.


Modifications:
  20040725 ADDREF XF:redm-1050ap-tftp-bruteforce(9264)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0395 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Foat
   MODIFY(1) Frech
   NOOP(4) Cox, Wall, Cole, Armstrong

Voter Comments:
 Frech> XF:redm-1050ap-tftp-bruteforce (9264)


======================================================
Candidate: CAN-2002-0396
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0396
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020530
Category: SF
Reference: ATSTAKE:A060502-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a060502-1.txt
Reference: XF:redm-1050ap-insecure-session(9265)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9265

The web management server for Red-M 1050 (Bluetooth Access Point) does
not use session-based credentials to authenticate users, which allows
attackers to connect to the server from the same IP address as a user
who has already established a session.


Modifications:
  20040725 ADDREF XF:redm-1050ap-insecure-session(9265)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0396 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Foat
   MODIFY(1) Frech
   NOOP(4) Cox, Wall, Cole, Armstrong

Voter Comments:
 Frech> XF:redm-1050ap-insecure-session(9265)


======================================================
Candidate: CAN-2002-0397
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0397
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020530
Category: SF
Reference: ATSTAKE:A060502-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a060502-1.txt
Reference: XF:redm-1050ap-device-existence(9266)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9266

Red-M 1050 (Bluetooth Access Point) publicizes its name, IP address,
and other information in UDP packets to a broadcast address, which
allows any system on the network to obtain potentially sensitive
information about the Access Point device by monitoring UDP port 8887.


Modifications:
  20040725 ADDREF XF:redm-1050ap-device-existence(9266)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0397 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Foat
   MODIFY(1) Frech
   NOOP(4) Cox, Wall, Cole, Armstrong

Voter Comments:
 Frech> XF:redm-1050ap-device-existence (9266)


======================================================
Candidate: CAN-2002-0398
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0398
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020611
Assigned: 20020530
Category: SF
Reference: ATSTAKE:A060502-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a060502-1.txt
Reference: XF:redm-1050ap-ppp-dos(9267)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9267

Red-M 1050 (Bluetooth Access Point) PPP server allows bonded users to
cause a denial of service and possibly execute arbitrary code via a
long user name.


Modifications:
  20040725 ADDREF XF:redm-1050ap-ppp-dos(9267)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0398 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Foat
   MODIFY(1) Frech
   NOOP(4) Cox, Wall, Cole, Armstrong

Voter Comments:
 Frech> XF:redm-1050ap-ppp-dos(9267)


======================================================
Candidate: CAN-2002-0400
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0400
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020611
Assigned: 20020603
Category: SF
Reference: CERT:CA-2002-15
Reference: URL:http://www.cert.org/advisories/CA-2002-15.html
Reference: CERT-VN:VU#739123
Reference: URL:http://www.kb.cert.org/vuls/id/739123
Reference: ISS:20020604 Remote Denial of Service Vulnerability in ISC BIND
Reference: CALDERA:CSSA-2002-SCO.24
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.24.1/CSSA-2002-SCO.24.1.txt
Reference: CONECTIVA:CLA-2002:494
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000494
Reference: HP:HPSBUX0207-202
Reference: URL:http://archives.neohapsis.com/archives/hp/2002-q3/0022.html
Reference: MANDRAKE:MDKSA-2002:038
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-038.php
Reference: REDHAT:RHSA-2002:105
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-105.html
Reference: REDHAT:RHSA-2002:119
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-119.html
Reference: REDHAT:RHSA-2003:154
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-154.html
Reference: SUSE:SuSE-SA:2002:021
Reference: URL:http://www.suse.de/de/security/2002_21_bind9.html
Reference: BID:4936
Reference: URL:http://www.securityfocus.com/bid/4936
Reference: XF:bind-findtype-dos(9250)
Reference: URL:http://www.iss.net/security_center/static/9250.php

ISC BIND 9 before 9.2.1 allows remote attackers to cause a denial of
service (shutdown) via a malformed DNS packet that triggers an error
condition that is not properly handled when the rdataset parameter to
the dns_message_findtype() function in message.c is not NULL.


Modifications:
  ADDREF CALDERA:CSSA-2002-SCO.24
  ADDREF CONECTIVA:CLA-2002:494
  ADDREF SUSE:SuSE-SA:2002:021
  ADDREF REDHAT:RHSA-2002:105
  ADDREF MANDRAKE:MDKSA-2002:038
  ADDREF BID:4936
  ADDREF XF:bind-findtype-dos(9250)
  ADDREF HP:HPSBUX0207-202
  20040725 ADDREF REDHAT:RHSA-2003:154
  20040818 ADDREF REDHAT:RHSA-2002:119

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0400 ACCEPT (6 accept, 7 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Cox, Wall, Foat, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Christey> CALDERA:CSSA-2002-SCO.24
 Christey> CALDERA:CSSA-2002-SCO.24
   URL:ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.24.1/CSSA-2002-SCO.24.1.txt
   CONECTIVA:CLA-2002:494
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000494
   SUSE:SuSE-SA:2002:021
   URL:http://www.suse.de/de/support/security/2002_21_bind9.html
   XF:bind-findtype-dos(9250)
   URL:http://www.iss.net/security_center/static/9250.php
   BID:4936
   URL:http://www.securityfocus.com/bid/4936
 Christey> REDHAT:RHSA-2002:105
 Frech> XF:bind-findtype-dos(9250)
 Christey> MANDRAKE:MDKSA-2002:038
 Christey> HP:HPSBUX0207-202
   URL:http://archives.neohapsis.com/archives/hp/2002-q3/0022.html
 Christey> REDHAT:RHSA-2003:154


======================================================
Candidate: CAN-2002-0443
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0443
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020307 Windows 2000 password policy bypass possibility
Reference: URL:http://online.securityfocus.com/archive/1/260704
Reference: XF:win2k-password-bypass-policy(8402)
Reference: URL:http://www.iss.net/security_center/static/8402.php
Reference: BID:4256
Reference: URL:http://www.securityfocus.com/bid/4256

Microsoft Windows 2000 allows local users to bypass the policy that
prohibits reusing old passwords by changing the current password
before it expires, which does not enable the check for previous
passwords.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-0443 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(4) Frech, Foat, Cole, Alderson
   NOOP(1) Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2002-0444
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0444
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020408 Vulnerability: Windows2000Server running Terminalservices
Reference: URL:http://www.securityfocus.com/archive/1/266729
Reference: BID:4464
Reference: URL:http://www.securityfocus.com/bid/4464
Reference: XF:win2k-terminal-bypass-policies(8813)
Reference: URL:http://www.iss.net/security_center/static/8813.php

Microsoft Windows 2000 running the Terminal Server 90-day trial
version, and possibly other versions, does not apply group policies to
incoming users when the number of connections to the SYSVOL share
exceeds the maximum, e.g. with a maximum number of licenses, which can
allow remote authenticated users to bypass group policies.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-0444 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(4) Frech, Foat, Cole, Alderson
   NOOP(1) Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2002-0445
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0445
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020312 [ARL02-A05] PHP FirstPost System Information Path Disclosure Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/261337
Reference: XF:phpfirstpost-path-disclosure(8434)
Reference: URL:http://www.iss.net/security_center/static/8434.php
Reference: BID:4274
Reference: URL:http://www.securityfocus.com/bid/4274
Reference: OSVDB:7170
Reference: URL:http://www.osvdb.org/7170

article.php in PHP FirstPost 0.1 allows remote attackers to
obtain the full pathname of the server via an invalid post number in
the post parameter, which leaks the pathname in an error message.


Modifications:
  20040818 ADDREF OSVDB:7170

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INCLUSION: CD:EX-BETA suggests that beta software should not be
included in CVE unless it is popular or in permanent beta. The home
page for PHP FirstPost implies that the product is in beta; however,
the discloser suggests that the developer has stopped maintaining the
code, so it could be argued that this software is in "permanent beta"
and should be included in CVE.

INFERRED ACTION: CAN-2002-0445 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Frech, Cole
   NOOP(3) Cox, Wall, Foat


======================================================
Candidate: CAN-2002-0546
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0546
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020611
Assigned: 20020607
Category: SF
Reference: BUGTRAQ:20020403 Winamp: Mp3 file can control the minibrowser
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0026.html
Reference: BUGTRAQ:20020403 Re: Winamp: Mp3 file can control the minibrowser
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-04/0049.html
Reference: XF:winamp-mp3-browser-css(8753)
Reference: URL:http://www.iss.net/security_center/static/8753.php
Reference: BID:4414
Reference: URL:http://www.securityfocus.com/bid/4414

Cross-site scripting vulnerability in the mini-browser for Winamp 2.78
and 2.79 allows remote attackers to execute script via an ID3v1 or
ID3v2 tag in an MP3 file.

Analysis
--------
Vendor Acknowledgement: yes followup

ACKNOWLEDGEMENT: the vendor's changelog for version 2.80 says
"minibrowser security fix," but it is not clear that the vendor is
fixing *this* vulnerability, as there are several issues that affect
2.79 (at least CAN-2002-0546 and CAN-2002-0547, and possibly
CAN-2002-0284).

INFERRED ACTION: CAN-2002-0546 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Frech, Cole
   NOOP(4) Cox, Wall, Foat, Armstrong


======================================================
Candidate: CAN-2002-0615
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0615
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020726
Assigned: 20020612
Category: SF
Reference: MS:MS02-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
Reference: XF:mediaplayer-playlist-script-execution(9422)
Reference: URL:http://www.iss.net/security_center/static/9422.php
Reference: BID:5110
Reference: URL:http://www.securityfocus.com/bid/5110

The Windows Media Active Playlist in Microsoft Windows Media Player
7.1 stores information in a well known location on the local file
system, allowing attackers to execute HTML scripts in the Local
Computer zone, aka "Media Playback Script Invocation".


Modifications:
  20040725 ADDREF XF:mediaplayer-playlist-script-execution(9422)
  20040725 ADDREF BID:5110
  20040725 DELREF BID:4821

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0615 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Foat, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:mediaplayer-playlist-script-execution(9422)
   URL:http://www.iss.net/security_center/static/9422.php
   BID:5110
   URL:http://www.securityfocus.com/bid/5110
 Christey> DELREF BID:4821 (that BID is for CVE-2002-0618)


======================================================
Candidate: CAN-2002-0627
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0627
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020617
Category: SF
Reference: ISS:20020904 Multiple Remote Vulnerabilities in Polycom Videoconferencing Products
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089
Reference: CONFIRM:http://www.polycom.com/common/pw_item_show_doc/0,,1444,00.pdf
Reference: CIAC:M-123
Reference: URL:http://www.ciac.org/ciac/bulletins/m-123.shtml
Reference: XF:viewstation-unicode-retrieve-password(9348)
Reference: URL:http://www.iss.net/security_center/static/9348.php
Reference: BID:5632
Reference: URL:http://www.securityfocus.com/bid/5632

The Web server for Polycom ViewStation before 7.2.4 allows remote
attackers to bypass authentication and read files via Unicode encoded
requests.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0627 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0630
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0630
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020617
Category: SF
Reference: ISS:20020904 Multiple Remote Vulnerabilities in Polycom Videoconferencing Products
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089
Reference: CONFIRM:http://www.polycom.com/common/pw_item_show_doc/0,,1444,00.pdf
Reference: CIAC:M-123
Reference: URL:http://www.ciac.org/ciac/bulletins/m-123.shtml
Reference: XF:viewstation-icmp-dos(9350)
Reference: URL:http://www.iss.net/security_center/static/9350.php
Reference: BID:5637
Reference: URL:http://www.securityfocus.com/bid/5637

The Telnet service for Polycom ViewStation before 7.2.4 allows remote
attackers to cause a denial of service (crash) via long or malformed
ICMP packets.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0630 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0651
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0651
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020726
Assigned: 20020628
Category: SF
Reference: BUGTRAQ:20020626 Remote buffer overflow in resolver code of libc
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102513011311504&w=2
Reference: NTBUGTRAQ:20020703 Buffer overflow and DoS i BIND
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0000.html
Reference: MISC:http://www.pine.nl/advisories/pine-cert-20020601.txt
Reference: CERT:CA-2002-19
Reference: URL:http://www.cert.org/advisories/CA-2002-19.html
Reference: CERT-VN:VU#803539
Reference: URL:http://www.kb.cert.org/vuls/id/803539
Reference: AIXAPAR:IY32719
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q3/0001.html
Reference: AIXAPAR:IY32746
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q3/0001.html
Reference: CALDERA:CSSA-2002-SCO.37
Reference: URL:ftp://ftp.caldera.com/pub/updates/UnixWare/CSSA-2002-SCO.37
Reference: CALDERA:CSSA-2002-SCO.39
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.39
Reference: CONECTIVA:CLSA-2002:507
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000507
Reference: ENGARDE:ESA-20020724-018
Reference: URL:http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0002.html
Reference: FREEBSD:FreeBSD-SA-02:28
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102520962320134&w=2
Reference: MANDRAKE:MDKSA-2002:038
Reference: URL:http://online.securityfocus.com/advisories/4397
Reference: MANDRAKE:MDKSA-2002:043
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-043.php
Reference: NETBSD:NetBSD-SA2002-006
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
Reference: REDHAT:RHSA-2002:119
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-119.html
Reference: REDHAT:RHSA-2002:133
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-133.html
Reference: REDHAT:RHSA-2002:139
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-139.html
Reference: REDHAT:RHSA-2002:167
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-167.html
Reference: REDHAT:RHSA-2003:154
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-154.html
Reference: SGI:20020701-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020701-01-I/
Reference: BUGTRAQ:20020704 [OpenPKG-SA-2002.006] OpenPKG Security Advisory (bind)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102579743329251&w=2
Reference: XF:dns-resolver-lib-bo(9432)
Reference: URL:http://www.iss.net/security_center/static/9432.php
Reference: BID:5100
Reference: URL:http://online.securityfocus.com/bid/5100

Buffer overflow in the DNS resolver code used in libc, glibc, and
libbind, as derived from ISC BIND, allows remote malicious DNS servers
to cause a denial of service and possibly execute arbitrary code via
the stub resolvers.


Modifications:
  ADDREF REDHAT:RHSA-2002:133
  ADDREF MANDRAKE:MDKSA-2002:038
  ADDREF CONECTIVA:CLSA-2002:507
  ADDREF XF:dns-resolver-lib-bo(9432)
  ADDREF BUGTRAQ:20020704 [OpenPKG-SA-2002.006] OpenPKG Security Advisory (bind)
  ADDREF BID:5100
  ADDREF SGI:20020701-01-I
  ADDREF REDHAT:RHSA-2002:139
  ADDREF AIXAPAR:IY32719
  ADDREF AIXAPAR:IY32746
  ADDREF ENGARDE:ESA-20020724-018
  20040725 ADDREF CALDERA:CSSA-2002-SCO.37
  20040725 ADDREF CALDERA:CSSA-2002-SCO.39
  20040725 ADDREF MISC:http://www.pine.nl/advisories/pine-cert-20020601.txt
  20040725 ADDREF REDHAT:RHSA-2003:154
  20040725 CHANGEREF CERT:VU#803539 (use CERT-VN source)
  20040818 ADDREF REDHAT:RHSA-2002:119
  20040818 ADDREF REDHAT:RHSA-2002:167
  20040818 ADDREF REDHAT:RHSA-2003:154
  20040818 DELREF REDHAT:RHSA-2002:154

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0651 ACCEPT (5 accept, 8 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Foat, Cole
   NOOP(1) Christey

Voter Comments:
 Christey> There are actually 2 closely related issues, one in
   gethostbyname/etc. responses related to dn_expand(), and
   another in the getnetbyX functions.  The getnetby* functions
   apparently don't affect BIND 8.x, so they should get a
   different CAN.  See:
   http://marc.theaimsgroup.com/?l=bugtraq&m=102581482511612&w=2
 Christey> Need to beef up the description to more clearly distinguish it
   from CAN-2002-0684.  The NetBSD reference has details,
   related to padding and getanswer() and getnetanswer().

   Also need to closely check each reference to see which
   issue(s) the reference is *really* referring to.
 Christey> REDHAT:RHSA-2002:133
 Christey> MANDRAKE:MDKSA-2002:038
 Christey> MANDRAKE:MDKSA-2002:050
 Christey> The getnet* functions were assigned to CAN-2002-0684.
   Note: MANDRAKE:MDKSA-2002:038-1 explicitly acknowledges this
   issue, but the Mandrake site doesn't have this new revision yet.

   Don't add MANDRAKE:MDKSA-2002:050, that's for CAN-2002-0684
 Christey> XF:dns-resolver-lib-bo(9432)
   URL:http://www.iss.net/security_center/static/9432.php
   CONECTIVA:CLSA-2002:507
   BUGTRAQ:20020704 [OpenPKG-SA-2002.006] OpenPKG Security Advisory (bind)
   BID:5100
   URL:http://online.securityfocus.com/bid/5100
   SGI:20020701-01-I
   REDHAT:RHSA-2002:139
   AIXAPAR:IY32719
   AIXAPAR:IY32746
   ENGARDE:ESA-20020724-018
 Christey> CALDERA:CSSA-2002-SCO.37
   URL:ftp://ftp.caldera.com/pub/updates/UnixWare/CSSA-2002-SCO.37
 Christey> Change the CERT:VU#803539 to a CERT-VN reference.
 Christey> MISC:http://www.pine.nl/advisories/pine-cert-20020601.txt
   CALDERA:CSSA-2002-SCO.39
 Christey> REDHAT:RHSA-2003:154


======================================================
Candidate: CAN-2002-0662
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0662
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020702
Category: SF
Reference: BUGTRAQ:20020902 The ScrollKeeper Root Trap
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103098575826031&w=2
Reference: DEBIAN:DSA-160
Reference: URL:http://www.debian.org/security/2002/dsa-160
Reference: REDHAT:RHSA-2002:186
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-186.html
Reference: BUGTRAQ:20020904 GLSA: scrollkeeper
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103115387102294&w=2
Reference: XF:scrollkeeper-tmp-file-symlink(10002)
Reference: URL:http://www.iss.net/security_center/static/10002.php
Reference: BID:5602
Reference: URL:http://www.securityfocus.com/bid/5602

scrollkeeper-get-cl in ScrollKeeper 0.3 to 0.3.11 allows local users
to create and overwrite files via a symlink attack on the
scrollkeeper-tempfile.x temporary files.


Modifications:
  20040725 ADDREF XF:scrollkeeper-tmp-file-symlink(10002)
  20040725 ADDREF BID:5602

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0662 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Cox, Cole, Armstrong
   NOOP(1) Christey

Voter Comments:
 Christey> XF:scrollkeeper-tmp-file-symlink(10002)
   URL:http://www.iss.net/security_center/static/10002.php
   BID:5602
   URL:http://www.securityfocus.com/bid/5602


======================================================
Candidate: CAN-2002-0668
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0668
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: ATSTAKE:A071202-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a071202-1.txt
Reference: CONFIRM:http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp
Reference: XF:pingtel-xpressa-call-hijacking(9563)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9563
Reference: OSVDB:5144
Reference: URL:http://www.osvdb.org/5144

The web interface for Pingtel xpressa SIP-based voice-over-IP phone
1.2.5 through 1.2.7.4 allows authenticated users to modify the Call
Forwarding settings and hijack calls.


Modifications:
  20040725 ADDREF XF:pingtel-xpressa-call-hijacking(9563)
  20040818 ADDREF OSVDB:5144

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0668 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(5) Cox, Wall, Foat, Cole, Armstrong

Voter Comments:
 Frech> XF:pingtel-xpressa-call-hijacking(9563)


======================================================
Candidate: CAN-2002-0672
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0672
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: ATSTAKE:A071202-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a071202-1.txt
Reference: CONFIRM:http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp
Reference: XF:pingtel-xpressa-factory-defaults(9567)
Reference: URL:http://www.iss.net/security_center/static/9567.php

Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4
allows attackers with physical access to restore the phone to factory
defaults without authentication via a menu option, which sets the
administrator password to null.


Modifications:
  20040725 XF:pingtel-xpressa-factory-defaults(9567)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0672 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(6) Christey, Cox, Wall, Foat, Cole, Armstrong

Voter Comments:
 Christey> XF:pingtel-xpressa-factory-defaults(9567)
   URL:http://www.iss.net/security_center/static/9567.php
 Frech> XF:pingtel-xpressa-factory-defaults(9567)


======================================================
Candidate: CAN-2002-0673
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0673
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: ATSTAKE:A071202-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a071202-1.txt
Reference: CONFIRM:http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp
Reference: XF:pingtel-xpressa-phone-reregister(9568)
Reference: URL:http://www.iss.net/security_center/static/9568.php

The enrollment process for Pingtel xpressa SIP-based voice-over-IP
phone 1.2.5 through 1.2.7.4 allows attackers with physical access to
the phone to log out the current user and re-register the phone using
MyPingtel Sign-In to gain remote access and perform unauthorized
actions.


Modifications:
  20040725 ADDREF XF:pingtel-xpressa-phone-reregister(9568)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0673 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(6) Christey, Cox, Wall, Foat, Cole, Armstrong

Voter Comments:
 Christey> XF:pingtel-xpressa-phone-reregister(9568)
   URL:http://www.iss.net/security_center/static/9568.php
 Frech> XF:pingtel-xpressa-phone-reregister(9568)


======================================================
Candidate: CAN-2002-0674
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0674
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020726
Assigned: 20020709
Category: SF
Reference: ATSTAKE:A071202-1
Reference: URL:http://www.atstake.com/research/advisories/2002/a071202-1.txt
Reference: CONFIRM:http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp
Reference: XF:pingtel-xpressa-admin-timeout(9569)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9569

Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4
does not "time out" an inactive administrator session, which could
allow other users to perform administrator actions if the
administrator does not explicitly end the authentication.


Modifications:
  20040725 ADDREF XF:pingtel-xpressa-admin-timeout(9569)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0674 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(5) Cox, Wall, Foat, Cole, Armstrong

Voter Comments:
 Frech> XF:pingtel-xpressa-admin-timeout(9569)


======================================================
Candidate: CAN-2002-0682
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0682
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020726
Assigned: 20020710
Category: SF
Reference: BUGTRAQ:20020710 wp-02-0008: Apache Tomcat Cross Site Scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102631703811297&w=2
Reference: VULNWATCH:20020710 [VulnWatch] wp-02-0008: Apache Tomcat Cross Site Scripting
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0014.html
Reference: XF:tomcat-servlet-xss(9520)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9520
Reference: BID:5193
Reference: URL:http://www.securityfocus.com/bid/5193
Reference: OSVDB:4973
Reference: URL:http://www.osvdb.org/4973

Cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows
remote attackers to execute script as other web users via script in a
URL with the /servlet/ mapping, which does not filter the script when
an exception is thrown by the servlet.


Modifications:
  20040725 ADDREF XF:tomcat-servlet-xss(9520)
  20040725 ADDREF BID:5193
  20040818 ADDREF OSVDB:4973

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0682 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(5) Christey, Cox, Balinsky, Wall, Foat

Voter Comments:
 Christey> XF:tomcat-servlet-xss(9520)
   URL:http://www.iss.net/security_center/static/9520.php
   BID:5193
   URL:http://www.securityfocus.com/bid/5193
 Frech> XF:tomcat-servlet-xss(9520)


======================================================
Candidate: CAN-2002-0692
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0692
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020712
Category: SF
Reference: MISC:http://lists.netsys.com/pipermail/full-disclosure/2002-September/002252.html
Reference: MS:MS02-053
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-053.asp
Reference: CERT-VN:VU#723537
Reference: URL:http://www.kb.cert.org/vuls/id/723537
Reference: XF:fpse-smarthtml-interpreter-dos(10194)
Reference: URL:http://www.iss.net/security_center/static/10194.php
Reference: XF:fpse-smarthtml-interpreter-bo(10195)
Reference: URL:http://www.iss.net/security_center/static/10195.php
Reference: BID:5804
Reference: URL:http://www.securityfocus.com/bid/5804

Buffer overflow in SmartHTML Interpreter (shtml.dll) in Microsoft
FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote
attackers to cause a denial of service (CPU consumption) or run
arbitrary code, respectively, via a certain type of web file request.


Modifications:
  20040725 ADDREF CERT-VN:VU#723537

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0692 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> ADDREF CERT-VN:VU#723537
   URL:http://www.kb.cert.org/vuls/id/723537


======================================================
Candidate: CAN-2002-0694
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0694
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20020712
Category: SF
Reference: MS:MS02-055
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-055.asp
Reference: XF:win-chm-code-execution(10254)
Reference: URL:http://www.iss.net/security_center/static/10254.php
Reference: OVAL:OVAL403
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL403.html

The HTML Help facility in Microsoft Windows 98, 98 Second Edition,
Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows
2000, and Windows XP uses the Local Computer Security Zone when
opening .chm files from the Temporary Internet Files folder, which
allows remote attackers to execute arbitrary code via HTML mail that
references or inserts a malicious .chm file containing shortcuts that
can be executed, aka "Code Execution via Compiled HTML Help File."


Modifications:
  20040824 ADDREF OVAL:OVAL403

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0694 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0696
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0696
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020712
Category: SF
Reference: MS:MS02-049
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-049.asp
Reference: XF:ms-foxpro-app-execution(10035)
Reference: URL:http://www.iss.net/security_center/static/10035.php
Reference: BID:5633
Reference: URL:http://www.securityfocus.com/bid/5633

Microsoft Visual FoxPro 6.0 does not register its associated files
with Internet Explorer, which allows remote attackers to execute
Visual FoxPro applications without warning via HTML that references
specially-crafted filenames.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0696 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0729
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0729
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020726
Assigned: 20020725
Category: SF
Reference: BUGTRAQ:20020725 Microsoft SQL Server 2000 Unauthenticated System Compromise (#NISR25072002)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102760196931518&w=2
Reference: NTBUGTRAQ:20020725 Microsoft SQL Server 2000 Unauthenticated System Compromise (#NISR25072002)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=102760479902411&w=2

Microsoft SQL Server 2000 allows remote attackers to cause a denial of
service via a malformed 0x08 packet that is missing a colon separator.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-0729 ACCEPT_REV (5 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(4) Baker, Balinsky, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(3) Christey, Cox, Foat
   REVIEWING(1) Wall

Voter Comments:
 Balinsky> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
 Frech> XF:mssql-resolution-service-bo(9661)
 Christey> Microsoft MS02-039 does not mention this issue, therefore it
   is uncertain whether they acknowledged it or not.

   The XF reference is for an overflow, not a malformed packet.


======================================================
Candidate: CAN-2002-0835
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0835
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020808
Category: SF
Reference: REDHAT:RHSA-2002:162
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-162.html
Reference: REDHAT:RHSA-2002:165
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-165.html
Reference: CALDERA:CSSA-2002-044.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-044.0.txt
Reference: HP:HPSBTL0209-066
Reference: URL:http://online.securityfocus.com/advisories/4449
Reference: BID:5596
Reference: URL:http://www.securityfocus.com/bid/5596
Reference: XF:pxe-dhcp-dos(10003)
Reference: URL:http://www.iss.net/security_center/static/10003.php

Preboot eXecution Environment (PXE) server allows remote attackers to
cause a denial of service (crash) via certain DHCP packets from
Voice-Over-IP (VOIP) phones.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0835 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Cox


======================================================
Candidate: CAN-2002-0836
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0836
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020808
Category: SF
Reference: REDHAT:RHSA-2002:194
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-194.html
Reference: REDHAT:RHSA-2002:195
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-195.html
Reference: MANDRAKE:MDKSA-2002:070
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-070.php
Reference: DEBIAN:DSA-207
Reference: URL:http://www.debian.org/security/2002/dsa-207
Reference: BUGTRAQ:20021018 GLSA: tetex
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103497852330838&w=2
Reference: BUGTRAQ:20021216 [OpenPKG-SA-2002.015] OpenPKG Security Advisory (tetex)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104005975415582&w=2
Reference: CONECTIVA:CLA-2002:537
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000537
Reference: HP:HPSBTL0210-073
Reference: URL:http://www.securityfocus.com/advisories/4567
Reference: CERT-VN:VU#169841
Reference: URL:http://www.kb.cert.org/vuls/id/169841
Reference: BID:5978
Reference: URL:http://www.securityfocus.com/bid/5978
Reference: XF:dvips-system-execute-commands(10365)
Reference: URL:http://www.iss.net/security_center/static/10365.php

dvips converter for PostScript files in the tetex package calls the
system() function insecurely, which allows remote attackers to execute
arbitrary commands via certain print jobs, possibly involving fonts.


Modifications:
  20040725 ADDREF REDHAT:RHSA-2002:195

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0836 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Baker, Frech, Wall
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2002:195


======================================================
Candidate: CAN-2002-0840
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020808
Category: SF
Reference: BUGTRAQ:20021002 Apache 2 Cross-Site Scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103357160425708&w=2
Reference: VULNWATCH:20021002 Apache 2 Cross-Site Scripting
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0003.html
Reference: CONFIRM:http://www.apacheweek.com/issues/02-10-04
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=103367938230488&w=2
Reference: CONECTIVA:CLA-2002:530
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000530
Reference: ENGARDE:ESA-20021007-024
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2414.html
Reference: MANDRAKE:MDKSA-2002:068
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-068.php
Reference: DEBIAN:DSA-187
Reference: URL:http://www.debian.org/security/2002/dsa-187
Reference: DEBIAN:DSA-188
Reference: URL:http://www.debian.org/security/2002/dsa-188
Reference: DEBIAN:DSA-195
Reference: URL:http://www.debian.org/security/2002/dsa-195
Reference: HP:HPSBUX0210-224
Reference: URL:http://online.securityfocus.com/advisories/4617
Reference: BUGTRAQ:20021003 [OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103376585508776&w=2
Reference: BUGTRAQ:20021017 TSLSA-2002-0069-apache
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html
Reference: REDHAT:RHSA-2002:222
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-222.html
Reference: REDHAT:RHSA-2002:243
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-243.html
Reference: REDHAT:RHSA-2002:244
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-244.html
Reference: REDHAT:RHSA-2002:248
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-248.html
Reference: REDHAT:RHSA-2002:251
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-251.html
Reference: REDHAT:RHSA-2003:106
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-106.html
Reference: SGI:20021105-02-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021105-02-I
Reference: CERT-VN:VU#240329
Reference: URL:http://www.kb.cert.org/vuls/id/240329
Reference: XF:apache-http-host-xss(10241)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10241
Reference: BID:5847
Reference: URL:http://www.securityfocus.com/bid/5847
Reference: OSVDB:862
Reference: URL:http://www.osvdb.org/862

Cross-site scripting (XSS) vulnerability in the default error page of
Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when
UseCanonicalName is "Off" and support for wildcard DNS is present,
allows remote attackers to execute script as other web page visitors
via the Host: header, a different vulnerability than CAN-2002-1157.


Modifications:
  20040725 ADDREF REDHAT:RHSA-2002:222
  20040725 ADDREF REDHAT:RHSA-2002:243
  20040725 ADDREF REDHAT:RHSA-2002:244
  20040725 ADDREF REDHAT:RHSA-2002:248
  20040725 ADDREF REDHAT:RHSA-2002:251
  20040725 ADDREF SGI:20021105-02-I
  20040725 ADDREF XF:apache-http-host-xss(10241)
  20040725 ADDREF BID:5847
  20040818 ADDREF REDHAT:RHSA-2003:106
  20040818 ADDREF OSVDB:862

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0840 ACCEPT (5 accept, 6 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Wall
   MODIFY(2) Frech, Cox
   NOOP(1) Christey

Voter Comments:
 Christey> CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
 Cox> Addref: RHSA-2002:251
   Addref: RHSA-2002:248
   Addref: RHSA-2002:244
   Addref: RHSA-2002:243
   Addref: RHSA-2002:222
 Frech> XF:apache-http-host-xss(10241)
 Christey> SGI:20021105-02-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/20021105-02-I


======================================================
Candidate: CAN-2002-0842
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0842
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020808
Category: SF
Reference: BUGTRAQ:20030217 Oracle9i Application Server Format String Vulnerability (#NISR16022003d)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104549708626309&w=2
Reference: NTBUGTRAQ:20030217 Oracle9i Application Server Format String Vulnerability (#NISR16022003d)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104549708626309&w=2
Reference: VULNWATCH:20030217 Oracle9i Application Server Format String Vulnerability (#NISR16022003d)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0076.html
Reference: MISC:http://www.nextgenss.com/advisories/ora-appservfmtst.txt
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf
Reference: CERT:CA-2003-05
Reference: URL:http://www.cert.org/advisories/CA-2003-05.html
Reference: CERT-VN:VU#849993
Reference: URL:http://www.kb.cert.org/vuls/id/849993
Reference: CIAC:N-046
Reference: URL:http://www.ciac.org/ciac/bulletins/n-046.shtml
Reference: BUGTRAQ:20030218 CSSA-2003-007.0 Advisory withdrawn.  Re: Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav mo
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104559446010858&w=2
Reference: BUGTRAQ:20030218 Re: CSSA-2003-007.0 Advisory withdrawn.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104560577227981&w=2
Reference: MISC:http://lists.netsys.com/pipermail/full-disclosure/2003-February/004258.html
Reference: XF:oracle-appserver-davpublic-dos(11330)
Reference: URL:http://www.iss.net/security_center/static/11330.php
Reference: BID:6846
Reference: URL:http://www.securityfocus.com/bid/6846

Format string vulnerability in certain third party modifications to
mod_dav for logging bad gateway messages (e.g. Oracle9i Application
Server 9.0.2) allows remote attackers to execute arbitrary code via a
destination URI that forces a "502 Bad Gateway" response, which causes
the format string specifiers to be returned from dav_lookup_uri() in
mod_dav.c, which is then used in a call to ap_log_rerror().


Modifications:
  20040725 ADDREF CERT:CA-2003-05
  20040725 ADDREF CIAC:N-046
  20040725 ADDREF BID:6846
  20040725 ADDREF MISC:http://www.nextgenss.com/advisories/ora-appservfmtst.txt

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: a SCO advisory was released which mentioned this CAN, but it
was quickly rescinded.  This CAN is for the issue addressed by Oracle
only.

NOTE: This CAN was public in 2003.  It has a 2002 identifier because
the CNA (Red Hat) originally assigned the CAN to the issue in 2002;
but due to some early confusion regarding the "location" of the bug,
and the fact that it only affected certain modifications to the
package, and not the original package itself, it was a while before
the bug was published.

INFERRED ACTION: CAN-2002-0842 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Baker, Frech, Cox, Wall
   NOOP(1) Christey

Voter Comments:
 Christey> CERT:CA-2003-05
   URL:http://www.cert.org/advisories/CA-2003-05.html
   CIAC:N-046
   URL:http://www.ciac.org/ciac/bulletins/n-046.shtml
   BID:6846
   URL:http://www.securityfocus.com/bid/6846
   MISC:http://www.nextgenss.com/advisories/ora-appservfmtst.txt


======================================================
Candidate: CAN-2002-0844
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0844
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20020830
Assigned: 20020809
Category: SF
Reference: BUGTRAQ:20020525 [DER ADV#8] - Local off by one in CVSD
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102233767925177&w=2
Reference: VULNWATCH:20020525 [DER ADV#8] - Local off by one in CVSD
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
Reference: CALDERA:CSSA-2002-035.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-035.0.txt
Reference: REDHAT:RHSA-2004:004
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-004.html
Reference: SGI:20040103-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040103-01-U.asc
Reference: XF:cvs-rcs-offbyone-bo(9175)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9175
Reference: BID:4829
Reference: URL:http://www.securityfocus.com/bid/4829

Off-by-one overflow in the CVS PreservePermissions of rcs.c for CVSD
before 1.11.2 allows local users to execute arbitrary code.


Modifications:
  20040725 ADDREF XF:cvs-rcs-offbyone-bo(9175)
  20040725 ADDREF REDHAT:RHSA-2004:004
  20040725 ADDREF SGI:20040103-01-U

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0844 ACCEPT_REV (6 accept, 3 ack, 1 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Alderson, Baker, Cox
   MODIFY(1) Frech
   NOOP(2) Christey, Foat
   REVIEWING(1) Jones

Voter Comments:
 Jones> Vulnerable version unclear.  CVE description says 1.11.2, Caldera
   reference says 1.11-8 is both vulnerable AND is the version of the patched
   code.
 Frech> XF:cvs-rcs-offbyone-bo(9175)
 Christey> REDHAT:RHSA-2004:004
   URL:http://www.redhat.com/support/errata/RHSA-2004-004.html
 Christey> SGI:20040103-01-U
   URL:ftp://patches.sgi.com/support/free/security/advisories/20040103-01-U.asc


======================================================
Candidate: CAN-2002-0850
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0850
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020809
Category: SF
Reference: BUGTRAQ:20020906 Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103133995920090&w=2
Reference: VULNWATCH:20020905 Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0106.html
Reference: CONFIRM:http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/ReadMe.txt
Reference: XF:pgp-long-filename-bo(10043)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10043
Reference: BID:5656
Reference: URL:http://www.securityfocus.com/bid/5656

Buffer overflow in PGP Corporate Desktop 7.1.1 allows remote attackers
to execute arbitrary code via an encrypted document that has a long
filename when it is decrypted.


Modifications:
  20040725 ADDREF XF:pgp-long-filename-bo(10043)
  20040725 ADDREF BID:5656

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The release notes for PGP Corporate Desktop 7.1.x
state: "While PGP supports long file names, it encounters problems
when it tries to encrypt or decrypt files that have names longer than
200 characters... For more information on this issue, see Foundstone
Labs Advisory - 080202-PCRO."  While the advisory ID is different than
the one in Foundstone's Bugtraq post, Foundstone did confirm via email
that both IDs reference the same issue.

INFERRED ACTION: CAN-2002-0850 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-0864
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0864
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020815
Category: SF
Reference: BUGTRAQ:20020916 Microsoft Windows XP Remote Desktop denial of service vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103235745116592&w=2
Reference: BUGTRAQ:20020918 Microsoft Windows Terminal Services vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103236181522253&w=2
Reference: MS:MS02-051
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-051.asp
Reference: XF:winxp-remote-desktop-dos(10120)
Reference: URL:http://www.iss.net/security_center/static/10120.php
Reference: BID:5713
Reference: URL:http://www.securityfocus.com/bid/5713

The Remote Data Protocol (RDP) version 5.1 in Microsoft Windows XP
allows remote attackers to cause a denial of service (crash) when
Remote Desktop is enabled via a PDU Confirm Active data packet that
does not set the Pattern BLT command, aka "Denial of Service in
Remote Desktop."

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0864 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-0865
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0865
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020815
Category: SF
Reference: MS:MS02-052
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-052.asp
Reference: CERT-VN:VU#140898
Reference: URL:http://www.kb.cert.org/vuls/id/140898
Reference: XF:msvm-xml-methods-access(10135)
Reference: URL:http://www.iss.net/security_center/static/10135.php
Reference: BID:5752
Reference: URL:http://online.securityfocus.com/bid/5752

A certain class that supports XML (Extensible Markup Language) in
Microsoft Virtual Machine (VM) 5.0.3805 and earlier, probably
com.ms.osp.ospmrshl, exposes certain unsafe methods, which allows
remote attackers to execute unsafe code via a Java applet, aka
"Inappropriate Methods Exposed in XML Support Classes."


Modifications:
  20040725 ADDREF CERT-VN:VU#140898

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0865 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Wall
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> ADDREF CERT-VN:VU#140898
   URL:http://www.kb.cert.org/vuls/id/140898

   This VU# also explicitly mentions the com.ms.osp.ospmrshl
   class.


======================================================
Candidate: CAN-2002-0866
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0866
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020815
Category: SF
Reference: BUGTRAQ:20020923 Technical information about the vulnerabilities fixed by MS-02-52
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0271.html
Reference: MS:MS02-052
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-052.asp
Reference: CERT-VN:VU#307306
Reference: URL:http://www.kb.cert.org/vuls/id/307306
Reference: XF:msvm-jdbc-dll-execution(10133)
Reference: URL:http://www.iss.net/security_center/static/10133.php
Reference: BID:5751
Reference: URL:http://online.securityfocus.com/bid/5751

Java Database Connectivity (JDBC) classes in Microsoft Virtual Machine
(VM) up to and including 5.0.3805 allow remote attackers to load and
execute DLLs (dynamic link libraries) via a Java applet that calls the
constructor for com.ms.jdbc.odbc.JdbcOdbc with the desired DLL
terminated by a null string, aka "DLL Execution via JDBC Classes."


Modifications:
  20040725 ADDREF CERT-VN:VU#307306

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0866 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Wall
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> ADDREF CERT-VN:VU#307306
   URL:http://www.kb.cert.org/vuls/id/307306


======================================================
Candidate: CAN-2002-0867
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0867
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020815
Category: SF
Reference: MS:MS02-052
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-052.asp
Reference: CERT-VN:VU#792881
Reference: URL:http://www.kb.cert.org/vuls/id/792881
Reference: XF:msvm-jdbc-ie-dos(10134)
Reference: URL:http://www.iss.net/security_center/static/10134.php

Microsoft Virtual Machine (VM) up to and including build 5.0.3805
allows remote attackers to cause a denial of service (crash) in
Internet Explorer via invalid handle data in a Java applet, aka
"Handle Validation Flaw."


Modifications:
  20040725 CERT-VN:VU#792881

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0867 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Wall
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> ADDREF CERT-VN:VU#792881
   URL:http://www.kb.cert.org/vuls/id/792881
   Consider adding BID:5670


======================================================
Candidate: CAN-2002-0895
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0895
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020522 MatuFtpServer Remote Buffer Overflow and Possible DoS
Reference: URL:http://online.securityfocus.com/archive/1/273581
Reference: BID:4792
Reference: URL:http://www.securityfocus.com/bid/4792
Reference: XF:matuftpserver-pass-bo(9138)
Reference: URL:http://www.iss.net/security_center/static/9138.php

Buffer overflow in MatuFtpServer 1.1.3.0 (1.1.3) allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a long PASS (password) command.

Analysis
--------
Vendor Acknowledgement:

ACKNOWLEDGEMENT: vendor web page is in Japanese, so acknowledgement
could not be determined.

INFERRED ACTION: CAN-2002-0895 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Alderson, Frech, Jones
   NOOP(4) Cole, Armstrong, Cox, Foat

Voter Comments:
 Alderson> The fact that the vendor page is in Japanese and therefore couldn't
   be verified may highlight future problems of a similar nature.


======================================================
Candidate: CAN-2002-0969
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0969
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020820
Category: SF
Reference: VULNWATCH:20021002 wp-02-0003: MySQL Locally Exploitable Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0004.html
Reference: BUGTRAQ:20021002 wp-02-0003: MySQL Locally Exploitable Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103358628011935&w=2
Reference: MISC:http://www.westpoint.ltd.uk/advisories/wp-02-0003.txt
Reference: CONFIRM:http://www.mysql.com/documentation/mysql/bychapter/manual_News.html#News-3.23.x
Reference: XF:mysql-myini-datadir-bo(10243)
Reference: URL:http://www.iss.net/security_center/static/10243.php
Reference: BID:5853
Reference: URL:http://www.securityfocus.com/bid/5853

Buffer overflow in MySQL daemon (mysqld) before 3.23.50, and 4.0 beta
before 4.02, on the Win32 platform, allows local users to execute
arbitrary code via a long "datadir" parameter in the my.ini
initialization file, whose permissions on Windows allow Full Control
to the Everyone group.


Modifications:
  20040725 desc - add Win32

Analysis
--------
Vendor Acknowledgement: unknown

ACKNOWLEDGEMENT: The changelog for "Changes in release 3.23.50 (21 Apr
2002)" says: "Fixed buffer overflow problem if someone specified a too
long datadir parameter to mysqld."

INFERRED ACTION: CAN-2002-0969 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Cox, Wall

Voter Comments:
 Cox> Note that description should refer to Win32 platform
 Green> THE VENDOR'S STATEMENTS IN THE CHANGELOG SHOULD SUFFICE AS ACKNOWLEDGEMENT


======================================================
Candidate: CAN-2002-0970
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0970
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020830
Assigned: 20020821
Category: SF
Reference: BUGTRAQ:20020812 Re: IE SSL Vulnerability (Konqueror affected too)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102918241005893&w=2
Reference: BUGTRAQ:20020818 KDE Security Advisory: Konqueror SSL vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0170.html
Reference: CONFIRM:http://www.kde.org/info/security/advisory-20020818-1.txt
Reference: DEBIAN:DSA-155
Reference: URL:http://www.debian.org/security/2002/dsa-155
Reference: MANDRAKE:MDKSA-2002:058
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:058
Reference: CALDERA:CSSA-2002-047.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-047.0.txt
Reference: CONECTIVA:CLA-2002:519
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000519
Reference: REDHAT:RHSA-2002:220
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-220.html
Reference: REDHAT:RHSA-2002:221
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-221.html
Reference: XF:ssl-ca-certificate-spoofing(9776)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9776
Reference: BID:5410
Reference: URL:http://www.securityfocus.com/bid/5410

The SSL capability for Konqueror in KDE 3.0.2 and earlier does not
verify the Basic Constraints for an intermediate CA-signed
certificate, which allows remote attackers to spoof the certificates
of trusted sites via a man-in-the-middle attack.


Modifications:
  ADDREF BUGTRAQ:20020818 KDE Security Advisory: Konqueror SSL vulnerability
  ADDREF CONFIRM:http://www.kde.org/info/security/advisory-20020818-1.txt
  ADDREF MANDRAKE:MDKSA-2002:058
  ADDREF CALDERA:CSSA-2002-047.0
  ADDREF CONECTIVA:CLA-2002:519
  ADDREF REDHAT:RHSA-2002:220
  20040725 ADDREF XF:ssl-ca-certificate-spoofing(9776)
  20040725 ADDREF BID:5410
  20040818 ADDREF REDHAT:RHSA-2002:221

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0970 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   MODIFY(1) Frech
   NOOP(3) Foat, Christey, Wall

Voter Comments:
 Christey> CAN-2002-0970 and CAN-2002-0828 are treated differently
   because, as I understand it, the SSL design requires that
   you verify Basic Constraints.  Here, we have 2 separate
   implementations that had the same implementation error,
   just like the 20+ FTP servers have the "buffer overflow
   in USER command" implementation error.  It is assumed
   that CAN-2002-0970 and CAN-2002-0828 don't share the same
   codebases.
 Christey> BUGTRAQ:20020818 KDE Security Advisory: Konqueror SSL vulnerability
   URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0170.html
 Christey> CONFIRM:http://www.kde.org/info/security/advisory-20020818-1.txt
   MANDRAKE:MDKSA-2002:058
 Christey> CALDERA:CSSA-2002-047.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-047.0.txt
 Christey> CONECTIVA:CLA-2002:519
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000519
 Christey> REDHAT:RHSA-2002:220
 Frech> XF:ssl-ca-certificate-spoofing(9776)


======================================================
Candidate: CAN-2002-0974
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0974
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020830
Assigned: 20020821
Category: SF
Reference: BUGTRAQ:20020815 Delete arbitrary files using Help and Support Center [MSRC 1198dg]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102942549832077&w=2
Reference: MS:MS02-060
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-060.asp
Reference: MSKB:Q328940
Reference: URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];Q328940
Reference: XF:winxp-helpctr-delete-files(9878)
Reference: URL:http://www.iss.net/security_center/static/9878.php
Reference: BID:5478
Reference: URL:http://www.securityfocus.com/bid/5478
Reference: OSVDB:3001
Reference: URL:http://www.osvdb.org/3001

Help and Support Center for Windows XP allows remote attackers to
delete arbitrary files via a link to the hcp: protocol that accesses
uplddrvinfo.htm.


Modifications:
  20040725 ADDREF MS:MS02-060
  20040725 ADDREF MSKB:Q328940
  20040725 ADDREF XF:winxp-helpctr-delete-files(9878)
  20040725 ADDREF BID:5478
  20040818 ADDREF OSVDB:3001

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-0974 ACCEPT_REV (3 accept, 2 ack, 1 review)

Current Votes:
   ACCEPT(2) Foat, Armstrong
   MODIFY(1) Frech
   NOOP(3) Cole, Christey, Cox
   REVIEWING(1) Wall

Voter Comments:
 Christey> MSKB:Q328940
 Christey> MS:MS02-060
   URL:http://www.microsoft.com/technet/security/bulletin/ms02-060.asp
   XF:winxp-helpctr-delete-files(9878)
   URL:http://www.iss.net/security_center/static/9878.php
   BID:5478
   URL:http://www.securityfocus.com/bid/5478
 Frech> XF:winxp-helpctr-delete-files(9878)


======================================================
Candidate: CAN-2002-0985
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020830
Assigned: 20020823
Category: SF
Reference: BUGTRAQ:20020823 PHP: Bypass safe_mode and inject ASCII control chars with mail()
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103011916928204&w=2
Reference: DEBIAN:DSA-168
Reference: URL:http://www.debian.org/security/2002/dsa-168
Reference: REDHAT:RHSA-2002:213
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-213.html
Reference: REDHAT:RHSA-2002:214
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-214.html
Reference: REDHAT:RHSA-2002:243
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-243.html
Reference: REDHAT:RHSA-2002:244
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-244.html
Reference: REDHAT:RHSA-2002:248
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-248.html
Reference: REDHAT:RHSA-2003:159
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-159.html
Reference: SUSE:SuSE-SA:2002:036
Reference: URL:http://www.suse.de/de/security/2002_036_modphp4.html
Reference: CONECTIVA:CLA-2002:545
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000545
Reference: CALDERA:CSSA-2003-008.0
Reference: XF:php-mail-safemode-bypass(9966)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9966
Reference: BUGTRAQ:20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105760591228031&w=2
Reference: MANDRAKE:MDKSA-2003:082
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:0
Reference: OSVDB:2111
Reference: URL:http://www.osvdb.org/2111

Argument injection vulnerability in the mail function for PHP 4.x to
4.2.2 may allow attackers to bypass safe mode restrictions and modify
command line arguments to the MTA (e.g. sendmail) in the 5th argument
to mail(), altering MTA behavior and possibly executing commands.


Modifications:
  20040725 desc change "remote attackers"
  20040725 desc say "argument injection"
  20040725 ADDREF DEBIAN:DSA-168
  20040725 ADDREF SUSE:SuSE-SA:2002:036
  20040725 ADDREF REDHAT:RHSA-2002:213
  20040725 ADDREF CONECTIVA:CLA-2002:545
  20040725 ADDREF CALDERA:CSSA-2003-008.0
  20040725 ADDREF XF:php-mail-safemode-bypass(9966)
  20040725 ADDREF BUGTRAQ:20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)
  20040725 ADDREF MANDRAKE:MDKSA-2003:082
  20040818 ADDREF REDHAT:RHSA-2002:214
  20040818 ADDREF REDHAT:RHSA-2002:243
  20040818 ADDREF REDHAT:RHSA-2002:244
  20040818 ADDREF REDHAT:RHSA-2002:248
  20040818 ADDREF REDHAT:RHSA-2003:159
  20040818 ADDREF OSVDB:2111

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0985 ACCEPT_ACK (2 accept, 4 ack, 0 review)

Current Votes:
   MODIFY(2) Frech, Cox
   NOOP(5) Foat, Cole, Armstrong, Christey, Wall

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 CHANGE> [Cox changed vote from ACCEPT to MODIFY]
 Cox> this should read "local script authors" not "remote attackers"
   (can be confirmed by checking the PHP advisory too).
 Christey> DEBIAN:DSA-168
 Christey> SUSE:SuSE-SA:2002:036
 Christey> REDHAT:RHSA-2002:213
   URL:http://www.redhat.com/support/errata/RHSA-2002-213.html
 Christey> CONECTIVA:CLA-2002:545
 Christey> Ummm... what is the relationship between this and
   CVE-2001-1246?  The Debian advisory may help to make the
   distinction.

   XF:php-mail-safemode-bypass(9966)
   URL:http://www.iss.net/security_center/static/9966.php
 Christey> CALDERA:CSSA-2003-008.0
 Frech> XF:php-mail-safemode-bypass(9966)
 Christey> BUGTRAQ:20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105760591228031&w=2
 Christey> MANDRAKE:MDKSA-2003:082
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:082


======================================================
Candidate: CAN-2002-0986
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20020830
Assigned: 20020823
Category: SF
Reference: BUGTRAQ:20020823 PHP: Bypass safe_mode and inject ASCII control chars with mail()
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103011916928204&w=2
Reference: DEBIAN:DSA-168
Reference: URL:http://www.debian.org/security/2002/dsa-168
Reference: SUSE:SuSE-SA:2002:036
Reference: URL:http://www.suse.de/de/security/2002_036_modphp4.html
Reference: REDHAT:RHSA-2002:213
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-213.html
Reference: REDHAT:RHSA-2002:214
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-214.html
Reference: REDHAT:RHSA-2002:243
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-243.html
Reference: REDHAT:RHSA-2002:244
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-244.html
Reference: REDHAT:RHSA-2002:248
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-248.html
Reference: REDHAT:RHSA-2003:159
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-159.html
Reference: CONECTIVA:CLA-2002:545
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000545
Reference: CALDERA:CSSA-2003-008.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-008.0.txt
Reference: MANDRAKE:MDKSA-2003:082
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:082
Reference: BUGTRAQ:20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105760591228031&w=2
Reference: XF:php-mail-ascii-injection(9959)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9959
Reference: BID:5562
Reference: URL:http://www.securityfocus.com/bid/5562
Reference: OSVDB:2160
Reference: URL:http://www.osvdb.org/2160

The mail function in PHP 4.x to 4.2.2 does not filter ASCII control
characters from its arguments, which could allow remote attackers to
modify mail message content, including mail headers, and possibly use
PHP as a "spam proxy."


Modifications:
  20040725 ADDREF DEBIAN:DSA-168
  20040725 ADDREF SUSE:SuSE-SA:2002:036
  20040725 ADDREF REDHAT:RHSA-2002:213
  20040725 ADDREF CONECTIVA:CLA-2002:545
  20040725 ADDREF CALDERA:CSSA-2003-008.0
  20040725 ADDREF MANDRAKE:MDKSA-2003:082
  20040725 ADDREF BUGTRAQ:20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)
  20040725 ADDREF XF:php-mail-ascii-injection(9959)
  20040725 ADDREF BID:5562
  20040818 ADDREF REDHAT:RHSA-2002:214
  20040818 ADDREF REDHAT:RHSA-2002:243
  20040818 ADDREF REDHAT:RHSA-2002:244
  20040818 ADDREF REDHAT:RHSA-2002:248
  20040818 ADDREF REDHAT:RHSA-2003:159
  20040818 ADDREF OSVDB:2160

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0986 ACCEPT_ACK (2 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(1) Cox
   MODIFY(1) Frech
   NOOP(5) Foat, Cole, Armstrong, Christey, Wall

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Christey> DEBIAN:DSA-168
 Christey> SUSE:SuSE-SA:2002:036
 Christey> REDHAT:RHSA-2002:213
   URL:http://www.redhat.com/support/errata/RHSA-2002-213.html
 Christey> CONECTIVA:CLA-2002:545
 Christey> XF:php-mail-ascii-injection(9959)
   URL:http://www.iss.net/security_center/static/9959.php
   BID:5562
   URL:http://www.securityfocus.com/bid/5562
 Christey> CALDERA:CSSA-2003-008.0
 Frech> XF:php-mail-ascii-injection(9959)
 Christey> BUGTRAQ:20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105760591228031&w=2
 Christey> MANDRAKE:MDKSA-2003:082
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:082


======================================================
Candidate: CAN-2002-0990
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0990
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020827
Category: SF
Reference: BUGTRAQ:20021014 Multiple Symantec Firewall Secure Webserver timeout DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103463869503124&w=2
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.10.11.html
Reference: BID:5958
Reference: URL:http://www.securityfocus.com/bid/5958
Reference: XF:simple-webserver-url-dos(10364)
Reference: URL:http://www.iss.net/security_center/static/10364.php

The web proxy component in Symantec Enterprise Firewall (SEF) 6.5.2
through 7.0, Raptor Firewall 6.5 and 6.5.3, VelociRaptor, and Symantec
Gateway Security allows remote attackers to cause a denial of service
(connection resource exhaustion) via multiple connection requests to
domains whose DNS server is unresponsive or does not exist, which
generates a long timeout.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-0990 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1091
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1091
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: BUGTRAQ:20020906 zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: GIFs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103134051120770&w=2
Reference: MISC:http://crash.ihug.co.nz/~Sneuro/zerogif/
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=157989
Reference: MANDRAKE:MDKSA-2002:075
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:075
Reference: REDHAT:RHSA-2002:192
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-192.html
Reference: REDHAT:RHSA-2003:046
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-046.html
Reference: XF:netscape-zero-gif-bo(10058)
Reference: URL:http://www.iss.net/security_center/static/10058.php
Reference: BID:5665
Reference: URL:http://www.securityfocus.com/bid/5665

Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers
to corrupt heap memory and execute arbitrary code via a GIF image with
a zero width.


Modifications:
  20040725 ADDREF REDHAT:RHSA-2003:046

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1091 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2003:046
 Green> ACKNOWLEDGED IN REDHAT ERRATA


======================================================
Candidate: CAN-2002-1092
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1092
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020903 Cisco VPN 3000 Concentrator Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Reference: XF:cisco-vpn-bypass-authentication(10017)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10017
Reference: BID:5613
Reference: URL:http://www.securityfocus.com/bid/5613

Cisco VPN 3000 Concentrator 3.6(Rel) and earlier, and 2.x.x, when
configured to use internal authentication with group accounts and
without any user accounts, allows remote VPN clients to log in using
PPTP or IPSEC user authentication.


Modifications:
  20040725 ADDREF XF:cisco-vpn-bypass-authentication(10017)
  20040725 ADDREF BID:5613

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1092 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1093
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1093
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020903 Cisco VPN 3000 Concentrator Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Reference: XF:cisco-vpn-html-parser-dos(10018)
Reference: URL:http://www.iss.net/security_center/static/10018.php
Reference: BID:5615
Reference: URL:http://www.securityfocus.com/bid/5615

HTML interface for Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before
3.0.3(B) allows remote attackers to cause a denial of service (CPU
consumption) via a long URL request.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1093 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1095
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020903 Cisco VPN 3000 Concentrator Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Reference: XF:cisco-vpn-pptp-dos(10021)
Reference: URL:http://www.iss.net/security_center/static/10021.php
Reference: BID:5625
Reference: URL:http://www.securityfocus.com/bid/5625

Cisco VPN 3000 Concentrator before 2.5.2(F), with encryption enabled,
allows remote attackers to cause a denial of service (reload) via a
Windows-based PPTP client with the "No Encryption" option set.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1095 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1096
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1096
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020903 Cisco VPN 3000 Concentrator Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Reference: BID:5611
Reference: URL:http://www.securityfocus.com/bid/5611
Reference: XF:cisco-vpn-user-passwords(10019)
Reference: URL:http://www.iss.net/security_center/static/10019.php

Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.1, allows
restricted administrators to obtain user passwords that are stored in
plaintext in HTML source code.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1096 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1097
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1097
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020903 Cisco VPN 3000 Concentrator Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Reference: XF:cisco-vpn-certificate-passwords(10022)
Reference: URL:http://www.iss.net/security_center/static/10022.php
Reference: BID:5612
Reference: URL:http://www.securityfocus.com/bid/5612

Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.2, allows
restricted administrators to obtain certificate passwords that are
stored in plaintext in the HTML source code for Certificate Management
pages.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1097 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1098
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1098
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020903 Cisco VPN 3000 Concentrator Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Reference: XF:cisco-vpn-xml-filter(10023)
Reference: URL:http://www.iss.net/security_center/static/10023.php
Reference: BID:5614
Reference: URL:http://www.securityfocus.com/bid/5614

Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, adds an
"HTTPS on Public Inbound (XML-Auto)(forward/in)" rule but sets the
protocol to "ANY" when the XML filter configuration is enabled, which
ultimately allows arbitrary traffic to pass through the concentrator.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1098 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1099
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1099
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020903 Cisco VPN 3000 Concentrator Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Reference: XF:cisco-vpn-web-access(10024)
Reference: URL:http://www.iss.net/security_center/static/10024.php
Reference: BID:5616
Reference: URL:http://www.securityfocus.com/bid/5616

Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote
attackers to obtain potentially sensitive information without
authentication by directly accessing certain HTML pages.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1099 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1102
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1102
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020903 Cisco VPN 3000 Concentrator Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
Reference: XF:cisco-vpn-lan-connection-dos(10027)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10027
Reference: BID:5622
Reference: URL:http://www.securityfocus.com/bid/5622

The LAN-to-LAN IPSEC capability for Cisco VPN 3000 Concentrator 2.2.x,
and 3.x before 3.5.4, allows remote attackers to cause a denial of
service via an incoming LAN-to-LAN connection with an existing
security association with another device on the remote network, which
causes the concentrator to remove the previous connection.


Modifications:
  20040725 ADDREF XF:cisco-vpn-lan-connection-dos(10027)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1102 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1104
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1104
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020905 Cisco VPN Client Multiple Vulnerabilities - Second Set
Reference: URL:http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml
Reference: XF:cisco-vpn-tcp-dos(10042)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10042
Reference: BID:5649
Reference: URL:http://www.securityfocus.com/bid/5649

Cisco Virtual Private Network (VPN) Client software 2.x.x and 3.x
before 3.0.5 allows remote attackers to cause a denial of service
(crash) via TCP packets with source and destination ports of 137
(NETBIOS).


Modifications:
  20040725 ADDREF XF:cisco-vpn-tcp-dos(10042)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1104 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1105
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1105
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020905 Cisco VPN Client Multiple Vulnerabilities - Second Set
Reference: URL:http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml
Reference: XF:cisco-vpn-obtain-password(10044)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10044
Reference: BID:5650
Reference: URL:http://www.securityfocus.com/bid/5650

Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x
before 3.5.1C, allows local users to use a utility program to obtain
the group password.


Modifications:
  20040725 desc - add "local users"
  20040725 ADDREF XF:cisco-vpn-obtain-password(10044)
  20040725 ADDREF BID:5650

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1105 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(1) Cox
   REVIEWING(1) Jones

Voter Comments:
 Jones> [JHJ] "...allows local attackers..."?


======================================================
Candidate: CAN-2002-1106
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1106
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020905 Cisco VPN Client Multiple Vulnerabilities - Second Set
Reference: URL:http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml
Reference: XF:cisco-vpn-certificate-mitm(10045)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10045
Reference: BID:5652
Reference: URL:http://www.securityfocus.com/bid/5652

Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x
before 3.5.1C, does not properly verify that certificate DN fields
match those of the certificate from the VPN Concentrator, which allows
remote attackers to conduct man-in-the-middle attacks.


Modifications:
  20040725 ADDREF XF:cisco-vpn-certificate-mitm(10045)
  20040725 ADDREF BID:5652

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1106 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1107
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1107
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020905 Cisco VPN Client Multiple Vulnerabilities - Second Set
Reference: URL:http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml
Reference: XF:cisco-vpn-random-numbers(10046)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10046
Reference: BID:5653
Reference: URL:http://www.securityfocus.com/bid/5653

Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x
before 3.5.2B, does not generate sufficiently random numbers, which
may make it vulnerable to certain attacks such as spoofing.


Modifications:
  20040725 ADDREF XF:cisco-vpn-random-numbers(10046)
  20040725 ADDREF BID:5653

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1107 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Jones
   NOOP(1) Cox

Voter Comments:
 Jones> Suggest changing "...vulnerable to certain attacks such as
   spoofing." to "vulnerable to certain attacks which exploit this
   cryptographic weakness."  Spoofing is a specific example of a broader class
   of attacks based on the weak RN generation.


======================================================
Candidate: CAN-2002-1108
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1108
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CISCO:20020905 Cisco VPN Client Multiple Vulnerabilities - Second Set
Reference: URL:http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml
Reference: XF:cisco-vpn-tcp-filter(10047)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10047
Reference: BID:5651
Reference: URL:http://www.securityfocus.com/bid/5651

Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x
before 3.6(Rel), when configured with all tunnel mode, can be forced
into acknowledging a TCP packet from outside the tunnel.


Modifications:
  ADDREF 20040725 XF:cisco-vpn-tcp-filter(10047)
  ADDREF 20040725 BID:5651

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1108 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Jones
   NOOP(1) Cox

Voter Comments:
 Jones> Suggest adding quotes around "all tunnel", e.g., ...configured
   with "all tunnel" mode..., to remove amiguity.


======================================================
Candidate: CAN-2002-1109
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1109
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=amavis-announce&m=103121272122242&w=2
Reference: BUGTRAQ:20020905 GLSA: amavis
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103124270321404&w=2
Reference: XF:amavis-securetar-tar-dos(10056)
Reference: URL:http://www.iss.net/security_center/static/10056.php

securetar, as used in AMaViS shell script 0.2.1 and earlier, allows
users to cause a denial of service (CPU consumption) via a malformed
TAR file, possibly via an incorrect file size parameter.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1109 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1111
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1111
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: BUGTRAQ:20020819 [Mantis Advisory/2002-02] Limiting output to reporters can be bypassed
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102978873620491&w=2
Reference: DEBIAN:DSA-153
Reference: URL:http://www.debian.org/security/2002/dsa-153
Reference: BID:5515
Reference: URL:http://www.securityfocus.com/bid/5515
Reference: XF:mantis-limit-reporters-bypass(9898)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9898

print_all_bug_page.php in Mantis 0.17.3 and earlier does not verify
the limit_reporters option, which allows remote attackers to view bug
summaries for bugs that would otherwise be restricted.


Modifications:
  20040725 ADDREF XF:mantis-limit-reporters-bypass(9898)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1111 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1112
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1112
Final-Decision:
Interim-Decision: 20040825
Modified: 20040725
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: BUGTRAQ:20020819 [Mantis Advisory/2002-03] Bug listings of private projects can be viewed through cookie manipulation
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102978673018271&w=2
Reference: DEBIAN:DSA-153
Reference: URL:http://www.debian.org/security/2002/dsa-153
Reference: BID:5514
Reference: URL:http://www.securityfocus.com/bid/5514
Reference: XF:mantis-private-project-bug-listing(9899)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9899

Mantis before 0.17.4 allows remote attackers to list project bugs
without authentication by modifying the cookie that is used by the
"View Bugs" page.


Modifications:
  20040725 ADDREF XF:mantis-private-project-bug-listing(9899)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1112 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1113
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1113
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: BUGTRAQ:20020813 mantisbt security flaw
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102927873301965&w=2
Reference: BUGTRAQ:20020819 [Mantis Advisory/2002-04] Arbitrary code execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102978924821040&w=2
Reference: DEBIAN:DSA-153
Reference: URL:http://www.debian.org/security/2002/dsa-153
Reference: BID:5504
Reference: URL:http://www.securityfocus.com/bid/5504
Reference: XF:mantis-include-remote-files(9829)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9829
Reference: OSVDB:4858
Reference: URL:http://www.osvdb.org/4858

summary_graph_functions.php in Mantis 0.17.3 and earlier allows remote
attackers to execute arbitrary PHP code by modifying the
g_jpgraph_path parameter to reference the location of the PHP code.


Modifications:
  20040725 ADDREF XF:mantis-include-remote-files(9829)
  20040818 ADDREF OSVDB:4858

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1113 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1116
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1116
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: BUGTRAQ:20020823 [Mantis Advisory/2002-07] Bugs in private projects listed on 'View Bugs'
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103014152320112&w=2
Reference: DEBIAN:DSA-161
Reference: URL:http://www.debian.org/security/2002/dsa-161

The "View Bugs" page (view_all_bug_page.php) in Mantis 0.17.4a and
earlier includes summaries of private bugs for users that do not have
access to any projects.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1116 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1117
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1117
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20020906
Category: SF
Reference: BUGTRAQ:20020906 Veritas Backup Exec opens networks for NetBIOS based attacks?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103134395124579&w=2
Reference: BUGTRAQ:20020906 UPDATE: (Was Veritas Backup Exec opens networks for NetBIOS based attacks?)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103134930629683&w=2
Reference: CONFIRM:http://seer.support.veritas.com/docs/238618.htm
Reference: XF:veritas-backupexec-restrictanonymous-zero(10093)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10093
Reference: OSVDB:8230
Reference: URL:http://www.osvdb.org/8230
Reference: OVAL:OVAL1036
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL1036.html

Veritas Backup Exec 8.5 and earlier requires that the
"RestrictAnonymous" registry key for Microsoft Exchange 2000 must be
set to 0, which enables anonymous listing of the SAM database and
shares.


Modifications:
  20040804 ADDREF XF:veritas-backupexec-restrictanonymous-zero(10093)
  20040818 ADDREF OSVDB:8230
  20040824 ADDREF OVAL:OVAL1036

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-1117 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1118
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1118
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020909
Category: SF
Reference: VULNWATCH:20021009 R7-0006: Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0017.html
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf
Reference: XF:oracle-net-services-dos(10283)
Reference: URL:http://www.iss.net/security_center/static/10283.php
Reference: BID:5678
Reference: URL:http://www.securityfocus.com/bid/5678

TNS Listener in Oracle Net Services for Oracle 9i 9.2.x and 9.0.x, and
Oracle 8i 8.1.x, allows remote attackers to cause a denial of service
(hang or crash) via a SERVICE_CURLOAD command.


Modifications:
  20040804 ADDREF BID:5678

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1118 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1119
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020909
Category: SF
Reference: MISC:http://mail.python.org/pipermail/python-dev/2002-August/027229.html
Reference: DEBIAN:DSA-159
Reference: URL:http://www.debian.org/security/2002/dsa-159
Reference: CONECTIVA:CLA-2002:527
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000527
Reference: CALDERA:CSSA-2002-045.0
Reference: MANDRAKE:MDKSA-2002:082
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-082.php
Reference: REDHAT:RHSA-2002:202
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-202.html
Reference: REDHAT:RHSA-2003:048
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-048.html
Reference: BUGTRAQ:20030123 [OpenPKG-SA-2003.006] OpenPKG Security Advisory (python)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104333092200589&w=2
Reference: XF:python-execvpe-tmpfile-symlink(10009)
Reference: URL:http://www.iss.net/security_center/static/10009.php
Reference: BID:5581
Reference: URL:http://www.securityfocus.com/bid/5581

os._execvpe from os.py in Python 2.2.1 and earlier creates temporary
files with predictable names, which could allow local users to execute
arbitrary code via a symlink attack.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2003:048

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1119 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2003:048


======================================================
Candidate: CAN-2002-1122
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1122
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020911
Category: SF
Reference: VULNWATCH:20020918 Foundstone Research Labs Advisory - Remotely Exploitable Buffer Overflow in ISS Scanner
Reference: ISS:20020918 Flaw in Internet Scanner Parsing Mechanism
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21165
Reference: XF:is-http-response-bo(10130)
Reference: URL:http://www.iss.net/security_center/static/10130.php
Reference: BID:5738
Reference: URL:http://www.securityfocus.com/bid/5738
Reference: OSVDB:3150
Reference: URL:http://www.osvdb.org/3150

Buffer overflow in the parsing mechanism for ISS Internet Scanner
6.2.1, when using the license banner HTTP check, allows remote
attackers to execute arbitrary code via a long web server response.


Modifications:
  20040818 ADDREF OSVDB:3150

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1122 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1123
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1123
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020911
Category: SF
Reference: BUGTRAQ:20020806 SPIKE 2.5 and associated vulns
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102865925419469&w=2
Reference: BUGTRAQ:20020807 MS SQL Server Hello Overflow NASL script
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102873609025020&w=2
Reference: MS:MS02-056
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-056.asp
Reference: BID:5411
Reference: URL:http://online.securityfocus.com/bid/5411
Reference: XF:mssql-preauth-bo(9788)
Reference: URL:http://www.iss.net/security_center/static/9788.php

Buffer overflow in the authentication function for Microsoft SQL
Server 2000 and Microsoft Desktop Engine (MSDE) 2000 allows remote
attackers to execute arbitrary code via a long request to TCP port
1433, aka the "Hello" overflow.


Modifications:
  20040804 [refs] delete extra XF:mssql-preauth-bo(9788)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1123 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1126
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1126
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020917
Category: SF
Reference: BUGTRAQ:20020911 Privacy leak in mozilla
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103176760004720&w=2
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=145579
Reference: REDHAT:RHSA-2002:192
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-192.html
Reference: REDHAT:RHSA-2003:046
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-046.html
Reference: MANDRAKE:MDKSA-2002:075
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:075
Reference: XF:mozilla-onunload-url-leak(10084)
Reference: URL:http://www.iss.net/security_center/static/10084.php
Reference: BID:5694
Reference: URL:http://www.securityfocus.com/bid/5694

Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape
and Galeon, set the document referrer too quickly in certain
situations when a new page is being loaded, which allows web pages to
determine the next page that is being visited, including manually
entered URLs, using the onunload handler.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2003:046

Analysis
--------
Vendor Acknowledgement: yes patch

INFERRED ACTION: CAN-2002-1126 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2003:046


======================================================
Candidate: CAN-2002-1132
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1132
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020920
Category: SF
Reference: BUGTRAQ:20020919 Squirrel Mail 1.2.7 XSS Exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0246.html
Reference: REDHAT:RHSA-2002:204
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-204.html
Reference: DEBIAN:DSA-191
Reference: URL:http://www.debian.org/security/2002/dsa-191
Reference: XF:squirrelmail-options-path-disclosure(10345)
Reference: URL:http://www.iss.net/security_center/static/10345.php

SquirrelMail 1.2.7 and earlier allows remote attackers to determine
the absolute pathname of the options.php script via a malformed
optpage file argument, which generates an error message when the file
cannot be included in the script.


Modifications:
  20040804 [desc] remove "and possibly later versions"

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-1132 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> We have verified through source code inspection that the issue
   mentioned in CAN-2002-1132 was fixed in upstream SquirrelMail 1.2.8


======================================================
Candidate: CAN-2002-1135
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1135
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020923
Category: SF
Reference: BUGTRAQ:20020922 PHP source injection in phpWebSite
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103279980906880&w=2
Reference: CONFIRM:http://phpwebsite.appstate.edu/article.php?sid=400
Reference: XF:phpwebsite-modsecurity-file-include(10164)
Reference: URL:http://www.iss.net/security_center/static/10164.php
Reference: BID:5779
Reference: URL:http://www.securityfocus.com/bid/5779
Reference: OSVDB:3848
Reference: URL:http://www.osvdb.org/3848

modsecurity.php 1.10 and earlier, in phpWebSite 0.8.2 and earlier,
allows remote attackers to execute arbitrary PHP source code via an
inc_prefix parameter that points to the malicious code.


Modifications:
  20040818 ADDREF OSVDB:3848

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1135 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1137
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1137
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020923
Category: SF
Reference: MISC:http://www.scan-associates.net/papers/foxpro.txt
Reference: MS:MS02-056
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-056.asp
Reference: XF:mssql-dbcc-bo-variant(10255)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10255
Reference: BID:5877
Reference: URL:http://www.securityfocus.com/bid/5877

Buffer overflow in the Database Console Command (DBCC) that handles
user inputs in Microsoft SQL Server 7.0 and 2000, including Microsoft
Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000,
allows attackers to execute arbitrary code via a long SourceDB
argument in a "non-SQL OLEDB data source" such as FoxPro, a variant of
CAN-2002-0644.


Modifications:
  20040804 ADDREF XF:mssql-dbcc-bo-variant(10255)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1137 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1138
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1138
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020923
Category: SF
Reference: MS:MS02-056
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-056.asp
Reference: XF:mssql-agent-create-files(10257)
Reference: URL:http://www.iss.net/security_center/static/10257.php

Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine
(MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output
files for scheduled jobs under its own privileges instead of the
entity that launched it, which allows attackers to overwrite system
files, aka "Flaw in Output File Handling for Scheduled Jobs."

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1138 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1139
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1139
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020923
Category: SF
Reference: MS:MS02-054
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-054.asp
Reference: XF:win-zip-incorrect-path(10252)
Reference: URL:http://www.iss.net/security_center/static/10252.php
Reference: BID:5876
Reference: URL:http://www.securityfocus.com/bid/5876

The Compressed Folders feature in Microsoft Windows 98 with Plus!
Pack, Windows Me, and Windows XP does not properly check the
destination folder during the decompression of ZIP files, which allows
attackers to place an executable file in a known location on a user's
system, aka "Incorrect Target Path for Zipped File Decompression."

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1139 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1140
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1140
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020923
Category: SF
Reference: MS:MS02-057
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-057.asp
Reference: XF:sfu-rpc-parameter-bo(10258)
Reference: URL:http://www.iss.net/security_center/static/10258.php
Reference: BID:5879
Reference: URL:http://www.securityfocus.com/bid/5879

The Sun Microsystems RPC library Services for Unix 3.0 Interix SD, as
implemented on Microsoft Windows NT4, 2000, and XP, allows remote
attackers to cause a denial of service (service hang) via malformed
packet fragments, aka "Improper parameter size check leading to denial
of service."

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1140 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1141
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1141
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020923
Category: SF
Reference: MS:MS02-057
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-057.asp
Reference: XF:sfu-invalid-rpc-dos(10259)
Reference: URL:http://www.iss.net/security_center/static/10259.php
Reference: BID:5880
Reference: URL:http://www.securityfocus.com/bid/5880

An input validation error in the Sun Microsystems RPC library Services
for Unix 3.0 Interix SD, as implemented on Microsoft Windows NT4,
2000, and XP, allows remote attackers to cause a denial of service via
malformed fragmented RPC client packets, aka "Denial of service by
sending an invalid RPC request."

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1141 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1142
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1142
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020923
Category: SF
Reference: MS:MS02-065
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-065.asp
Reference: VULNWATCH:20021120 Foundstone Advisory
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html
Reference: MISC:http://www.foundstone.com/knowledge/randd-advisories-display.html?id=337
Reference: CERT:CA-2002-33
Reference: URL:http://www.cert.org/advisories/CA-2002-33.html
Reference: CERT-VN:VU#542081
Reference: URL:http://www.kb.cert.org/vuls/id/542081
Reference: XF:mdac-rds-server-bo(10659)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10659
Reference: BID:6214
Reference: URL:http://www.securityfocus.com/bid/6214

Heap-based buffer overflow in the Remote Data Services (RDS) component
of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and
Internet Explorer 5.01 through 6.0, allows remote attackers to execute
code via a malformed HTTP request to the Data Stub.


Modifications:
  20040804 ADDREF VULNWATCH:20021120 Foundstone Advisory
  20040804 ADDREF MISC:http://www.foundstone.com/knowledge/randd-advisories-display.html?id=337
  20040804 ADDREF CERT:CA-2002-33
  20040804 ADDREF CERT-VN:VU#542081
  20040804 ADDREF XF:mdac-rds-server-bo(10659)
  20040804 ADDREF BID:6214

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1142 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> VULNWATCH:20021120 Foundstone Advisory
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html
   MISC:http://www.foundstone.com/knowledge/randd-advisories-display.html?id=337
   CERT:CA-2002-33
   URL:http://www.cert.org/advisories/CA-2002-33.html
   CERT-VN:VU#542081
   URL:http://www.kb.cert.org/vuls/id/542081
   XF:mdac-rds-server-bo(10659)
   URL:http://xforce.iss.net/xforce/xfdb/10659
   BID:6214
   URL:http://www.securityfocus.com/bid/6214


======================================================
Candidate: CAN-2002-1146
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1146
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020923
Category: SF
Reference: FREEBSD:FreeBSD-SA-02:42
Reference: MANDRAKE:MDKSA-2004:009
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:009
Reference: NETBSD:NetBSD-SA2002-015
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-015.txt.asc
Reference: REDHAT:RHSA-2002:197
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-197.html
Reference: REDHAT:RHSA-2002:258
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-258.html
Reference: REDHAT:RHSA-2003:022
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-022.html
Reference: REDHAT:RHSA-2003:212
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-212.html
Reference: CERT-VN:VU#738331
Reference: URL:http://www.kb.cert.org/vuls/id/738331
Reference: XF:dns-resolver-lib-read-bo(10295)
Reference: URL:http://www.iss.net/security_center/static/10295.php
Reference: CONECTIVA:CLA-2002:535
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000535

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries
such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum
buffer size instead of the actual size when processing a DNS response,
which causes the stub resolvers to read past the actual boundary
("read buffer overflow"), allowing remote attackers to cause a denial
of service (crash).


Modifications:
  20040804 ADDREF REDHAT:RHSA-2003:022
  20040804 ADDREF REDHAT:RHSA-2002:258
  20040804 ADDREF MANDRAKE:MDKSA-2004:009
  20040818 ADDREF REDHAT:RHSA-2003:212

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1146 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Wall, Cole
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: RHSA-2003:022
   Addref: RHSA-2002:258
 Christey> MANDRAKE:MDKSA-2004:009
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:009


======================================================
Candidate: CAN-2002-1147
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1147
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020924
Category: SF
Reference: MISC:http://www.tech-serve.com/research/advisories/2002/a092302-1.txt
Reference: BUGTRAQ:20020924 HP Procurve 4000M Stacked Switch HTTP Reset Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103287951910420&w=2
Reference: HP:HPSBUX0209-219
Reference: URL:http://online.securityfocus.com/advisories/4501
Reference: BID:5784
Reference: URL:http://www.securityfocus.com/bid/5784
Reference: XF:hp-procurve-http-reset-dos(10172)
Reference: URL:http://www.iss.net/security_center/static/10172.php

The HTTP administration interface for HP Procurve 4000M Switch
firmware before C.09.16, with stacking features and remote
administration enabled, does not authenticate requests to reset the
device, which allows remote attackers to cause a denial of service via
a direct request to the device_reset CGI program.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1147 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Cole, Armstrong
   NOOP(1) Cox
   REVIEWING(1) Green


======================================================
Candidate: CAN-2002-1148
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1148
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020924
Category: SF
Reference: BUGTRAQ:20020924 JSP source code exposure in Tomcat 4.x
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103288242014253&w=2
Reference: DEBIAN:DSA-170
Reference: URL:http://www.debian.org/security/2002/dsa-170
Reference: HP:HPSBUX0212-229
Reference: URL:http://online.securityfocus.com/advisories/4758
Reference: REDHAT:RHSA-2002:217
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-217.html
Reference: REDHAT:RHSA-2002:218
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-218.html
Reference: BID:5786
Reference: URL:http://www.securityfocus.com/bid/5786
Reference: XF:tomcat-servlet-source-code(10175)
Reference: URL:http://www.iss.net/security_center/static/10175.php

The default servlet (org.apache.catalina.servlets.DefaultServlet) in
Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read
source code for server files via a direct request to the servlet.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:217
  20040804 ADDREF REDHAT:RHSA-2002:218

Analysis
--------
Vendor Acknowledgement: unknown vague

ACCURACY: The "DSA-169" number was inadvertently published for two
separate issues.  Debian confirmed via email that DSA-169 is intended
for the htcheck issue (CAN-2002-1195), and DSA-170 is intended for the
Tomcat issue (CAN-2002-1148).

INFERRED ACTION: CAN-2002-1148 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Armstrong
   MODIFY(1) Cox
   NOOP(2) Christey, Cole

Voter Comments:
 Christey> DEBIAN:DSA-170

   Note: DSA-170 was originally published with the DSA-169 ID,
   but DSA-169 is really ht://Check, and DSA-170 is really
   tomcat, as confirmed by Debian via email.  The online advisories
   at www.debian.org are authoritative.
 Cox> Addref: RHSA-2002:218
   Addref: RHSA-2002:217


======================================================
Candidate: CAN-2002-1151
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1151
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020924
Category: SF
Reference: BUGTRAQ:20020910 KDE Security Advisory: Konqueror Cross Site Scripting Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103175850925395&w=2
Reference: CONFIRM:http://www.kde.org/info/security/advisory-20020908-2.txt
Reference: CALDERA:CSSA-2002-047.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-047.0.txt
Reference: CONECTIVA:CLA-2002:525
Reference: DEBIAN:DSA-167
Reference: URL:http://www.debian.org/security/2002/dsa-167
Reference: MANDRAKE:MDKSA-2002:064
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-064.php
Reference: REDHAT:RHSA-2002:220
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-220.html
Reference: REDHAT:RHSA-2002:221
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-221.html
Reference: BID:5689
Reference: URL:http://online.securityfocus.com/bid/5689
Reference: XF:ie-sameoriginpolicy-bypass(10039)
Reference: URL:http://www.iss.net/security_center/static/10039.php
Reference: OSVDB:7867
Reference: URL:http://www.osvdb.org/7867

The cross-site scripting protection for Konqueror in KDE 2.2.2 and 3.0
through 3.0.3 does not properly initialize the domains on sub-frames
and sub-iframes, which can allow remote attackers to execute script
and steal cookies from subframes that are in other domains.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:221
  20040818 ADDREF OSVDB:7867

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1151 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2002:221


======================================================
Candidate: CAN-2002-1152
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1152
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020924
Category: SF
Reference: BUGTRAQ:20020910 KDE Security Advisory: Secure Cookie Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103175827225044&w=2
Reference: CONFIRM:http://www.kde.org/info/security/advisory-20020908-1.txt
Reference: REDHAT:RHSA-2002:220
Reference: XF:kde-konqueror-cookie-hijacking(10083)
Reference: URL:http://www.iss.net/security_center/static/10083.php
Reference: BID:5691
Reference: URL:http://www.securityfocus.com/bid/5691

Konqueror in KDE 3.0 through 3.0.2 does not properly detect the
"secure" flag in an HTTP cookie, which could cause Konqueror to send
the cookie across an unencrypted channel, which could allow remote
attackers to steal the cookie via sniffing.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1152 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Cox, Cole, Armstrong


======================================================
Candidate: CAN-2002-1153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1153
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020924
Category: SF
Reference: BUGTRAQ:20020919 KPMG-2002035: IBM Websphere Large Header DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103244572803950&w=2
Reference: CONFIRM:ftp://ftp.software.ibm.com/software/websphere/appserv/support/fixes/pq62144/readme.txt
Reference: XF:websphere-host-header-bo(10140)
Reference: URL:http://www.iss.net/security_center/static/10140.php
Reference: BID:5749
Reference: URL:http://www.securityfocus.com/bid/5749
Reference: OSVDB:2092
Reference: URL:http://www.osvdb.org/2092

IBM Websphere 4.0.3 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via an HTTP
request with long HTTP headers, such as "Host".


Modifications:
  20040818 ADDREF OSVDB:2092

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-1153 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(1) Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2002-1154
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1154
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020925
Category: SF
Reference: CONFIRM:http://www.analog.cx/security5.html
Reference: REDHAT:RHSA-2002:059
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-059.html
Reference: XF:analog-anlgform-dos(10344)
Reference: URL:http://www.iss.net/security_center/static/10344.php
Reference: OSVDB:3779
Reference: URL:http://www.osvdb.org/3779

anlgform.pl in Analog before 5.23 does not restrict access to the
PROGRESSFREQ progress update command, which allows remote attackers to
cause a denial of service (disk consumption) by using the command to
report updates more frequently and fill the web server error log.


Modifications:
  20040818 ADDREF REDHAT:RHSA-2002:059
  20040818 ADDREF OSVDB:3779

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1154 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1156
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1156
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20020926
Category: SF
Reference: CONFIRM:http://www.apacheweek.com/issues/02-10-04
Reference: CONFIRM:http://www.apache.org/dist/httpd/CHANGES_2.0
Reference: HP:HPSBUX0210-224
Reference: URL:http://online.securityfocus.com/advisories/4617
Reference: CERT-VN:VU#910713
Reference: URL:http://www.kb.cert.org/vuls/id/910713
Reference: BID:6065
Reference: URL:http://online.securityfocus.com/bid/6065
Reference: XF:apache-webdav-cgi-source(10499)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10499

Apache 2.0.42 allows remote attackers to view the source code of a CGI
script via a POST request to a directory with both WebDAV and CGI
enabled.


Modifications:
  20040804 ADDREF XF:apache-webdav-cgi-source(10499)

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The change log for 2.0.43 includes the item:
"SECURITY: Allow POST requests and CGI scripts to work when DAV is
enabled on the location."

INFERRED ACTION: CAN-2002-1156 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Wall, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:apache-webdav-cgi-source(10499)


======================================================
Candidate: CAN-2002-1157
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1157
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020926
Category: SF
Reference: CONECTIVA:CLA-2002:541
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000541
Reference: DEBIAN:DSA-181
Reference: URL:http://www.debian.org/security/2002/dsa-181
Reference: ENGARDE:ESA-20021029-027
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2512.html
Reference: MANDRAKE:MDKSA-2002:072
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-072.php
Reference: REDHAT:RHSA-2002:222
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-222.html
Reference: REDHAT:RHSA-2002:243
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-243.html
Reference: REDHAT:RHSA-2002:244
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-244.html
Reference: REDHAT:RHSA-2002:248
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-248.html
Reference: REDHAT:RHSA-2002:251
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-251.html
Reference: REDHAT:RHSA-2003:106
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-106.html
Reference: BUGTRAQ:20021023 [OpenPKG-SA-2002.010] OpenPKG Security Advisory (apache)
Reference: URL:http://online.securityfocus.com/archive/1/296753
Reference: BUGTRAQ:20021026 GLSA: mod_ssl
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0374.html
Reference: BID:6029
Reference: URL:http://www.securityfocus.com/bid/6029
Reference: XF:apache-modssl-host-xss(10457)
Reference: URL:http://www.iss.net/security_center/static/10457.php
Reference: OSVDB:2107
Reference: URL:http://www.osvdb.org/2107

Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9
and earlier, when UseCanonicalName is off and wildcard DNS is enabled,
allows remote attackers to execute script as other web site visitors,
via the server name in an HTTPS response on the SSL port, which is
used in a self-referencing URL, a different vulnerability than
CAN-2002-0840.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:248
  20040804 ADDREF REDHAT:RHSA-2002:251
  20040804 ADDREF REDHAT:RHSA-2002:222
  20040804 ADDREF REDHAT:RHSA-2002:243
  20040804 ADDREF REDHAT:RHSA-2002:244
  20040818 ADDREF REDHAT:RHSA-2003:106
  20040818 ADDREF OSVDB:2107

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1157 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2002:251
   Addref: RHSA-2002:248
   Addref: RHSA-2002:244
   Addref: RHSA-2002:243
   Addref: RHSA-2002:222


======================================================
Candidate: CAN-2002-1158
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1158
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020926
Category: SF
Reference: CONFIRM:http://canna.sourceforge.jp/sec/Canna-2002-01.txt
Reference: DEBIAN:DSA-224
Reference: URL:http://www.debian.org/security/2003/dsa-224
Reference: REDHAT:RHSA-2002:246
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-246.html
Reference: REDHAT:RHSA-2002:261
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-261.html
Reference: REDHAT:RHSA-2003:115
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-115.html
Reference: BUGTRAQ:20021220 GLSA: canna
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104041812206344&w=2
Reference: BID:6351
Reference: URL:http://www.securityfocus.com/bid/6351
Reference: XF:canna-irwthrough-bo(10831)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10831

Buffer overflow in the irw_through function for Canna 3.5b2 and
earlier allows local users to execute arbitrary code as the bin user.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:261
  20040804 ADDREF BID:6351
  20040804 ADDREF XF:canna-irwthrough-bo(10831)
  20040804 ADDREF DEBIAN:DSA-224
  20040804 ADDREF BUGTRAQ:20021220 GLSA: canna
  20040804 ADDREF CONFIRM:http://canna.sourceforge.jp/sec/Canna-2002-01.txt
  20040804 [desc] add "irw_through"
  20040818 ADDREF REDHAT:RHSA-2003:115

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1158 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2002:261


======================================================
Candidate: CAN-2002-1159
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1159
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020926
Category: SF
Reference: DEBIAN:DSA-224
Reference: URL:http://www.debian.org/security/2003/dsa-224
Reference: REDHAT:RHSA-2002:246
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-246.html
Reference: REDHAT:RHSA-2002:261
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-261.html
Reference: REDHAT:RHSA-2003:115
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-115.html
Reference: CONFIRM:http://canna.sourceforge.jp/sec/Canna-2002-01.txt
Reference: BID:6354
Reference: URL:http://www.securityfocus.com/bid/6354
Reference: XF:canna-improper-request-validation(10832)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10832

Canna 3.6 and earlier does not properly validate requests, which
allows remote attackers to cause a denial of service or information
leak.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:261
  20040804 ADDREF CONFIRM:http://canna.sourceforge.jp/sec/Canna-2002-01.txt
  20040804 ADDREF DEBIAN:DSA-224
  20040804 ADDREF BID:6354
  20040804 ADDREF XF:canna-improper-request-validation(10832)
  20040818 ADDREF REDHAT:RHSA-2003:115

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1159 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Cox
   NOOP(1) Cole

Voter Comments:
 Cox> Addref: RHSA-2002:261


======================================================
Candidate: CAN-2002-1160
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1160
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20020926
Category: CF
Reference: BUGTRAQ:20021214 BDT_AV200212140001: Insecure default: Using pam_xauth for su from sh-utils package
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104431622818954&w=2
Reference: CONECTIVA:CLA-2003:693
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000693
Reference: MANDRAKE:MDKSA-2003:017
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:017
Reference: REDHAT:RHSA-2003:028
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-028.html
Reference: REDHAT:RHSA-2003:035
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-035.html
Reference: SUNALERT:55760
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55760
Reference: CERT-VN:VU#911505
Reference: URL:http://www.kb.cert.org/vuls/id/911505
Reference: BID:6753
Reference: URL:http://www.securityfocus.com/bid/6753
Reference: XF:linux-pamxauth-gain-privileges(11254)
Reference: URL:http://www.iss.net/security_center/static/11254.php

The default configuration of the pam_xauth module forwards
MIT-Magic-Cookies to new X sessions, which could allow local users to
gain root privileges by stealing the cookies from a temporary .xauth
file, which is created with the original user's credentials after root
uses su.


Modifications:
  20040804 ADDREF CONECTIVA:CLA-2003:693
  20040804 ADDREF CERT-VN:VU#911505
  20040804 ADDREF SUNALERT:55760
  20040818 ADDREF REDHAT:RHSA-2003:028

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: While the post from Andreas Beck appears to be dated
December 14, 2002, it was not actually published until February 3,
2002, as reflected in the Vendor Response section.

INFERRED ACTION: CAN-2002-1160 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cox
   NOOP(2) Christey, Cole

Voter Comments:
 Green> CLEARLY ACKNOWLEDGED IN THE MANDRAKE SUPPORT ADVISORY
 Christey> CONECTIVA:CLA-2003:693
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000693


======================================================
Candidate: CAN-2002-1169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1169
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20030317
Assigned: 20020927
Category: SF
Reference: MISC:http://www.rapid7.com/advisories/R7-0007.txt
Reference: VULNWATCH:20021023 R7-0007: IBM WebSphere Edge Server Caching Proxy Denial of Service
Reference: AIXAPAR:IY35970
Reference: BID:6002
Reference: URL:http://online.securityfocus.com/bid/6002
Reference: XF:ibm-wte-helpout-dos(10452)
Reference: URL:http://www.iss.net/security_center/static/10452.php
Reference: OSVDB:2090
Reference: URL:http://www.osvdb.org/2090

IBM Web Traffic Express Caching Proxy Server 3.6 and 4.x before
4.0.1.26 allows remote attackers to cause a denial of service (crash)
via an HTTP request to helpout.exe with a missing HTTP version number,
which causes ibmproxy.exe to crash.


Modifications:
  20040818 ADDREF OSVDB:2090

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1169 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Armstrong
   NOOP(2) Cox, Cole

Voter Comments:
 Green> PATCH RELEASED BY VENDOR


======================================================
Candidate: CAN-2002-1170
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1170
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20020930
Category: SF
Reference: BUGTRAQ:20021002 iDEFENSE Security Advisory 10.02.2002: Net-SNMP DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103359362020365&w=2
Reference: BUGTRAQ:20021014 GLSA: net-snmp
Reference: MISC:http://www.idefense.com/advisory/10.02.02.txt
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=216532
Reference: REDHAT:RHSA-2002:228
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-228.html

The handle_var_requests function in snmp_agent.c for the SNMP daemon
in the Net-SNMP (formerly ucd-snmp) package 5.0.1 through 5.0.5 allows
remote attackers to cause a denial of service (crash) via a NULL
dereference.

Analysis
--------
Vendor Acknowledgement: unknown

ACCURACY: While the initial iDEFENSE report said that 5.0.5 was fixed,
a followup consultation with the developer indicated that the fix was
incorrect, and 5.0.6 is the first fixed version.

INFERRED ACTION: CAN-2002-1170 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Cox, Cole, Armstrong


======================================================
Candidate: CAN-2002-1178
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1178
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021003
Category: SF
Reference: BUGTRAQ:20021002 wp-02-0011: Jetty CGIServlet Arbitrary Command Execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103358725813039&w=2
Reference: VULNWATCH:20021002 wp-02-0011: Jetty CGIServlet Arbitrary Command Execution
Reference: MISC:http://www.westpoint.ltd.uk/advisories/wp-02-0011.txt
Reference: CONFIRM:http://groups.yahoo.com/group/jetty-announce/message/45
Reference: XF:jetty-cgiservlet-directory-traversal(10246)
Reference: URL:http://www.iss.net/security_center/static/10246.php
Reference: BID:5852
Reference: URL:http://www.securityfocus.com/bid/5852

Directory traversal vulnerability in the CGIServlet for Jetty HTTP
server before 4.1.0 allows remote attackers to execute arbitrary
commands via ..\ (dot-dot backslash) sequences in an HTTP request to
the cgi-bin directory.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1178 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1179
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1179
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: NTBUGTRAQ:20021010 Outlook Express Remote Code Execution in Preview Pane (S/MIME)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103429637822920&w=2
Reference: NTBUGTRAQ:20021010 Re: Problems applying MS02-058
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103429681123297&w=2
Reference: BUGTRAQ:20021010 Outlook Express Remote Code Execution in Preview Pane (S/MIME)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103435413105661&w=2
Reference: MS:MS02-058
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-058.asp
Reference: XF:outlook-smime-bo(10338)
Reference: URL:http://www.iss.net/security_center/static/10338.php
Reference: BID:5944
Reference: URL:http://www.securityfocus.com/bid/5944

Buffer overflow in the S/MIME Parsing capability in Microsoft Outlook
Express 5.5 and 6.0 allows remote attackers to execute arbitrary code
via a digitally signed email with a long "From" address, which
triggers the overflow when the user views or previews the message.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1179 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1180
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1180
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: MS:MS02-062
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-062.asp
Reference: XF:iis-script-source-access-bypass(10504)
Reference: URL:http://www.iss.net/security_center/static/10504.php
Reference: BID:6071
Reference: URL:http://www.securityfocus.com/bid/6071
Reference: OVAL:OVAL931
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL931.html

A typographical error in the script source access permissions for
Internet Information Server (IIS) 5.0 does not properly exclude .COM
files, which allows attackers with only write permissions to upload
malicious .COM files, aka "Script Source Access Vulnerability."


Modifications:
  20040804 ADDREF
  20040824 ADDREF OVAL:OVAL931

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1180 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1182
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1182
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: VULNWATCH:20021031 Microsoft Internet Information Server 5/5.1 Denial of Service (#NISR31102002)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0048.html
Reference: MS:MS02-062
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-062.asp
Reference: XF:iis-webdav-memory-allocation-dos(10503)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10503
Reference: BID:6070
Reference: URL:http://www.securityfocus.com/bid/6070
Reference: OVAL:OVAL1009
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL1009.html
Reference: OVAL:OVAL1011
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL1011.html

IIS 5.0 and 5.1 allow remote attackers to cause a denial of service
(crash) via malformed WebDAV requests that cause a large amount of
memory to be assigned.


Modifications:
  20040804 ADDREF XF:iis-webdav-memory-allocation-dos(10503)
  20040804 ADDREF BID:6070
  20040824 ADDREF OVAL:OVAL1009
  20040824 ADDREF OVAL:OVAL1011

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1182 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1183
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1183
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: MS:MS02-050
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-050.asp
Reference: XF:ssl-ca-certificate-spoofing(9776)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9776
Reference: BID:5410
Reference: URL:http://www.securityfocus.com/bid/5410
Reference: OVAL:OVAL1059
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL1059.html
Reference: OVAL:OVAL1455
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL1455.html
Reference: OVAL:OVAL2108
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL2108.html

Microsoft Windows 98 and Windows NT 4.0 do not properly verify the
Basic Constraints of digital certificates, allowing remote attackers
to execute code, aka "New Variant of Certificate Validation Flaw Could
Enable Identity Spoofing" (CAN-2002-0862).


Modifications:
  20040804 ADDREF XF:ssl-ca-certificate-spoofing(9776)
  20040804 ADDREF BID:5410
  20040824 ADDREF OVAL:OVAL1059
  20040824 ADDREF OVAL:OVAL1455
  20040824 ADDREF OVAL:OVAL2108

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1183 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1184
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1184
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021004
Category: CF
Reference: MS:MS02-064
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-064.asp
Reference: XF:win2k-partition-weak-permissions(9779)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9779
Reference: BID:5415
Reference: URL:http://www.securityfocus.com/bid/5415

The system root folder of Microsoft Windows 2000 has default
permissions of Everyone group with Full access (Everyone:F) and is in
the search path when locating programs during login or application
launch from the desktop, which could allow attackers to gain
privileges as other users via Trojan horse programs.


Modifications:
  20040804 ADDREF XF:win2k-partition-weak-permissions(9779)
  20040804 ADDREF BID:5415

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1184 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1185
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: VULNWATCH:20021211 PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0105.html
Reference: BUGTRAQ:20021212 PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103970996205091&w=2
Reference: MS:MS02-066
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-066.asp
Reference: XF:ie-png-bo(10662)
Reference: URL:http://www.iss.net/security_center/static/10662.php
Reference: BID:6216
Reference: URL:http://online.securityfocus.com/bid/6216
Reference: OVAL:OVAL393
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL393.html
Reference: OVAL:OVAL542
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL542.html

Internet Explorer 5.01 through 6.0 does not properly check certain
parameters of a PNG file when opening it, which allows remote
attackers to cause a denial of service (crash) by triggering a
heap-based buffer overflow using invalid length codes during
decompression, aka "Malformed PNG Image File Failure."


Modifications:
  20040824 ADDREF OVAL:OVAL393
  20040824 ADDREF OVAL:OVAL542

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1185 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1186
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1186
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: BUGTRAQ:20020903 MSIEv6 % encoding causes a problem again
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0018.html
Reference: MS:MS02-066
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-066.asp
Reference: XF:ie-sameoriginpolicy-bypass(10039)
Reference: URL:http://www.iss.net/security_center/static/10039.php
Reference: BID:5610
Reference: URL:http://online.securityfocus.com/bid/5610
Reference: OVAL:OVAL143
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL143.html
Reference: OVAL:OVAL471
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL471.html
Reference: OVAL:OVAL495
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL495.html

Internet Explorer 5.01 through 6.0 does not properly perform security
checks on certain encoded characters within a URL, which allows a
remote attacker to steal potentially sensitive information from a user
by redirecting the user to another site that has that information, aka
"Encoded Characters Information Disclosure."


Modifications:
  20040824 ADDREF OVAL:OVAL143
  20040824 ADDREF OVAL:OVAL471
  20040824 ADDREF OVAL:OVAL495

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: Microsoft confirmed via email that this item addresses the
specified Bugtraq post.

INFERRED ACTION: CAN-2002-1186 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1187
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1187
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: BUGTRAQ:20020909 Who framed Internet Explorer (GM#010-IE)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103158601431054&w=2
Reference: MS:MS02-066
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-066.asp
Reference: XF:ie-frame-script-execution(10066)
Reference: URL:http://www.iss.net/security_center/static/10066.php
Reference: BID:5672
Reference: URL:http://online.securityfocus.com/bid/5672
Reference: OSVDB:2998
Reference: URL:http://www.osvdb.org/2998
Reference: OVAL:OVAL203
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL203.html
Reference: OVAL:OVAL225
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL225.html

Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01
through 6.0 allows remote attackers to read and execute files on the
local system via web pages using the <frame> or <iframe> element and
javascript, aka "Frames Cross Site Scripting," as demonstrated using
the PrivacyPolicy.dlg resource.


Modifications:
  20040818 ADDREF OSVDB:2998
  20040824 ADDREF OVAL:OVAL203
  20040824 ADDREF OVAL:OVAL225

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1187 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1188
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1188
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: BUGTRAQ:20020912 LEVERAGING CROSS-PROTOCOL SCRIPTING IN MSIE
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103184415307193&w=2
Reference: MS:MS02-066
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-066.asp
Reference: BID:6217
Reference: URL:http://www.securityfocus.com/bid/6217
Reference: XF:ie-object-read-tif(10665)
Reference: URL:http://www.iss.net/security_center/static/10665.php
Reference: OVAL:OVAL444
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL444.html
Reference: OVAL:OVAL690
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL690.html

Internet Explorer 5.01 through 6.0 allows remote attackers to identify
the path to the Temporary Internet Files folder and obtain user
information such as cookies via certain uses of the OBJECT tag, which
are not subjected to the proper security checks, aka "Temporary
Internet Files folders Name Reading."


Modifications:
  20040804 ADDREF BID:6217
  20040824 ADDREF OVAL:OVAL444
  20040824 ADDREF OVAL:OVAL690

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: Microsoft confirmed via email that this item addresses the
specified Bugtraq post.

INFERRED ACTION: CAN-2002-1188 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1189
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1189
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021004
Category: SF
Reference: CISCO:20021004 Predefined Restriction Tables Allow Calls to International Operator
Reference: URL:http://www.cisco.com/warp/public/707/toll-fraud-pub.shtml
Reference: XF:cisco-unity-insecure-configuration(10282)
Reference: URL:http://www.iss.net/security_center/static/10282.php
Reference: BID:5896
Reference: URL:http://www.securityfocus.com/bid/5896

The default configuration of Cisco Unity 2.x and 3.x does not block
international operator calls in the predefined restriction tables,
which could allow authenticated users to place international calls
using call forwarding.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1189 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1193
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021008
Category: SF
Reference: DEBIAN:DSA-172
Reference: URL:http://www.debian.org/security/2002/dsa-172
Reference: XF:tkmail-tmp-file-symlink(10307)
Reference: URL:http://www.iss.net/security_center/static/10307.php
Reference: BID:5911
Reference: URL:http://www.securityfocus.com/bid/5911

tkmail before 4.0beta9-8.1 allows local users to create or overwrite
files as users via a symlink attack on temporary files.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1193 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1195
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1195
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021009
Category: SF
Reference: BUGTRAQ:20020912 ht://Check XSS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103184269605160&w=2
Reference: DEBIAN:DSA-169
Reference: URL:http://www.debian.org/security/2002/dsa-169
Reference: XF:htcheck-server-header-xss(10089)
Reference: URL:http://www.iss.net/security_center/static/10089.php

Cross-site scripting vulnerability (XSS) in the PHP interface for
ht://Check 1.1 allows remote web servers to insert arbitrary HTML,
including script, via a web page.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: The "DSA-169" number was inadvertently published for two
separate issues.  Debian confirmed via email that DSA-169 is intended
for the htcheck issue (CAN-2002-1195), and DSA-170 is intended for the
Tomcat issue (CAN-2002-1148).

INFERRED ACTION: CAN-2002-1195 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> DEBIAN:DSA-169

   Note: DSA-170 was originally published with the DSA-169 ID,
   but DSA-169 is really ht://Check, and DSA-170 is really
   tomcat, as confirmed by Debian via email.  The online advisories
   at www.debian.org are authoritative.


======================================================
Candidate: CAN-2002-1196
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1196
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021009
Category: SF
Reference: BUGTRAQ:20021001 [BUGZILLA] Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103349804226566&w=2
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12
Reference: DEBIAN:DSA-173
Reference: URL:http://www.debian.org/security/2002/dsa-173
Reference: BID:5843
Reference: URL:http://www.securityfocus.com/bid/5843
Reference: XF:bugzilla-usebuggroups-permissions-leak(10233)
Reference: URL:http://www.iss.net/security_center/static/10233.php

editproducts.cgi in Bugzilla 2.14.x before 2.14.4, and 2.16.x before
2.16.1, when the "usebuggroups" feature is enabled and more than 47
groups are specified, does not properly calculate bit values for large
numbers, which grants extra permissions to users via known features of
Perl math that set multiple bits.


Modifications:
  20040804 ADDREF BID:5843

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1196 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> ADDREF BID:5843
   URL:http://www.securityfocus.com/bid/5843


======================================================
Candidate: CAN-2002-1197
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1197
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021009
Category: SF
Reference: BUGTRAQ:20021001 [BUGZILLA] Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103349804226566&w=2
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=163024
Reference: XF:bugzilla-emailappend-command-injection(10234)
Reference: URL:http://www.iss.net/security_center/static/10234.php

bugzilla_email_append.pl in Bugzilla 2.14.x before 2.14.4, and 2.16.x
before 2.16.1, allows remote attackers to execute arbitrary code via
shell metacharacters in a system call to processmail.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1197 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Christey, Cox, Wall

Voter Comments:
 Christey> Via email, Debian said that they are NOT vulnerable to this
   issue, because the bug is in a "contrib" package and not
   part of the core product.


======================================================
Candidate: CAN-2002-1198
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1198
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021009
Category: SF
Reference: BUGTRAQ:20021001 [BUGZILLA] Security Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103349804226566&w=2
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=165221
Reference: XF:bugzilla-email-sql-injection(10235)
Reference: URL:http://www.iss.net/security_center/static/10235.php

Bugzilla 2.16.x before 2.16.1 does not properly filter apostrophes
from an email address during account creation, which allows remote
attackers to execute arbitrary SQL via a SQL injection attack.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1198 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(3) Christey, Cox, Wall

Voter Comments:
 Christey> Via email, Debian said that they are NOT vulnerable to this
   issue.


======================================================
Candidate: CAN-2002-1199
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1199
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021011
Category: SF
Reference: BUGTRAQ:20021010 Multiple vendor ypxfrd map handling vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103426842025029&w=2
Reference: CALDERA:CSSA-2002-SCO.40
Reference: URL:ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.40
Reference: COMPAQ:SSRT2339
Reference: SUNALERT:47903
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/47903
Reference: CERT-VN:VU#538033
Reference: URL:http://www.kb.cert.org/vuls/id/538033
Reference: XF:ypxfrd-file-disclosure(10329)
Reference: URL:http://www.iss.net/security_center/static/10329.php
Reference: BID:5937
Reference: URL:http://www.securityfocus.com/bid/5937

The getdbm procedure in ypxfrd allows local users to read arbitrary
files, and remote attackers to read databases outside /var/yp, via a
directory traversal and symlink attack on the domain and map
arguments.


Modifications:
  20040804 [refs] normalize SUNALERT ref

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1199 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1200
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1200
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021011
Category: SF
Reference: CONFIRM:http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
Reference: BUGTRAQ:20021010 syslog-ng buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103426595021928&w=2
Reference: DEBIAN:DSA-175
Reference: URL:http://www.debian.org/security/2002/dsa-175
Reference: ENGARDE:ESA-20021016-025
Reference: ENGARDE:ESA-20021029-028
Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-2513.html
Reference: CONECTIVA:CLA-2002:547
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000547
Reference: SUSE:SuSE-SA:2002:039
Reference: URL:http://www.suse.com/de/security/2002_039_syslog_ng.html
Reference: BID:5934
Reference: URL:http://www.securityfocus.com/bid/5934
Reference: XF:syslogng-macro-expansion-bo(10339)
Reference: URL:http://www.iss.net/security_center/static/10339.php

Balabit Syslog-NG 1.4.x before 1.4.15, and 1.5.x before 1.5.20, when
using template filenames or output, does not properly track the size
of a buffer when constant characters are encountered during macro
expansion, which allows remote attackers to cause a denial of service
and possibly execute arbitrary code.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1200 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1211
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021014
Category: SF
Reference: MISC:http://www.idefense.com/advisory/10.31.02b.txt
Reference: BUGTRAQ:20021101 iDEFENSE Security Advisory 10.31.02b: Prometheus Application Framework Code Injection
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103616306403031&w=2
Reference: VULNWATCH:20021101 iDEFENSE Security Advisory 10.31.02b: Prometheus Application Framework Code Injection
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0050.html
Reference: XF:prometheus-php-file-include(10515)
Reference: URL:http://www.iss.net/security_center/static/10515.php
Reference: BID:6087
Reference: URL:http://www.securityfocus.com/bid/6087

Prometheus 6.0 and earlier allows remote attackers to execute
arbitrary PHP code via a modified PROMETHEUS_LIBRARY_BASE that points
to code stored on a remote server, which is then used in (1)
index.php, (2) install.php, or (3) various test_*.php scripts.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1211 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1214
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1214
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021014
Category: SF
Reference: BUGTRAQ:20020926 Microsoft PPTP Server and Client remote vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/293146
Reference: MS:MS02-063
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-063.asp
Reference: XF:win-pptp-packet-bo(10199)
Reference: URL:http://www.iss.net/security_center/static/10199.php
Reference: BID:5807
Reference: URL:http://online.securityfocus.com/bid/5807

Buffer overflow in Microsoft PPTP Service on Windows XP and Windows
2000 allows remote attackers to cause a denial of service (hang) and
possibly execute arbitrary code via a certain PPTP packet with
malformed control data.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1214 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox

Voter Comments:
 Green> ACKNOWLEDGED IN http://www.microsoft.com/technet/security/bulletin/ms02-063.asp


======================================================
Candidate: CAN-2002-1219
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021016
Category: SF
Reference: ISS:20021112 Multiple Remote Vulnerabilities in BIND4 and BIND8
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
Reference: BUGTRAQ:20021112 [Fwd: Notice of serious vulnerabilities in ISC BIND 4 & 8]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103713117612842&w=2
Reference: CONFIRM:http://www.isc.org/products/BIND/bind-security.html
Reference: CERT:CA-2002-31
Reference: URL:http://www.cert.org/advisories/CA-2002-31.html
Reference: CERT-VN:VU#852283
Reference: URL:http://www.kb.cert.org/vuls/id/852283
Reference: FREEBSD:FreeBSD-SA-02:43
Reference: ENGARDE:ESA-20021114-029
Reference: SUSE:SuSE-SA:2002:044
Reference: MANDRAKE:MDKSA-2002:077
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-077.php
Reference: DEBIAN:DSA-196
Reference: URL:http://www.debian.org/security/2002/dsa-196
Reference: CONECTIVA:CLA-2002:546
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000546
Reference: CALDERA:CSSA-2003-SCO.2
Reference: CIAC:N-013
Reference: URL:http://www.ciac.org/ciac/bulletins/n-013.shtml
Reference: BUGTRAQ:20021115 [OpenPKG-SA-2002.011] OpenPKG Security Advisory (bind, bind8)
Reference: URL:http://online.securityfocus.com/archive/1/300019
Reference: COMPAQ:SSRT2408
Reference: URL:http://online.securityfocus.com/advisories/4999
Reference: SGI:20021201-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021201-01-P
Reference: BUGTRAQ:20021118 TSLSA-2002-0076 - bind
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103763574715133&w=2
Reference: CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F48818
Reference: BID:6160
Reference: URL:http://www.securityfocus.com/bid/6160
Reference: XF:bind-sig-rr-bo(10304)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10304

Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8
versions 8.3.3 and earlier, allows remote attackers to execute
arbitrary code via a certain DNS server response containing SIG
resource records (RR).


Modifications:
  20040804 ADDREF XF:bind-sig-rr-bo(10304)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1219 ACCEPT (4 accept, 11 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Wall, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:bind-sig-rr-bo(10304)


======================================================
Candidate: CAN-2002-1220
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1220
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021016
Category: SF
Reference: ISS:20021112 Multiple Remote Vulnerabilities in BIND4 and BIND8
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
Reference: BUGTRAQ:20021112 [Fwd: Notice of serious vulnerabilities in ISC BIND 4 & 8]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103713117612842&w=2
Reference: CONFIRM:http://www.isc.org/products/BIND/bind-security.html
Reference: CERT:CA-2002-31
Reference: URL:http://www.cert.org/advisories/CA-2002-31.html
Reference: CERT-VN:VU#229595
Reference: URL:http://www.kb.cert.org/vuls/id/229595
Reference: FREEBSD:FreeBSD-SA-02:43
Reference: ENGARDE:ESA-20021114-029
Reference: SUSE:SuSE-SA:2002:044
Reference: MANDRAKE:MDKSA-2002:077
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-077.php
Reference: DEBIAN:DSA-196
Reference: URL:http://www.debian.org/security/2002/dsa-196
Reference: CALDERA:CSSA-2003-SCO.2
Reference: CIAC:N-013
Reference: URL:http://www.ciac.org/ciac/bulletins/n-013.shtml
Reference: BUGTRAQ:20021115 [OpenPKG-SA-2002.011] OpenPKG Security Advisory (bind, bind8)
Reference: URL:http://online.securityfocus.com/archive/1/300019
Reference: COMPAQ:SSRT2408
Reference: URL:http://online.securityfocus.com/advisories/4999
Reference: BUGTRAQ:20021118 TSLSA-2002-0076 - bind
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103763574715133&w=2
Reference: XF:bind-opt-rr-dos(10332)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10332
Reference: BID:6161
Reference: URL:http://www.securityfocus.com/bid/6161

BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of
service (termination due to assertion failure) via a request for a
subdomain that does not exist, with an OPT resource record with a
large UDP payload size.


Modifications:
  20040804 ADDREF XF:bind-opt-rr-dos(10332)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1220 ACCEPT (4 accept, 10 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Wall, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:bind-opt-rr-dos(10332)


======================================================
Candidate: CAN-2002-1221
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021016
Category: SF
Reference: ISS:20021112 Multiple Remote Vulnerabilities in BIND4 and BIND8
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
Reference: BUGTRAQ:20021112 [Fwd: Notice of serious vulnerabilities in ISC BIND 4 & 8]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103713117612842&w=2
Reference: CONFIRM:http://www.isc.org/products/BIND/bind-security.html
Reference: CERT:CA-2002-31
Reference: URL:http://www.cert.org/advisories/CA-2002-31.html
Reference: CERT-VN:VU#581682
Reference: URL:http://www.kb.cert.org/vuls/id/581682
Reference: FREEBSD:FreeBSD-SA-02:43
Reference: ENGARDE:ESA-20021114-029
Reference: SUSE:SuSE-SA:2002:044
Reference: MANDRAKE:MDKSA-2002:077
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-077.php
Reference: DEBIAN:DSA-196
Reference: URL:http://www.debian.org/security/2002/dsa-196
Reference: CONECTIVA:CLA-2002:546
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000546
Reference: CALDERA:CSSA-2003-SCO.2
Reference: CIAC:N-013
Reference: URL:http://www.ciac.org/ciac/bulletins/n-013.shtml
Reference: BUGTRAQ:20021115 [OpenPKG-SA-2002.011] OpenPKG Security Advisory (bind, bind8)
Reference: URL:http://online.securityfocus.com/archive/1/300019
Reference: COMPAQ:SSRT2408
Reference: URL:http://online.securityfocus.com/advisories/4999
Reference: BUGTRAQ:20021118 TSLSA-2002-0076 - bind
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103763574715133&w=2
Reference: XF:bind-null-dereference-dos(10333)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10333
Reference: BID:6159
Reference: URL:http://www.securityfocus.com/bid/6159

BIND 8.x through 8.3.3 allows remote attackers to cause a denial of
service (crash) via SIG RR elements with invalid expiry times, which
are removed from the internal BIND database and later cause a null
dereference.


Modifications:
  20040804 ADDREF XF:bind-null-dereference-dos(10333)
  20040804 ADDREF BID:6159

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1221 ACCEPT (4 accept, 10 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Cox, Wall, Cole
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:bind-null-dereference-dos(10333)


======================================================
Candidate: CAN-2002-1222
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1222
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021017
Category: SF
Reference: CISCO:20021016 Cisco CatOS Embedded HTTP Server Buffer Overflow
Reference: URL:http://www.cisco.com/warp/public/707/catos-http-overflow-vuln.shtml
Reference: XF:cisco-catalyst-ciscoview-bo(10382)
Reference: URL:http://www.iss.net/security_center/static/10382.php
Reference: BID:5976
Reference: URL:http://www.securityfocus.com/bid/5976

Buffer overflow in the embedded HTTP server for Cisco Catalyst
switches running CatOS 5.4 through 7.3 allows remote attackers to
cause a denial of service (reset) via a long HTTP request.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1222 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Jones, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1223
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1223
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021017
Category: SF
Reference: BUGTRAQ:20021009 KDE Security Advisory: KGhostview Arbitary Code Execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0163.html
Reference: CONFIRM:http://www.kde.org/info/security/advisory-20021008-1.txt
Reference: REDHAT:RHSA-2002:220
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-220.html
Reference: MANDRAKE:MDKSA-2002:071
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:071
Reference: XF:gsview-dsc-ps-bo(11319)
Reference: URL:http://www.iss.net/security_center/static/11319.php

Buffer overflow in DSC 3.0 parser from GSview, as used in KGhostView
in KDE 1.1 and KDE 3.0.3a, may allow attackers to cause a denial of
service or execute arbitrary code via a modified .ps (PostScript)
input file.

Analysis
--------
Vendor Acknowledgement: yes advisory

ABSTRACTION: CAN-2002-0838 and CAN-2002-1223 are different overflows
that stem from different packages.  The KDE security advisory makes
this clear.  Therefore CD:SF-LOC suggests keeping them SPLIT.

INFERRED ACTION: CAN-2002-1223 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cox, Cole


======================================================
Candidate: CAN-2002-1224
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1224
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021017
Category: SF
Reference: CONFIRM:http://www.kde.org/info/security/advisory-20021008-2.txt
Reference: REDHAT:RHSA-2002:220
Reference: BUGTRAQ:20021009 KDE Security Advisory: kpf Directory traversal
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0164.html
Reference: BUGTRAQ:20021011 Security hole in kpf - KDE personal fileserver.
Reference: URL:http://online.securityfocus.com/archive/1/294991
Reference: XF:kpf-icon-view-files(10347)
Reference: URL:http://www.iss.net/security_center/static/10347.php
Reference: BID:5951
Reference: URL:http://www.securityfocus.com/bid/5951

Directory traversal vulnerability in kpf for KDE 3.0.1 through KDE
3.0.3a allows remote attackers to read arbitrary files as the kpf user
via a URL with a modified icon parameter.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1224 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Cox, Cole, Armstrong


======================================================
Candidate: CAN-2002-1227
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1227
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021017
Category: SF
Reference: DEBIAN:DSA-177
Reference: URL:http://www.debian.org/security/2002/dsa-177
Reference: XF:pam-disabled-bypass-authentication(10405)
Reference: URL:http://www.iss.net/security_center/static/10405.php
Reference: BID:5994
Reference: URL:http://www.securityfocus.com/bid/5994

PAM 0.76 treats a disabled password as if it were an empty (null)
password, which allows local and remote attackers to gain privileges
as disabled users.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1227 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Cox, Cole, Armstrong

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2002-1230
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1230
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021021
Category: SF
Reference: MISC:http://getad.chat.ru/
Reference: MISC:http://www.packetstormsecurity.nl/filedesc/GetAd.c.html
Reference: MS:MS02-071
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-071.asp
Reference: BID:5927
Reference: URL:http://online.securityfocus.com/bid/5927
Reference: XF:win-netdde-gain-privileges(10343)
Reference: URL:http://www.iss.net/security_center/static/10343.php

NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows
2000, and Windows XP allows local users to execute arbitrary code as
LocalSystem via a "shatter" style attack by sending a WM_COPYDATA
message followed by a WM_TIMER message, as demonstrated by GetAd, aka
"Flaw in Windows WM_TIMER Message Handling Could Enable Privilege
Elevation."

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1230 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Wall
   NOOP(2) Cox, Cole

Voter Comments:
 Green> ACKNOWLEDGED IN http://www.microsoft.com/technet/security/bulletin/ms02-071.asp


======================================================
Candidate: CAN-2002-1231
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1231
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021021
Category: SF
Reference: CALDERA:CSSA-2002-SCO.41
Reference: URL:ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.41
Reference: XF:openunix-unixware-rcp-dos(10425)
Reference: URL:http://www.iss.net/security_center/static/10425.php
Reference: BID:6025
Reference: URL:http://www.securityfocus.com/bid/6025

SCO UnixWare 7.1.1 and Open UNIX 8.0.0 allow local users to cause a
denial of service via an rcp call on /proc.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1231 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1232
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021022
Category: SF
Reference: CALDERA:CSSA-2002-054.0
Reference: CONECTIVA:CLA-2002:539
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000539
Reference: DEBIAN:DSA-180
Reference: URL:http://www.debian.org/security/2002/dsa-180
Reference: HP:HPSBTL0210-074
Reference: URL:http://online.securityfocus.com/advisories/4605
Reference: MANDRAKE:MDKSA-2002:078
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-078.php
Reference: REDHAT:RHSA-2002:223
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-223.html
Reference: REDHAT:RHSA-2002:224
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-224.html
Reference: REDHAT:RHSA-2003:229
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-229.html
Reference: BUGTRAQ:20021028 GLSA: ypserv
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103582692228894&w=2
Reference: BID:6016
Reference: URL:http://www.securityfocus.com/bid/6016
Reference: XF:ypserv-map-memory-leak(10423)
Reference: URL:http://www.iss.net/security_center/static/10423.php

Memory leak in ypdb_open in yp_db.c for ypserv before 2.5 in the NIS
package 3.9 and earlier allows remote attackers to cause a denial of
service (memory consumption) via a large number of requests for a map
that does not exist.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:224
  20040818 ADDREF REDHAT:RHSA-2003:229

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: Via email, Thorsten Kukuk (the developer) clarified that
this is a basic memory leak, and not an information leak of old
domain/map names, which was suggested in some vendor advisories.

ACCURACY: an early version of MANDRAKE:MDKSA-2002:078 included a
description that discussed the ypserv issue, but its references were
for other problems.  Mandrake has confirmed that MDKSA-2002:078 is
intended for CAN-2002-1232 only.

INFERRED ACTION: CAN-2002-1232 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref RHSA-2002:224


======================================================
Candidate: CAN-2002-1236
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1236
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021024
Category: SF
Reference: MISC:http://www.idefense.com/advisory/10.31.02a.txt
Reference: BUGTRAQ:20021101 iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103616324103171&w=2
Reference: VULNWATCH:20021101 iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0049.html
Reference: XF:linksys-etherfast-gozila-dos(10514)
Reference: URL:http://www.iss.net/security_center/static/10514.php
Reference: BID:6086
Reference: URL:http://www.securityfocus.com/bid/6086

The remote management web server for Linksys BEFSR41 EtherFast
Cable/DSL Router before firmware 1.42.7 allows remote attackers to
cause a denial of service (crash) via an HTTP request to Gozila.cgi
without any arguments.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1236 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall

Voter Comments:
 Green> RELEASED IN DEC., 2002 IS REPORTED TO CORRECT THE PROBLEM


======================================================
Candidate: CAN-2002-1239
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1239
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: BUGTRAQ:20021108 iDEFENSE Security Advisory 11.08.02b: Non-Explicit Path Vulnerability in QNX Neutrino RTOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103679043232178&w=2
Reference: VULNWATCH:20021108 iDEFENSE Security Advisory 11.08.02b: Non-Explicit Path Vulnerability in QNX Neutrino RTOS
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0066.html
Reference: MISC:http://www.idefense.com/advisory/11.08.02b.txt
Reference: XF:qnx-rtos-gain-privileges(10564)
Reference: URL:http://www.iss.net/security_center/static/10564.php
Reference: BID:6146
Reference: URL:http://www.securityfocus.com/bid/6146

QNX Neutrino RTOS 6.2.0 uses the PATH environment variable to find and
execute the cp program while operating at raised privileges, which
allows local users to gain privileges by modifying the PATH to point
to a malicious cp program.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1239 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall

Voter Comments:
 Green> QNX ACKNOWLEDGED THE ISSUE AND CORRECTED IT IN CURRENT VERSION RELEASED JAN. 2003


======================================================
Candidate: CAN-2002-1242
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1242
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: MISC:http://www.idefense.com/advisory/10.31.02c.txt
Reference: BUGTRAQ:20021101 iDEFENSE Security Advisory 10.31.02c: PHP-Nuke SQL Injection Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103616324103171&w=2
Reference: VULNWATCH:20021101 iDEFENSE Security Advisory 10.31.02c: PHP-Nuke SQL Injection Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0051.html
Reference: XF:phpnuke-accountmanager-sql-injection(10516)
Reference: URL:http://www.iss.net/security_center/static/10516.php
Reference: BID:6088
Reference: URL:http://www.securityfocus.com/bid/6088
Reference: OSVDB:6244
Reference: URL:http://www.osvdb.org/6244

SQL injection vulnerability in PHP-Nuke before 6.0 allows remote
authenticated users to modify the database and gain privileges via the
"bio" argument to modules.php.


Modifications:
  20040818 ADDREF OSVDB:6244

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1242 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Balinsky, Cole, Armstrong
   NOOP(2) Cox, Wall

Voter Comments:
 Balinsky> Vendor acknowledged problem in its fix:
   http://phpnuke.org/modules.php?name=News&file=article&sid=5647


======================================================
Candidate: CAN-2002-1244
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1244
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: BUGTRAQ:20021104 iDEFENSE Security Advisory 11.04.02a: Pablo FTP Server DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103642642802889&w=2
Reference: VULNWATCH:20021104 iDEFENSE Security Advisory 11.04.02a: Pablo FTP Server DoS Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0057.html
Reference: CONFIRM:http://www.pablovandermeer.nl/ftpserver.zip
Reference: BID:6099
Reference: URL:http://www.securityfocus.com/bid/6099
Reference: XF:pablo-ftp-username-dos(10532)
Reference: URL:http://www.iss.net/security_center/static/10532.php
Reference: OSVDB:4996
Reference: URL:http://www.osvdb.org/4996

Format string vulnerability in Pablo FTP Server 1.5, 1.3, and possibly
other versions, allows remote attackers to cause a denial of service
and possibly execute arbitrary code via format strings in the USER
command.


Modifications:
  20040804 [refs] remove dupe XF:pablo-ftp-username-dos(10532)
  20040818 ADDREF OSVDB:4996

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the "whatsnew.txt" file includes an item for version
1.51, dated 11/01/2002, which says "Fixed security vulnerability:
sending %n%n%n (and other c-formating strings) crashed the system
(thanks to www.idefense.com) [the discloser]."

INFERRED ACTION: CAN-2002-1244 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1245
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1245
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: MISC:http://www.idefense.com/advisory/11.06.02.txt
Reference: BUGTRAQ:20021106 iDEFENSE Security Advisory 11.06.02: Non-Explicit Path Vulnerability in LuxMan
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103660334009855&w=2
Reference: VULNWATCH:20021106 iDEFENSE Security Advisory 11.06.02: Non-Explicit Path Vulnerability in LuxMan
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0062.html
Reference: DEBIAN:DSA-189
Reference: URL:http://www.debian.org/security/2002/dsa-189
Reference: XF:luxman-maped-read-memory(10549)
Reference: URL:http://www.iss.net/security_center/static/10549.php
Reference: BID:6113
Reference: URL:http://www.securityfocus.com/bid/6113

Maped in LuxMan 0.41 uses the user-provided search path to find and
execute the gzip program, which allows local users to modify /dev/mem
and gain privileges via a modified PATH environment variable that
points to a Trojan horse gzip program.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1245 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1248
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1248
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: BUGTRAQ:20021104 iDEFENSE Security Advisory 11.04.02b: Denial of Service Vulnerability in Xeneo Web Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103642597302308&w=2
Reference: MISC:http://www.idefense.com/advisory/11.04.02b.txt
Reference: XF:xeneo-php-dos(10534)
Reference: URL:http://www.iss.net/security_center/static/10534.php
Reference: BID:6098
Reference: URL:http://www.securityfocus.com/bid/6098

Northern Solutions Xeneo Web Server 2.1.0.0, 2.0.759.6, and other
versions before 2.1.5 allows remote attackers to cause a denial of
service (crash) via a GET request for a "%" URI.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1248 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1250
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1250
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: MISC:http://www.idefense.com/advisory/11.01.02.txt
Reference: VULNWATCH:20021101 iDEFENSE Security Advisory 11.01.02: Buffer Overflow Vulnerability in Abuse
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0055.html
Reference: XF:abuse-net-command-bo(10519)
Reference: URL:http://www.iss.net/security_center/static/10519.php
Reference: BID:6094
Reference: URL:http://www.securityfocus.com/bid/6094

Buffer overflow in Abuse 2.00 and earlier allows local users to gain
root privileges via a long -net command line argument.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1250 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Balinsky, Wall


======================================================
Candidate: CAN-2002-1251
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1251
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: DEBIAN:DSA-186
Reference: URL:http://www.debian.org/security/2002/dsa-186
Reference: XF:log2mail-log-file-bo(10527)
Reference: URL:http://www.iss.net/security_center/static/10527.php
Reference: BID:6089
Reference: URL:http://www.securityfocus.com/bid/6089

Buffer overflow in log2mail before 0.2.5.1 allows remote attackers to
execute arbitrary code via a long log message.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1251 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1252
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1252
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: ISS:20030120 PeopleSoft XML External Entities Vulnerability
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21811
Reference: BID:6647
Reference: URL:http://www.securityfocus.com/bid/6647
Reference: XF:peoplesoft-xxe-read-files(10520)
Reference: URL:http://www.iss.net/security_center/static/10520.php

The Application Messaging Gateway for PeopleTools 8.1x before 8.19, as
used in various PeopleSoft products, allows remote attackers to read
arbitrary files via certain XML External Entities (XXE) fields in an
HTTP POST request that is processed by the SimpleFileHandler handler.


Modifications:
  20040804 ADDREF BID:6647

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1252 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Baker
   NOOP(4) Green, Cox, Wall, Cole


======================================================
Candidate: CAN-2002-1253
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1253
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021101
Category: SF
Reference: MISC:http://www.idefense.com/advisory/11.01.02.txt
Reference: VULNWATCH:20021101 iDEFENSE Security Advisory 11.01.02: Buffer Overflow Vulnerability in Abuse
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0055.html
Reference: XF:abuse-lisp-gain-privileges(11300)
Reference: URL:http://www.iss.net/security_center/static/11300.php

Abuse 2.00 and earlier allows local users to gain privileges via
command line arguments that specify alternate Lisp scripts that run at
escalated privileges, which can contain functions that execute
commands or modify files.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1253 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Cole, Armstrong
   NOOP(3) Cox, Balinsky, Wall


======================================================
Candidate: CAN-2002-1255
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1255
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: MS:MS02-067
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-067.asp
Reference: XF:outlook-email-header-dos(10763)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10763
Reference: BID:6319
Reference: URL:http://www.securityfocus.com/bid/6319

Microsoft Outlook 2002 allows remote attackers to cause a denial of
service (repeated failure) via an email message with a certain invalid
header field that is accessed using POP3, IMAP, or WebDAV, aka "E-mail
Header Processing Flaw Could Cause Outlook 2002 to Fail."


Modifications:
  20040804 ADDREF XF:outlook-email-header-dos(10763)
  20040804 ADDREF BID:6319

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1255 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1256
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1256
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: MS:MS02-070
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-070.asp
Reference: XF:win-smb-policy-modification(10843)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10843
Reference: BID:6367
Reference: URL:http://www.securityfocus.com/bid/6367
Reference: OVAL:OVAL277
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL277.html

The SMB signing capability in the Server Message Block (SMB) protocol
in Microsoft Windows 2000 and Windows XP allows attackers to disable
the digital signing settings in an SMB session to force the data to be
sent unsigned, then inject data into the session without detection,
e.g. by modifying group policy information sent from a domain
controller.


Modifications:
  20040804 ADDREF XF:win-smb-policy-modification(10843)
  20040804 ADDREF BID:6367
  20040824 ADDREF OVAL:OVAL277

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1256 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:win-smb-policy-modification (10843)
   URL:http://www.iss.net/security_center/static/10843.php
   BID:6367
   URL:http://www.securityfocus.com/bid/6367


======================================================
Candidate: CAN-2002-1257
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1257
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: MS:MS02-069
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-069.asp
Reference: BID:6371
Reference: URL:http://www.securityfocus.com/bid/6371

Microsoft Virtual Machine (VM) up to and including build 5.0.3805
allows remote attackers to execute arbitrary code by including a Java
applet that invokes COM (Component Object Model) objects in a web site
or an HTML mail.


Modifications:
  20040804 ADDREF BID:6371

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1257 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1260
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1260
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: MS:MS02-069
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-069.asp
Reference: XF:msvm-jdbc-gain-access(10833)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10833
Reference: BID:6379
Reference: URL:http://www.securityfocus.com/bid/6379

The Java Database Connectivity (JDBC) APIs in Microsoft Virtual
Machine (VM) 5.0.3805 and earlier allow remote attackers to bypass
security checks and access database contents via an untrusted Java
applet.


Modifications:
  20040804 ADDREF XF:msvm-jdbc-gain-access(10833)
  20040804 ADDREF BID:6379

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1260 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1264
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1264
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: BUGTRAQ:20021104 Oracle iSQL*Plus buffer overflow vulnerability (#NISR04112002)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103643298712284&w=2
Reference: VULNWATCH:20021104 Oracle iSQL*Plus buffer overflow vulnerability (#NISR04112002)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0060.html
Reference: CONFIRM:http://technet.oracle.com/deploy/security/pdf/2002alert46rev1.pdf
Reference: XF:oracle-isqlplus-userid-bo(10524)
Reference: URL:http://www.iss.net/security_center/static/10524.php
Reference: BID:6085
Reference: URL:http://www.securityfocus.com/bid/6085
Reference: OSVDB:4013
Reference: URL:http://www.osvdb.org/4013

Buffer overflow in Oracle iSQL*Plus web application of the Oracle 9
database server allows remote attackers to execute arbitrary code via
a long USERID parameter in the isqlplus URL.


Modifications:
  20040818 ADDREF OSVDB:4013

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1264 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(1) Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2002-1265
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1265
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: CERT-VN:VU#266817
Reference: URL:http://www.kb.cert.org/vuls/id/266817
Reference: HP:HPSBUX01020
Reference: URL:http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2004.0800.1
Reference: SGI:20021103-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021103-01-P
Reference: SUNALERT:51082
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/51082
Reference: CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
Reference: BID:6103
Reference: URL:http://www.securityfocus.com/bid/6103
Reference: XF:sun-rpc-libc-dos(10539)
Reference: URL:http://www.iss.net/security_center/static/10539.php

The Sun RPC functionality in multiple libc implementations does not
provide a time-out mechanism when reading data from TCP connections,
which allows remote attackers to cause a denial of service (hang).


Modifications:
  20040804 ADDREF HP:HPSBUX01020
  20040804 ADDREF SUNALERT:51082
  20040804 ADDREF BID:6103

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1265 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1266
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1266
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
Reference: XF:macos-disk-image-privileges(10818)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10818
Reference: OSVDB:7057
Reference: URL:http://www.osvdb.org/7057

Mac OS X 10.2.2 allows local users to gain privileges by mounting a
disk image file that was created on another system, aka "Local User
Privilege Elevation via Disk Image File."


Modifications:
  20040804 ADDREF XF:macos-disk-image-privileges(10818)
  20040818 ADDREF OSVDB:7057

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1266 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1267
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1267
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
Reference: XF:macos-cups-dos(10824)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10824
Reference: OSVDB:7058
Reference: URL:http://www.osvdb.org/7058

Mac OS X 10.2.2 allows remote attackers to cause a denial of service
by accessing the CUPS Printing Web Administration utility, aka "CUPS
Printing Web Administration is Remotely Accessible."


Modifications:
  20040804 ADDREF XF:macos-cups-dos(10824)
  20040818 ADDREF OSVDB:7058

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1267 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1268
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1268
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
Reference: XF:macos-iso9600-gain-privileges(10828)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10828
Reference: OSVDB:7059
Reference: URL:http://www.osvdb.org/7059

Mac OS X 10.2.2 allows local users to gain privileges via a mounted
ISO 9600 CD, aka "User Privilege Elevation via Mounting an ISO 9600
CD."


Modifications:
  20040804 ADDREF XF:macos-iso9600-gain-privileges(10828)
  20040818 ADDREF OSVDB:7059

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1268 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1270
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1270
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021104
Category: SF
Reference: CONFIRM:http://www.info.apple.com/usen/security/security_updates.html
Reference: XF:macos-mach-read-files(10829)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10829
Reference: OSVDB:7060
Reference: URL:http://www.osvdb.org/7060

Mac OS X 10.2.2 allows local users to read files that only allow write
access via the map_fd() Mach system call.


Modifications:
  20040804 ADDREF XF:macos-mach-read-files(10829)
  20040818 ADDREF OSVDB:7060

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1270 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1271
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1271
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021105
Category: SF
Reference: DEBIAN:DSA-386
Reference: URL:http://www.debian.org/security/2003/dsa-386
Reference: MANDRAKE:MDKSA-2002:076
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-076.php
Reference: SUSE:SuSE-SA:2002:041
Reference: URL:http://www.suse.de/de/security/2002_041_perl_mailtools.html
Reference: BUGTRAQ:20021106 GLSA: MailTools
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103659723101369&w=2
Reference: BUGTRAQ:20021108 [Security Announce] Re: MDKSA-2002:076 - perl-MailTools update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103679569705086&w=2
Reference: XF:mail-mailer-command-execution(10548)
Reference: URL:http://www.iss.net/security_center/static/10548.php
Reference: BID:6104
Reference: URL:http://www.securityfocus.com/bid/6104

The Mail::Mailer Perl module in the perl-MailTools package 1.47 and
earlier uses mailx as the default mailer, which allows remote
attackers to execute arbitrary commands by inserting them into the
mail body, which is then processed by mailx.


Modifications:
  20040804 ADDREF DEBIAN:DSA-386

Analysis
--------
Vendor Acknowledgement: yes advisory

Note: Debian has stated that they are not vulnerable.

INFERRED ACTION: CAN-2002-1271 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> DEBIAN:DSA-386
   URL:http://www.debian.org/security/2003/dsa-386


======================================================
Candidate: CAN-2002-1272
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1272
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021106
Category: SF
Reference: CERT:CA-2002-32
Reference: URL:http://www.cert.org/advisories/CA-2002-32.html
Reference: CERT-VN:VU#181721
Reference: URL:http://www.kb.cert.org/vuls/id/181721
Reference: BID:6220
Reference: URL:http://online.securityfocus.com/bid/6220
Reference: XF:alcatel-omniswitch-backdoor(10664)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10664

Alcatel OmniSwitch 7700/7800 switches running AOS 5.1.1 contain a
back door telnet server that was intended for development but not
removed before distribution, which allows remote attackers to gain
administrative privileges.


Modifications:
  20040804 ADDREF XF:alcatel-omniswitch-backdoor(10664)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1272 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(2) Cox, Wall

Voter Comments:
 Frech> XF:alcatel-omniswitch-backdoor(10664)


======================================================
Candidate: CAN-2002-1277
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1277
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021108
Category: SF
Reference: DEBIAN:DSA-190
Reference: URL:http://www.debian.org/security/2002/dsa-190
Reference: CONECTIVA:CLA-2002:548
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000548
Reference: MANDRAKE:MDKSA-2002:085
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-085.php
Reference: REDHAT:RHSA-2003:009
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-009.html
Reference: REDHAT:RHSA-2003:043
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-043.html
Reference: XF:window-maker-image-bo(10560)
Reference: URL:http://www.iss.net/security_center/static/10560.php
Reference: BID:6119
Reference: URL:http://www.securityfocus.com/bid/6119

Buffer overflow in Window Maker (wmaker) 0.80.0 and earlier may allow
remote attackers to execute arbitrary code via a certain image file
that is not properly handled when Window Maker uses width and height
information to allocate a buffer.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1277 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Cox, Cole, Armstrong
   NOOP(1) Christey

Voter Comments:
 Christey> REDHAT:RHSA-2003:009
   URL:http://www.redhat.com/support/errata/RHSA-2003-009.html


======================================================
Candidate: CAN-2002-1278
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1278
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021108
Category: CF
Reference: CONECTIVA:CLA-2002:544
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000544
Reference: XF:linuxconf-sendmail-mail-relay(10554)
Reference: URL:http://www.iss.net/security_center/static/10554.php
Reference: BID:6118
Reference: URL:http://www.securityfocus.com/bid/6118
Reference: OSVDB:6066
Reference: URL:http://www.osvdb.org/6066

The mailconf module in Linuxconf 1.24, and other versions before 1.28,
on Conectiva Linux 6.0 through 8, and possibly other distributions,
generates the Sendmail configuration file (sendmail.cf) in a way that
configures Sendmail to run as an open mail relay, which allows remote
attackers to send Spam email.


Modifications:
  20040804 [desc] add "and possibly other distros" and 1.28
  20040818 ADDREF OSVDB:6066

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1278 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> This is an issue that does not just affect Conectiva Linux, so perhaps
   remove or add "and possibly other distributions".  This is fixed
   in Linuxconf 1.28


======================================================
Candidate: CAN-2002-1284
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1284
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021112
Category: SF
Reference: CONFIRM:http://devel-home.kde.org/~kgpg/bug.html
Reference: BUGTRAQ:20021110 GLSA: kgpg
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103702926611286&w=2
Reference: XF:kgpg-wizard-empty-password(10629)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10629
Reference: BID:6152
Reference: URL:http://www.securityfocus.com/bid/6152

The wizard in KGPG 0.6 through 0.8.2 does not properly provide the
passphrase to gpg when creating new keys, which causes secret keys to
be created with an empty passphrase and allows local attackers to
steal the keys if they can be read.


Modifications:
  20040804 ADDREF XF:kgpg-wizard-empty-password(10629)
  20040804 ADDREF BID:6152

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1284 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1296
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1296
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021113
Category: SF
Reference: BUGTRAQ:20021127 Solaris priocntl exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103842619803173&w=2
Reference: CERT-VN:VU#683673
Reference: URL:http://www.kb.cert.org/vuls/id/683673
Reference: CONFIRM:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49131
Reference: BID:6262
Reference: URL:http://online.securityfocus.com/bid/6262
Reference: XF:solaris-priocntl-pcclname-modules(10717)
Reference: URL:http://www.iss.net/security_center/static/10717.php

Directory traversal vulnerability in priocntl system call in Solaris
allows local users to execute arbitrary code via ".." sequences
in the pc_clname field of a pcinfo_t structure, which cause priocntl
to load a malicious kernel module.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1296 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1307
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1307
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021115
Category: SF
Reference: DEBIAN:DSA-199
Reference: URL:http://www.debian.org/security/2002/dsa-199
Reference: CONFIRM:http://www.mhonarc.org/archive/cgi-bin/mesg.cgi?a=mhonarc-users&i=200210211713.g9LHDXE02256@mcguire.earlhood.com
Reference: BID:6204
Reference: URL:http://online.securityfocus.com/bid/6204
Reference: XF:mhonarc-mime-header-xss(10666)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10666
Reference: OSVDB:7353
Reference: URL:http://www.osvdb.org/7353

Cross-site scripting vulnerability (XSS) in MHonArc 2.5.12 and earlier
allows remote attackers to insert script or HTML via an email message
with the script in a MIME header name.


Modifications:
  20040804 ADDREF XF:mhonarc-mime-header-xss(10666)
  20040818 ADDREF OSVDB:7353

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: an email posted by the author to the mhonarc-users
mailing list on October 21, 2002 indicates acknowledgement.

INFERRED ACTION: CAN-2002-1307 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1308
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1308
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021115
Category: SF
Reference: BUGTRAQ:20021114 Netscape/Mozilla: Exploitable heap corruption via jar: URI handler.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103730181813075&w=2
Reference: MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=157646
Reference: REDHAT:RHSA-2003:162
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-162.html
Reference: REDHAT:RHSA-2003:163
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-163.html
Reference: XF:mozilla-netscape-jar-bo(10636)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10636
Reference: BID:6185
Reference: URL:http://www.securityfocus.com/bid/6185

Heap-based buffer overflow in Netscape and Mozilla allows remote
attackers to execute arbitrary code via a jar: URL that references a
malformed .jar file, which overflows a buffer during decompression.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2003:162
  20040804 ADDREF REDHAT:RHSA-2003:163
  20040804 ADDREF XF:mozilla-netscape-jar-bo(10636)
  20040804 ADDREF BID:6185

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1308 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Baker, Cox
   NOOP(3) Christey, Wall, Cole
   REVIEWING(1) Green

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Christey> REDHAT:RHSA-2003:162
   URL:http://www.redhat.com/support/errata/RHSA-2003-162.html
 Christey> REDHAT:RHSA-2003:163
   URL:http://www.redhat.com/support/errata/RHSA-2003-163.html


======================================================
Candidate: CAN-2002-1311
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1311
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021116
Category: SF
Reference: DEBIAN:DSA-197
Reference: URL:http://www.debian.org/security/2002/dsa-197
Reference: BUGTRAQ:20021119 GLSA: courier
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103794021013436&w=2
Reference: XF:courier-mta-insecure-permissions(10643)
Reference: URL:http://www.iss.net/security_center/static/10643.php
Reference: BID:6189
Reference: URL:http://www.securityfocus.com/bid/6189

Courier sqwebmail before 0.40.0 does not quickly drop privileges after
startup in certain cases, which could allow local users to read
arbitrary files.


Modifications:
  20040804 ADDREF BUGTRAQ:20021119 GLSA: courier
  20040804 ADDREF XF:courier-mta-insecure-permissions(10643)
  20040804 ADDREF BID:6189

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1311 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BUGTRAQ:20021119 GLSA: courier
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103794021013436&w=2
   XF:courier-mta-insecure-permissions(10643)
   URL:http://www.iss.net/security_center/static/10643.php
   BID:6189
   URL:http://www.securityfocus.com/bid/6189


======================================================
Candidate: CAN-2002-1313
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1313
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021118
Category: SF
Reference: DEBIAN:DSA-198
Reference: URL:http://www.debian.org/security/2002/dsa-198
Reference: BID:6193
Reference: URL:http://www.securityfocus.com/bid/6193
Reference: XF:nullmailer-nonexistent-user-dos(10649)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10649

nullmailer 1.00RC5 and earlier allows local users to cause a denial of
service via an email to a local user that does not exist, which
generates an error that causes nullmailer to stop sending mail to all
users.


Modifications:
  20040804 ADDREF XF:nullmailer-nonexistent-user-dos(10649)
  20040804 ADDREF BID:6193

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1313 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1317
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1317
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20021125
Category: SF
Reference: ISS:20021125 Solaris fs.auto Remote Compromise Vulnerability
Reference: URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
Reference: BUGTRAQ:20021125 ISS Security Brief: Solaris fs.auto Remote Compromise Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103825150527843&w=2
Reference: CONFIRM:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/48879
Reference: SGI:20021202-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021202-01-I
Reference: HP:HPSBUX0212-228
Reference: URL:http://www.securityfocus.com/advisories/4988
Reference: CERT:CA-2002-34
Reference: URL:http://www.cert.org/advisories/CA-2002-34.html
Reference: CERT-VN:VU#312313
Reference: URL:http://www.kb.cert.org/vuls/id/312313
Reference: CIAC:N-024
Reference: URL:http://www.ciac.org/ciac/bulletins/n-024.shtml
Reference: XF:solaris-fsauto-execute-code(10375)
Reference: URL:http://www.iss.net/security_center/static/10375.php
Reference: BID:6241
Reference: URL:http://www.securityfocus.com/bid/6241
Reference: OVAL:OVAL149
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL149.html
Reference: OVAL:OVAL152
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL152.html

Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on
Solaris 2.5.1 through 9 allows remote attackers to cause a denial of
service (crash) or execute arbitrary code via a certain XFS query.


Modifications:
  20040804 ADDREF BID:6241
  20040804 ADDREF CERT-VN:VU#312313
  20040804 ADDREF CIAC:N-024
  20040804 ADDREF HP:HPSBUX0212-228
  20040824 ADDREF OVAL:OVAL149
  20040824 ADDREF OVAL:OVAL152

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1317 ACCEPT (3 accept, 7 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Frech, Wall, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:6241
   URL:http://www.securityfocus.com/bid/6241
   CERT-VN:VU#312313
   URL:http://www.kb.cert.org/vuls/id/312313
   CIAC:N-024
   URL:http://www.ciac.org/ciac/bulletins/n-024.shtml
   HP:HPSBUX0212-228
   URL:http://www.securityfocus.com/advisories/4988


======================================================
Candidate: CAN-2002-1318
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021125
Category: SF
Reference: CONFIRM:http://us1.samba.org/samba/whatsnew/samba-2.2.7.html
Reference: CONECTIVA:CLA-2002:550
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000550
Reference: DEBIAN:DSA-200
Reference: URL:http://www.debian.org/security/2002/dsa-200
Reference: HP:HPSBUX0212-230
Reference: URL:http://www.ciac.org/ciac/bulletins/n-023.shtml
Reference: MANDRAKE:MDKSA-2002:081
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-081.php
Reference: REDHAT:RHSA-2002:266
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-266.html
Reference: SGI:20021204-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20021204-01-I
Reference: SUNALERT:53580
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/53580
Reference: SUSE:SuSE-SA:2002:045
Reference: URL:http://www.suse.de/de/security/2002_045_samba.html
Reference: TURBO:TSLSA-2002-0080
Reference: BUGTRAQ:20021121 GLSA: samba
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103801986818076&w=2
Reference: BUGTRAQ:20021129 [OpenPKG-SA-2002.012] OpenPKG Security Advisory (samba)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103859045302448&w=2
Reference: CERT-VN:VU#958321
Reference: URL:http://www.kb.cert.org/vuls/id/958321
Reference: XF:samba-password-change-bo(10683)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10683
Reference: BID:6210
Reference: URL:http://www.securityfocus.com/bid/6210

Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers
to cause a denial of service and possibly execute arbitrary code via
an encrypted password that causes the overflow during decryption in
which a DOS codepage string is converted to a little-endian UCS2
unicode string.


Modifications:
  20040804 ADDREF XF:samba-password-change-bo(10683)
  20040804 ADDREF BID:6210
  20040804 ADDREF SUNALERT:53580
  20040804 ADDREF CERT-VN:VU#958321
  20040804 ADDREF HP:HPSBUX0212-230

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1318 ACCEPT (4 accept, 7 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Cox, Cole, Armstrong


======================================================
Candidate: CAN-2002-1319
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1319
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021125
Category: SF
Reference: BUGTRAQ:20021111 i386 Linux kernel DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103714004623587&w=2
Reference: BUGTRAQ:20021114 Re: i386 Linux kernel DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103737292709297&w=2
Reference: CONECTIVA:CLA-2002:553
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000553
Reference: REDHAT:RHSA-2002:262
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-262.html
Reference: REDHAT:RHSA-2002:263
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-263.html
Reference: REDHAT:RHSA-2002:264
Reference: URL:http://rhn.redhat.com/errata/RHSA-2002-264.html

The Linux kernel 2.4.20 and earlier, and 2.5.x, when running on x86
systems, allows local users to cause a denial of service (hang) via
the emulation mode, which does not properly clear TF and NT EFLAGs.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:263

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1319 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref :RHSA-2002:263


======================================================
Candidate: CAN-2002-1320
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1320
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021125
Category: SF
Reference: BUGTRAQ:20021107 Remote pine Denial of Service
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2
Reference: CONECTIVA:CLA-2002:551
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000551
Reference: ENGARDE:ESA-20021127-032
Reference: URL:http://www.linuxsecurity.com/advisories/engarde_advisory-2614.html
Reference: MANDRAKE:MDKSA-2002:084
Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-084.php
Reference: REDHAT:RHSA-2002:270
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-270.html
Reference: REDHAT:RHSA-2002:271
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-271.html
Reference: SUSE:SuSE-SA:2002:046
Reference: URL:http://www.suse.de/de/security/2002_046_pine.html
Reference: BUGTRAQ:20021202 GLSA: pine
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103884988306241&w=2
Reference: XF:pine-from-header-dos(10555)
Reference: URL:http://www.iss.net/security_center/static/10555.php
Reference: BID:6120
Reference: URL:http://www.securityfocus.com/bid/6120

Pine 4.44 and earlier allows remote attackers to cause a denial of
service (core dump and failed restart) via an email message with a
From header that contains a large number of quotation marks (").


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:271

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1320 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2002:271


======================================================
Candidate: CAN-2002-1323
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021126
Category: SF
Reference: CONFIRM:http://bugs6.perl.org/rt2/Ticket/Display.html?id=17744
Reference: CONFIRM:http://use.perl.org/articles/02/10/06/1118222.shtml?tid=5
Reference: DEBIAN:DSA-208
Reference: URL:http://www.debian.org/security/2002/dsa-208
Reference: BUGTRAQ:20021216 [OpenPKG-SA-2002.014] OpenPKG Security Advisory (perl)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104005919814869&w=2
Reference: BUGTRAQ:20021219 TSLSA-2002-0087 - perl
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104033126305252&w=2
Reference: BUGTRAQ:20021220 GLSA: perl
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104040175522502&w=2
Reference: VULNWATCH:20021105 Perl Safe.pm compartment reuse vuln
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0061.html
Reference: REDHAT:RHSA-2003:256
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-256.html
Reference: REDHAT:RHSA-2003:257
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-257.html
Reference: SGI:20030606-01-A
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20030606-01-A
Reference: CALDERA:CSSA-2004-007.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2004-007.0.txt
Reference: SCO:SCOSA-2004.1
Reference: URL:ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.1/SCOSA-2004.1.txt
Reference: BID:6111
Reference: URL:http://www.securityfocus.com/bid/6111
Reference: XF:safe-pm-bypass-restrictions(10574)
Reference: URL:http://www.iss.net/security_center/static/10574.php
Reference: OSVDB:2183
Reference: URL:http://www.osvdb.org/2183
Reference: OSVDB:3814
Reference: URL:http://www.osvdb.org/3814

Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may
allow attackers to break out of safe compartments in (1) Safe::reval
or (2) Safe::rdo using a redefined @_ variable, which is not reset
between successive calls.


Modifications:
  20040804 ADDREF SGI:20030606-01-A
  20040804 ADDREF REDHAT:RHSA-2003:256
  20040804 ADDREF CALDERA:CSSA-2004-007.0
  20040804 ADDREF SCO:SCOSA-2004.1
  20040818 ADDREF REDHAT:RHSA-2003:257
  20040818 ADDREF OSVDB:2183
  20040818 ADDREF OSVDB:3814

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1323 ACCEPT (4 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Cox, Cole, Armstrong
   NOOP(1) Christey

Voter Comments:
 Green> ACKNOWLEDGED BY PERL.ORG
 Christey> SGI:20030606-01-A
   URL:ftp://patches.sgi.com/support/free/security/advisories/20030606-01-A
 Christey> REDHAT:RHSA-2003:256
 Christey> CALDERA:CSSA-2004-007.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2004-007.0.txt
 Christey> SCO:SCOSA-2004.1
   URL:ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.1/SCOSA-2004.1.txt


======================================================
Candidate: CAN-2002-1325
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1325
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20021126
Category: SF
Reference: MS:MS02-069
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-069.asp
Reference: BID:6380
Reference: URL:http://online.securityfocus.com/bid/6380

Microsoft Virtual Machine (VM) build 5.0.3805 and earlier allows
remote attackers to determine a local user's username via a Java
applet that accesses the user.dir system property, aka "User.dir
Exposure Vulnerability."

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1325 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Wall
   NOOP(2) Cox, Cole


======================================================
Candidate: CAN-2002-1327
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1327
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021126
Category: SF
Reference: BUGTRAQ:20021219 Foundstone Research Labs Advisory - Exploitable Windows XP Media Files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104025849109384&w=2
Reference: MS:MS02-072
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-072.asp
Reference: CERT:CA-2002-37
Reference: URL:http://www.cert.org/advisories/CA-2002-37.html
Reference: CERT-VN:VU#591890
Reference: URL:http://www.kb.cert.org/vuls/id/591890
Reference: XF:winxp-windows-shell-bo(10892)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10892
Reference: BID:6427
Reference: URL:http://www.securityfocus.com/bid/6427

Buffer overflow in the Windows Shell function in Microsoft Windows XP
allows remote attackers to execute arbitrary code via an .MP3 or .WMA
audio file with a corrupt custom attribute, aka "Unchecked Buffer in
Windows Shell Could Enable System Compromise."


Modifications:
  20040804 ADDREF XF:winxp-windows-shell-bo(10892)
  20040804 ADDREF BID:6427

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1327 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Baker, Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:winxp-windows-shell-bo(10892)


======================================================
Candidate: CAN-2002-1336
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1336
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021202
Category: SF
Reference: BUGTRAQ:20020724 VNC authentication weakness
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102753170201524&w=2
Reference: BUGTRAQ:20020726 RE: VNC authentication weakness
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102769183913594&w=2
Reference: CONFIRM:http://www.tightvnc.com/WhatsNew.txt
Reference: CONECTIVA:CLA-2003:640
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000640
Reference: MANDRAKE:MDKSA-2003:022
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:022
Reference: REDHAT:RHSA-2002:287
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-287.html
Reference: REDHAT:RHSA-2003:041
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-041.html
Reference: BID:5296
Reference: URL:http://online.securityfocus.com/bid/5296
Reference: XF:vnc-weak-authentication(5992)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5992

TightVNC before 1.2.6 generates the same challenge string for multiple
connections, which allows remote attackers to bypass VNC
authentication by sniffing the challenge and response of other users.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2002:287
  20040804 ADDREF REDHAT:RHSA-2003:041
  20040804 ADDREF CONECTIVA:CLA-2003:640
  20040804 ADDREF XF:vnc-weak-authentication(5992)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: The changelog for 1.2.6 says that it "Fixed a
repeated challenge replay attack vulnerability, bugtraq id 5296."

INFERRED ACTION: CAN-2002-1336 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: RHSA-2002:287
   Addref: RHSA-2003:041
 Christey> CONECTIVA:CLA-2003:640


======================================================
Candidate: CAN-2002-1337
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021203
Category: SF
Reference: ISS:20030303 Remote Sendmail Header Processing Vulnerability
Reference: URL:http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
Reference: CONFIRM:http://www.sendmail.org/8.12.8.html
Reference: BUGTRAQ:20030303 sendmail 8.12.8 available
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104673778105192&w=2
Reference: BUGTRAQ:20030304 [LSD] Technical analysis of the remote sendmail vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104678739608479&w=2
Reference: CERT:CA-2003-07
Reference: URL:http://www.cert.org/advisories/CA-2003-07.html
Reference: FREEBSD:FreeBSD-SA-03:04
Reference: REDHAT:RHSA-2003:073
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-073.html
Reference: REDHAT:RHSA-2003:074
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-074.html
Reference: REDHAT:RHSA-2003:227
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-227.html
Reference: SGI:20030301-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P
Reference: AIXAPAR:IY40500
Reference: AIXAPAR:IY40501
Reference: AIXAPAR:IY40502
Reference: SUSE:SuSE-SA:2003:013
Reference: MANDRAKE:MDKSA-2003:028
Reference: NETBSD:NetBSD-SA2003-002
Reference: CONECTIVA:CLA-2003:571
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000571
Reference: DEBIAN:DSA-257
Reference: URL:http://www.debian.org/security/2003/dsa-257
Reference: HP:HPSBUX0302-246
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104679411316818&w=2
Reference: CALDERA:CSSA-2003-SCO.6
Reference: URL:ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.6
Reference: CALDERA:CSSA-2003-SCO.5
Reference: URL:ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.5
Reference: BUGTRAQ:20030304 GLSA:  sendmail (200303-4)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104678862409849&w=2
Reference: BUGTRAQ:20030303 Fwd: APPLE-SA-2003-03-03 sendmail
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104678862109841&w=2
Reference: CERT-VN:VU#398025
Reference: URL:http://www.kb.cert.org/vuls/id/398025
Reference: BID:6991
Reference: URL:http://www.securityfocus.com/bid/6991
Reference: XF:sendmail-header-processing-bo(10748)
Reference: URL:http://www.iss.net/security_center/static/10748.php

Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to
execute arbitrary code via certain formatted address fields, related
to sender and recipient header comments as processed by the crackaddr
function of headers.c.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2003:074
  20040804 ADDREF BID:6991
  20040818 ADDREF REDHAT:RHSA-2003:227

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1337 ACCEPT (5 accept, 13 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Bollinger, Frech, Wall, Cole
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2003:074


======================================================
Candidate: CAN-2002-1348
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1348
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021210
Category: SF
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=126233
Reference: DEBIAN:DSA-249
Reference: URL:http://www.debian.org/security/2003/dsa-249
Reference: DEBIAN:DSA-250
Reference: URL:http://www.debian.org/security/2003/dsa-250
Reference: DEBIAN:DSA-251
Reference: URL:http://www.debian.org/security/2003/dsa-251
Reference: REDHAT:RHSA-2003:044
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-044.html
Reference: REDHAT:RHSA-2003:045
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-045.html
Reference: BUGTRAQ:20030217 GLSA:  w3m
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104552193927323&w=2
Reference: BID:6794
Reference: URL:http://www.securityfocus.com/bid/6794
Reference: XF:w3m-img-alt-xss(11266)
Reference: URL:http://www.iss.net/security_center/static/11266.php

w3m before 0.3.2.2 does not properly escape HTML tags in the ALT
attribute of an IMG tag, which could allow remote attackers to access
files or cookies.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2003:045
  20040804 ADDREF BID:6794
  20040804 ADDREF DEBIAN:DSA-250
  20040804 ADDREF DEBIAN:DSA-251
  20040818 ADDREF DEBIAN:DSA-249

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The changelog for 0.3.2.2 describes "another security
vulnerability in w3m 0.3.2.x that w3m will miss to escape html tag in
img alt attribute, so malicious frame html may deceive you to access
your local files, cookies and so on."
NOTE: CAN-2002-1404 was also assigned to this issue.  However, it is
being rejected in favor of CAN-2002-1348.

INFERRED ACTION: CAN-2002-1348 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2003:045


======================================================
Candidate: CAN-2002-1349
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1349
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021210
Category: SF
Reference: BUGTRAQ:20021210 Unchecked buffer in PC-cillin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103953822705917&w=2
Reference: MISC:http://www.texonet.com/advisories/TEXONET-20021210.txt
Reference: CONFIRM:http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982
Reference: CERT-VN:VU#157961
Reference: URL:http://www.kb.cert.org/vuls/id/157961
Reference: BID:6350
Reference: URL:http://www.securityfocus.com/bid/6350
Reference: XF:pccillin-pop3trap-bo(10814)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10814

Buffer overflow in pop3trap.exe for PC-cillin 2000, 2002, and 2003
allows local users to execute arbitrary code via a long input string
to TCP port 110 (POP3).


Modifications:
  20040804 ADDREF XF:pccillin-pop3trap-bo(10814)
  20040804 ADDREF CERT-VN:VU#157961
  20040804 ADDREF BID:6350

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1349 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1350
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1350
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021213
Category: SF
Reference: DEBIAN:DSA-206
Reference: URL:http://www.debian.org/security/2002/dsa-206
Reference: MANDRAKE:MDKSA-2003:027
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:027
Reference: REDHAT:RHSA-2003:032
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-032.html
Reference: REDHAT:RHSA-2003:033
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-033.html
Reference: REDHAT:RHSA-2003:214
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-214.html
Reference: BUGTRAQ:20021219 TSLSA-2002-0084 - tcpdump
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104032975103398&w=2
Reference: MLIST:[tcpdump-workers] 20011015 Bug in print-bgp.c?
Reference: URL:http://www.tcpdump.org/lists/workers/2001/10/msg00101.html
Reference: BID:6213
Reference: URL:http://www.securityfocus.com/bid/6213
Reference: XF:tcpdump-sizeof-memory-corruption(10695)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10695

The BGP decoding routines in tcpdump 3.6.x before 3.7 do not properly
copy data, which allows remote attackers to cause a denial of service
(application crash).


Modifications:
  20040804 [desc] fix affected versions
  20040804 ADDREF REDHAT:RHSA-2003:032
  20040804 ADDREF REDHAT:RHSA-2003:033
  20040804 ADDREF MANDRAKE:MDKSA-2003:027
  20040804 ADDREF MLIST:[tcpdump-workers] 20011015 Bug in print-bgp.c?
  20040804 ADDREF XF:tcpdump-sizeof-memory-corruption(10695)
  20040804 ADDREF BID:6213
  20040818 ADDREF REDHAT:RHSA-2003:214

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1350 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Note that the -2.2 implies a Debian package version where they have
   backported a security fix to their 3.6.2-2.2 packages.  Upstream
   tcpdump 3.6.* was vulnerable to this issue, it was fixed in 3.7
   Addref: RHSA-2003:033
 Christey> REDHAT:RHSA-2003:032
   URL:http://www.redhat.com/support/errata/RHSA-2003-032.html
 Christey> MANDRAKE:MDKSA-2003:027
   (as suggested by Vincent Danen of Mandrake)
 Cox> ADDREF: http://www.tcpdump.org/lists/workers/2001/10/msg00101.html
   This issue is a safety check that is triggered because of a bug;
   therefore this is solely a Denial of Service vulnerability and
   would not be able to result in arbitrary code execution.


======================================================
Candidate: CAN-2002-1361
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1361
Final-Decision:
Interim-Decision: 20040825
Modified: 20040804
Proposed: 20030317
Assigned: 20021214
Category: SF
Reference: BUGTRAQ:20021205 Cobalt RaQ4 Remote root exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103912513522807&w=2
Reference: SUNALERT:49377
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/49377
Reference: CERT:CA-2002-35
Reference: URL:http://www.cert.org/advisories/CA-2002-35.html
Reference: CERT-VN:VU#810921
Reference: URL:http://www.kb.cert.org/vuls/id/810921
Reference: CIAC:N-025
Reference: URL:http://www.ciac.org/ciac/bulletins/n-025.shtml
Reference: BID:6326
Reference: URL:http://www.securityfocus.com/bid/6326
Reference: XF:cobalt-shp-overflow-privileges(10776)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10776

overflow.cgi CGI script in Sun Cobalt RaQ 4 with the SHP (Security
Hardening Patch) installed allows remote attackers to execute
arbitrary code via a POST request with shell metacharacters in the
email parameter.


Modifications:
  20040804 ADDREF XF:cobalt-shp-overflow-privileges(10776)
  20040804 ADDREF BID:6326
  20040804 ADDREF CIAC:N-025
  20040804 [refs] normalize SUNALERT

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1361 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(2) Cox, Wall

Voter Comments:
 Frech> XF:cobalt-shp-overflow-privileges(10776)


======================================================
Candidate: CAN-2002-1362
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1362
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021214
Category: SF
Reference: DEBIAN:DSA-211
Reference: URL:http://www.debian.org/security/2002/dsa-211
Reference: REDHAT:RHSA-2003:118
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-118.html
Reference: XF:micq-0xfe-dos(10872)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10872
Reference: BID:6392
Reference: URL:http://www.securityfocus.com/bid/6392

mICQ 0.4.9 and earlier allows remote attackers to cause a denial of
service (crash) via malformed ICQ message types without a 0xFE
separator character.


Modifications:
  20040804 ADDREF REDHAT:RHSA-2003:118
  20040804 ADDREF XF:micq-0xfe-dos(10872)
  20040804 ADDREF BID:6392

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1362 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cox, Cole
   NOOP(1) Christey

Voter Comments:
 Christey> REDHAT:RHSA-2003:118


======================================================
Candidate: CAN-2002-1363
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021214
Category: SF
Reference: DEBIAN:DSA-213
Reference: URL:http://www.debian.org/security/2002/dsa-213
Reference: MANDRAKE:MDKSA-2004:063
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:063
Reference: REDHAT:RHSA-2003:006
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-006.html
Reference: REDHAT:RHSA-2003:007
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-007.html
Reference: REDHAT:RHSA-2003:119
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-119.html
Reference: REDHAT:RHSA-2003:157
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-157.html
Reference: REDHAT:RHSA-2004:249
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-249.html
Reference: REDHAT:RHSA-2004:402
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-402.html
Reference: SUSE:SUSE-SA:2003:0004
Reference: URL:http://www.suse.com/de/security/2003_004_libpng.html
Reference: XF:libpng-file-offset-bo(10925)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10925
Reference: BID:6431
Reference: URL:http://www.securityfocus.com/bid/6431

Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does
not correctly calculate offsets, which allows remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via a buffer overflow attack on the row buffers.


Modifications:
  20040810 desc - modify affected versions
  20040810 ADDREF GENTOO:GLSA-200407-06
  20040810 ADDREF MANDRAKE:MDKSA-2004:063
  20040810 ADDREF REDHAT:RHSA-2003:007
  20040810 ADDREF REDHAT:RHSA-2003:119
  20040810 ADDREF REDHAT:RHSA-2004:249
  20040810 ADDREF XF:libpng-file-offset-bo(10925)
  20040810 ADDREF BID:6431
  20040818 ADDREF REDHAT:RHSA-2003:157
  20040818 ADDREF REDHAT:RHSA-2004:402

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1363 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2003:007
 Cox> ADDREF REDHAT:RHSA-2003:119
 Cox> There is only one upstream version of libpng, and so the description
   should be

   "Portable Network Graphics (PNG) libraries libpng 1.2.5 and earlier does
   not correctly calculate offsets"
 Christey> REDHAT:RHSA-2004:249
   URL:http://www.redhat.com/support/errata/RHSA-2004-249.html
 Christey> MANDRAKE:MDKSA-2004:063
   URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:063
 Christey> GENTOO:GLSA-200407-06
   URL:http://www.gentoo.org/security/en/glsa/glsa-200407-06.xml
 Christey> Consider REDHAT:RHSA-2004:402, although that advisory may in
   fact be addressing a variant.
 Christey> APPLE:APPLE-SA-2004-09-09
   URL:http://lists.apple.com/mhonarc/security-announce/msg00056.html


======================================================
Candidate: CAN-2002-1364
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1364
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: DEBIAN:DSA-254
Reference: URL:http://www.debian.org/security/2003/dsa-254
Reference: SUSE:SuSE-SA:2002:043
Reference: URL:http://www.suse.de/de/security/2002_043_traceroute_nanog_nkitb.html
Reference: BUGTRAQ:20021129 Exploit for traceroute-nanog overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103858895600963&w=2
Reference: BID:6166
Reference: URL:http://www.securityfocus.com/bid/6166
Reference: XF:traceroute-nanog-getorigin-bo(10778)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10778

Buffer overflow in the get_origin function in traceroute-nanog allows
attackers to execute arbitrary code via long WHOIS responses.


Modifications:
  20040810 ADDREF XF:traceroute-nanog-getorigin-bo(10778)
  20040818 ADDREF DEBIAN:DSA-254

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1364 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1365
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1365
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021213 Advisory 05/2002: Another Fetchmail Remote Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103979751818638&w=2
Reference: MISC:http://security.e-matters.de/advisories/052002.html
Reference: BUGTRAQ:20021215 GLSA: fetchmail
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104004858802000&w=2
Reference: CALDERA:CSSA-2003-001.0
Reference: CONECTIVA:CLA-2002:554
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000554
Reference: DEBIAN:DSA-216
Reference: URL:http://www.debian.org/security/2002/dsa-216
Reference: ENGARDE:ESA-20030127-002
Reference: IMMUNIX:IMNX-2003-7+-023-01
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=106674887826149&w=2
Reference: MANDRAKE:MDKSA-2003:011
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:011
Reference: REDHAT:RHSA-2002:293
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-293.html
Reference: REDHAT:RHSA-2002:294
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-294.html
Reference: REDHAT:RHSA-2003:155
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-155.html
Reference: SUSE:SuSE-SA:2003:001

Heap-based buffer overflow in Fetchmail 6.1.3 and earlier does not
account for the "@" character when determining buffer lengths for
local addresses, which allows remote attackers to execute arbitrary
code via a header with a large number of local addresses.


Modifications:
  20040810 ADDREF REDHAT:RHSA-2002:294
  20040810 ADDREF IMMUNIX:IMNX-2003-7+-023-01
  20040818 ADDREF REDHAT:RHSA-2003:155
  20040818 ADDREF DEBIAN:DSA-216

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1365 ACCEPT (3 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2002:294
 Christey> BUGTRAQ:20031020 Immunix Secured OS 7+ fetchmail update
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=106674887826149&w=2


======================================================
Candidate: CAN-2002-1366
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1366
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104032149026670&w=2
Reference: VULNWATCH:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0117.html
Reference: MISC:http://www.idefense.com/advisory/12.19.02.txt
Reference: DEBIAN:DSA-232
Reference: URL:http://www.debian.org/security/2003/dsa-232
Reference: MANDRAKE:MDKSA-2003:001
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:001
Reference: REDHAT:RHSA-2002:295
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-295.html
Reference: SUSE:SuSE-SA:2003:002
Reference: URL:http://www.suse.com/de/security/2003_002_cups.html
Reference: XF:cups-certs-race-condition(10907)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10907
Reference: BID:6435
Reference: URL:http://www.securityfocus.com/bid/6435

Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows local
users with lp privileges to create or overwrite arbitrary files via
file race conditions, as demonstrated by ice-cream.


Modifications:
  20040810 ADDREF DEBIAN:DSA-232
  20040810 ADDREF MANDRAKE:MDKSA-2003:001
  20040810 ADDREF SUSE:SuSE-SA:2003:002
  20040810 ADDREF XF:cups-certs-race-condition(10907)
  20040810 ADDREF BID:6435

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1366 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cox, Cole
   NOOP(1) Christey

Voter Comments:
 Cox> Is it usual to name some arbitrary exploit in CVE descriptions?
 Christey> MANDRAKE:MDKSA-2003:001
 Christey> CVE rarely mentions exploits or other malware by name, except
   where a vulnerability is often referred to by that exploit
   name, or if there is some evidence that it would be used in a keyword
   search.  This makes it easier for people to be certain that they have
   found the correct CVE identifier for a particular issue.  In this
   case, there was a large number of CUPS vulnerabilities reported all at
   once, so the "ice-cream" keyword would be useful to clarify which bug
   is being discussed.


======================================================
Candidate: CAN-2002-1367
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1367
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104032149026670&w=2
Reference: VULNWATCH:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0117.html
Reference: MISC:http://www.idefense.com/advisory/12.19.02.txt
Reference: CONECTIVA:CLSA-2003:702
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000702
Reference: DEBIAN:DSA-232
Reference: URL:http://www.debian.org/security/2003/dsa-232
Reference: MANDRAKE:MDKSA-2003:001
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:001
Reference: REDHAT:RHSA-2002:295
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-295.html
Reference: SUSE:SuSE-SA:2003:002
Reference: URL:http://www.suse.com/de/security/2003_002_cups.html
Reference: XF:cups-udp-add-printers(10908)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10908
Reference: BID:6436
Reference: URL:http://www.securityfocus.com/bid/6436

Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote
attackers to add printers without authentication via a certain UDP
packet, which can then be used to perform unauthorized activities such
as stealing the local root certificate for the administration server
via a "need authorization" page, as demonstrated by new-coke.


Modifications:
  20040810 ADDREF CONECTIVA:CLSA-2003:702
  20040810 ADDREF DEBIAN:DSA-232
  20040810 ADDREF MANDRAKE:MDKSA-2003:001
  20040810 ADDREF SUSE:SuSE-SA:2003:002
  20040810 ADDREF XF:cups-udp-add-printers(10908)
  20040810 ADDREF BID:6436

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1367 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cox, Cole
   NOOP(1) Christey

Voter Comments:
 Cox> Is it usual to name some arbitrary exploit in CVE descriptions?
 Christey> MANDRAKE:MDKSA-2003:001


======================================================
Candidate: CAN-2002-1369
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1369
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104032149026670&w=2
Reference: VULNWATCH:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0117.html
Reference: MISC:http://www.idefense.com/advisory/12.19.02.txt
Reference: CONECTIVA:CLSA-2003:702
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000702
Reference: DEBIAN:DSA-232
Reference: URL:http://www.debian.org/security/2003/dsa-232
Reference: MANDRAKE:MDKSA-2003:001
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:001
Reference: REDHAT:RHSA-2002:295
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-295.html
Reference: SUSE:SuSE-SA:2003:002
Reference: URL:http://www.suse.com/de/security/2003_002_cups.html
Reference: BID:6438
Reference: URL:http://www.securityfocus.com/bid/6438
Reference: XF:cups-strncat-options-bo(10910)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10910

jobs.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17
does not properly use the strncat function call when processing the
options string, which allows remote attackers to execute arbitrary
code via a buffer overflow attack.


Modifications:
  20040810 ADDREF CONECTIVA:CLSA-2003:702
  20040810 ADDREF DEBIAN:DSA-232
  20040810 ADDREF MANDRAKE:MDKSA-2003:001
  20040810 ADDREF SUSE:SuSE-SA:2003:002
  20040810 ADDREF BID:6438
  20040810 ADDREF XF:cups-strncat-options-bo(10910)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1369 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cox, Cole
   NOOP(1) Christey

Voter Comments:
 Christey> MANDRAKE:MDKSA-2003:001


======================================================
Candidate: CAN-2002-1371
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1371
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104032149026670&w=2
Reference: VULNWATCH:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0117.html
Reference: MISC:http://www.idefense.com/advisory/12.19.02.txt
Reference: CONECTIVA:CLSA-2003:702
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000702
Reference: DEBIAN:DSA-232
Reference: URL:http://www.debian.org/security/2003/dsa-232
Reference: MANDRAKE:MDKSA-2003:001
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:001
Reference: REDHAT:RHSA-2002:295
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-295.html
Reference: SUSE:SuSE-SA:2003:002
Reference: URL:http://www.suse.com/de/security/2003_002_cups.html
Reference: BID:6439
Reference: URL:http://www.securityfocus.com/bid/6439
Reference: XF:cups-zero-width-images(10911)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10911

filters/image-gif.c in Common Unix Printing System (CUPS) 1.1.14
through 1.1.17 does not properly check for zero-length GIF images,
which allows remote attackers to execute arbitrary code via modified
chunk headers, as demonstrated by nogif.


Modifications:
  20040810 ADDREF CONECTIVA:CLSA-2003:702
  20040810 ADDREF DEBIAN:DSA-232
  20040810 ADDREF MANDRAKE:MDKSA-2003:001
  20040810 ADDREF SUSE:SuSE-SA:2003:002
  20040810 ADDREF BID:6439
  20040810 ADDREF XF:cups-zero-width-images(10911)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1371 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cox, Cole
   NOOP(1) Christey

Voter Comments:
 Cox> Is it usual to name some arbitrary exploit in CVE descriptions?
 Christey> MANDRAKE:MDKSA-2003:001


======================================================
Candidate: CAN-2002-1372
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1372
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104032149026670&w=2
Reference: VULNWATCH:20021219 iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0117.html
Reference: MISC:http://www.idefense.com/advisory/12.19.02.txt
Reference: CONECTIVA:CLSA-2003:702
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000702
Reference: DEBIAN:DSA-232
Reference: URL:http://www.debian.org/security/2003/dsa-232
Reference: MANDRAKE:MDKSA-2003:001
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:001
Reference: REDHAT:RHSA-2002:295
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-295.html
Reference: SUSE:SuSE-SA:2003:002
Reference: URL:http://www.suse.com/de/security/2003_002_cups.html
Reference: BID:6440
Reference: URL:http://www.securityfocus.com/bid/6440
Reference: XF:cups-file-descriptor-dos(10912)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10912

Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not
properly check the return values of various file and socket
operations, which could allow a remote attacker to cause a denial of
service (resource exhaustion) by causing file descriptors to be
assigned and not released, as demonstrated by fanta.


Modifications:
  20040810 ADDREF CONECTIVA:CLSA-2003:702
  20040810 ADDREF DEBIAN:DSA-232
  20040810 ADDREF MANDRAKE:MDKSA-2003:001
  20040810 ADDREF SUSE:SuSE-SA:2003:002
  20040810 ADDREF BID:6440
  20040810 ADDREF XF:cups-file-descriptor-dos(10912)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1372 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cox, Cole
   NOOP(1) Christey

Voter Comments:
 Cox> Is it usual to name some arbitrary exploit in CVE descriptions?
 Christey> MANDRAKE:MDKSA-2003:001


======================================================
Candidate: CAN-2002-1373
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1373
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021212 Advisory 04/2002: Multiple MySQL vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103971644013961&w=2
Reference: MISC:http://security.e-matters.de/advisories/042002.html
Reference: DEBIAN:DSA-212
Reference: URL:http://www.debian.org/security/2002/dsa-212
Reference: ENGARDE:ESA-20030127-001
Reference: GENTOO:200212-2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104004857201968&w=2
Reference: IMMUNIX:IMNX-2003-7+-008-01
Reference: URL:http://www.securityfocus.com/advisories/5269
Reference: REDHAT:RHSA-2002:288
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-288.html
Reference: REDHAT:RHSA-2002:289
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-289.html
Reference: REDHAT:RHSA-2003:166
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-166.html
Reference: SUSE:SUSE-SA:2003:003
Reference: URL:http://www.suse.com/de/security/2003_003_mysql.html
Reference: TRUSTIX:2002-0086
Reference: URL:http://www.trustix.net/errata/misc/2002/TSL-2002-0086-mysql.asc.txt
Reference: BID:6368
Reference: URL:http://www.securityfocus.com/bid/6368
Reference: XF:mysql-comtabledump-dos(10846)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10846

Signed integer vulnerability in the COM_TABLE_DUMP package for MySQL
3.23.x before 3.23.54 allows remote attackers to cause a denial of
service (crash or hang) in mysqld by causing large negative integers
to be provided to a memcpy call.


Modifications:
  20040810 ADDREF DEBIAN:DSA-212
  20040810 ADDREF IMMUNIX:IMNX-2003-7+-008-01
  20040810 ADDREF MANDRAKE:MDKSA-2002:087
  20040810 ADDREF SUSE:SUSE-SA:2003:003
  20040810 ADDREF REDHAT:RHSA-2002:289
  20040810 ADDREF BID:6368
  20040810 ADDREF XF:mysql-comtabledump-dos(10846)
  20040810 [ref] normalize TRUSTIX
  20040810 [ref] normalize GENTOO
  20040818 ADDREF REDHAT:RHSA-2003:166

Analysis
--------
Vendor Acknowledgement: unknown

ACCURACY: a MySQL developer (Sergei Golubchik) confirmed via email
that only the 3.23 branch was affected.

INFERRED ACTION: CAN-2002-1373 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2002:289


======================================================
Candidate: CAN-2002-1374
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1374
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021212 Advisory 04/2002: Multiple MySQL vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103971644013961&w=2
Reference: MISC:http://security.e-matters.de/advisories/042002.html
Reference: DEBIAN:DSA-212
Reference: URL:http://www.debian.org/security/2002/dsa-212
Reference: ENGARDE:ESA-20021213-033
Reference: URL:http://www.linuxsecurity.com/advisories/engarde_advisory-2660.html
Reference: GENTOO:GLSA-200212-2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104004857201968&w=2
Reference: IMMUNIX:IMNX-2003-7+-008-01
Reference: URL:http://www.securityfocus.com/advisories/5269
Reference: REDHAT:RHSA-2002:288
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-288.html
Reference: REDHAT:RHSA-2002:289
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-289.html
Reference: REDHAT:RHSA-2003:166
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-166.html
Reference: SUSE:SUSE-SA:2003:003
Reference: URL:http://www.suse.com/de/security/2003_003_mysql.html
Reference: TRUSTIX:2002-0086
Reference: URL:http://www.trustix.net/errata/misc/2002/TSL-2002-0086-mysql.asc.txt
Reference: BUGTRAQ:20021216 [OpenPKG-SA-2002.013] OpenPKG Security Advisory (mysql)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104005886114500&w=2
Reference: BID:6373
Reference: URL:http://www.securityfocus.com/bid/6373
Reference: XF:mysql-comchangeuser-password-bypass(10847)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10847

The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x
before 4.0.6, allows remote attackers to gain privileges via a brute
force attack using a one-character password, which causes MySQL to
only compare the provided password against the first character of the
real password.


Modifications:
  20040810 ADDREF DEBIAN:DSA-212
  20040810 ADDREF IMMUNIX:IMNX-2003-7+-008-01
  20040810 ADDREF MANDRAKE:MDKSA-2002:087
  20040810 ADDREF SUSE:SUSE-SA:2003:003
  20040810 ADDREF REDHAT:RHSA-2002:289
  20040810 ADDREF BID:6373
  20040810 ADDREF XF:mysql-comchangeuser-password-bypass(10847)
  20040810 [ref] normalize TRUSTIX
  20040810 [ref] normalize GENTOO
  20040818 ADDREF REDHAT:RHSA-2003:166

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1374 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2002:289
 Green> ACKNOWLEDGED IN THE RED HAT ERRATA


======================================================
Candidate: CAN-2002-1375
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1375
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021212 Advisory 04/2002: Multiple MySQL vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103971644013961&w=2
Reference: MISC:http://security.e-matters.de/advisories/042002.html
Reference: DEBIAN:DSA-212
Reference: URL:http://www.debian.org/security/2002/dsa-212
Reference: ENGARDE:ESA-20021213-033
Reference: URL:http://www.linuxsecurity.com/advisories/engarde_advisory-2660.html
Reference: GENTOO:GLSA-200212-2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104004857201968&w=2
Reference: IMMUNIX:IMNX-2003-7+-008-01
Reference: URL:http://www.securityfocus.com/advisories/5269
Reference: REDHAT:RHSA-2002:288
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-288.html
Reference: REDHAT:RHSA-2002:289
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-289.html
Reference: REDHAT:RHSA-2003:166
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-166.html
Reference: SUSE:SUSE-SA:2003:003
Reference: URL:http://www.suse.com/de/security/2003_003_mysql.html
Reference: TRUSTIX:2002-0086
Reference: URL:http://www.trustix.net/errata/misc/2002/TSL-2002-0086-mysql.asc.txt
Reference: BUGTRAQ:20021216 [OpenPKG-SA-2002.013] OpenPKG Security Advisory (mysql)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104005886114500&w=2
Reference: BID:6375
Reference: URL:http://www.securityfocus.com/bid/6375
Reference: XF:mysql-comchangeuser-password-bo(10848)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10848

The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to
4.0.6, allows remote attackers to execute arbitrary code via a long
response.


Modifications:
  20040810 ADDREF DEBIAN:DSA-212
  20040810 ADDREF IMMUNIX:IMNX-2003-7+-008-01
  20040810 ADDREF MANDRAKE:MDKSA-2002:087
  20040810 ADDREF SUSE:SUSE-SA:2003:003
  20040810 ADDREF REDHAT:RHSA-2002:289
  20040810 ADDREF BID:6375
  20040810 ADDREF XF:mysql-comchangeuser-password-bo(10848)
  20040810 [ref] normalize TRUSTIX
  20040810 [ref] normalize GENTOO
  20040818 ADDREF REDHAT:RHSA-2003:166

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1375 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2002:289
 Green> ACKNOWLEDGED IN THE RED HAT ERRATA


======================================================
Candidate: CAN-2002-1377
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: FULLDISC:20021213 Some vim problems, yet still vim much better than windows
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2002-December/002948.html
Reference: MISC:http://www.guninski.com/vim1.html
Reference: BUGTRAQ:20040331 OpenLinux: vim arbitrary commands execution through modelines
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108077992208690&w=2
Reference: CONECTIVA:CLA-2004:812
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000812
Reference: MANDRAKE:MDKSA-2003:012
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:012
Reference: REDHAT:RHSA-2002:297
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-297.html
Reference: REDHAT:RHSA-2002:302
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-302.html
Reference: SUNALERT:55700
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55700
Reference: BID:6384
Reference: URL:http://www.securityfocus.com/bid/6384
Reference: XF:vim-modeline-command-execution(10835)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10835

vim 6.0 and 6.1, and possibly other versions, allows attackers to
execute arbitrary commands using the libcall feature in modelines,
which are not sandboxed but may be executed when vim is used to edit a
malicious file, as demonstrated using mutt.


Modifications:
  20040810 ADDREF CONECTIVA:CLA-2004:812
  20040810 ADDREF SUNALERT:55700
  20040810 ADDREF BID:6384
  20040810 ADDREF XF:vim-modeline-command-execution(10835)
  20040810 ADDREF BUGTRAQ:20040331 OpenLinux: vim arbitrary commands execution through modelines
  20040810 [refs] normalize FULLDISC
  20040810 [desc] clarify
  20040818 ADDREF REDHAT:RHSA-2002:302

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1377 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> The mention of mutt in the original advisory is used to give one
   indication of a possible attack vector.  It should be 'but may
   be executed when vim is used to edit a malicious file'
   Addref: REDHAT:RHSA-2002:302
 Green> ACKNOWLEDGED IN REDHAT ERRATA
 Christey> CONECTIVA:CLA-2004:812
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000812
 Christey> BUGTRAQ:20040331 OpenLinux: vim arbitrary commands execution through modelines
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108077992208690&w=2


======================================================
Candidate: CAN-2002-1380
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1380
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: VULNWATCH:20021217 RAZOR advisory: Linux 2.2.xx /proc/<pid>/mem mmap() vulnerability
Reference: DEBIAN:DSA-336
Reference: URL:http://www.debian.org/security/2003/dsa-336
Reference: ENGARDE:ESA-20030318-009
Reference: URL:http://www.linuxsecurity.com/advisories/engarde_advisory-2976.html
Reference: MANDRAKE:MDKSA-2003:039
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:039
Reference: REDHAT:RHSA-2003:088
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-088.html
Reference: TRUSTIX:2002-0083
Reference: URL:http://www.trustix.net/errata/misc/2002/TSL-2002-0083-kernel.asc.txt
Reference: BID:6420
Reference: URL:http://www.securityfocus.com/bid/6420
Reference: XF:linux-protread-mmap-dos(10884)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10884

Linux kernel 2.2.x allows local users to cause a denial of service
(crash) by using the mmap() function with a PROT_READ parameter to
access non-readable memory pages through the /proc/pid/mem interface.


Modifications:
  20040810 ADDREF DEBIAN:DSA-336
  20040810 ADDREF ENGARDE:ESA-20030318-009
  20040810 ADDREF MANDRAKE:MDKSA-2003:039
  20040810 ADDREF REDHAT:RHSA-2003:088
  20040810 ADDREF BID:6420
  20040810 ADDREF XF:linux-protread-mmap-dos(10884)
  20040810 [refs] normalize TRUSTIX

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1380 ACCEPT_ACK_REV (2 accept, 2 ack, 2 review)

Current Votes:
   ACCEPT(1) Baker
   MODIFY(1) Cox
   NOOP(2) Christey, Cole
   REVIEWING(2) Green, Wall

Voter Comments:
 Christey> ENGARDE:ESA-20030318-009
   URL:http://www.linuxsecurity.com/advisories/engarde_advisory-2976.html
 CHANGE> [Cox changed vote from ACCEPT to MODIFY]
 Cox> Addref: RHSA-2003:088
 Christey> MANDRAKE:MDKSA-2003:039
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:039
 Christey> DEBIAN:DSA-336
   URL:http://www.debian.org/security/2003/dsa-336


======================================================
Candidate: CAN-2002-1381
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1381
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021216
Category: SF
Reference: BUGTRAQ:20021204 Local root vulnerability found in exim 4.x (and 3.x)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103903403527788&w=2
Reference: CONFIRM:http://groups.yahoo.com/group/exim-users/message/42358
Reference: GENTOO:GLSA-200212-5
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104006219018664&w=2
Reference: BID:6314
Reference: URL:http://www.securityfocus.com/bid/6314
Reference: XF:exim-daemonc-format-string(10761)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10761

Format string vulnerability in daemon.c for Exim 4.x through 4.10, and
3.x through 3.36, allows exim administrative users to execute
arbitrary code by modifying the pid_file_path value.


Modifications:
  20040810 ADDREF BID:6314
  20040810 ADDREF XF:exim-daemonc-format-string(10761)
  20040810 [refs] normalize GENTOO

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1381 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Cox, Cole
   NOOP(1) Wall


======================================================
Candidate: CAN-2002-1382
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1382
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021217
Category: SF
Reference: BUGTRAQ:20021217 Macromedia Shockwave Flash Malformed Header Overflow #2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104014220727109&w=2
Reference: VULNWATCH:20021217 Macromedia Shockwave Flash Malformed Header Overflow #2
Reference: URL:http://marc.theaimsgroup.com/?l=vulnwatch&m=104013370116670
Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=23569
Reference: BID:6383
Reference: URL:http://www.securityfocus.com/bid/6383
Reference: XF:flash-swf-bo(10861)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10861

Macromedia Flash Player before 6.0.65.0 allows remote attackers to
execute arbitrary code via certain malformed data headers in Shockwave
Flash file format (SWF) files, a different issue than CAN-2002-0846.


Modifications:
  20040810 ADDREF BID:6383
  20040810 ADDREF XF:flash-swf-bo(10861)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1382 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Green, Baker, Wall, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1384
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1384
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20021218
Category: SF
Reference: VULNWATCH:20021223 iDEFENSE Security Advisory 12.23.02: Integer Overflow in pdftops
Reference: MISC:http://www.idefense.com/advisory/12.23.02.txt
Reference: DEBIAN:DSA-222
Reference: URL:http://www.debian.org/security/2003/dsa-222
Reference: DEBIAN:DSA-226
Reference: URL:http://www.debian.org/security/2003/dsa-226
Reference: DEBIAN:DSA-232
Reference: URL:http://www.debian.org/security/2003/dsa-232
Reference: GENTOO:GLSA-200301-1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104152282309980&w=2
Reference: MANDRAKE:MDKSA-2003:001
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:001
Reference: MANDRAKE:MDKSA-2003:002
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:002
Reference: REDHAT:RHSA-2002:295
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-295.html
Reference: REDHAT:RHSA-2002:307
Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-307.html
Reference: REDHAT:RHSA-2003:037
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-037.html
Reference: REDHAT:RHSA-2003:216
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-216.html
Reference: SUSE:SUSE-SA:2003:002
Reference: URL:http://www.suse.com/de/security/2003_002_cups.html
Reference: BID:6475
Reference: URL:http://www.securityfocus.com/bid/6475
Reference: XF:pdftops-integer-overflow(10937)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10937

Integer overflow in pdftops, as used in Xpdf 2.01 and earlier, xpdf-i,
and CUPS before 1.1.18, allows local users to execute arbitrary code
via a ColorSpace entry with a large number of elements, as
demonstrated by cups-pdf.


Modifications:
  20040810 ADDREF DEBIAN:DSA-232
  20040810 ADDREF MANDRAKE:MDKSA-2003:001
  20040810 ADDREF MANDRAKE:MDKSA-2003:002
  20040810 ADDREF REDHAT:RHSA-2002:307
  20040810 ADDREF SUSE:SUSE-SA:2003:002
  20040810 ADDREF XF:pdftops-integer-overflow(10937)
  20040810 ADDREF BID:6475
  20040810 [refs] normalize GENTOO
  20040818 ADDREF REDHAT:RHSA-2003:216

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-1384 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2002:307
 Christey> MANDRAKE:MDKSA-2003:001
   MANDRAKE:MDKSA-2003:002


======================================================
Candidate: CAN-2002-1385
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1385
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021219
Category: SF
Reference: BUGTRAQ:20021218 Openwebmail 1.71 remote root compromise
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104031696120743&w=2
Reference: BUGTRAQ:20021219 [Fix] Openwebmail 1.71 remote root compromise
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104032263328026&w=2
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435
Reference: BID:6425
Reference: URL:http://www.securityfocus.com/bid/6425
Reference: XF:open-webmail-command-execution(10904)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10904

openwebmail_init in Open WebMail 1.81 and earlier allows local users
to execute arbitrary code via .. (dot dot) sequences in a
login name, such as the name provided in the sessionid parameter for
openwebmail-abook.pl, which is used to find a configuration file that
specifies additional code to be executed.


Modifications:
  20040810 ADDREF BID:6425
  20040810 ADDREF XF:open-webmail-command-execution(10904)

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: the announce page for Open WebMail includes an item
"Security Advisory 20021219," which describes the problem and credits
the Bugtraq poster.

INFERRED ACTION: CAN-2002-1385 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1388
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1388
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021230
Category: SF
Reference: CONFIRM:http://www.mhonarc.org/archive/cgi-bin/mesg.cgi?a=mhonarc-users&i=200212220120.gBM1K8502180@mcguire.earlhood.com
Reference: DEBIAN:DSA-221
Reference: URL:http://www.debian.org/security/2002/dsa-221
Reference: XF:mhonarc-m2htexthtml-filter-xss(10950)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10950
Reference: BID:6479
Reference: URL:http://www.securityfocus.com/bid/6479

Cross-site scripting (XSS) vulnerability in MHonArc before 2.5.14
allows remote attackers to inject arbitrary HTML into web archive
pages via HTML mail messages.


Modifications:
  20040810 ADDREF XF:mhonarc-m2htexthtml-filter-xss(10950)
  20040810 ADDREF BID:6479

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1388 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1389
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1389
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20021230
Category: SF
Reference: DEBIAN:DSA-217
Reference: URL:http://www.debian.org/security/2002/dsa-217
Reference: BID:6485
Reference: URL:http://www.securityfocus.com/bid/6485
Reference: XF:typespeed-command-line-bo(10936)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10936

Buffer overflow in typespeed 0.4.2 and earlier allows local users to
gain privileges via long input.


Modifications:
  20040810 BID:6485
  20040810 XF:typespeed-command-line-bo(10936)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1389 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1390
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1390
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030106
Category: SF
Reference: CONFIRM:http://cristal.inria.fr/~ddr/GeneWeb/en/version/4.09.html
Reference: DEBIAN:DSA-223
Reference: URL:http://www.debian.org/security/2003/dsa-223
Reference: BID:6549
Reference: URL:http://www.securityfocus.com/bid/6549
Reference: XF:geneweb-absolute-information-disclosure(11021)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11021

The daemon for GeneWeb before 4.09 does not properly handle requested
paths, which allows remote attackers to read arbitrary files via a
crafted URL.


Modifications:
  20040810 ADDREF BID:6549
  20040810 ADDREF XF:geneweb-absolute-information-disclosure(11021)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1390 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Cole
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:6549
   URL:http://www.securityfocus.com/bid/6549
   XF:geneweb-absolute-information-disclosure(11021)
   URL:http://www.iss.net/security_center/static/11021.php


======================================================
Candidate: CAN-2002-1391
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1391
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030106
Category: SF
Reference: CONFIRM:http://search.alphanet.ch/cgi-bin/search.cgi?msgid=20021125142338.E12094%40greenie.muc.de&max_results=1&type=long&domain=ml-mgetty
Reference: CALDERA:CSSA-2003-021.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-021.0.txt
Reference: GENTOO:GLSA-200304-09
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105154413326136&w=2
Reference: REDHAT:RHSA-2003:008
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-008.html
Reference: REDHAT:RHSA-2003:036
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-036.html
Reference: BID:7303
Reference: URL:http://www.securityfocus.com/bid/7303
Reference: XF:mgetty-cndprogram-callername-bo(11072)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11072

Buffer overflow in cnd-program for mgetty before 1.1.29 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a Caller ID string with a long CallerName argument.


Modifications:
  20040810 ADDREF CALDERA:CSSA-2003-021.0
  20040810 ADDREF GENTOO:GLSA-200304-09
  20040810 ADDREF REDHAT:RHSA-2003:008
  20040810 ADDREF REDHAT:RHSA-2003:036
  20040810 ADDREF BID:7303
  20040810 ADDREF XF:mgetty-cndprogram-callername-bo(11072)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1391 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Cox> ADDREF: RHSA-2003:0008
 Christey> BUGTRAQ:20030428 GLSA:  mgetty (200304-09)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105154413326136&w=2
 Christey> CALDERA:CSSA-2003-021.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-021.0.txt


======================================================
Candidate: CAN-2002-1392
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1392
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030106
Category: CF
Reference: CONFIRM:http://search.alphanet.ch/cgi-bin/search.cgi?msgid=20021125142338.E12094%40greenie.muc.de&max_results=1&type=long&domain=ml-mgetty
Reference: CALDERA:CSSA-2003-021.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-021.0.txt
Reference: GENTOO:GLSA-200304-09
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105154413326136&w=2
Reference: REDHAT:RHSA-2003:008
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-008.html
Reference: REDHAT:RHSA-2003:036
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-036.html
Reference: BID:7302
Reference: URL:http://www.securityfocus.com/bid/7302
Reference: XF:mgetty-faxspool-worldwritable-directory(11070)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11070

faxspool in mgetty before 1.1.29 uses a world-writable spool directory
for outgoing faxes, which allows local users to modify fax
transmission privileges.


Modifications:
  20040810 ADDREF CALDERA:CSSA-2003-021.0
  20040810 ADDREF GENTOO:GLSA-200304-09
  20040810 ADDREF REDHAT:RHSA-2003:008
  20040810 ADDREF REDHAT:RHSA-2003:036
  20040810 ADDREF BID:7302
  20040810 ADDREF XF:mgetty-faxspool-worldwritable-directory(11070)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1392 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Baker, Cole
   MODIFY(1) Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Cox> ADDREF: RHSA-2003:0008
 Christey> BUGTRAQ:20030428 GLSA:  mgetty (200304-09)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105154413326136&w=2
 Christey> CALDERA:CSSA-2003-021.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-021.0.txt


======================================================
Candidate: CAN-2002-1394
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1394
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030106
Category: SF
Reference: DEBIAN:DSA-225
Reference: URL:http://www.debian.org/security/2003/dsa-225
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=tomcat-dev&m=103417249325526&w=2
Reference: CONFIRM:http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365
Reference: REDHAT:RHSA-2003:075
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-075.html
Reference: REDHAT:RHSA-2003:082
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-082.html
Reference: GENTOO:GLSA-200210-001
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103470282514938&w=2
Reference: BID:6562
Reference: URL:http://www.securityfocus.com/bid/6562
Reference: XF:tomcat-invoker-source-code(10376)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10376

Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet
and the default servlet, allows remote attackers to read source code
for server files or bypass certain protections, a variant of
CAN-2002-1148.


Modifications:
  20040810 ADDREF REDHAT:RHSA-2003:075
  20040810 ADDREF REDHAT:RHSA-2003:082
  20040810 ADDREF BID:6562
  20040810 ADDREF XF:tomcat-invoker-source-code(10376)
  20040810 [refs] normalize GENTOO

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1394 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cole, Armstrong
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2003:082
 Cox> ADDREF REDHAT:RHSA-2003:075


======================================================
Candidate: CAN-2002-1396
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: BUGTRAQ:20021227 Buffer overflow in PHP "wordwrap" function
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104102689503192&w=2
Reference: CONFIRM:http://bugs.php.net/bug.php?id=20927
Reference: ENGARDE:ESA-20030219-003
Reference: URL:http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0003.html
Reference: GENTOO:200301-8
Reference: URL:http://www.securityfocus.com/advisories/4862
Reference: MANDRAKE:MDKSA-2003:019
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:019
Reference: REDHAT:RHSA-2003:017
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-017.html
Reference: SCO:CSSA-2003-SCO.28
Reference: SUSE:SuSE-SA:2003:0009
Reference: URL:http://www.suse.com/de/security/2003_009_mod_php4.html
Reference: BID:6488
Reference: URL:http://www.securityfocus.com/bid/6488
Reference: XF:php-wordwrap-bo(10944)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10944

Heap-based buffer overflow in the wordwrap function in PHP after 4.1.2
and before 4.3.0 may allow attackers to cause a denial of service or
execute arbitrary code.


Modifications:
  20040810 ADDREF GENTOO:200301-8
  20040810 ADDREF SCO:CSSA-2003-SCO.28
  20040810 ADDREF BID:6488
  20040810 ADDREF XF:php-wordwrap-bo(10944)

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1396 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Green, Cox, Cole
   NOOP(1) Christey

Voter Comments:
 Green> ACKNOWLEDGED IN http://bugs.php.net/bug.php?id=20927
 Christey> SCO:CSSA-2003-SCO.28


======================================================
Candidate: CAN-2002-1403
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1403
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030110
Category: SF
Reference: CONECTIVA:CLA-2002:549
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000549
Reference: DEBIAN:DSA-219
Reference: URL:http://www.debian.org/security/2002/dsa-219
Reference: GENTOO:GLSA-200301-3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104189546709447&w=2
Reference: MANDRAKE:MDKSA-2003:003
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:003
Reference: BID:6200
Reference: URL:http://online.securityfocus.com/bid/6200
Reference: XF:dhcpcd-info-execute-commands(10663)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10663

dhcpcd DHCP client daemon 1.3.22 and earlier allows local users to
execute arbitrary code via shell metacharacters that are fed from a
dhcpd .info script into a .exe script.


Modifications:
  20040810 ADDREF XF:dhcpcd-info-execute-commands(10663)
  20040810 [refs] normalize GENTOO

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1403 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Cox
   NOOP(1) Christey

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Christey> XF:dhcpcd-info-execute-commands(10663)


======================================================
Candidate: CAN-2002-1405
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1405
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: BUGTRAQ:20020819 Lynx CRLF Injection
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102978118411977&w=2
Reference: BUGTRAQ:20020822 Lynx CRLF Injection, part two
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103003793418021&w=2
Reference: DEBIAN:DSA-210
Reference: URL:http://www.debian.org/security/2002/dsa-210
Reference: CALDERA:CSSA-2002-049.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-049.0.txt
Reference: REDHAT:RHSA-2003:029
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-029.html
Reference: REDHAT:RHSA-2003:030
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-030.html
Reference: TRUSTIX:2002-0085
Reference: URL:http://www.trustix.net/errata/misc/2002/TSL-2002-0085-lynx-ssl.asc.txt
Reference: MANDRAKE:MDKSA-2003:023
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:023
Reference: BID:5499
Reference: URL:http://www.securityfocus.com/bid/5499
Reference: XF:lynx-crlf-injection(9887)
Reference: URL:http://www.iss.net/security_center/static/9887.php

CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote
attackers to inject false HTTP headers into an HTTP request that is
provided on the command line, via a URL containing encoded carriage
return, line feed, and other whitespace characters.


Modifications:
  20040810 ADDREF BID:5499
  20040810 ADDREF REDHAT:RHSA-2003:030
  20040810 [refs] normalize TRUSTIX

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1405 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: RHSA-2003:030
 Christey> BID:5499
   URL:http://www.securityfocus.com/bid/5499


======================================================
Candidate: CAN-2002-1407
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1407
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020805 IE SSL Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102866120821995&w=2
Reference: BUGTRAQ:20020810 TinySSL Vendor Statement: Basic Constraints Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0096.html
Reference: BID:5410
Reference: URL:http://www.securityfocus.com/bid/5410
Reference: XF:ssl-ca-certificate-spoofing(9776)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9776

TinySSL 1.02 and earlier does not verify the Basic Constraints for an
intermediate CA-signed certificate, which allows remote attackers to
spoof the certificates of trusted sites via a man-in-the-middle
attack.


Modifications:
  20040810 ADDREF XF:ssl-ca-certificate-spoofing(9776)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-1407 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1412
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1412
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020801 code injection in gallery
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0471.html
Reference: CONFIRM:http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=50&mode=thread&order=0&thold=0
Reference: DEBIAN:DSA-138
Reference: URL:http://www.debian.org/security/2002/dsa-138
Reference: BID:5375
Reference: URL:http://www.securityfocus.com/bid/5375
Reference: XF:gallery-basedir-execute-commands(9737)
Reference: URL:http://xforce.iss.net/xforce/xfdb/9737

Gallery photo album package before 1.3.1 allows local and possibly
remote attackers to execute arbitrary code via a modified
GALLERY_BASEDIR variable that points to a directory or URL that
contains a Trojan horse init.php script.


Modifications:
  20040810 ADDREF BID:5375
  20040810 ADDREF XF:gallery-basedir-execute-commands(9737)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1412 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:5375


======================================================
Candidate: CAN-2002-1413
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1413
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020821 NOVL-2002-2963349 - Rconag6 Secure IP Login Vulnerability - NW6SP2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0216.html
Reference: CERT-VN:VU#746251
Reference: URL:http://www.kb.cert.org/vuls/id/746251
Reference: CONFIRM:http://support.novell.com/servlet/tidfinder/2963349
Reference: XF:netware-rconj-no-password(9928)
Reference: URL:http://www.iss.net/security_center/static/9928.php
Reference: BID:5541
Reference: URL:http://www.securityfocus.com/bid/5541

RCONAG6 for Novell Netware SP2, while running RconJ in secure mode,
allows remote attackers to bypass authentication using the RconJ
"Secure IP" (SSL) option during a connection.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1413 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Frech
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1414
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1414
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: VULN-DEV:20020806 qmailadmin SUID buffer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=102859603029424&w=2
Reference: BUGTRAQ:20020724 Re: qmailadmin SUID buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0016.html
Reference: CONFIRM:http://www.inter7.com/qmailadmin/ChangeLog
Reference: BID:5404
Reference: URL:http://www.securityfocus.com/bid/5404
Reference: XF:qmailadmin-templatedir-bo(9786)
Reference: URL:http://www.iss.net/security_center/static/9786.php

Buffer overflow in qmailadmin allows local users to gain privileges
via a long QMAILADMIN_TEMPLATEDIR environment variable.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The changelog includes an item dated August 6, 2002,
which states "Fixed local overflow in template code."

INFERRED ACTION: CAN-2002-1414 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1417
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1417
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020820 NOVL-2002-2963297 - NetBasic Buffer Overflow + Scripting Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0199.html
Reference: CONFIRM:http://support.novell.com/servlet/tidfinder/2963297
Reference: BID:5523
Reference: URL:http://www.securityfocus.com/bid/5523
Reference: XF:novell-netbasic-directory-traversal(9910)
Reference: URL:http://www.iss.net/security_center/static/9910.php

Directory traversal vulnerability in Novell NetBasic Scripting Server
(NSN) for Netware 5.1 and 6, and Novell Small Business Suite 5.1 and
6, allows remote attackers to read arbitrary files via a URL
containing a "..%5c" sequence (modified dot-dot), which is mapped to
the directory separator.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1417 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1418
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1418
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020820 NOVL-2002-2963297 - NetBasic Buffer Overflow + Scripting Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0199.html
Reference: CONFIRM:http://support.novell.com/servlet/tidfinder/2963297
Reference: XF:novell-netbasic-interpreter-bo(9911)
Reference: URL:http://www.iss.net/security_center/static/9911.php
Reference: BID:5524
Reference: URL:http://www.securityfocus.com/bid/5524

Buffer overflow in the interpreter for Novell NetBasic Scripting
Server (NSN) for Netware 5.1 and 6, and Novell Small Business Suite
5.1 and 6, allows remote attackers to cause a denial of service
(ABEND) via a long module name.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1418 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1419
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1419
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: SGI:20020805-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020805-01-I
Reference: BID:5467
Reference: URL:http://www.securityfocus.com/bid/5467
Reference: XF:irix-origin-bypass-filtering(9868)
Reference: URL:http://www.iss.net/security_center/static/9868.php

The upgrade of IRIX on Origin 3000 to 6.5.13 through 6.5.16 changes
the MAC address of the system, which could modify intended access
restrictions that are based on a MAC address.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1419 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1420
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1420
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020812 OpenBSD Security Advisory: Select Boundary Condition (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102918817012863&w=2
Reference: BID:5442
Reference: URL:http://www.securityfocus.com/bid/5442
Reference: XF:openbsd-select-bo(9809)
Reference: URL:http://www.iss.net/security_center/static/9809.php
Reference: OSVDB:7554
Reference: URL:http://www.osvdb.org/7554

Integer signedness error in select() on OpenBSD 3.1 and earlier allows
local users to overwrite arbitrary kernel memory via a negative value
for the size parameter, which satisfies the boundary check as a signed
integer, but is later used as an unsigned integer during a data
copying operation.


Modifications:
  20040818 ADDREF OSVDB:7554

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1420 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1424
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1424
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: DEBIAN:DSA-141
Reference: URL:http://www.debian.org/security/2002/dsa-141
Reference: BID:5385
Reference: URL:http://www.securityfocus.com/bid/5385
Reference: XF:munpack-mime-bo(9747)
Reference: URL:http://www.iss.net/security_center/static/9747.php

Buffer overflow in munpack in mpack 1.5 and earlier allows remote
attackers to cause a denial of service and possibly execute arbitrary
code.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1424 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1425
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1425
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: DEBIAN:DSA-141
Reference: URL:http://www.debian.org/security/2002/dsa-141
Reference: BID:5386
Reference: URL:http://www.securityfocus.com/bid/5386
Reference: XF:munpack-dotdot-directory-traversal(9748)
Reference: URL:http://www.iss.net/security_center/static/9748.php

Directory traversal vulnerability in munpack in mpack 1.5 and earlier
allows remote attackers to create new files in the parent directory
via a ../ (dot-dot) sequence in the filename to be extracted.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1425 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1430
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1430
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020730 [ADVISORY]:  Arbitrary file disclosure vulnerability in Sympoll 1.2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0401.html
Reference: CONFIRM:http://www.ralusp.net/downloads/sympoll/changelog.txt
Reference: BID:5360
Reference: URL:http://www.securityfocus.com/bid/5360
Reference: XF:sympoll-php-view-files(9723)
Reference: URL:http://www.iss.net/security_center/static/9723.php

Unknown vulnerability in Sympoll 1.2 allows remote attackers to read
arbitrary files when register_globals is enabled, possibly by
modifying certain PHP variables through URL parameters.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor's changelog for version 1.3 includes an
item labeled "IMPORTANT SECURITY FIX" and crediting an individual who
is also credited by the author of the Bugtraq post. The dates of the
Bugtraq post and vendor changelog are also the same (July 30).
ACCURACY: while neither the Bugtraq poster nor the vendor says that PHP
variables are directly modified through URL parameters, that is the
behavior that is otherwise prevented by the register_globals feature,
and typical of vulnerabilities in many PHP scripts.

INFERRED ACTION: CAN-2002-1430 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1435
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1435
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020822 Arbitrary code execution problem in Achievo
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0235.html
Reference: CONFIRM:http://www.achievo.org/lists/2002/Aug/msg00092.html
Reference: XF:achievo-php-execute-code(9947)
Reference: URL:http://www.iss.net/security_center/static/9947.php
Reference: BID:5552
Reference: URL:http://www.securityfocus.com/bid/5552

class.atkdateattribute.js.php in Achievo 0.7.0 through 0.9.1, except
0.8.2, allows remote attackers to execute arbitrary PHP code when the
'allow_url_fopen' setting is enabled via a URL in the config_atkroot
parameter that points to the code.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1435 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1436
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1436
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020820 NOVL-2002-2963307 - PERL Handler Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0202.html
Reference: CONFIRM:http://support.novell.com/servlet/tidfinder/2963307
Reference: XF:netware-perl-code-execution(9916)
Reference: URL:http://www.iss.net/security_center/static/9916.php
Reference: BID:5520
Reference: URL:http://www.securityfocus.com/bid/5520

The web handler for Perl 5.003 on Novell NetWare 5.1 and NetWare 6
allows remote attackers to execute arbitrary Perl code via an HTTP
POST request.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1436 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1437
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020820 NOVL-2002-2963307 - PERL Handler Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0202.html
Reference: CONFIRM:http://support.novell.com/servlet/tidfinder/2963307
Reference: BID:5522
Reference: URL:http://www.securityfocus.com/bid/5522
Reference: XF:netware-perl-directory-traversal(9915)
Reference: URL:http://www.iss.net/security_center/static/9915.php

Directory traversal vulnerability in the web handler for Perl 5.003 on
Novell NetWare 5.1 and NetWare 6 allows remote attackers to read
arbitrary files via an HTTP request containing "..%5c" (URL-encoded
dot-dot backslash) sequences.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1437 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1438
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020820 NOVL-2002-2963307 - PERL Handler Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0202.html
Reference: CONFIRM:http://support.novell.com/servlet/tidfinder/2963307
Reference: XF:netware-perl-information-disclosure(9917)
Reference: URL:http://www.iss.net/security_center/static/9917.php
Reference: BID:5521
Reference: URL:http://www.securityfocus.com/bid/5521

The web handler for Perl 5.003 on Novell NetWare 5.1 and NetWare 6
allows remote attackers to obtain Perl version information via the -v
option.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1438 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1443
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1443
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020808 Exploiting the Google toolbar (GM#001-MC)
Reference: URL:http://online.securityfocus.com/archive/1/286527
Reference: NTBUGTRAQ:20020808 Exploiting the Google toolbar (GM#001-MC)
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0066.html
Reference: MISC:http://sec.greymagic.com/adv/gm001-mc/
Reference: CONFIRM:http://toolbar.google.com/whatsnew.php3
Reference: BID:5426
Reference: URL:http://www.securityfocus.com/bid/5426
Reference: XF:google-toolbar-keypress-monitoring(10054)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10054

The Google toolbar 1.1.58 and earlier allows remote web sites to
monitor a user's input into the toolbar via an "onkeydown" event
handler.


Modifications:
  20040810 ADDREF XF:google-toolbar-keypress-monitoring(10054)

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1443 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1446
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1446
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020819 nCipher Advisory #5: C_Verify validates incorrect symmetric signatures
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0172.html
Reference: CONFIRM:http://www.ncipher.com/support/advisories/advisory5_c_verify.html
Reference: BID:5498
Reference: URL:http://www.securityfocus.com/bid/5498
Reference: XF:ncipher-cverify-improper-verification(9895)
Reference: URL:http://www.iss.net/security_center/static/9895.php

The error checking routine used for the C_Verify call on a symmetric
verification key in the nCipher PKCS#11 library 1.2.0 and later
returns the CKR_OK status even when it detects an invalid signature,
which could allow remote attackers to modify or forge messages.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1446 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1447
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1447
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020619 [AP] Cisco vpnclient buffer overflow
Reference: URL:http://online.securityfocus.com/archive/1/277653
Reference: CISCO:20020619 Buffer Overflow in UNIX VPN Client
Reference: URL:http://www.cisco.com/warp/public/707/cisco-unix-vpnclient-buffer-overflow-pub.shtml
Reference: MISC:http://sec.angrypacket.com/advisories/0002_AP.vpnclient.txt
Reference: XF:ciscovpn-profile-name-bo(9376)
Reference: URL:http://www.iss.net/security_center/static/9376.php
Reference: BID:5056
Reference: URL:http://www.securityfocus.com/bid/5056

Buffer overflow in the vpnclient program for UNIX VPN Client before
3.5.2 allows local users to gain administrative privileges via a long
profile name in a connect argument.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1447 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Jones
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1448
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1448
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: CF
Reference: BUGTRAQ:20020805 SNMP vulnerability in AVAYA Cajun firmware
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0519.html
Reference: CONFIRM:http://support.avaya.com/security/Unauthorized_SNMP/index.jhtml
Reference: XF:avaya-cajun-default-snmp(9769)
Reference: URL:http://www.iss.net/security_center/static/9769.php
Reference: BID:5396
Reference: URL:http://www.securityfocus.com/bid/5396

An undocumented SNMP read/write community string ('NoGaH$@!') in Avaya
P330, P130, and M770-ATM Cajun products allows remote attackers to
gain administrative privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: the vendor's security advisory credits Jacek
Lipkowski, the author of the Bugtraq post.

INFERRED ACTION: CAN-2002-1448 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1463
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1463
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020802 Security Advisory: Raptor Firewall Weak ISN Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-07/0492.html
Reference: CONFIRM:http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html
Reference: BID:5387
Reference: URL:http://www.securityfocus.com/bid/5387
Reference: XF:symantec-tcp-seq-predict(12836)
Reference: URL:http://xforce.iss.net/xforce/xfdb/12836
Reference: OSVDB:855
Reference: URL:http://www.osvdb.org/855

Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and
7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway
Security 5110/5200/5300 generate easily predictable initial sequence
numbers (ISN), which allows remote attackers to spoof connections.


Modifications:
  20040810 ADDREF BID:5387
  20040810 ADDREF XF:symantec-tcp-seq-predict(12836)
  20040818 ADDREF OSVDB:855

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1463 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1468
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1468
Final-Decision:
Interim-Decision: 20040825
Modified: 20040810
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: AIXAPAR:IY31997
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q3/0007.html
Reference: BID:5885
Reference: URL:http://www.securityfocus.com/bid/5885

Buffer overflow in errpt in AIX 4.3.3 allows local users to execute
arbitrary code as root.


Modifications:
  20040810 [desc] clarify based on Bollinger's vote
  20040810 ADDREF BID:5885

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-1468 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Bollinger
   NOOP(1) Cox

Voter Comments:
 Bollinger> This buffer overflow allows a local attacker to execute
   arbitrary code as root.


======================================================
Candidate: CAN-2002-1469
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1469
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020820 vulnerabilities in scponly
Reference: URL:http://online.securityfocus.com/archive/1/288245
Reference: CONFIRM:http://www.sublimation.org/scponly/
Reference: BID:5526
Reference: URL:http://www.securityfocus.com/bid/5526
Reference: XF:scponly-ssh-env-upload(9913)
Reference: URL:http://www.iss.net/security_center/static/9913.php

scponly does not properly verify the path when finding the (1) scp or
(2) sftp-server programs, which could allow remote authenticated users
to bypass access controls by uploading malicious programs and
modifying the PATH variable in $HOME/.ssh/environment to locate those
programs.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the release notes for scponly include an item titled
"aug 2002 addendum" that states "Derek D. Martin [the discloser] sent
me an exploitable vulnerability condition that can be used to run
arbitrary commands, thus circumventing scponly!"

INFERRED ACTION: CAN-2002-1469 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1471
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1471
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20021003 SSL certificate validation problems in Ximian Evolution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0045.html
Reference: XF:evolution-camel-certificate-mitm(10292)
Reference: URL:http://www.iss.net/security_center/static/10292.php
Reference: BID:5875
Reference: URL:http://www.securityfocus.com/bid/5875

The camel component for Ximian Evolution 1.0.x and earlier does not
verify certificates when it establishes a new SSL connection after
previously verifying a certificate, which could allow remote attackers
to monitor or modify sessions via a man-in-the-middle attack.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-1471 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to NOOP]


======================================================
Candidate: CAN-2002-1472
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1472
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: CONECTIVA:CLA-2002:529
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000529
Reference: REDHAT:RHSA-2003:066
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-066.html
Reference: REDHAT:RHSA-2003:067
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-067.html
Reference: SUSE:SuSE-SA:2002:032
Reference: URL:http://archives.neohapsis.com/archives/linux/suse/2002-q3/1116.html
Reference: BID:5735
Reference: URL:http://www.securityfocus.com/bid/5735
Reference: XF:xfree86-x11-program-execution(10137)
Reference: URL:http://www.iss.net/security_center/static/10137.php

libX11.so in xfree86, when used in setuid or setgid programs, allows
local users to gain root privileges via a modified LD_PRELOAD
environment variable that points to a malicious module.


Modifications:
  20040810 ADDREF REDHAT:RHSA-2003:067
  20040810 [desc] clarify role of setuid/setgid programs
  20040818 ADDREF REDHAT:RHSA-2003:066

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1472 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Christey> REDHAT:RHSA-2003:067
   URL:http://www.redhat.com/support/errata/RHSA-2003-067.html
 CHANGE> [Cox changed vote from REVIEWING to MODIFY]
 Cox> The description should be updated to show that this is exploitable only in
   setuid/gid programs that happen to link libX11.so.  This is important as
   many distributions did not ship with any setuid programs linked to
   libX11.so.

   Perhaps "setuid/gid programs linked to the xfree86 libX11.so allows local
   users to gain privileges via a modified LD_PRELOAD environment
   variable that points to a malicious module."


======================================================
Candidate: CAN-2002-1476
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1476
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: NETBSD:NetBSD-SA2002-012
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-012.txt.asc
Reference: BID:5724
Reference: URL:http://www.securityfocus.com/bid/5724
Reference: XF:netbsd-libc-setlocale-bo(10159)
Reference: URL:http://www.iss.net/security_center/static/10159.php
Reference: OSVDB:7565
Reference: URL:http://www.osvdb.org/7565

Buffer overflow in setlocale in libc on NetBSD 1.4.x through 1.6, and
possibly other operating systems, when called with the LC_ALL
category, allows local attackers to execute arbitrary code via a
user-controlled locale string that has more than 6 elements, which
exceeds the boundaries of the new_categories category array, as
exploitable through programs such as xterm and zsh.


Modifications:
  20040818 ADDREF OSVDB:7565

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1476 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1477
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1477
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020903 Cacti security issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0028.html
Reference: DEBIAN:DSA-164
Reference: URL:http://www.debian.org/security/2002/dsa-164
Reference: MISC:http://www.knights-of-the-routing-table.org/advisories/krt_001_20020903_cacti.txt
Reference: XF:cacti-graph-label-commands(10048)
Reference: URL:http://www.iss.net/security_center/static/10048.php
Reference: BID:5627
Reference: URL:http://www.securityfocus.com/bid/5627

graphs.php in Cacti before 0.6.8 allows remote authenticated Cacti
administrators to execute arbitrary commands via shell metacharacters
in the title during edit mode.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1477 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1478
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1478
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020903 Cacti security issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0028.html
Reference: MISC:http://www.knights-of-the-routing-table.org/advisories/krt_001_20020903_cacti.txt
Reference: DEBIAN:DSA-164
Reference: URL:http://www.debian.org/security/2002/dsa-164
Reference: XF:cacti-console-mode-commands(10050)
Reference: URL:http://www.iss.net/security_center/static/10050.php
Reference: BID:5630
Reference: URL:http://www.securityfocus.com/bid/5630

Cacti before 0.6.8 allows attackers to execute arbitrary commands via
the "Data Input" option in console mode.


Modifications:
  20040811 ADDREF DEBIAN:DSA-164

Analysis
--------
Vendor Acknowledgement:

ACCURACY: it is not clear from the report whether the "console mode"
is remote or not; if only accessible on the command line, this may not
be a vulnerability unless Cacti is setuid.

INFERRED ACTION: CAN-2002-1478 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(3) Christey, Cox, Wall

Voter Comments:
 Christey> Sounds like DEBIAN:DSA-164 is a match.
 Baker> http://www.dsinet.org/textfiles/advisories/Debian/DSA-164-1


======================================================
Candidate: CAN-2002-1479
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1479
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020903 Cacti security issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0028.html
Reference: MISC:http://www.knights-of-the-routing-table.org/advisories/krt_001_20020903_cacti.txt
Reference: XF:cacti-config-world-readable(10049)
Reference: URL:http://www.iss.net/security_center/static/10049.php
Reference: BID:5628
Reference: URL:http://www.securityfocus.com/bid/5628

Cacti before 0.6.8 stores a MySQL username and password in plaintext
in config.php, which has world-readable permissions, which allows
local users to modify databases as the Cacti user and possibly gain
privileges.

Analysis
--------
Vendor Acknowledgement:

ACCURACY: it is not clear from the report whether the "console mode"
is remote or not; if only accessible on the command line, this may not
be a vulnerability unless Cacti is setuid.

INFERRED ACTION: CAN-2002-1479 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1490
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: NETBSD:NetBSD-SA2002-007
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-007.txt.asc
Reference: XF:netbsd-tiocsctty-ioctl-bo(10115)
Reference: URL:http://www.iss.net/security_center/static/10115.php
Reference: BID:5722
Reference: URL:http://www.securityfocus.com/bid/5722
Reference: OSVDB:7566
Reference: URL:http://www.osvdb.org/7566

NetBSD 1.4 through 1.6 beta allows local users to cause a denial of
service (kernel panic) via a series of calls to the TIOCSCTTY ioctl,
which causes an integer overflow in a structure counter and sets the
counter to zero, which frees memory that is still in use by other
processes.


Modifications:
  20040818 ADDREF OSVDB:7566

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1490 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1491
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1491
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: CISCO:20020918 Cisco VPN 5000 Client Multiple Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml
Reference: XF:cisco-vpn5000-defaultconnection-password(10129)
Reference: URL:http://www.iss.net/security_center/static/10129.php
Reference: BID:5736
Reference: URL:http://www.securityfocus.com/bid/5736
Reference: OSVDB:7041
Reference: URL:http://www.osvdb.org/7041

The Cisco VPN 5000 Client for MacOS before 5.2.2 records the most
recently used login password in plaintext when saving "Default
Connection" settings, which could allow local users to gain
privileges.


Modifications:
  20040818 ADDREF OSVDB:7041

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1491 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   MODIFY(1) Jones
   NOOP(1) Cox

Voter Comments:
 Jones> Change "...to gain privileges." to "...to gain additional
   privileges."


======================================================
Candidate: CAN-2002-1493
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1493
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020914 Lycos HTMLGear Guestbook Script Injection Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0198.html
Reference: VULNWATCH:20020926 [VulnWatch] BugTraq ID: 5728
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0132.html
Reference: BID:5728
Reference: URL:http://www.securityfocus.com/bid/5728
Reference: XF:guestgear-img-xss(12235)
Reference: URL:http://xforce.iss.net/xforce/xfdb/12235

Cross-site scripting (XSS) vulnerability in Lycos HTMLGear guestbook
allows remote attackers to inject arbitrary script via (1) STYLE
attributes or (2) SRC attributes in an IMG tag.


Modifications:
  20040811 ADDREF XF:guestgear-img-xss(12235)

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-1493 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1494
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1494
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020903 Cross-Site Scripting in Aestiva's HTML/OS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0026.html
Reference: BID:5618
Reference: URL:http://www.securityfocus.com/bid/5618
Reference: XF:aestiva-htmlos-cgi-xss(10029)
Reference: URL:http://www.iss.net/security_center/static/10029.php

Cross-site scripting (XSS) vulnerabilities in Aestiva HTML/OS allow
remote attackers to insert arbitrary HTML or script by inserting the
script after a trailing / character, which inserts the script into the
resulting error message.


Modifications:
  20040811 [refs] fix Bugtraq post subject

Analysis
--------
Vendor Acknowledgement: no

INFERRED ACTION: CAN-2002-1494 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(3) Christey, Cox, Wall

Voter Comments:
 Christey> Fix Bugtraq subject line:
   BUGTRAQ:20020903 Cross-Site Scripting in Aestiva's HTML/OS


======================================================
Candidate: CAN-2002-1496
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1496
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020922 remote exploitable heap overflow in Null HTTPd 0.5.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0284.html
Reference: CONFIRM:http://freshmeat.net/releases/97910/
Reference: BID:5774
Reference: URL:http://www.securityfocus.com/bid/5774
Reference: XF:null-httpd-contentlength-bo(10160)
Reference: URL:http://www.iss.net/security_center/static/10160.php

Heap-based buffer overflow in Null HTTP Server 0.5.0 and earlier
allows remote attackers to execute arbitrary code via a negative value
in the Content-Length HTTP header.

Analysis
--------
Vendor Acknowledgement: yes changelog

INFERRED ACTION: CAN-2002-1496 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1497
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1497
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: CONFIRM:http://freshmeat.net/releases/97910/
Reference: BID:5603
Reference: URL:http://www.securityfocus.com/bid/5603
Reference: XF:null-httpd-xss(10004)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10004

Cross-site scripting (XSS) vulnerability in Null HTTP Server 0.5.0 and
earlier allows remote attackers to insert arbitrary HTML into a "404
Not Found" response.


Modifications:
  20040811 ADDREF BID:5603
  20040811 ADDREF XF:null-httpd-xss(10004)

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the changelog for 0.5.1 includes a statement that the
new version "fixes XSS filtering in 404 responses."

INFERRED ACTION: CAN-2002-1497 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1501
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1501
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020913 Scan against Enterasys SSR8000 crash the system
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0141.html
Reference: MISC:http://www.enterasys.com/support/techtips/tk0659-9.html
Reference: BID:5703
Reference: URL:http://www.securityfocus.com/bid/5703
Reference: XF:smartswitch-portscan-dos(10096)
Reference: URL:http://www.iss.net/security_center/static/10096.php

The MPS functionality in Enterasys SSR8000 (Smart Switch Router)
before firmware 8.3.0.10 allows remote attackers to cause a denial of
service (crash) via multiple port scans to ports 15077 and 15078.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1501 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall

Voter Comments:
 Baker> http://www.enterasys.com/support/techtips/tk0659-9.html


======================================================
Candidate: CAN-2002-1502
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1502
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020912 xbreaky symlink vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0131.html
Reference: CONFIRM:http://xbreaky.sourceforge.net/
Reference: BID:5700
Reference: URL:http://www.securityfocus.com/bid/5700
Reference: XF:xbreaky-breakyhighscores-symlink(10078)
Reference: URL:http://www.iss.net/security_center/static/10078.php

Symbolic link vulnerability in xbreaky before 0.5.5 allows local users
to overwrite arbitrary files via a symlink from the user's
.breakyhighscores file to the target file.

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: on the front page for xbreaky, a changelog dated
September 12, 2002, says "Marco van Berkum [the discloser] discovered
a bug in xbreaky" and includes a short description of the problem.

INFERRED ACTION: CAN-2002-1502 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1505
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1505
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20020908 sql injection vulnerability in WBB 2.0 RC1 and below
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0083.html
Reference: BID:5675
Reference: URL:http://www.securityfocus.com/bid/5675
Reference: XF:wbb-board-sql-injection(10069)
Reference: URL:http://www.iss.net/security_center/static/10069.php

SQL injection vulnerability in board.php for WoltLab Burning Board
(wBB) 2.0 RC 1 and earlier allows remote attackers to modify the
database and possibly gain privileges via the boardid parameter.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed fixed

INFERRED ACTION: CAN-2002-1505 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall

Voter Comments:
 Baker> http://www.woltlab.de/documentation/54.html
   Release notes for RC2 indicate the "safety problem" with the parameters.


======================================================
Candidate: CAN-2002-1509
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1509
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030213
Category: SF
Reference: CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=75418
Reference: MANDRAKE:MDKSA-2003:026
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:026
Reference: REDHAT:RHSA-2003:057
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-057.html
Reference: REDHAT:RHSA-2003:058
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-058.html

A patch for shadow-utils 20000902 causes the useradd command to create
mail spool files with read/write privileges of the new user's group
(mode 660), which allows other users in the same group to read or
modify the new user's incoming email.


Modifications:
  20040811 [desc] fix affected version
  20040811 REDHAT:RHSA-2003:058

Analysis
--------
Vendor Acknowledgement: yes patch

INFERRED ACTION: CAN-2002-1509 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Jones
   MODIFY(1) Cox

Voter Comments:
 Cox> Addref: RHSA-2003:058
   "20000902-7" should just be "20000902", the -7 being a Red Hat
   specific release number.


======================================================
Candidate: CAN-2002-1510
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1510
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030219
Category: SF
Reference: CONECTIVA:CLA-2002:533
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000533
Reference: MISC:http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/xsrc/xfree/xc/programs/Xserver/hw/xfree86/CHANGELOG
Reference: REDHAT:RHSA-2003:064
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-064.html
Reference: REDHAT:RHSA-2003:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-065.html
Reference: SUNALERT:55602
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55602
Reference: XF:xfree86-xdm-unauth-access(11389)
Reference: URL:http://www.iss.net/security_center/static/11389.php

xdm, with the authComplain variable set to false, allows arbitrary
attackers to connect to the X server if the xdm auth directory does
not exist.


Modifications:
  20040811 ADDREF SUNALERT:55602
  20040818 ADDREF REDHAT:RHSA-2003:064
  20040818 ADDREF REDHAT:RHSA-2003:065

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1510 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Cox


======================================================
Candidate: CAN-2002-1511
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1511
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030219
Category: SF
Reference: CONFIRM:http://changelogs.credativ.org/debian/pool/main/v/vnc/vnc_3.3.6-3/changelog
Reference: CONECTIVA:CLSA-2003:640
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000640
Reference: GENTOO:200302-15
Reference: URL:http://security.gentoo.org/glsa/glsa-200302-15.xml
Reference: MANDRAKE:MDKSA-2003:022
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:022
Reference: REDHAT:RHSA-2003:041
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-041.html
Reference: REDHAT:RHSA-2003:068
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-068.html
Reference: SUNALERT:56161
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/56161
Reference: BID:6905
Reference: URL:http://www.securityfocus.com/bid/6905
Reference: XF:vnc-rand-weak-cookie(11384)
Reference: URL:http://www.iss.net/security_center/static/11384.php

The vncserver wrapper for vnc before 3.3.3r2-21 uses the rand()
function instead of srand(), which causes vncserver to generate weak
cookies.


Modifications:
  20040811 ADDREF CONECTIVA:CLSA-2003:640
  20040811 ADDREF GENTOO:200302-15
  20040811 ADDREF SUNALERT:56161
  20040811 ADDREF BID:6905
  20040818 ADDREF REDHAT:RHSA-2003:068

Analysis
--------
Vendor Acknowledgement: yes changelog

INFERRED ACTION: CAN-2002-1511 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: RHSA-2003:068
 Christey> CONECTIVA:CLA-2003:640


======================================================
Candidate: CAN-2002-1513
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1513
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20020927 OpenVMS POP server local vulnerability
Reference: URL:http://online.securityfocus.com/archive/1/293070
Reference: BUGTRAQ:20021001 [security bulletin] SSRT2371 HP OpenVMS Potential POP server local vulnerability (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0010.html
Reference: COMPAQ:SSRT2371
Reference: URL:http://archives.neohapsis.com/archives/compaq/2002-q4/0000.html
Reference: BID:5790
Reference: URL:http://www.securityfocus.com/bid/5790
Reference: XF:openvms-pop-gain-privileges(10236)
Reference: URL:http://www.iss.net/security_center/static/10236.php

The UCX POP server in HP TCP/IP services for OpenVMS 4.2 through 5.3
allows local users to truncate arbitrary files via the -logfile
command line option, which overrides file system permissions because
the server runs with the SYSPRV and BYPASS privileges.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1513 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1514
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1514
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20020925 Borland Interbase local root exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0311.html
Reference: BID:5805
Reference: URL:http://www.securityfocus.com/bid/5805
Reference: XF:interbase-gdslockmgr-bo(10196)
Reference: URL:http://www.iss.net/security_center/static/10196.php

gds_lock_mgr in Borland InterBase allows local users to overwrite
files and gain privileges via a symlink attack on a "isc_init1.X"
temporary file, as demonstrated by modifying the xinetdbd file.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-1514 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(3) Cox, Balinsky, Wall


======================================================
Candidate: CAN-2002-1516
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1516
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: CIAC:N-004
Reference: URL:http://www.ciac.org/ciac/bulletins/n-004.shtml
Reference: SGI:20020903-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020903-01-P
Reference: XF:irix-rpcbind-w-symlink(10272)
Reference: URL:http://www.iss.net/security_center/static/10272.php
Reference: BID:5889
Reference: URL:http://online.securityfocus.com/bid/5889

rpcbind in SGI IRIX, when using the -w command line switch, allows
local users to overwrite arbitrary files via a symlink attack.

Analysis
--------
Vendor Acknowledgement: yes advisory

ABSTRACTION: this is most likely a different vulnerability than
CVE-1999-0190 because CVE-1999-0190 is remotely exploitable, and
symlink issues are, by their nature, only locally exploitable.

INFERRED ACTION: CAN-2002-1516 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1517
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1517
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: CIAC:N-004
Reference: URL:http://www.ciac.org/ciac/bulletins/n-004.shtml
Reference: SGI:20020903-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020903-01-P
Reference: XF:irix-fsr-efs-symlink(10275)
Reference: URL:http://www.iss.net/security_center/static/10275.php
Reference: BID:5897
Reference: URL:http://www.securityfocus.com/bid/5897

fsr_efs in IRIX 6.5 allows local users to conduct unauthorized file
activities via a symlink attack, possibly via the .fsrlast file.

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: the only source that specifically mentions the ".fsrlast"
file is SecurityFocus, and it is not clear where that knowledge came
from.

INFERRED ACTION: CAN-2002-1517 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1518
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1518
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: CIAC:N-004
Reference: URL:http://www.ciac.org/ciac/bulletins/n-004.shtml
Reference: SGI:20020903-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020903-01-P
Reference: BID:5893
Reference: URL:http://www.securityfocus.com/bid/5893
Reference: XF:irix-mv-directory-insecure(10276)
Reference: URL:http://www.iss.net/security_center/static/10276.php

mv in IRIX 6.5 creates a directory with world-writable permissions
while moving a directory, which could allow local users to modify
files and directories.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1518 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1519
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1519
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20020926 Watchguard firewall appliances security issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0325.html
Reference: BUGTRAQ:20020927 Software Update Available for Legacy RapidStream Appliances and WatchGuard Firebox Vclass appliances
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0335.html
Reference: BID:5814
Reference: URL:http://www.securityfocus.com/bid/5814
Reference: XF:firebox-vclass-cli-format-string(10217)
Reference: URL:http://www.iss.net/security_center/static/10217.php
Reference: OSVDB:4924
Reference: URL:http://www.osvdb.org/4924

Format string vulnerability in the CLI interface for WatchGuard
Firebox Vclass 3.2 and earlier, and RSSA Appliance 3.0.2, allows
remote attackers to cause a denial of service and possibly execute
arbitrary code via format string specifiers in the password parameter.


Modifications:
  20040811 [desc] fix "and possible" typo
  20040818 ADDREF OSVDB:4924

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-1519 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(3) Christey, Cox, Wall

Voter Comments:
 Christey> fix typo: "and possible"


======================================================
Candidate: CAN-2002-1520
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1520
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20020927 Software Update Available for Legacy RapidStream Appliances and WatchGuard Firebox Vclass appliances
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0335.html
Reference: BUGTRAQ:20020926 Watchguard firewall appliances security issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0325.html
Reference: BID:5815
Reference: URL:http://www.securityfocus.com/bid/5815
Reference: XF:firebox-vclass-cli-admin-privileges(10218)
Reference: URL:http://www.iss.net/security_center/static/10218.php
Reference: OSVDB:4831
Reference: URL:http://www.osvdb.org/4831

The CLI interface for WatchGuard Firebox Vclass 3.2 and earlier, and
RSSA Appliance 3.0.2, does not properly close the SSH connection when
a -N option is provided during authentication, which allows remote
attackers to access CLI with administrator privileges.


Modifications:
  20040818 ADDREF OSVDB:4831

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-1520 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1521
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1521
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: VULNWATCH:20020925 [SecurityOffice] Webserver 4D v3.6 Weak Password Preservation Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0128.html
Reference: XF:webserver-4d-plaintext-passwords(10198)
Reference: URL:http://www.iss.net/security_center/static/10198.php
Reference: BID:5803
Reference: URL:http://www.securityfocus.com/bid/5803

Web Server 4D (WS4D) 3.6 stores passwords in plaintext in the Ws4d.4DD
file, which allows attackers to gain privileges.

Analysis
--------
Vendor Acknowledgement: no

INFERRED ACTION: CAN-2002-1521 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1524
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1524
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20020929 IIL Advisory: Winamp 3 (1.0.0.488) XML parser buffer overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-09/0346.html
Reference: BID:5832
Reference: URL:http://www.securityfocus.com/bid/5832
Reference: XF:winamp-xml-parser-bo(10228)
Reference: URL:http://www.iss.net/security_center/static/10228.php

Buffer overflow in XML parser in wsabi.dll of Winamp 3 (1.0.0.488)
allows remote attackers to execute arbitrary code via a skin file
(.wal) with a long include file tag.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-1524 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1528
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1528
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20021010 MondoSearch show the source of all files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0147.html
Reference: XF:mondosearch-url-souce-disclosure(10350)
Reference: URL:http://www.iss.net/security_center/static/10350.php
Reference: BID:5941
Reference: URL:http://www.securityfocus.com/bid/5941

MsmMask.exe in MondoSearch 4.4 allows remote attackers to obtain the
source code of scripts via the mask parameter.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-1528 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1529
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1529
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20021008 Four Vulnerabilities in SurfControl's SuperScout Email Filter Administrative Server
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html
Reference: XF:superscout-emailfilter-error-xss(10319)
Reference: URL:http://www.iss.net/security_center/static/10319.php
Reference: BID:5928
Reference: URL:http://www.securityfocus.com/bid/5928

Cross-site scripting (XSS) vulnerability in msgError.asp for the
administrative web interface (STEMWADM) for SurfControl SuperScout
Email Filter allows remote attackers to insert arbitrary script or
HTML via the Reason parameter.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1529 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1530
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1530
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20021008 Four Vulnerabilities in SurfControl's SuperScout Email Filter Administrative Server
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html
Reference: BID:5929
Reference: URL:http://www.securityfocus.com/bid/5929
Reference: XF:superscout-emailfilter-plaintext-passwords(10320)
Reference: URL:http://www.iss.net/security_center/static/10320.php

The administrative web interface (STEMWADM) for SurfControl SuperScout
Email Filter allows users to obtain usernames and plaintext passwords
via a request to the userlist.asp program, which includes the
passwords in a user editing form.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1530 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1531
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1531
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20021008 Four Vulnerabilities in SurfControl's SuperScout Email Filter Administrative Server
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html
Reference: XF:superscout-emailfilter-content-dos(10321)
Reference: URL:http://www.iss.net/security_center/static/10321.php
Reference: BID:5930
Reference: URL:http://www.securityfocus.com/bid/5930

The administrative web interface (STEMWADM) for SurfControl SuperScout
Email Filter allows remote attackers to cause a denial of service
(crash) via an HTTP request without a Content-Length parameter.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1531 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1532
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1532
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20021008 Four Vulnerabilities in SurfControl's SuperScout Email Filter Administrative Server
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html
Reference: BID:5931
Reference: URL:http://www.securityfocus.com/bid/5931
Reference: XF:superscout-emailfilter-get-dos(10322)
Reference: URL:http://www.iss.net/security_center/static/10322.php

The administrative web interface (STEMWADM) for SurfControl SuperScout
Email Filter allows remote attackers to cause a denial of service
(resource exhaustion) via a GET request without the terminating
\r\n\r\n (CRLF) sequence, which causes the interface to wait for the
sequence and blocks other users from accessing it.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1532 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1534
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1534
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030223
Category: SF
Reference: BUGTRAQ:20021006 Flash player can read local files
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0083.html
Reference: XF:flash-xml-read-files(10297)
Reference: URL:http://www.iss.net/security_center/static/10297.php
Reference: BID:5904
Reference: URL:http://www.securityfocus.com/bid/5904

Macromedia Flash Player allows remote attackers to read arbitrary
files via XML script in a .swf file that is hosted on a remote SMB
share.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-1534 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(1) Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2002-1537
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1537
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: BUGTRAQ:20021027 Privilege Escalation Vulnerability In phpBB 2.0.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0385.html
Reference: XF:phpbb-adminugauth-admin-privileges(10489)
Reference: URL:http://www.iss.net/security_center/static/10489.php
Reference: BID:6056
Reference: URL:http://www.securityfocus.com/bid/6056
Reference: OSVDB:4284
Reference: URL:http://www.osvdb.org/4284

admin_ug_auth.php in phpBB 2.0.0 allows local users to gain
administrator privileges by directly calling admin_ug_auth.php with
modified form fields such as "u".


Modifications:
  20040818 ADDREF OSVDB:4284

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1537 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1538
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1538
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: BUGTRAQ:20021025 Sec-Tec advisory 24.10.02 Unauthorised file acces in Acuma
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0366.html
Reference: XF:acusend-unauthorized-file-access(10473)
Reference: URL:http://www.iss.net/security_center/static/10473.php
Reference: BID:6048
Reference: URL:http://www.securityfocus.com/bid/6048

Acuma Acusend 4, and possibly earlier versions, allows remote
authenticated users to read the reports of other users by inferring
the full URL, whose name is easily predictable.

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

INFERRED ACTION: CAN-2002-1538 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1540
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1540
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: BUGTRAQ:20021024 DH team: Norton Antivirus Corporate Edition Privilege Escalation
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0346.html
Reference: BUGTRAQ:20021025 RE:  DH team: Norton Antivirus Corporate Edition Privilege Escalation, http://online.securityfocus.com/archive/1/296979/2002-10-22/2002-10-28/0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0369.html
Reference: XF:nav-winhlp32-gain-privileges(10475)
Reference: URL:http://www.iss.net/security_center/static/10475.php
Reference: OSVDB:6258
Reference: URL:http://www.osvdb.org/6258

The client for Symantec Norton AntiVirus Corporate Edition 7.5.x
before 7.5.1 Build 62 and 7.6.x before 7.6.1 Build 35a runs winhlp32
with raised privileges, which allows local users to gain privileges by
using certain features of winhlp32.


Modifications:
  20040818 ADDREF OSVDB:6258

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2002-1540 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1541
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1541
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: VULNWATCH:20021024 [SecurityOffice] BadBlue Web Server v1.7 Protected File Access Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0041.html
Reference: BID:6044
Reference: URL:http://www.securityfocus.com/bid/6044
Reference: XF:badblue-protected-file-access(10466)
Reference: URL:http://www.iss.net/security_center/static/10466.php

BadBlue 1.7 allows remote attackers to bypass password protections for
directories and files via an HTTP request containing an extra /
(slash).

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2002-1541 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1543
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1543
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: NETBSD:NetBSD-SA2002-025
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-025.txt.asc
Reference: XF:trek-keyboard-input-bo(10458)
Reference: URL:http://www.iss.net/security_center/static/10458.php
Reference: BID:6036
Reference: URL:http://www.securityfocus.com/bid/6036
Reference: OSVDB:7570
Reference: URL:http://www.osvdb.org/7570

Buffer overflow in trek on NetBSD 1.5 through 1.5.3 allows local users
to gain privileges via long keyboard input.


Modifications:
  20040818 ADDREF OSVDB:7570

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1543 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2002-1547
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1547
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030304
Category: SF
Reference: BUGTRAQ:20021101 Netscreen SSH1 CRC32 Compensation Denial of service
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0443.html
Reference: VULNWATCH:20021101 Netscreen SSH1 CRC32 Compensation Denial of service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0053.html
Reference: VULNWATCH:20021101 (Correction) Netscreen SSH1 CRC32 Compensation Denial of service
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0054.html
Reference: BUGTRAQ:20021101 (Correction) Netscreen SSH1 CRC32 Compensation Denial of service
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0446.html
Reference: CONFIRM:http://www.netscreen.com/support/alerts/11_06_02.html
Reference: XF:netscreen-ssh-dos(10528)
Reference: URL:http://www.iss.net/security_center/static/10528.php
Reference: OSVDB:4376
Reference: URL:http://www.osvdb.org/4376

Netscreen running ScreenOS 4.0.0r6 and earlier allows remote attackers
to cause a denial of service via a malformed SSH packet to the Secure
Command Shell (SCS) management interface, as demonstrated via certain
CRC32 exploits, a different vulnerability than CVE-2001-0144.


Modifications:
  20040818 ADDREF OSVDB:4376

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The advisory by Netscreen says "NetScreen has
confirmed a customer report that an SSHv1 CRC32 Attack can compromise
the ability to manage the NetScreen device and/or force the device to
reboot"

INFERRED ACTION: CAN-2002-1547 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1548
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1548
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030304
Category: SF
Reference: AIXAPAR:IY31934
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q4/0002.html

Unknown vulnerability in autofs on AIX 4.3.0, when using executable
maps, allows attackers to execute arbitrary commands as root, possibly
related to "string handling around how the executable map is called."


Modifications:
  20040811 [desc] add details

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1548 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Bollinger
   NOOP(2) Armstrong, Cox


======================================================
Candidate: CAN-2002-1549
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1549
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030304
Category: SF
Reference: BUGTRAQ:20021112 Remote Buffer Overflow vulnerability in Light HTTPd
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-11/0138.html
Reference: BID:6162
Reference: URL:http://www.securityfocus.com/bid/6162
Reference: XF:light-httpd-bo(10607)
Reference: URL:http://www.iss.net/security_center/static/10607.php

Buffer overflow in Light HTTPd (lhttpd) 0.1 allows remote attackers to
execute arbitrary code via a long HTTP GET request.

Analysis
--------
Vendor Acknowledgement:

INFERRED ACTION: CAN-2002-1549 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1550
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1550
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030304
Category: SF
Reference: AIXAPAR:IY34617
Reference: URL:http://archives.neohapsis.com/archives/aix/2002-q4/0002.html

dump_smutil.sh in IBM AIX allows local users to overwrite arbitrary
files via a symlink attack on temporary files.


Modifications:
  20040811 [desc] add "overwrite files" per Bollinger

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2002-1550 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Bollinger
   NOOP(1) Cox

Voter Comments:
 Bollinger> local attacker can overwrite arbitrary files as root.  the
   attacker does not have control over the contents or the timing of the
   attack.


======================================================
Candidate: CAN-2002-1552
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1552
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030304
Category: SF
Reference: BUGTRAQ:20021112 NOVL-2002-2963827 - Remote Manager Security Issue - NW5.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103712790808781&w=2
Reference: BUGTRAQ:20021112 NOVL-2002-2963767 - Remote Manager Security Issue - eDir 8.6.2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103712498905027&w=2
Reference: BID:6163
Reference: URL:http://www.securityfocus.com/bid/6163
Reference: XF:novell-edirectory-expired-accounts(10604)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10604

Novell eDirectory (eDir) 8.6.2 and Netware 5.1 eDir 85.x allows users
with expired passwords to gain inappropriate permissions when logging
in from Remote Manager.


Modifications:
  20040811 ADDREF XF:novell-edirectory-expired-accounts(10604)
  20040811 ADDREF BID:6163

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1552 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(3) Christey, Cox, Wall

Voter Comments:
 Christey> BID:6163
   URL:http://www.securityfocus.com/bid/6163


======================================================
Candidate: CAN-2002-1560
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1560
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030304
Category: SF
Reference: BUGTRAQ:20021022 gBook
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-10/0328.html
Reference: BID:6033
Reference: URL:http://www.securityfocus.com/bid/6033
Reference: XF:gbook-mysql-admin-access(10455)
Reference: URL:http://www.iss.net/security_center/static/10455.php

index.php in gBook 1.4 allows remote attackers to bypass
authentication and gain administrative privileges by setting the login
parameter to true.

Analysis
--------
Vendor Acknowledgement: no

INFERRED ACTION: CAN-2002-1560 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2002-1574
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1574
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20031201
Category: SF
Reference: REDHAT:RHSA-2004:044
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-044.html
Reference: REDHAT:RHSA-2004:106
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-106.html
Reference: CIAC:N-096
Reference: URL:http://www.ciac.org/ciac/bulletins/n-096.shtml
Reference: XF:linux-ixj-root-privileges(10417)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10417
Reference: BID:5985
Reference: URL:http://www.securityfocus.com/bid/5985

Buffer overflow in the ixj telephony card driver in Linux before
2.4.20, with unknown attack vectors and impact.


Modifications:
  20040818 ADDREF REDHAT:RHSA-2004:106

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2002-1574 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Wall

Voter Comments:
 Cox> http://linux.bkbits.net:8080/linux-2.4/cset@alan@lxorguk.ukuu.org.uk|ChangeSet|20020826224304|09117


======================================================
Candidate: CAN-2003-0002
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0002
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030102
Category: SF
Reference: BUGTRAQ:20021007 CSS on Microsoft Content Management Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103417794800719&w=2
Reference: MS:MS03-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms03-002.asp
Reference: BID:5922
Reference: URL:http://online.securityfocus.com/bid/5922
Reference: XF:mcms-manuallogin-reasontxt-xss (10318)
Reference: URL:http://www.iss.net/security_center/static/10318.php

Cross-site scripting vulnerability (XSS) in ManualLogin.asp script for
Microsoft Content Management Server (MCMS) 2001 allows remote
attackers to execute arbitrary script via the REASONTXT parameter.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0002 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2003-0003
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0003
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20030102
Category: SF
Reference: BUGTRAQ:20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104394414713415&w=2
Reference: NTBUGTRAQ:20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003)
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=104393588232166&w=2
Reference: MS:MS03-001
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms03-001.asp
Reference: CERT:CA-2003-03
Reference: URL:http://www.cert.org/advisories/CA-2003-03.html
Reference: CERT-VN:VU#610986
Reference: URL:http://www.kb.cert.org/vuls/id/610986
Reference: BID:6666
Reference: URL:http://www.securityfocus.com/bid/6666
Reference: XF:win-locator-bo(11132)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11132
Reference: OVAL:OVAL103
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL103.html

Buffer overflow in the RPC Locator service for Microsoft Windows NT
4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows
XP allows local users to execute arbitrary code via an RPC call to the
service containing certain parameter information.


Modifications:
  20040811 ADDREF BID:6666
  20040811 ADDREF XF:win-locator-bo(11132)
  20040824 ADDREF OVAL:OVAL103

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0003 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Baker
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:win-locator-bo(11132)


======================================================
Candidate: CAN-2003-0004
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0004
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030102
Category: SF
Reference: BUGTRAQ:20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104878038418534&w=2
Reference: VULNWATCH:20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0154.html
Reference: MS:MS03-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms03-005.asp
Reference: BID:6778
Reference: URL:http://www.securityfocus.com/bid/6778
Reference: XF:winxp-windows-redirector-bo(11260)
Reference: URL:http://www.iss.net/security_center/static/11260.php

Buffer overflow in the Windows Redirector function in Microsoft
Windows XP allows local users to execute arbitrary code via a long
parameter.


Modifications:
  20040811 ADDREF BUGTRAQ:20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability
  20040811 ADDREF VULNWATCH:20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability
  20040811 ADDREF BID:6778

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0004 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BUGTRAQ:20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104878038418534&w=2
 Christey> VULNWATCH:20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability
   URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0154.html
 Christey> BID:6778
   URL:http://www.securityfocus.com/bid/6778


======================================================
Candidate: CAN-2003-0007
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0007
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030102
Category: SF
Reference: MS:MS03-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms03-003.asp
Reference: BID:6667
Reference: URL:http://www.securityfocus.com/bid/6667
Reference: XF:outlook-v1-certificate-plaintext(11133)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11133

Microsoft Outlook 2002 does not properly handle requests to encrypt
email messages with V1 Exchange Server Security certificates, which
causes Outlook to send the email in plaintext, aka "Flaw in how
Outlook 2002 handles V1 Exchange Server Security Certificates could
lead to Information Disclosure."


Modifications:
  20040811 ADDREF BID:6667
  20040811 ADDREF XF:outlook-v1-certificate-plaintext(11133)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0007 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2003-0009
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0009
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030102
Category: SF
Reference: BUGTRAQ:20030227 MS-Windows ME IE/Outlook/HelpCenter critical vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104636383018686&w=2
Reference: MS:MS03-006
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms03-006.asp
Reference: CIAC:N-047
Reference: URL:http://www.ciac.org/ciac/bulletins/n-047.shtml
Reference: CERT-VN:VU#489721
Reference: URL:http://www.kb.cert.org/vuls/id/489721
Reference: BID:6966
Reference: URL:http://www.securityfocus.com/bid/6966
Reference: XF:winme-hsc-hcp-bo(11425)
Reference: URL:http://www.iss.net/security_center/static/11425.php
Reference: OSVDB:6074
Reference: URL:http://www.osvdb.org/6074

Cross-site scripting (XSS) vulnerability in Help and Support Center
for Microsoft Windows Me allows remote attackers to execute arbitrary
script in the Local Computer security context via an hcp:// URL with
the malicious script in the topic parameter.


Modifications:
  20040811 ADDREF CIAC:N-047
  20040811 ADDREF CERT-VN:VU#489721
  20040811 ADDREF BID:6966
  20040818 ADDREF OSVDB:6074

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0009 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CIAC:N-047
   URL:http://www.ciac.org/ciac/bulletins/n-047.shtml
   CERT-VN:VU#489721
   URL:http://www.kb.cert.org/vuls/id/489721
   BID:6966
   URL:http://www.securityfocus.com/bid/6966


======================================================
Candidate: CAN-2003-0012
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0012
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030106
Category: SF
Reference: BUGTRAQ:20030102 [BUGZILLA] Security Advisory - remote database password disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104154319200399&w=2
Reference: DEBIAN:DSA-230
Reference: URL:http://www.debian.org/security/2003/dsa-230
Reference: REDHAT:RHSA-2003:012
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-012.html
Reference: BID:6502
Reference: URL:http://online.securityfocus.com/bid/6502
Reference: XF:bugzilla-mining-world-writable(10971)
Reference: URL:http://www.iss.net/security_center/static/10971.php

The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x
before 2.16.2, and 2.17.x before 2.17.3 sets world-writable
permissions for the data/mining directory when it runs, which allows
local users to modify or delete the data.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:012
  20040811 ADDREF XF:bugzilla-mining-world-writable(10971)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0012 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Jones
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> REDHAT:RHSA-2003:012
   URL:http://www.redhat.com/support/errata/RHSA-2003-012.html
   XF:bugzilla-mining-world-writable(10971)
   URL:http://www.iss.net/security_center/static/10971.php


======================================================
Candidate: CAN-2003-0013
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0013
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030106
Category: CF
Reference: BUGTRAQ:20030102 [BUGZILLA] Security Advisory - remote database password disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104154319200399&w=2
Reference: DEBIAN:DSA-230
Reference: URL:http://www.debian.org/security/2003/dsa-230
Reference: BID:6501
Reference: URL:http://online.securityfocus.com/bid/6501
Reference: XF:bugzilla-htaccess-database-password(10970)
Reference: URL:http://www.iss.net/security_center/static/10970.php
Reference: OSVDB:6351
Reference: URL:http://www.osvdb.org/6351

The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5,
2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include
filenames for backup copies of the localconfig file that are made from
editors such as vi and Emacs, which could allow remote attackers to
obtain a database password by directly accessing the backup file.


Modifications:
  20040811 ADDREF XF:bugzilla-htaccess-database-password(10970)
  20040818 ADDREF OSVDB:6351

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0013 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Jones
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:bugzilla-htaccess-database-password(10970)
   URL:http://www.iss.net/security_center/static/10970.php


======================================================
Candidate: CAN-2003-0015
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030120 Advisory 01/2003: CVS remote vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0028.html
Reference: MISC:http://security.e-matters.de/advisories/012003.html
Reference: MISC:http://lists.netsys.com/pipermail/full-disclosure/2003-January/003606.html
Reference: BUGTRAQ:20030124 Test program for CVS double-free.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104342550612736&w=2
Reference: BUGTRAQ:20030202 Exploit for CVS double free() for Linux pserver
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104428571204468&w=2
Reference: CERT:CA-2003-02
Reference: URL:http://www.cert.org/advisories/CA-2003-02.html
Reference: CONFIRM:http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51&JServSessionIdservlets=5of2iuhr14
Reference: CALDERA:CSSA-2003-006
Reference: DEBIAN:DSA-233
Reference: URL:http://www.debian.org/security/2003/dsa-233
Reference: FREEBSD:FreeBSD-SA-03:01
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104438807203491&w=2
Reference: MANDRAKE:MDKSA-2003:009
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:009
Reference: REDHAT:RHSA-2003:012
Reference: URL:http://rhn.redhat.com/errata/RHSA-2003-012.html
Reference: REDHAT:RHSA-2003:013
Reference: URL:http://rhn.redhat.com/errata/RHSA-2003-013.html
Reference: SUSE:SuSE-SA:2003:0007
Reference: BUGTRAQ:20030122 [security@slackware.com: [slackware-security] New CVS packages available]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104333092200589&w=2
Reference: CIAC:N-032
Reference: URL:http://www.ciac.org/ciac/bulletins/n-032.shtml
Reference: CERT-VN:VU#650937
Reference: URL:http://www.kb.cert.org/vuls/id/650937
Reference: BID:6650
Reference: URL:http://www.securityfocus.com/bid/6650
Reference: XF:cvs-doublefree-memory-corruption(11108)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11108

Double-free vulnerability in CVS 1.11.4 and earlier allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a malformed Directory request, as demonstrated by bypassing
write checks to execute Update-prog and Checkin-prog commands.


Modifications:
  20040811 ADDREF BID:6650
  20040811 ADDREF XF:cvs-doublefree-memory-corruption(11108)
  20040811 ADDREF CIAC:N-032
  20040811 ADDREF MANDRAKE:MDKSA-2003:009

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0015 ACCEPT (5 accept, 9 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Baker, Cox
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:cvs-doublefree-memory-corruption(11108)
 Christey> BID:6650
   URL:http://www.securityfocus.com/bid/6650
   CIAC:N-032
   URL:http://www.ciac.org/ciac/bulletins/n-032.shtml
   MANDRAKE:MDKSA-2003:009
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:009


======================================================
Candidate: CAN-2003-0016
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: MLIST:[apache-httpd-announce] 20030120 [ANNOUNCE] Apache 2.0.44 Released
Reference: URL:http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=104313442901017&w=2
Reference: CERT-VN:VU#979793
Reference: URL:http://www.kb.cert.org/vuls/id/979793
Reference: CERT-VN:VU#825177
Reference: URL:http://www.kb.cert.org/vuls/id/825177
Reference: CONFIRM:http://www.apacheweek.com/issues/03-01-24#security
Reference: BID:6659
Reference: URL:http://www.securityfocus.com/bid/6659
Reference: XF:apache-device-name-dos(11124)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11124
Reference: XF:apache-device-code-execution(11125)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11125

Apache before 2.0.44, when running on unpatched Windows 9x and Me
operating systems, allows remote attackers to cause a denial of
service or execute arbitrary code via an HTTP request containing
MS-DOS device names.


Modifications:
  20040811 ADDREF CERT-VN:VU#979793
  20040811 ADDREF CERT-VN:VU#825177
  20040811 ADDREF CONFIRM:http://www.apacheweek.com/issues/03-01-24#security
  20040811 ADDREF XF:apache-device-name-dos(11124)
  20040811 ADDREF XF:apache-device-code-execution(11125)
  20040811 ADDREF BID:6659
  20040811 [refs] normalize MLIST

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0016 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Wall, Cole, Green, Baker, Cox
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: http://www.apacheweek.com/issues/03-01-24#security
 Christey> BUGTRAQ:20030122 Path Parsing Errata in Apache HTTP Server
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104326783301113&w=2
   CERT-VN:VU#979793
   URL:http://www.kb.cert.org/vuls/id/979793
   CERT-VN:VU#825177
   URL:http://www.kb.cert.org/vuls/id/825177

   Need to update the description to cover the fact that there
   are 2 separate attack vectors / bugs here (note: CD:SF-LOC
   does suggest keeping these issues MERGED in a single item)


======================================================
Candidate: CAN-2003-0017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=104313442901017&w=2

Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers
to obtain certain files via an HTTP request that ends in certain
illegal characters such as ">", which causes a different filename to
be processed and served.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0017 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   REVIEWING(1) Wall

Voter Comments:
 Cox> You can use this vulnerability to quickly build up a complete list of
   available files in a directory (for example if "a>" returns a file
   then try "aa>" and so on).  So suggest modification of "certain files"
   to "files".
   Addref: http://www.apacheweek.com/issues/03-01-24#security
 Green> SPECIFIC REFERENCE TO THE VULNERABILITY IN APACHE 2.0.44
   ANNOUNCEMENT


======================================================
Candidate: CAN-2003-0018
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0018
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: DEBIAN:DSA-358
Reference: URL:http://www.debian.org/security/2003/dsa-358
Reference: DEBIAN:DSA-423
Reference: URL:http://www.debian.org/security/2004/dsa-423
Reference: MANDRAKE:MDKSA-2003:014
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:014
Reference: REDHAT:RHSA-2003:025
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-025.html
Reference: BID:6763
Reference: URL:http://www.securityfocus.com/bid/6763
Reference: XF:linux-odirect-information-leak(11249)
Reference: URL:http://www.iss.net/security_center/static/11249.php

Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the
O_DIRECT feature, which allows local attackers with write privileges
to read portions of previously deleted files, or cause file system
corruption.


Modifications:
  20040811 ADDREF DEBIAN:DSA-423
  20040811 ADDREF BID:6763
  20040818 ADDREF DEBIAN:DSA-358

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0018 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Cox, Jones
   NOOP(1) Christey

Voter Comments:
 Christey> BID:6763
   URL:http://www.securityfocus.com/bid/6763

   SUSE:SuSE-SA:2003:049 also references this bug: "race
   condition with files opened via O_DIRECT which could be exploited to
   read disk blocks randomly. This could include blocks of previously
   deleted files with sensitive content"
 Christey> DEBIAN:DSA-423
   URL:http://www.debian.org/security/2004/dsa-423


======================================================
Candidate: CAN-2003-0019
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0019
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: REDHAT:RHSA-2003:056
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-056.html
Reference: CERT-VN:VU#134025
Reference: URL:http://www.kb.cert.org/vuls/id/134025
Reference: CIAC:N-044
Reference: URL:http://www.ciac.org/ciac/bulletins/n-044.shtml
Reference: BID:6801
Reference: URL:http://www.securityfocus.com/bid/6801
Reference: XF:linux-umlnet-gain-privileges(11276)
Reference: URL:http://www.iss.net/security_center/static/11276.php

uml_net in the kernel-utils package for Red Hat Linux 8.0 has
incorrect setuid root privileges, which allows local users to modify
network interfaces, e.g. by modifying ARP entries or placing
interfaces into promiscuous mode.


Modifications:
  20040811 ADDREF CIAC:N-044
  20040811 ADDREF CERT-VN:VU#134025
  20040811 ADDREF BID:6801

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0019 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Cox, Jones
   NOOP(1) Christey

Voter Comments:
 Christey> CIAC:N-044
   URL:http://www.ciac.org/ciac/bulletins/n-044.shtml
   CERT-VN:VU#134025
   URL:http://www.kb.cert.org/vuls/id/134025
   BID:6801
   URL:http://www.securityfocus.com/bid/6801


======================================================
Candidate: CAN-2003-0020
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: APPLE:APPLE-SA-2004-05-03
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108369640424244&w=2
Reference: GENTOO:GLSA-200405-22
Reference: URL:http://security.gentoo.org/glsa/glsa-200405-22.xml
Reference: HP:SSRT4717
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108731648532365&w=2
Reference: MANDRAKE:MDKSA-2003:050
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050
Reference: MANDRAKE:MDKSA-2004:046
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:046
Reference: REDHAT:RHSA-2003:082
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-082.html
Reference: REDHAT:RHSA-2003:083
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-083.html
Reference: REDHAT:RHSA-2003:104
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-104.html
Reference: REDHAT:RHSA-2003:139
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-139.html
Reference: REDHAT:RHSA-2003:243
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-243.html
Reference: REDHAT:RHSA-2003:244
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-244.html
Reference: TRUSTIX:2004-0017
Reference: URL:http://www.trustix.org/errata/2004/0017
Reference: TRUSTIX:2004-0027
Reference: URL:http://www.trustix.org/errata/2004/0027
Reference: SLACKWARE:SSA:2004-133
Reference: URL:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643
Reference: BUGTRAQ:20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108437852004207&w=2
Reference: XF:apache-esc-seq-injection(11412)
Reference: URL:http://www.iss.net/security_center/static/11412.php
Reference: BID:9930
Reference: URL:http://www.securityfocus.com/bid/9930
Reference: OVAL:OVAL150
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL150.html

Apache does not filter terminal escape sequences from its error logs,
which could make it easier for attackers to insert those sequences
into terminal emulators containing vulnerabilities related to escape
sequences.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:139
  20040811 ADDREF REDHAT:RHSA-2003:243
  20040811 ADDREF MANDRAKE:MDKSA-2003:050
  20040811 ADDREF TRUSTIX:2004-0017
  20040811 ADDREF TRUSTIX:2004-0027
  20040811 ADDREF APPLE:APPLE-SA-2004-05-03
  20040811 ADDREF BUGTRAQ:20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
  20040811 ADDREF SLACKWARE:SSA:2004-133
  20040811 ADDREF MANDRAKE:MDKSA-2004:046
  20040811 ADDREF GENTOO:GLSA-200405-22
  20040811 ADDREF HP:SSRT4717
  20040818 ADDREF REDHAT:RHSA-2003:082
  20040818 ADDREF REDHAT:RHSA-2003:083
  20040818 ADDREF REDHAT:RHSA-2003:104
  20040818 ADDREF REDHAT:RHSA-2003:244
  20040824 ADDREF OVAL:OVAL150

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0020 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Baker
   MODIFY(1) Cox
   NOOP(3) Wall, Green, Christey

Voter Comments:
 CHANGE> [Cox changed vote from REVIEWING to MODIFY]
 Cox> This issue affects Apache 1.3.27, Apache 2.0.45 and earlier,
   as well as possibly later versions (since it's not fixed by
   ASF yet)
 Cox> ADDREF REDHAT:RHSA-2003:139
 Christey> MANDRAKE:MDKSA-2003:050
   (as suggested by Vincent Danen of Mandrake)
 Christey> REDHAT:RHSA-2003:243
 Christey> BUGTRAQ:20040330 TSLSA-2004-0017 - apache
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108066914830552&w=2
 Christey> APPLE:APPLE-SA-2004-05-03
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108369640424244&w=2
 Christey> BUGTRAQ:20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108437852004207&w=2
 Christey> SLACKWARE:SSA:2004-133
   URL:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643
   TRUSTIX:2004-0027
   URL:http://www.trustix.org/errata/2004/0027
 Christey> MANDRAKE:MDKSA-2004:046
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:046
 Christey> BUGTRAQ:20040526 [ GLSA 200405-22 ] Apache 1.3: Multiple vulnerabilities
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108559521611694&w=2
 Christey> HP:SSRT4717
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108731648532365&w=2


======================================================
Candidate: CAN-2003-0021
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0021
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: MANDRAKE:MDKSA-2003:040
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:040
Reference: GENTOO:GLSA-200303-1
Reference: URL:http://www.linuxsecurity.com/advisories/gentoo_advisory-2911.html
Reference: BID:6936
Reference: URL:http://www.securityfocus.com/bid/6936
Reference: XF:terminal-emulator-screen-dump(11413)
Reference: URL:http://www.iss.net/security_center/static/11413.php

The "screen dump" feature in Eterm 0.9.1 and earlier allows attackers
to overwrite arbitrary files via a certain character escape sequence
when it is echoed to a user's terminal, e.g. when the user views a
file containing the malicious sequence.


Modifications:
  20040811 ADDREF MANDRAKE:MDKSA-2003:040
  20040811 ADDREF BID:6936
  20040811 [refs] normalize GENTOO

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0021 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Christey> MANDRAKE:MDKSA-2003:040
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:040
 Christey> MANDRAKE:MDKSA-2003:040
   (as suggested by Vincent Danen of Mandrake)
 Christey> BID:6936
   URL:http://www.securityfocus.com/bid/6936


======================================================
Candidate: CAN-2003-0022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0022
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: MANDRAKE:MDKSA-2003:034
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:034
Reference: REDHAT:RHSA-2003:054
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-054.html
Reference: REDHAT:RHSA-2003:055
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-055.html
Reference: BID:6938
Reference: URL:http://www.securityfocus.com/bid/6938
Reference: XF:terminal-emulator-screen-dump(11413)
Reference: URL:http://www.iss.net/security_center/static/11413.php

The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite
arbitrary files via a certain character escape sequence when it is
echoed to a user's terminal, e.g. when the user views a file
containing the malicious sequence.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:055
  20040811 ADDREF MANDRAKE:MDKSA-2003:034
  20040811 ADDREF BID:6938

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0022 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   MODIFY(1) Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Cox> Addref: RHSA-2003:055
 Christey> MANDRAKE:MDKSA-2003:034
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:034
 Green> ACKNOWLEDGED IN RHSA-2003:054-07
 Christey> MANDRAKE:MDKSA-2003:034
   (as suggested by Vincent Danen of Mandrake)
 Christey> BID:6938
   URL:http://www.securityfocus.com/bid/6938


======================================================
Candidate: CAN-2003-0023
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0023
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: MANDRAKE:MDKSA-2003:034
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:034
Reference: REDHAT:RHSA-2003:055
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-055.html
Reference: REDHAT:RHSA-2003:054
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-054.html
Reference: BID:6947
Reference: URL:http://www.securityfocus.com/bid/6947
Reference: XF:terminal-emulator-menu-modification(11416)
Reference: URL:http://www.iss.net/security_center/static/11416.php

The menuBar feature in rxvt 2.7.8 allows attackers to modify menu
options and execute arbitrary commands via a certain character escape
sequence that inserts the commands into the menu.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:055
  20040811 ADDREF MANDRAKE:MDKSA-2003:034
  20040811 ADDREF BID:6947

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0023 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   MODIFY(1) Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Cox> Addref: RHSA-2003:055
 Christey> MANDRAKE:MDKSA-2003:034
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:034
 Green> ACKNOWLEDGED IN RHSA-2003:054-07
 Christey> MANDRAKE:MDKSA-2003:034
   (as suggested by Vincent Danen of Mandrake)
 Christey> BID:6947
   URL:http://www.securityfocus.com/bid/6947


======================================================
Candidate: CAN-2003-0024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0024
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030107
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: BID:6949
Reference: URL:http://www.securityfocus.com/bid/6949
Reference: XF:terminal-emulator-menu-modification(11416)
Reference: URL:http://www.iss.net/security_center/static/11416.php

The menuBar feature in aterm 0.42 allows attackers to modify menu
options and execute arbitrary commands via a certain character escape
sequence that inserts the commands into the menu.


Modifications:
  20040811 ADDREF BID:6949

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0024 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Baker, Cox
   NOOP(3) Wall, Green, Christey

Voter Comments:
 Christey> BID:6949
   URL:http://www.securityfocus.com/bid/6949


======================================================
Candidate: CAN-2003-0027
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0027
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20030110
Category: SF
Reference: BUGTRAQ:20030122 Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulner
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104326556329850&w=2
Reference: MISC:http://www.entercept.com/news/uspr/01-22-03.asp
Reference: SUNALERT:50104
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50104
Reference: CERT-VN:VU#850785
Reference: URL:http://www.kb.cert.org/vuls/id/850785
Reference: BID:6665
Reference: URL:http://www.securityfocus.com/bid/6665
Reference: XF:solaris-kcms-directory-traversal(11129)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11129
Reference: OVAL:OVAL120
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL120.html
Reference: OVAL:OVAL195
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL195.html

Directory traversal vulnerability in Sun Kodak Color Management System
(KCMS) library service daemon (kcms_server) allows remote attackers to
read arbitrary files via the KCS_OPEN_PROFILE procedure.


Modifications:
  20040811 ADDREF SUNALERT:50104
  20040811 ADDREF BID:6665
  20040811 ADDREF XF:solaris-kcms-directory-traversal(11129)
  20040824 ADDREF OVAL:OVAL120
  20040824 ADDREF OVAL:OVAL195

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0027 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Baker
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:solaris-kcms-directory-traversal(11129)


======================================================
Candidate: CAN-2003-0032
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0032
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030112
Category: SF
Reference: BUGTRAQ:20030103 Multiple libmcrypt vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104162752401212&w=2
Reference: BUGTRAQ:20030105 GLSA:  libmcrypt
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104188513728573&w=2
Reference: DEBIAN:DSA-228
Reference: URL:http://www.debian.org/security/2003/dsa-228
Reference: CONECTIVA:CLA-2003:567
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000567
Reference: SUSE:SuSE-SA:2003:0010
Reference: XF:libmcrypt-libtool-memory-leak(10988)
Reference: URL:http://www.iss.net/security_center/static/10988.php
Reference: BID:6512
Reference: URL:http://www.securityfocus.com/bid/6512

Memory leak in libmcrypt before 2.5.5 allows attackers to cause a
denial of service (memory exhaustion) via a large number of requests
to the application, which causes libmcrypt to dynamically load
algorithms via libtool.


Modifications:
  20040811 ADDREF XF:libmcrypt-libtool-memory-leak(10988)
  20040811 ADDREF BID:6512

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0032 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Jones
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> XF:libmcrypt-libtool-memory-leak(10988)
   URL:http://www.iss.net/security_center/static/10988.php
   BID:6512
   URL:http://www.securityfocus.com/bid/6512


======================================================
Candidate: CAN-2003-0033
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0033
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030115
Category: SF
Reference: ISS:20030303 Snort RPC Preprocessing Vulnerability
Reference: URL:http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
Reference: BUGTRAQ:20030303 Snort RPC Vulnerability (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104673386226064&w=2
Reference: DEBIAN:DSA-297
Reference: URL:http://www.debian.org/security/2003/dsa-297
Reference: ENGARDE:ESA-20030307-007
Reference: URL:http://www.linuxsecurity.com/advisories/engarde_advisory-2944.html
Reference: GENTOO:GLSA-200304-06
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105154530427824&w=2
Reference: GENTOO:GLSA-200303-6.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104716001503409&w=2
Reference: MANDRAKE:MDKSA-2003:029
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:029
Reference: CERT:CA-2003-13
Reference: URL:http://www.cert.org/advisories/CA-2003-13.html
Reference: CERT-VN:VU#916785
Reference: URL:http://www.kb.cert.org/vuls/id/916785
Reference: BID:6963
Reference: URL:http://www.securityfocus.com/bid/6963
Reference: XF:snort-rpc-fragment-bo(10956)
Reference: URL:http://www.iss.net/security_center/static/10956.php
Reference: OSVDB:4418
Reference: URL:http://www.osvdb.org/4418

Buffer overflow in the RPC preprocessor for Snort 1.8 and 1.9.x before
1.9.1 allows remote attackers to execute arbitrary code via fragmented
RPC packets.


Modifications:
  20040811 ADDREF CERT:CA-2003-13
  20040811 ADDREF CERT-VN:VU#916785
  20040811 ADDREF DEBIAN:DSA-297
  20040811 ADDREF GENTOO:GLSA-200304-06
  20040811 ADDREF BID:6963
  20040811 [refs] normalize GENTOO 200303-6.1
  20040818 ADDREF OSVDB:4418

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0033 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Jones
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CERT:CA-2003-13
   URL:http://www.cert.org/advisories/CA-2003-13.html
   CERT-VN:VU#916785
   URL:http://www.kb.cert.org/vuls/id/916785
 Christey> BUGTRAQ:20030428 GLSA:  snort (200304-06)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105154530427824&w=2
 Christey> DEBIAN:DSA-297
   URL:http://www.debian.org/security/2003/dsa-297


======================================================
Candidate: CAN-2003-0039
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0039
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030127
Category: SF
Reference: BUGTRAQ:20030115 DoS against DHCP infrastructure with isc dhcrelay
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104310927813830&w=2
Reference: CONECTIVA:CLSA-2003:616
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000616
Reference: DEBIAN:DSA-245
Reference: URL:http://www.debian.org/security/2003/dsa-245
Reference: REDHAT:RHSA-2003:034
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-034.html
Reference: TURBO:TLSA-2003-26
Reference: URL:http://cc.turbolinux.com/security/TLSA-2003-26.txt
Reference: BUGTRAQ:20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)
Reference: URL:http://www.openpkg.org/security/OpenPKG-SA-2003.012-dhcpd.html
Reference: CERT-VN:VU#149953
Reference: URL:http://www.kb.cert.org/vuls/id/149953
Reference: BID:6628
Reference: URL:http://www.securityfocus.com/bid/6628
Reference: XF:dhcp-dhcrelay-dos(11187)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11187

ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other
versions, allows remote attackers to cause a denial of service (packet
storm) via a certain BOOTP packet that is forwarded to a broadcast MAC
address, causing an infinite loop that is not restricted by a hop
count.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:034
  20040811 ADDREF CONECTIVA:CLSA-2003:616
  20040811 ADDREF CERT-VN:VU#149953
  20040811 ADDREF TURBO:TLSA-2003-26
  20040811 ADDREF XF:dhcp-dhcrelay-dos(11187)
  20040811 ADDREF BID:6628

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2003-0039 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Cox, Jones
   NOOP(1) Christey

Voter Comments:
 Christey> REDHAT:RHSA-2003:034
   URL:http://www.redhat.com/support/errata/RHSA-2003-034.html


======================================================
Candidate: CAN-2003-0040
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0040
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030127
Category: SF
Reference: DEBIAN:DSA-247
Reference: URL:http://www.debian.org/security/2003/dsa-247
Reference: BID:6738
Reference: URL:http://www.securityfocus.com/bid/6738
Reference: XF:courierimap-authmysqllib-sql-injection(11213)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11213

SQL injection vulnerability in the PostgreSQL auth module for courier
0.40 and earlier allows remote attackers to execute SQL code via the
user name.


Modifications:
  20040811 ADDREF BID:6738
  20040811 ADDREF XF:courierimap-authmysqllib-sql-injection(11213)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0040 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   NOOP(1) Cox
   REVIEWING(1) Jones

Voter Comments:
 Jones> [JHJ] Specific user name?


======================================================
Candidate: CAN-2003-0043
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0043
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030127
Category: SF
Reference: CONFIRM:http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/
Reference: CONFIRM:http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt
Reference: DEBIAN:DSA-246
Reference: URL:http://www.debian.org/security/2003/dsa-246
Reference: HP:HPSBUX0303-249
Reference: URL:http://www.securityfocus.com/advisories/5111
Reference: BID:6722
Reference: URL:http://www.securityfocus.com/bid/6722
Reference: XF:tomcat-webxml-read-files(11195)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11195

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier,
uses trusted privileges when processing the web.xml file, which could
allow remote attackers to read portions of some files through the
web.xml file.


Modifications:
  20040811 ADDREF HP:HPSBUX0303-249
  20040811 ADDREF BID:6722
  20040811 ADDREF XF:tomcat-webxml-read-files(11195)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0043 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Cox, Jones

Voter Comments:
 CHANGE> [Cox changed vote from NOOP to ACCEPT]


======================================================
Candidate: CAN-2003-0045
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0045
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030127
Category: SF
Reference: CONFIRM:http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt
Reference: XF:jakarta-tomcat-msdos-dos(12102)
Reference: URL:http://xforce.iss.net/xforce/xfdb/12102

Jakarta Tomcat before 3.3.1a on certain Windows systems may allow
remote attackers to cause a denial of service (thread hang and
resource consumption) via a request for a JSP page containing an
MS-DOS device name, such as aux.jsp.


Modifications:
  20040811 ADDREF XF:jakarta-tomcat-msdos-dos(12102)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0045 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(1) Wall

Voter Comments:
 CHANGE> [Cox changed vote from NOOP to ACCEPT]


======================================================
Candidate: CAN-2003-0050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0050
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: BID:6954
Reference: URL:http://www.securityfocus.com/bid/6954
Reference: XF:quicktime-darwin-command-execution(11401)
Reference: URL:http://www.iss.net/security_center/static/11401.php

parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2
and QuickTime Streaming Server 4.1.1 allows remote attackers to
execute arbitrary code via shell metacharacters.


Modifications:
  20040811 ADDREF BID:6954

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2003-0050 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2003-0051
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0051
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: BID:6956
Reference: URL:http://www.securityfocus.com/bid/6956
Reference: XF:quicktime-darwin-path-disclosure(11402)
Reference: URL:http://www.iss.net/security_center/static/11402.php

parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2
and QuickTime Streaming Server 4.1.1 allows remote attackers to obtain
the physical path of the server's installation path via a NULL file
parameter.


Modifications:
  20040811 ADDREF BID:6956

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0051 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox

Voter Comments:
 Green> APPEARS TO BE ACKNOWLEDGED IN AppleCare Knowledge Base Documents
   70171 and 70172


======================================================
Candidate: CAN-2003-0052
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0052
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: BID:6955
Reference: URL:http://www.securityfocus.com/bid/6955
Reference: XF:quicktime-darwin-directory-disclosure(11403)
Reference: URL:http://www.iss.net/security_center/static/11403.php

parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2
and QuickTime Streaming Server 4.1.1 allows remote attackers to list
arbitrary directories.


Modifications:
  20040811 ADDREF BID:6955

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0052 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox

Voter Comments:
 Green> APPEARS TO BE ACKNOWLEDGED IN AppleCare Knowledge Base Documents
   70171 and 70172


======================================================
Candidate: CAN-2003-0053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0053
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: BID:6958
Reference: URL:http://www.securityfocus.com/bid/6958
Reference: XF:quicktime-darwin-parsexml-xss(11404)
Reference: URL:http://www.iss.net/security_center/static/11404.php

Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple
Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming
Server 4.1.1 allows remote attackers to insert arbitrary script via
the filename parameter, which is inserted into an error message.


Modifications:
  20040811 ADDREF BID:6958

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0053 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox

Voter Comments:
 Green> APPEARS TO BE ACKNOWLEDGED IN AppleCare Knowledge Base Documents
   70171 and 70172


======================================================
Candidate: CAN-2003-0054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0054
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: BID:6960
Reference: URL:http://www.securityfocus.com/bid/6960
Reference: XF:quicktime-darwin-describe-xss(11405)
Reference: URL:http://www.iss.net/security_center/static/11405.php

Apple Darwin Streaming Administration Server 4.1.2 and QuickTime
Streaming Server 4.1.1 allows remote attackers to execute certain code
via a request to port 7070 with the script in an argument to the rtsp
DESCRIBE method, which is inserted into a log file and executed when
the log is viewed using a browser.


Modifications:
  20040811 ADDREF BID:6960

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0054 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox

Voter Comments:
 Green> APPEARS TO BE ACKNOWLEDGED IN AppleCare Knowledge Base
   Documents 70171 and 70172


======================================================
Candidate: CAN-2003-0055
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0055
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030128
Category: SF
Reference: ATSTAKE:A032403-1
Reference: BUGTRAQ:20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104618904330226&w=2
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: BID:6957
Reference: URL:http://www.securityfocus.com/bid/6957
Reference: XF:quicktime-darwin-mp3-bo(11406)
Reference: URL:http://www.iss.net/security_center/static/11406.php

Buffer overflow in the MP3 broadcasting module of Apple Darwin
Streaming Administration Server 4.1.2 and QuickTime Streaming Server
4.1.1 allows remote attackers to execute arbitrary code via a long
filename.


Modifications:
  20040811 ADDREF BID:6957

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0055 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(3) Wall, Christey, Cox

Voter Comments:
 Green> APPEARS TO BE ACKNOWLEDGED IN AppleCare Knowledge Base Documents
   7017 and 70172
 Christey> BID:6957
   URL:http://www.securityfocus.com/bid/6957


======================================================
Candidate: CAN-2003-0058
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0058
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030131
Category: SF
Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
Reference: CERT-VN:VU#661243
Reference: URL:http://www.kb.cert.org/vuls/id/661243
Reference: CONECTIVA:CLSA-2003:639
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000639
Reference: MANDRAKE:MDKSA-2003:043
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:043
Reference: REDHAT:RHSA-2003:051
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-051.html
Reference: REDHAT:RHSA-2003:052
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-052.html
Reference: REDHAT:RHSA-2003:168
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-168.html
Reference: SUNALERT:50142
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50142
Reference: BID:6683
Reference: URL:http://www.securityfocus.com/bid/6683
Reference: XF:kerberos-kdc-null-pointer-dos(10099)
Reference: URL:http://xforce.iss.net/xforce/xfdb/10099

MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows
remote authenticated attackers to cause a denial of service (crash) on
KDCs within the same realm via a certain protocol request that causes
a null dereference.


Modifications:
  20040811 ADDREF CONECTIVA:CLSA-2003:639
  20040811 ADDREF REDHAT:RHSA-2003:051
  20040811 ADDREF REDHAT:RHSA-2003:052
  20040811 ADDREF MANDRAKE:MDKSA-2003:043
  20040811 ADDREF SUNALERT:50142
  20040811 ADDREF XF:kerberos-kdc-null-pointer-dos(10099)
  20040811 ADDREF BID:6683
  20040818 ADDREF REDHAT:RHSA-2003:168

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0058 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Baker
   MODIFY(2) Frech, Cox
   NOOP(3) Wall, Cole, Christey

Voter Comments:
 CHANGE> [Cox changed vote from ACCEPT to MODIFY]
 Cox> Addref RHSA-2003:051
 Cox> Addref REDHAT:RHSA-2003:052
 Green> PATCH ADDRESSING THIS ISSUE RELEASED 3/26/03
 Christey> MANDRAKE:MDKSA-2003:043
   (as suggested by Vincent Danen of Mandrake)
 Frech> XF:kerberos-kdc-null-pointer-dos(10099)


======================================================
Candidate: CAN-2003-0059
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0059
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030131
Category: SF
Reference: CONFIRM:http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
Reference: CONECTIVA:CLSA-2003:639
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000639
Reference: MANDRAKE:MDKSA-2003:043
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:043
Reference: REDHAT:RHSA-2003:051
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-051.html
Reference: REDHAT:RHSA-2003:052
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-052.html
Reference: REDHAT:RHSA-2003:168
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-168.html
Reference: CERT-VN:VU#684563
Reference: URL:http://www.kb.cert.org/vuls/id/684563
Reference: BID:6714
Reference: URL:http://www.securityfocus.com/bid/6714
Reference: XF:kerberos-kdc-user-spoofing(11188)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11188

Unknown vulnerability in the chk_trans.c of the libkrb5 library for
MIT Kerberos V5 before 1.2.5 allows users from one realm to
impersonate users in other realms that have the same inter-realm keys.


Modifications:
  20040811 ADDREF CONECTIVA:CLSA-2003:639
  20040811 ADDREF REDHAT:RHSA-2003:051
  20040811 ADDREF REDHAT:RHSA-2003:052
  20040811 ADDREF MANDRAKE:MDKSA-2003:043
  20040811 ADDREF BID:6714
  20040811 ADDREF XF:kerberos-kdc-user-spoofing(11188)
  20040818 ADDREF REDHAT:RHSA-2003:168

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0059 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Baker
   MODIFY(2) Frech, Cox
   NOOP(3) Wall, Cole, Christey

Voter Comments:
 Cox> This is actually fixed in krb5 version 1.2.3 not 1.2.5
 Cox> Addref RHSA-2003:051
 Cox> Addref REDHAT:RHSA-2003:052
 Christey> MANDRAKE:MDKSA-2003:043
   (as suggested by Vincent Danen of Mandrake)
 Frech> XF:kerberos-kdc-user-spoofing(11188)


======================================================
Candidate: CAN-2003-0062
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0062
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: BUGTRAQ:20030210 iDEFENSE Security Advisory 02.10.03: Buffer Overflow In NOD32 Antivirus Software for Unix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104490777824360&w=2
Reference: MISC:http://www.idefense.com/advisory/02.10.03.txt
Reference: BID:6803
Reference: URL:http://www.securityfocus.com/bid/6803
Reference: XF:nod32-pathname-bo(11282)
Reference: URL:http://www.iss.net/security_center/static/11282.php

Buffer overflow in Eset Software NOD32 for UNIX before 1.013 allows
local users to execute arbitrary code via a long path name.


Modifications:
  20040811 ADDREF BID:6803

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0062 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Stracener, Baker
   NOOP(3) Wall, Green, Cox


======================================================
Candidate: CAN-2003-0063
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0063
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: DEBIAN:DSA-380
Reference: URL:http://www.debian.org/security/2003/dsa-380
Reference: REDHAT:RHSA-2003:064
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-064.html
Reference: REDHAT:RHSA-2003:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-065.html
Reference: REDHAT:RHSA-2003:066
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-066.html
Reference: REDHAT:RHSA-2003:067
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-067.html
Reference: BID:6940
Reference: URL:http://www.securityfocus.com/bid/6940
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php

The xterm terminal emulator in XFree86 4.2.0 and earlier allows
attackers to modify the window title via a certain character escape
sequence and then insert it back to the command line in the user's
terminal, e.g. when the user views a file containing the malicious
sequence, which could allow the attacker to execute arbitrary
commands.


Modifications:
  20040811 ADDREF BID:6940
  20040811 ADDREF DEBIAN:DSA-380
  20040811 ADDREF REDHAT:RHSA-2003:063
  20040811 ADDREF REDHAT:RHSA-2003:067
  20040818 ADDREF REDHAT:RHSA-2003:065
  20040818 ADDREF REDHAT:RHSA-2003:066

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0063 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   MODIFY(1) Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Cox> add "and earlier", this does not just affect 4.2.0
 Green> ENTIRE CLASS OF TERMINAL EMULATOR EXPLOITS APPEARS TO BE
   VERIFIED AND REPLICATABLE
 Christey> REDHAT:RHSA-2003:067
   URL:http://www.redhat.com/support/errata/RHSA-2003-067.html
 Christey> DEBIAN:DSA-380


======================================================
Candidate: CAN-2003-0064
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0064
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: HP:HPSBUX0401-309
Reference: URL:http://www.securityfocus.com/advisories/6236
Reference: BID:6942
Reference: URL:http://www.securityfocus.com/bid/6942
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php

The dtterm terminal emulator allows attackers to modify the window
title via a certain character escape sequence and then insert it back
to the command line in the user's terminal, e.g. when the user views a
file containing the malicious sequence, which could allow the attacker
to execute arbitrary commands.


Modifications:
  20040811 ADDREF BID:6942
  20040811 ADDREF HP:HPSBUX0401-309

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0064 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(1) Wall

Voter Comments:
 Green> ENTIRE CLASS OF TERMINAL EMULATOR EXPLOITS APPEARS TO BE
   VERIFIED AND REPLICATABLE


======================================================
Candidate: CAN-2003-0065
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0065
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: BID:6945
Reference: URL:http://www.securityfocus.com/bid/6945
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php

The uxterm terminal emulator allows attackers to modify the window
title via a certain character escape sequence and then insert it back
to the command line in the user's terminal, e.g. when the user views a
file containing the malicious sequence, which could allow the attacker
to execute arbitrary commands.


Modifications:
  20040811 ADDREF BID:6945

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0065 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(1) Wall

Voter Comments:
 Green> ENTIRE CLASS OF TERMINAL EMULATOR EXPLOITS APPEARS TO BE
   VERIFIED AND REPLICATABLE


======================================================
Candidate: CAN-2003-0066
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0066
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: GENTOO:200303-16
Reference: URL:http://www.securityfocus.com/advisories/5137
Reference: MANDRAKE:MDKSA-2003:003
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:003
Reference: REDHAT:RHSA-2003:054
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-054.html
Reference: REDHAT:RHSA-2003:055
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-055.html
Reference: BID:6953
Reference: URL:http://www.securityfocus.com/bid/6953
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php

The rxvt terminal emulator 2.7.8 and earlier allows attackers to
modify the window title via a certain character escape sequence and
then insert it back to the command line in the user's terminal,
e.g. when the user views a file containing the malicious sequence,
which could allow the attacker to execute arbitrary commands.


Modifications:
  20040811 ADDREF GENTOO:200303-16
  20040811 ADDREF MANDRAKE:MDKSA-2003:003
  20040811 ADDREF REDHAT:RHSA-2003:055
  20040811 ADDREF BID:6953
  20040811 [desc] add "and earlier" for versions

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0066 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   MODIFY(1) Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Cox> This also affects versions of rxvt prior to 2.7.8
   Addref: RHSA-2003:055
 Christey> MANDRAKE:MDKSA-2003:034
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:034
 Green> ACKNOWLEDGED IN RHSA-2003:054-07
 Christey> MANDRAKE:MDKSA-2003:034
   (as suggested by Vincent Danen of Mandrake)


======================================================
Candidate: CAN-2003-0067
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0067
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php

The aterm terminal emulator 0.42 allows attackers to modify the window
title via a certain character escape sequence and then insert it back
to the command line in the user's terminal, e.g. when the user views a
file containing the malicious sequence, which could allow the attacker
to execute arbitrary commands.

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0067 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(1) Wall

Voter Comments:
 Green> ENTIRE CLASS OF TERMINAL EMULATOR EXPLOITS APPEARS TO BE
   VERIFIED AND REPLICATABLE


======================================================
Candidate: CAN-2003-0068
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0068
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: DEBIAN:DSA-496
Reference: URL:http://www.debian.org/security/2004/dsa-496
Reference: GENTOO:GLSA-200303-1
Reference: URL:http://lwn.net/Articles/24193/
Reference: MANDRAKE:MDKSA-2003:040
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:040
Reference: BID:10237
Reference: URL:http://www.securityfocus.com/bid/10237
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php

The Eterm terminal emulator 0.9.1 and earlier allows attackers to
modify the window title via a certain character escape sequence and
then insert it back to the command line in the user's terminal,
e.g. when the user views a file containing the malicious sequence,
which could allow the attacker to execute arbitrary commands.


Modifications:
  20040811 ADDREF BID:10237
  20040811 ADDREF DEBIAN:DSA-496
  20040811 ADDREF GENTOO:GLSA-200303-1
  20040811 ADDREF MANDRAKE:MDKSA-2003:040

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0068 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Green> ENTIRE CLASS OF TERMINAL EMULATOR EXPLOITS APPEARS TO BE
   VERIFIED AND REPLICATABLE
 Christey> MANDRAKE:MDKSA-2003:040
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:040
 Christey> MANDRAKE:MDKSA-2003:040
   (as suggested by Vincent Danen of Mandrake)
 Christey> DEBIAN:DSA-496
   URL:http://www.debian.org/security/2004/dsa-496


======================================================
Candidate: CAN-2003-0069
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0069
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php
Reference: OSVDB:8347
Reference: URL:http://www.osvdb.org/8347

The PuTTY terminal emulator 0.53 allows attackers to modify the window
title via a certain character escape sequence and then insert it back
to the command line in the user's terminal, e.g. when the user views a
file containing the malicious sequence, which could allow the attacker
to execute arbitrary commands.


Modifications:
  20040818 ADDREF OSVDB:8347

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0069 ACCEPT (4 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(1) Wall

Voter Comments:
 Green> RELEASE NOTES OF 2002-11-12 ACKNOWLEDGE THE RAPID7 FINDINGS


======================================================
Candidate: CAN-2003-0070
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0070
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: REDHAT:RHSA-2003:053
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-053.html
Reference: GENTOO:GLSA-200303-2
Reference: URL:http://seclists.org/lists/bugtraq/2003/Mar/0010.html
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php

VTE, as used by default in gnome-terminal terminal emulator 2.2 and as
an option in gnome-terminal 2.0, allows attackers to modify the window
title via a certain character escape sequence and then insert it back
to the command line in the user's terminal, e.g. when the user views a
file containing the malicious sequence, which could allow the attacker
to execute arbitrary commands.


Modifications:
  20040811 [refs] normalize GENTOO

Analysis
--------
Vendor Acknowledgement: yes advisory

ACCURACY: Affected versions confirmed by Mark Cox of Red Hat via
email.

INFERRED ACTION: CAN-2003-0070 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Cox
   REVIEWING(1) Jones

Voter Comments:
 Jones> [JHJ] "gnome-terminal terminal"? flow/clarity?


======================================================
Candidate: CAN-2003-0071
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0071
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: DEBIAN:DSA-380
Reference: URL:http://www.debian.org/security/2003/dsa-380
Reference: REDHAT:RHSA-2003:064
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-064.html
Reference: REDHAT:RHSA-2003:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-065.html
Reference: REDHAT:RHSA-2003:066
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-066.html
Reference: REDHAT:RHSA-2003:067
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-067.html
Reference: BID:6950
Reference: URL:http://www.securityfocus.com/bid/6950
Reference: XF:terminal-emulator-dec-udk(11415)
Reference: URL:http://www.iss.net/security_center/static/11415.php

The DEC UDK processing feature in the xterm terminal emulator in
XFree86 4.2.99.4 and earlier allows attackers to cause a denial of
service via a certain character escape sequence that causes the
terminal to enter a tight loop.


Modifications:
  20040811 ADDREF BID:6950
  20040811 ADDREF DEBIAN:DSA-380
  20040811 ADDREF REDHAT:RHSA-2003:067
  20040818 ADDREF REDHAT:RHSA-2003:064
  20040818 ADDREF REDHAT:RHSA-2003:065
  20040818 ADDREF REDHAT:RHSA-2003:066

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0071 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Green> ENTIRE CLASS OF TERMINAL EMULATOR EXPLOITS APPEARS TO BE
   VERIFIED AND REPLICATABLE
 Christey> REDHAT:RHSA-2003:067
   URL:http://www.redhat.com/support/errata/RHSA-2003-067.html
 Christey> DEBIAN:DSA-380


======================================================
Candidate: CAN-2003-0073
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0073
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20030204
Category: SF
Reference: CONFIRM:http://www.mysql.com/doc/en/News-3.23.55.html
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:013
Reference: BUGTRAQ:20030129 [OpenPKG-SA-2003.008] OpenPKG Security Advisory (mysql)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104385719107879&w=2
Reference: CONECTIVA:CLA-2003:743
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000743
Reference: DEBIAN:DSA-303
Reference: URL:http://www.debian.org/security/2003/dsa-303
Reference: ENGARDE:ESA-20030220-004
Reference: URL:http://www.linuxsecurity.com/advisories/engarde_advisory-2873.html
Reference: MANDRAKE:MDKSA-2003:013
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:013
Reference: REDHAT:RHSA-2003:093
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-093.html
Reference: REDHAT:RHSA-2003:094
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-094.html
Reference: REDHAT:RHSA-2003:166
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-166.html
Reference: BID:6718
Reference: URL:http://www.securityfocus.com/bid/6718
Reference: XF:mysql-mysqlchangeuser-doublefree-dos(11199)
Reference: URL:http://www.iss.net/security_center/static/11199.php
Reference: OVAL:OVAL436
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL436.html

Double-free vulnerability in mysqld for MySQL before 3.23.55 allows
attackers with MySQL access to cause a denial of service (crash) via
mysql_change_user.


Modifications:
  20040811 ADDREF CONECTIVA:CLA-2003:743
  20040811 ADDREF DEBIAN:DSA-303
  20040811 ADDREF REDHAT:RHSA-2003:093
  20040811 ADDREF REDHAT:RHSA-2003:094
  20040811 ADDREF BID:6718
  20040818 ADDREF REDHAT:RHSA-2003:166
  20040824 ADDREF OVAL:OVAL436

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0073 ACCEPT_REV (4 accept, 3 ack, 1 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(1) Cox
   NOOP(1) Christey
   REVIEWING(1) Jones

Voter Comments:
 Jones> [JHJ] double-free?
 CHANGE> [Cox changed vote from ACCEPT to MODIFY]
 Cox> ADDREF REDHAT:RHSA-2003:094
 Christey> REDHAT:RHSA-2003:093
   URL:http://www.redhat.com/support/errata/RHSA-2003-093.html
 Christey> DEBIAN:DSA-303
   URL:http://www.debian.org/security/2003/dsa-303
 Christey> CONECTIVA:CLA-2003:743
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000743


======================================================
Candidate: CAN-2003-0075
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0075
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030205
Category: SF
Reference: BUGTRAQ:20030202 Bladeenc 0.94.2 code execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104428700106672&w=2
Reference: MISC:http://www.pivx.com/luigi/adv/blade942-adv.txt
Reference: GENTOO:GLSA-200302-04
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104446346127432&w=2
Reference: BID:6745
Reference: URL:http://www.securityfocus.com/bid/6745
Reference: XF:bladeenc-myfseek-code-execution(11227)
Reference: URL:http://www.iss.net/security_center/static/11227.php

Integer signedness error in the myFseek function of samplein.c for
Blade encoder (BladeEnc) 0.94.2 and earlier allows remote attackers to
execute arbitrary code via a negative offset value following a "fmt"
wave chunk.


Modifications:
  20040811 ADDREF BID:6745
  20040811 [refs] normalize GENTOO

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0075 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2003-0077
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0077
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030210
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: REDHAT:RHSA-2003:070
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-070.html
Reference: REDHAT:RHSA-2003:071
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-071.html
Reference: XF:terminal-emulator-window-title(11414)
Reference: URL:http://www.iss.net/security_center/static/11414.php
Reference: OSVDB:4917
Reference: URL:http://www.osvdb.org/4917

The hanterm (hanterm-xf) terminal emulator 2.0.5 and earlier, and
possibly later versions, allows attackers to modify the window title
via a certain character escape sequence and then insert it back to the
command line in the user's terminal, e.g. when the user views a file
containing the malicious sequence, which could allow the attacker to
execute arbitrary commands.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:070
  20040811 [desc] change versions
  20040818 ADDREF REDHAT:RHSA-2003:071
  20040818 ADDREF OSVDB:4917

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0077 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   MODIFY(1) Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Cox> This is not yet fixed upstream (2003-03-24) therefore "2.0.5" should
   be removed
 Green> ENTIRE CLASS OF TERMINAL EMULATOR EXPLOITS APPEARS TO BE
   VERIFIED AND REPLICATABLE
 Christey> REDHAT:RHSA-2003:070
   URL:http://www.redhat.com/support/errata/RHSA-2003-070.html


======================================================
Candidate: CAN-2003-0078
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030210
Category: SF
Reference: CONFIRM:http://www.openssl.org/news/secadv_20030219.txt
Reference: BUGTRAQ:20030219 OpenSSL 0.9.7a and 0.9.6i released
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104567627211904&w=2
Reference: CONECTIVA:CLSA-2003:570
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570
Reference: DEBIAN:DSA-253
Reference: URL:http://www.debian.org/security/2003/dsa-253
Reference: ENGARDE:ESA-20030220-005
Reference: URL:http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html
Reference: FREEBSD:FreeBSD-SA-03:02
Reference: GENTOO:GLSA-200302-10
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104577183206905&w=2
Reference: REDHAT:RHSA-2003:062
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-062.html
Reference: REDHAT:RHSA-2003:063
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-063.html
Reference: REDHAT:RHSA-2003:082
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-082.html
Reference: REDHAT:RHSA-2003:104
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-104.html
Reference: REDHAT:RHSA-2003:205
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-205.html
Reference: SGI:20030501-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
Reference: TRUSTIX:2003-0005
Reference: URL:http://www.trustix.org/errata/2003/0005
Reference: MANDRAKE:MDKSA-2003:020
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020
Reference: NETBSD:NetBSD-SA2003-001
Reference: SUSE:SuSE-SA:2003:011
Reference: BUGTRAQ:20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104568426824439&w=2
Reference: CIAC:N-051
Reference: URL:http://www.ciac.org/ciac/bulletins/n-051.shtml
Reference: BID:6884
Reference: URL:http://www.securityfocus.com/bid/6884
Reference: XF:ssl-cbc-information-leak(11369)
Reference: URL:http://www.iss.net/security_center/static/11369.php
Reference: OSVDB:3945
Reference: URL:http://www.osvdb.org/3945

ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before
0.9.6i does not perform a MAC computation if an incorrect block cipher
padding is used, which causes an information leak (timing discrepancy)
that may make it easier to launch cryptographic attacks that rely on
distinguishing between padding and MAC verification errors, possibly
leading to extraction of the original plaintext, aka the "Vaudenay
timing attack."


Modifications:
  20040811 [refs] normalize GENTOO
  20040811 [refs] normalize TRUSTIX
  20040811 ADDREF REDHAT:RHSA-2003:062
  20040811 ADDREF REDHAT:RHSA-2003:063
  20040811 ADDREF REDHAT:RHSA-2003:082
  20040811 ADDREF REDHAT:RHSA-2003:104
  20040811 ADDREF REDHAT:RHSA-2003:205
  20040811 ADDREF SGI:20030501-01-I
  20040811 ADDREF CIAC:N-051
  20040811 ADDREF BUGTRAQ:20030526 TLS timing attack on OpenSSL [can-2003-78] [bid 6884] exploit
  20040811 ADDREF BID:6884
  20040818 ADDREF OSVDB:3945

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0078 ACCEPT (5 accept, 8 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Jones
   MODIFY(1) Cox
   NOOP(1) Christey

Voter Comments:
 Christey> ** WARNING ** This candidate was accidentally assigned to two
   different issues.  It is for the OpenSSL issue *ONLY*.  A
   separate candidate will be provided for the hanterm-xf
   window title reporting bug.
 Cox> Addref: RHSA-2003:104
   Addref: RHSA-2003:082
   Addref: RHSA-2003:063
   Addref: RHSA-2003:062
 Christey> BUGTRAQ:20030526 TLS timing attack on OpenSSL [can-2003-78] [bid 6884] exploit
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104869795326445&w=2
 Christey> SGI:20030501-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
 Christey> CIAC:N-051
   URL:http://www.ciac.org/ciac/bulletins/n-051.shtml - URL
   REDHAT:RHSA-2003:062
   URL:http://www.redhat.com/support/errata/RHSA-2003-062.html
 Christey> REDHAT:RHSA-2003:205


======================================================
Candidate: CAN-2003-0079
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0079
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030210
Category: SF
Reference: VULNWATCH:20030224 Terminal Emulator Security Issues
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
Reference: BUGTRAQ:20030224 Terminal Emulator Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Reference: REDHAT:RHSA-2003:070
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-070.html
Reference: REDHAT:RHSA-2003:071
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-071.html
Reference: BID:6944
Reference: URL:http://www.securityfocus.com/bid/6944
Reference: XF:terminal-emulator-dec-udk(11415)
Reference: URL:http://www.iss.net/security_center/static/11415.php
Reference: OSVDB:4918
Reference: URL:http://www.osvdb.org/4918

The DEC UDK processing feature in the hanterm (hanterm-xf) terminal
emulator before 2.0.5 allows attackers to cause a denial of service
via a certain character escape sequence that causes the terminal to
enter a tight loop.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:070
  20040811 ADDREF REDHAT:RHSA-2003:071
  20040811 ADDREF BID:6944
  20040818 ADDREF OSVDB:4918

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0079 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Green> ENTIRE CLASS OF TERMINAL EMULATOR EXPLOITS APPEARS TO BE
   VERIFIED AND REPLICATABLE
 Christey> REDHAT:RHSA-2003:070
   URL:http://www.redhat.com/support/errata/RHSA-2003-070.html


======================================================
Candidate: CAN-2003-0081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0081
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20030210
Category: SF
Reference: FULLDISC:20030308 Ethereal format string bug, yet still ethereal much better than windows
Reference: URL:http://seclists.org/lists/fulldisclosure/2003/Mar/0080.html
Reference: MISC:http://www.guninski.com/etherre.html
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00008.html
Reference: CONECTIVA:CLSA-2003:627
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000627
Reference: DEBIAN:DSA-258
Reference: URL:http://www.debian.org/security/2003/dsa-258
Reference: GENTOO:GLSA-200303-10
Reference: URL:http://www.linuxsecurity.com/advisories/gentoo_advisory-2949.html
Reference: MANDRAKE:MDKSA-2003:051
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:051
Reference: REDHAT:RHSA-2003:076
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-076.html
Reference: REDHAT:RHSA-2003:077
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-077.html
Reference: SUSE:SuSE-SA:2003:019
Reference: URL:http://www.suse.de/de/security/2003_019_ethereal.html
Reference: BID:7049
Reference: URL:http://www.securityfocus.com/bid/7049
Reference: XF:ethereal-socks-format-string(11497)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11497
Reference: OVAL:OVAL54
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL54.html

Format string vulnerability in packet-socks.c of the SOCKS dissector
for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute
arbitrary code via SOCKS packets containing format string specifiers.


Modifications:
  20040811 ADDREF CONECTIVA:CLSA-2003:627
  20040811 ADDREF GENTOO:GLSA-200303-10
  20040811 ADDREF REDHAT:RHSA-2003:076
  20040811 ADDREF REDHAT:RHSA-2003:077
  20040811 ADDREF SUSE:SuSE-SA:2003:019
  20040811 CHANGEREF BUGTRAQ FULLDISC
  20040811 ADDREF BID:7049
  20040811 ADDREF XF:ethereal-socks-format-string(11497)
  20040824 ADDREF OVAL:OVAL54

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0081 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Cox
   NOOP(2) Christey, Jones

Voter Comments:
 Christey> SUSE:SuSE-SA:2003:019
   URL:http://www.suse.de/de/security/2003_019_ethereal.html
 Christey> MANDRAKE:MDKSA-2003:051
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:051


======================================================
Candidate: CAN-2003-0087
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0087
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030210
Category: SF
Reference: BUGTRAQ:20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104508375107938&w=2
Reference: VULNWATCH:20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0066.html
Reference: BUGTRAQ:20030212 libIM.a buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104508833214691&w=2
Reference: MISC:http://www.idefense.com/advisory/02.12.03.txt
Reference: AIXAPAR:IY40307
Reference: AIXAPAR:IY40317
Reference: AIXAPAR:IY40320
Reference: BID:6840
Reference: URL:http://www.securityfocus.com/bid/6840
Reference: XF:aix-aixterm-libim-bo(11309)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11309
Reference: OSVDB:7996
Reference: URL:http://www.osvdb.org/7996

Buffer overflow in libIM library (libIM.a) for National Language
Support (NLS) on AIX 4.3 through 5.2 allows local users to gain
privileges via several possible attack vectors, including a long -im
argument to aixterm.


Modifications:
  20040811 ADDREF XF:aix-aixterm-libim-bo(11309)
  20040811 ADDREF BID:6840
  20040818 ADDREF OSVDB:7996

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0087 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Bollinger
   MODIFY(1) Jones
   NOOP(1) Cox

Voter Comments:
 Bollinger> local attacker can execute arbitrary code as root
 Jones> Change "...allows local users to gain privileges..." to "...allows
   local users to gain additional privileges..."


======================================================
Candidate: CAN-2003-0088
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0088
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030210
Category: SF
Reference: ATSTAKE:A021403-1
Reference: URL:http://www.atstake.com/research/advisories/2003/a021403-1.txt
Reference: CONFIRM:http://docs.info.apple.com/article.html?artnum=61798
Reference: CONFIRM:http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt
Reference: BID:6859
Reference: URL:http://www.securityfocus.com/bid/6859
Reference: XF:macos-trublueenvironment-gain-privileges(11332)
Reference: URL:http://www.iss.net/security_center/static/11332.php

TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to
overwrite or create arbitrary files and gain root privileges by
setting a certain environment variable that is used to write debugging
information.


Modifications:
  20040811 ADDREF BID:6859

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2003-0088 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2003-0093
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0093
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030212
Category: SF
Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=81585
Reference: DEBIAN:DSA-261
Reference: URL:http://www.debian.org/security/2003/dsa-261
Reference: MANDRAKE:MDKSA-2003:027
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:027
Reference: REDHAT:RHSA-2003:032
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-032.html
Reference: REDHAT:RHSA-2003:033
Reference: URL:http://rhn.redhat.com/errata/RHSA-2003-033.html
Reference: REDHAT:RHSA-2003:214
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-214.html
Reference: XF:tcpdump-radius-decoder-dos(11324)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11324

The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote
attackers to cause a denial of service (crash) via an invalid RADIUS
packet with a header length field of 0, which causes tcpdump to
generate data within an infinite loop.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:032
  20040811 ADDREF MANDRAKE:MDKSA-2003:027
  20040811 ADDREF XF:tcpdump-radius-decoder-dos(11324)
  20040818 ADDREF REDHAT:RHSA-2003:214

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2003-0093 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Cox, Jones
   NOOP(1) Christey

Voter Comments:
 Christey> REDHAT:RHSA-2003:032
   URL:http://www.redhat.com/support/errata/RHSA-2003-032.html
 Christey> MANDRAKE:MDKSA-2003:027
   (as suggested by Vincent Danen of Mandrake)


======================================================
Candidate: CAN-2003-0094
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0094
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030214
Category: SF
Reference: MANDRAKE:MDKSA-2003:016
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:016
Reference: BID:6855
Reference: URL:http://www.securityfocus.com/bid/6855
Reference: XF:utillinux-mcookie-cookie-predictable(11318)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11318

A patch for mcookie in the util-linux package for Mandrake Linux 8.2
and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie
to use an entropy source that is more predictable than expected, which
may make it easier for certain types of attacks to succeed.


Modifications:
  20040811 ADDREF BID:6855
  20040811 ADDREF XF:utillinux-mcookie-cookie-predictable(11318)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0094 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Jones
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:6855
   URL:http://www.securityfocus.com/bid/6855
   XF:utillinux-mcookie-cookie-predictable(11318)
   URL:http://xforce.iss.net/xforce/xfdb/11318


======================================================
Candidate: CAN-2003-0095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0095
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030218
Category: SF
Reference: VULNWATCH:20030217 Oracle unauthenticated remote system compromise (#NISR16022003a)
Reference: BUGTRAQ:20030217 Oracle unauthenticated remote system compromise (#NISR16022003a)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104549693426042&w=2
Reference: CONFIRM:http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
Reference: CERT:CA-2003-05
Reference: URL:http://www.cert.org/advisories/CA-2003-05.html
Reference: CERT-VN:VU#953746
Reference: URL:http://www.kb.cert.org/vuls/id/953746
Reference: CIAC:N-046
Reference: URL:http://www.ciac.org/ciac/bulletins/n-046.shtml
Reference: BID:6849
Reference: URL:http://www.securityfocus.com/bid/6849
Reference: XF:oracle-username-bo(11328)
Reference: URL:http://www.iss.net/security_center/static/11328.php
Reference: OSVDB:6319
Reference: URL:http://www.osvdb.org/6319

Buffer overflow in ORACLE.EXE for Oracle Database Server 9i, 8i,
8.1.7, and 8.0.6 allows remote attackers to execute arbitrary code via
a long username that is provided during login, as exploitable through
client applications that perform their own authentication, as
demonstrated using LOADPSP.


Modifications:
  20040811 ADDREF CIAC:N-046
  20040811 ADDREF BID:6849
  20040818 ADDREF OSVDB:6319

Analysis
--------
Vendor Acknowledgement: yes advisory

ABSTRACTION: According to the Oracle advisories, CAN-2003-0095 appears
in 8.0.x, whereas CAN-2003-0096 does not; therefore, CD:SF-LOC
suggests that the issues be SPLIT.

INFERRED ACTION: CAN-2003-0095 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Baker, Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> BID:6849
   URL:http://www.securityfocus.com/bid/6849
 Christey> CIAC:N-046
   URL:http://www.ciac.org/ciac/bulletins/n-046.shtml


======================================================
Candidate: CAN-2003-0097
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0097
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030218
Category: SF
Reference: BUGTRAQ:20030217 PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104550977011668&w=2
Reference: VULNWATCH:20030217 PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
Reference: GENTOO:GLSA-200302-09
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104567042700840&w=2
Reference: GENTOO:GLSA-200302-09.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104567137502557&w=2
Reference: CONFIRM:http://www.slackware.com/changelog/current.php?cpu=i386
Reference: BID:6875
Reference: URL:http://www.securityfocus.com/bid/6875
Reference: XF:php-cgi-sapi-access(11343)
Reference: URL:http://www.iss.net/security_center/static/11343.php

Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to
access arbitrary files as the PHP user, and possibly execute PHP code,
by bypassing the CGI force redirect settings (cgi.force_redirect or
--enable-force-cgi-redirect).


Modifications:
  20040811 [refs] normalize GENTOO
  20040811 ADDREF BID:6875

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0097 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(1) Wall


======================================================
Candidate: CAN-2003-0100
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0100
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030224
Category: SF
Reference: BUGTRAQ:20030220 Cisco IOS OSPF exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104576100719090&w=2
Reference: BUGTRAQ:20030221 Re: Cisco IOS OSPF exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104587206702715&w=2
Reference: BID:6895
Reference: URL:http://www.securityfocus.com/bid/6895
Reference: XF:cisco-ios-ospf-bo(11373)
Reference: URL:http://www.iss.net/security_center/static/11373.php

Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers
to cause a denial of service and possibly execute commands via a large
number of OSPF neighbor announcements.


Modifications:
  20040811 ADDREF BID:6895

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2003-0100 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Wall, Cole, Green, Baker
   NOOP(1) Cox


======================================================
Candidate: CAN-2003-0102
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0102
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: BUGTRAQ:20030304 iDEFENSE Security Advisory 03.04.03: Locally Exploitable Buffer Overflow in file(1)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104680706201721&w=2
Reference: MISC:http://www.idefense.com/advisory/03.04.03.txt
Reference: DEBIAN:DSA-260
Reference: URL:http://www.debian.org/security/2003/dsa-260
Reference: IMMUNIX:IMNX-2003-7+-012-01
Reference: URL:http://lwn.net/Alerts/34908/
Reference: MANDRAKE:MDKSA-2003:030
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:030
Reference: NETBSD:NetBSD-SA2003-003
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-003.txt.asc
Reference: SUSE:SuSE-SA:2003:017
Reference: URL:http://www.suse.de/de/security/2003_017_file.html
Reference: REDHAT:RHSA-2003:086
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-086.html
Reference: REDHAT:RHSA-2003:087
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-087.html

Buffer overflow in tryelf() in readelf.c of the file command allows
attackers to execute arbitrary code as the user running file, possibly
via a large entity size value in an ELF header (elfhdr.e_shentsize).


Modifications:
  20040811 ADDREF REDHAT:RHSA-2003:087
  20040811 ADDREF MANDRAKE:MDKSA-2003:030
  20040811 ADDREF SUSE:SuSE-SA:2003:017
  20040811 ADDREF IMMUNIX:IMNX-2003-7+-012-01

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0102 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(2) Jones, Cox
   NOOP(1) Christey

Voter Comments:
 Christey> SUSE:SuSE-SA:2003:017
   URL:http://www.suse.de/de/security/2003_017_file.html
 Cox> Addref: RHSA-2003:087
 Jones> Change "...user running file,..." to "...user running the file
   command," for clarity
 Christey> MANDRAKE:MDKSA-2003:030
   (as suggested by Vincent Danen of Mandrake)
 Christey> IMMUNIX:IMNX-2003-7+-012-01


======================================================
Candidate: CAN-2003-0103
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0103
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: ATSTAKE:A022503-1
Reference: BID:6952
Reference: URL:http://www.securityfocus.com/bid/6952
Reference: XF:nokia-6210-vcard-dos(11421)
Reference: URL:http://www.iss.net/security_center/static/11421.php

Format string vulnerability in Nokia 6210 handset allows remote
attackers to cause a denial of service (crash, lockup, or restart) via
a Multi-Part vCard with fields containing a large number of format
string specifiers.


Modifications:
  20040811 ADDREF BID:6952

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0103 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2003-0104
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0104
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030225
Category: SF
Reference: ISS:20030310 PeopleSoft PeopleTools Remote Command Execution Vulnerability
Reference: URL:http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21999
Reference: BID:7053
Reference: URL:http://www.securityfocus.com/bid/7053
Reference: XF:peoplesoft-schedulertransfer-create-files(10962)
Reference: URL:http://www.iss.net/security_center/static/10962.php

Directory traversal vulnerability in PeopleTools 8.10 through 8.18,
8.40, and 8.41 allows remote attackers to overwrite arbitrary files
via the SchedulerTransfer servlet.


Modifications:
  20040811 ADDREF BID:7053

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0104 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Baker
   NOOP(4) Wall, Cole, Green, Cox


======================================================
Candidate: CAN-2003-0107
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030226
Category: SF
Reference: BUGTRAQ:20030222 buffer overrun in zlib 1.1.4
Reference: URL:http://online.securityfocus.com/archive/1/312869
Reference: BUGTRAQ:20030223 poc zlib sploit just for fun :)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104610337726297&w=2
Reference: BUGTRAQ:20030224 Re: buffer overrun in zlib 1.1.4
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104610536129508&w=2
Reference: BUGTRAQ:20030225 [sorcerer-spells] ZLIB-SORCERER2003-02-25
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104620610427210&w=2
Reference: CALDERA:CSSA-2003-011.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-011.0.txt
Reference: CONECTIVA:CLSA-2003:619
Reference: URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000619
Reference: GENTOO:GLSA-200303-25
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104887247624907&w=2
Reference: MANDRAKE:MDKSA-2003:033
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:033
Reference: NETBSD:NetBSD-SA2003-004
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-004.txt.asc
Reference: REDHAT:RHSA-2003:079
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-079.html
Reference: REDHAT:RHSA-2003:081
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-081.html
Reference: SUNALERT:57405
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57405
Reference: CONFIRM:http://lists.apple.com/mhonarc/security-announce/msg00038.html
Reference: CERT-VN:VU#142121
Reference: URL:http://www.kb.cert.org/vuls/id/142121
Reference: BID:6913
Reference: URL:http://online.securityfocus.com/bid/6913
Reference: XF:zlib-gzprintf-bo(11381)
Reference: URL:http://www.iss.net/security_center/static/11381.php
Reference: OSVDB:6599
Reference: URL:http://www.osvdb.org/6599

Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is
compiled without vsnprintf or when long inputs are truncated using
vsnprintf, allows attackers to cause a denial of service or possibly
execute arbitrary code.


Modifications:
  20040811 ADDREF GENTOO:GLSA-200303-25
  20040811 ADDREF MANDRAKE:MDKSA-2003:033
  20040811 ADDREF REDHAT:RHSA-2003:079
  20040811 ADDREF CERT-VN:VU#142121
  20040811 ADDREF SUNALERT:57405
  20040811 ADDREF CONFIRM:http://lists.apple.com/mhonarc/security-announce/msg00038.html
  20040811 ADDREF CALDERA:CSSA-2003-011.0
  20040811 ADDREF NETBSD:NetBSD-SA2003-004
  20040811 ADDREF CONECTIVA:CLSA-2003:619
  20040818 ADDREF REDHAT:RHSA-2003:081
  20040818 ADDREF OSVDB:6599

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0107 ACCEPT (4 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Cox
   NOOP(2) Wall, Christey

Voter Comments:
 Christey> MANDRAKE:MDKSA-2003:033
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:033
 Christey> BUGTRAQ:20030328 GLSA:  zlib (200303-25)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104887247624907&w=2
 Christey> MANDRAKE:MDKSA-2003:033
   (as suggested by Vincent Danen of Mandrake)
 Christey> REDHAT:RHSA-2003:079
   URL:http://www.redhat.com/support/errata/RHSA-2003-079.html
 Christey> CERT-VN:VU#142121
   URL:http://www.kb.cert.org/vuls/id/142121
 Christey> SUNALERT:57405
   URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57405
 Christey> CONFIRM:http://lists.apple.com/mhonarc/security-announce/msg00038.html
 Christey> CALDERA:CSSA-2003-011.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-011.0.txt
   NETBSD:NetBSD-SA2003-004
   URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-004.txt.asc
 Christey> CONECTIVA:CLSA-2003:619
   URL:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000619


======================================================
Candidate: CAN-2003-0108
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030226
Category: SF
Reference: BUGTRAQ:20030227 iDEFENSE Security Advisory 02.27.03: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104637420104189&w=2
Reference: MISC:http://www.idefense.com/advisory/02.27.03.txt
Reference: CONECTIVA:CLA-2003:629
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000629
Reference: DEBIAN:DSA-255
Reference: URL:http://www.debian.org/security/2003/dsa-255
Reference: MANDRAKE:MDKSA-2003:027
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:027
Reference: REDHAT:RHSA-2003:032
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-032.html
Reference: REDHAT:RHSA-2003:085
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-085.html
Reference: REDHAT:RHSA-2003:214
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-214.html
Reference: SUSE:SuSE-SA:2003:0015
Reference: URL:http://www.suse.de/de/security/2003_015_tcpdump.html
Reference: BUGTRAQ:20030304 [OpenPKG-SA-2003.014] OpenPKG Security Advisory (tcpdump)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104678787109030&w=2
Reference: BID:6974
Reference: URL:http://www.securityfocus.com/bid/6974
Reference: XF:tcpdump-isakmp-dos(11434)
Reference: URL:http://www.iss.net/security_center/static/11434.php

isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers
to cause a denial of service (CPU consumption) via a certain malformed
ISAKMP packet to UDP port 500, which causes tcpdump to enter an
infinite loop.


Modifications:
  20040811 ADDREF CONECTIVA:CLA-2003:629
  20040811 ADDREF REDHAT:RHSA-2003:032
  20040811 ADDREF BID:6974
  20040818 ADDREF REDHAT:RHSA-2003:085
  20040818 ADDREF REDHAT:RHSA-2003:214

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2003-0108 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Green, Cox
   NOOP(2) Jones, Christey

Voter Comments:
 Christey> REDHAT:RHSA-2003:032
   URL:http://www.redhat.com/support/errata/RHSA-2003-032.html
 Christey> CONECTIVA:CLA-2003:629
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000629
 Christey> BID:6974
   URL:http://www.securityfocus.com/bid/6974


======================================================
Candidate: CAN-2003-0120
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0120
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030228
Category: SF
Reference: DEBIAN:DSA-256
Reference: URL:http://www.debian.org/security/2003/dsa-256
Reference: BID:6978
Reference: URL:http://www.securityfocus.com/bid/6978
Reference: XF:mhc-adb2mhc-insecure-tmp(11439)
Reference: URL:http://www.iss.net/security_center/static/11439.php

adb2mhc in the mhc-utils package before 0.25+20010625-7.1 allows local
users to overwrite arbitrary files via a symlink attack on a default
temporary directory with a predictable name.


Modifications:
  20040811 [desc] fix typo
  20040811 ADDREF BID:6978

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0120 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Green
   MODIFY(1) Jones
   NOOP(2) Christey, Cox

Voter Comments:
 Jones> change "diectory" to "directory"
 Christey> BID:6978
   URL:http://www.securityfocus.com/bid/6978


======================================================
Candidate: CAN-2003-0122
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0122
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030310
Category: SF
Reference: BUGTRAQ:20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104757319829443&w=2
Reference: VULNWATCH:20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0125.html
Reference: MISC:http://www.rapid7.com/advisories/R7-0010.html
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101
Reference: CERT:CA-2003-11
Reference: URL:http://www.cert.org/advisories/CA-2003-11.html
Reference: CERT-VN:VU#433489
Reference: URL:http://www.kb.cert.org/vuls/id/433489
Reference: CIAC:N-065
Reference: URL:http://www.ciac.org/ciac/bulletins/n-065.shtml
Reference: BID:7037
Reference: URL:http://www.securityfocus.com/bid/7037
Reference: XF:lotus-nrpc-bo(11526)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11526

Buffer overflow in Notes server before Lotus Notes R4, R5 before
5.0.11, and early R6 allows remote attackers to execute arbitrary code
via a long distinguished name (DN) during NotesRPC authentication and
an outer field length that is less than that of the DN field.


Modifications:
  20040811 ADDREF CERT:CA-2003-11
  20040811 ADDREF CERT-VN:VU#433489
  20040811 ADDREF CIAC:N-065
  20040811 ADDREF XF:lotus-nrpc-bo(11526)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0122 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Bollinger
   NOOP(3) Wall, Christey, Cox

Voter Comments:
 Green> ACKNOWLEDGED IN LOTUS SPR #DBAR5CJJJS
 Christey> CERT-VN:VU#433489
   URL:http://www.kb.cert.org/vuls/id/433489
   CERT:CA-2003-11
   URL:http://www.cert.org/advisories/CA-2003-11.html
 Christey> CIAC:N-065
   URL:http://www.ciac.org/ciac/bulletins/n-065.shtml
   XF:lotus-nrpc-bo(11526)
   URL:http://xforce.iss.net/xforce/xfdb/11526


======================================================
Candidate: CAN-2003-0123
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0123
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030310
Category: SF
Reference: BUGTRAQ:20030313 R7-0011: Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104757545500368&w=2
Reference: MISC:http://www.rapid7.com/advisories/R7-0011.html
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105060
Reference: CERT:CA-2003-11
Reference: URL:http://www.cert.org/advisories/CA-2003-11.html
Reference: CERT-VN:VU#411489
Reference: URL:http://www.kb.cert.org/vuls/id/411489
Reference: CIAC:N-065
Reference: URL:http://www.ciac.org/ciac/bulletins/n-065.shtml
Reference: BID:7038
Reference: URL:http://www.securityfocus.com/bid/7038
Reference: XF:lotus-web-retriever-bo(11525)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11525

Buffer overflow in Web Retriever client for Lotus Notes/Domino R4.5
through R6 allows remote malicious web servers to cause a denial of
service (crash) via a long HTTP status line.


Modifications:
  20040811 ADDREF CERT:CA-2003-11
  20040811 ADDREF CERT-VN:VU#411489
  20040811 ADDREF CIAC:N-065
  20040811 ADDREF XF:lotus-web-retriever-bo(11525)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0123 ACCEPT (4 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Green, Baker, Bollinger
   NOOP(3) Wall, Christey, Cox

Voter Comments:
 Christey> CERT-VN:VU#411489
   URL:http://www.kb.cert.org/vuls/id/411489
   CERT:CA-2003-11
   URL:http://www.cert.org/advisories/CA-2003-11.html
 Christey> CIAC:N-065
   URL:http://www.ciac.org/ciac/bulletins/n-065.shtml
   XF:lotus-web-retriever-bo(11525)
   URL:http://xforce.iss.net/xforce/xfdb/11525
   CONFIRM:http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105060


======================================================
Candidate: CAN-2003-0124
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0124
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030312
Category: SF
Reference: BUGTRAQ:20030311 Vulnerability in man < 1.5l
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104740927915154&w=2
Reference: CONECTIVA:CLSA-2003:620
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000620
Reference: GENTOO:GLSA-200303-13
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104802285112752&w=2
Reference: REDHAT:RHSA-2003:133
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-133.html
Reference: REDHAT:RHSA-2003:134
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-134.html
Reference: BID:7066
Reference: URL:http://www.securityfocus.com/bid/7066
Reference: XF:man-myxsprintf-code-execution(11512)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11512

man before 1.5l allows attackers to execute arbitrary code via a
malformed man file with improper quotes, which causes the my_xsprintf
function to return a string with the value "unsafe," which is then
executed as a program via a system call if it is in the search path of
the user who runs man.


Modifications:
  20040811 ADDREF GENTOO:200303-13
  20040811 ADDREF REDHAT:RHSA-2003:133
  20040811 ADDREF REDHAT:RHSA-2003:134
  20040811 ADDREF CONECTIVA:CLSA-2003:620
  20040811 ADDREF BID:7066
  20040811 ADDREF XF:man-myxsprintf-code-execution(11512)
  20040811 [desc] clarify issue

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0124 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Green, Baker
   MODIFY(1) Cox
   NOOP(3) Wall, Cole, Christey

Voter Comments:
 Christey> BUGTRAQ:20030318 GLSA:  man (200303-13)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104802285112752&w=2
 Cox> This vulnerability will only execute the arbitrary code as the
   user that runs 'man' and only if that user has an executable called
   'unsafe' somewhere on their path to which the attacker has
   access.  Suggest modification of description to take this into
   account.
 Green> NEW VERSION RELEASE FOLLOWING REPORT OF VULNERABILITY
 Cox> ADDREF REDHAT:RHSA-2003:134
 Christey> REDHAT:RHSA-2003:133


======================================================
Candidate: CAN-2003-0125
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0125
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030312
Category: SF
Reference: MISC:http://www.krusesecurity.dk/advisories/routefind550bof.txt
Reference: VULNWATCH:20030311 SOHO Routefinder 550 VPN, DoS and Buffer Overflow
Reference: CONFIRM:ftp://ftp.multitech.com/Routers/RF550VPN.TXT
Reference: BID:7067
Reference: URL:http://www.securityfocus.com/bid/7067
Reference: XF:routefinder-vpn-options-bo(11514)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11514

Buffer overflow in the web interface for SOHO Routefinder 550 before
firmware 4.63 allows remote attackers to cause a denial of service
(reboot) and execute arbitrary code via a long GET /OPTIONS value.


Modifications:
  20040811 ADDREF BID:7067
  20040811 ADDREF XF:routefinder-vpn-options-bo(11514)

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2003-0125 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2003-0143
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0143
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20030317
Assigned: 20030313
Category: SF
Reference: BUGTRAQ:20030310 QPopper 4.0.x buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104739841223916&w=2
Reference: BUGTRAQ:20030312 Re: QPopper 4.0.x buffer overflow vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104748775900481&w=2
Reference: DEBIAN:DSA-259
Reference: URL:http://www.debian.org/security/2003/dsa-259
Reference: GENTOO:GLSA-200303-12
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104792541215354&w=2
Reference: SUSE:SuSE-SA:2003:018
Reference: URL:http://www.suse.de/de/security/2003_018_qpopper.html
Reference: BUGTRAQ:20030314 [OpenPKG-SA-2003.018] OpenPKG Security Advisory (qpopper)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104768137314397&w=2
Reference: BID:7058
Reference: URL:http://www.securityfocus.com/bid/7058
Reference: XF:qpopper-popmsg-macroname-bo(11516)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11516

The pop_msg function in qpopper 4.0.x before 4.0.5fc2 does not null
terminate a message buffer after a call to Qvsnprintf, which could
allow authenticated users to execute arbitrary code via a buffer
overflow in a mdef command with a long macro name.


Modifications:
  20040811 CHANGEREF GENTOO [normalize]
  20040811 ADDREF SUSE:SuSE-SA:2003:018
  20040811 ADDREF BID:7058
  20040811 ADDREF XF:qpopper-popmsg-macroname-bo(11516)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0143 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Jones, Cole, Armstrong, Green
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> SUSE:SuSE-SA:2003:018
   URL:http://www.suse.de/de/security/2003_018_qpopper.html


======================================================
Candidate: CAN-2003-0145
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0145
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20030317
Assigned: 20030314
Category: SF
Reference: CONFIRM:http://www.tcpdump.org/tcpdump-changes.txt
Reference: DEBIAN:DSA-261
Reference: URL:http://www.debian.org/security/2003/dsa-261
Reference: MANDRAKE:MDKSA-2003:027
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:027
Reference: REDHAT:RHSA-2003:032
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-032.html
Reference: REDHAT:RHSA-2003:151
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-151.html
Reference: REDHAT:RHSA-2003:214
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-214.html
Reference: XF:tcpdump-radius-attribute-dos(11857)
Reference: URL:http://xforce.iss.net/xforce/xfdb/11857

Unknown vulnerability in tcpdump before 3.7.2 related to an inability
to "Handle unknown RADIUS attributes properly," allows remote
attackers to cause a denial of service (infinite loop), a different
vulnerability than CAN-2003-0093.


Modifications:
  20040811 ADDREF MANDRAKE:MDKSA-2003:027
  20040811 ADDREF REDHAT:RHSA-2003:032
  20040811 ADDREF REDHAT:RHSA-2003:151
  20040811 ADDREF XF:tcpdump-radius-attribute-dos(11857)
  20040818 ADDREF REDHAT:RHSA-2003:214
  20040818 ADDREF DEBIAN:DSA-261

Analysis
--------
Vendor Acknowledgement: yes changelog

ACCURACY: Via email on March 14, 2003, Martin Schulze confirmed that
this is a different issue than CAN-2003-0093.

INFERRED ACTION: CAN-2003-0145 ACCEPT_REV (3 accept, 3 ack, 1 review)

Current Votes:
   ACCEPT(3) Cole, Green, Baker
   NOOP(2) Wall, Christey
   REVIEWING(1) Cox

Voter Comments:
 Christey> REDHAT:RHSA-2003:032
   URL:http://www.redhat.com/support/errata/RHSA-2003-032.html
 Christey> MANDRAKE:MDKSA-2003:027
   (as suggested by Vincent Danen of Mandrake)
 Christey> REDHAT:RHSA-2003:151
   URL:http://www.redhat.com/support/errata/RHSA-2003-151.html


======================================================
Candidate: CAN-2003-0825
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0825
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20030918
Category: SF
Reference: MS:MS04-006
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms04-006.asp
Reference: CERT-VN:VU#445214
Reference: URL:http://www.kb.cert.org/vuls/id/445214
Reference: BID:9624
Reference: URL:http://www.securityfocus.com/bid/9624
Reference: XF:win-wins-gsflag-dos(15037)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15037
Reference: OSVDB:3903
Reference: URL:http://www.osvdb.org/3903
Reference: OVAL:OVAL704
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL704.html
Reference: OVAL:OVAL800
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL800.html
Reference: OVAL:OVAL801
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL801.html
Reference: OVAL:OVAL802
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL802.html

The Windows Internet Naming Service (WINS) for Microsoft Windows
Server 2003, and possibly Windows NT and Server 2000, does not
properly validate the length of certain packets, which allows
attackers to cause a denial of service and possibly execute arbitrary
code.


Modifications:
  20040811 ADDREF CERT-VN:VU#445214
  20040811 ADDREF BID:9624
  20040811 ADDREF XF:win-wins-gsflag-dos(15037)
  20040818 ADDREF OSVDB:3903
  20040824 ADDREF OVAL:OVAL704
  20040824 ADDREF OVAL:OVAL800
  20040824 ADDREF OVAL:OVAL801
  20040824 ADDREF OVAL:OVAL802

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0825 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2003-0903
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0903
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20031104
Category: SF
Reference: MS:MS04-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms04-003.asp
Reference: CERT-VN:VU#139150
Reference: URL:http://www.kb.cert.org/vuls/id/139150
Reference: BID:9407
Reference: URL:http://www.securityfocus.com/bid/9407
Reference: XF:mdac-broadcastrequest-bo(14187)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14187
Reference: OSVDB:3457
Reference: URL:http://www.osvdb.org/3457
Reference: OVAL:OVAL525
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL525.html
Reference: OVAL:OVAL553
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL553.html
Reference: OVAL:OVAL751
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL751.html
Reference: OVAL:OVAL775
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL775.html

Buffer overflow in a component of Microsoft Data Access Components
(MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary
code via a malformed UDP response to a broadcast request.


Modifications:
  20040811 ADDREF CERT-VN:VU#139150
  20040811 ADDREF BID:9407
  20040811 ADDREF XF:mdac-broadcastrequest-bo(14187)
  20040818 ADDREF OSVDB:3457
  20040824 ADDREF OVAL:OVAL525
  20040824 ADDREF OVAL:OVAL553
  20040824 ADDREF OVAL:OVAL751
  20040824 ADDREF OVAL:OVAL775

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0903 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Cole, Armstrong, Green
   NOOP(1) Cox


======================================================
Candidate: CAN-2003-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0905
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20031104
Category: SF
Reference: MS:MS04-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms04-008.asp
Reference: CERT-VN:VU#982630
Reference: URL:http://www.kb.cert.org/vuls/id/982630
Reference: BID:9825
Reference: URL:http://www.securityfocus.com/bid/9825
Reference: XF:win-media-services-dos(15038)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15038
Reference: OVAL:OVAL842
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL842.html

Unknown vulnerability in Windows Media Station Service and Windows
Media Monitor Service components of Windows Media Services 4.1 allows
remote attackers to cause a denial of service (disallowing new
connections) via a certain sequence of TCP/IP packets.


Modifications:
  20040811 ADDREF CERT-VN:VU#982630
  20040811 ADDREF BID:9825
  20040811 ADDREF XF:win-media-services-dos(15038)
  20040824 ADDREF OVAL:OVAL842

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0905 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Balinsky, Wall, Cole, Armstrong
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:win-media-services-dos(15038)
   http://xforce.iss.net/xforce/xfdb/15038


======================================================
Candidate: CAN-2003-0924
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0924
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20031104
Category: SF
Reference: DEBIAN:DSA-426
Reference: URL:http://www.debian.org/security/2004/dsa-426
Reference: REDHAT:RHSA-2004:030
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-030.html
Reference: REDHAT:RHSA-2004:031
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-031.html
Reference: SGI:20040201-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040201-01-U.asc
Reference: MANDRAKE:MDKSA-2004:011
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:011
Reference: CERT-VN:VU#487102
Reference: URL:http://www.kb.cert.org/vuls/id/487102
Reference: BID:9442
Reference: URL:http://www.securityfocus.com/bid/9442
Reference: XF:netpbm-temp-insecure-file(14874)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14874
Reference: OVAL:OVAL804
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL804.html
Reference: OVAL:OVAL810
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL810.html

netpbm 9.25 and earlier does not properly create temporary files,
which allows local users to overwrite arbitrary files.


Modifications:
  20040811 ADDREF BID:9442
  20040811 ADDREF XF:netpbm-temp-insecure-file(14874)
  20040811 [desc] fix affected version
  20040824 ADDREF OVAL:OVAL804
  20040824 ADDREF OVAL:OVAL810

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0924 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Cole, Armstrong, Green
   MODIFY(1) Cox

Voter Comments:
 Cox> 2:9.25 is a Mandrake-specific version identifier


======================================================
Candidate: CAN-2003-0966
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0966
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20040318
Assigned: 20031126
Category: SF
Reference: REDHAT:RHSA-2004:009
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-009.html
Reference: SGI:20040103-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040103-01-U.asc
Reference: MISC:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112078
Reference: BID:9430
Reference: URL:http://www.securityfocus.com/bid/9430
Reference: XF:elm-frm-subject-bo(14840)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14840

Buffer overflow in the frm command in elm 2.5.6 and earlier, and
possibly later versions, allows remote attackers to execute arbitrary
code via a long Subject line.


Modifications:
  20040811 ADDREF MISC:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112078
  20040811 ADDREF BID:9430
  20040811 ADDREF XF:elm-frm-subject-bo(14840)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0966 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Wall, Cole, Armstrong, Green
   MODIFY(1) Cox

Voter Comments:
 Cox> ADDREF: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112078
   add "and later versions" because this isn't fixed upstream.


======================================================
Candidate: CAN-2003-0969
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0969
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20031201
Category: SF
Reference: DEBIAN:DSA-411
Reference: URL:http://www.debian.org/security/2004/dsa-411
Reference: SUSE:SuSE-SA:2004:002
Reference: URL:http://www.suse.com/de/security/2004_02_tcpdump.html
Reference: BID:9364
Reference: URL:http://www.securityfocus.com/bid/9364
Reference: XF:mpg321-mp3-format-string(14148)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14148
Reference: OSVDB:3331
Reference: URL:http://www.osvdb.org/3331

mpg321 0.2.10 allows remote attackers to overwrite memory and possibly
execute arbitrary code via an mp3 file that passes certain strings to
the printf function, possibly triggering a format string
vulnerability.


Modifications:
  20040811 ADDREF SUSE:SuSE-SA:2004:002
  20040811 ADDREF BID:9364
  20040818 ADDREF OSVDB:3331

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0969 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Williams, Cole, Armstrong
   NOOP(1) Wall

Voter Comments:
 Williams> http://www.suse.com/de/security/2004_02_tcpdump.html
   http://www.debian.org/security/2004/dsa-411


======================================================
Candidate: CAN-2003-0985
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20031216
Category: SF
Reference: BUGTRAQ:20040105 Linux kernel mremap vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107332782121916&w=2
Reference: MISC:http://isec.pl/vulnerabilities/isec-0013-mremap.txt
Reference: BUGTRAQ:20040105 Linux kernel do_mremap() proof-of-concept exploit code
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107340358402129&w=2
Reference: BUGTRAQ:20040106 Linux mremap bug correction
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107340814409017&w=2
Reference: DEBIAN:DSA-423
Reference: URL:http://www.debian.org/security/2004/dsa-423
Reference: DEBIAN:DSA-450
Reference: URL:http://www.debian.org/security/2004/dsa-450
Reference: SUSE:SuSE-SA:2004:001
Reference: SUSE:SuSE-SA:2004:003
Reference: URL:http://www.suse.com/de/security/2004_03_linux_kernel.html
Reference: CONECTIVA:CLA-2004:799
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000799
Reference: ENGARDE:ESA-20040105-001
Reference: URL:http://www.linuxsecurity.com/advisories/engarde_advisory-3904.html
Reference: REDHAT:RHSA-2003:416
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-416.html
Reference: REDHAT:RHSA-2003:417
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-417.html
Reference: REDHAT:RHSA-2003:418
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-418.html
Reference: REDHAT:RHSA-2003:419
Reference: URL:http://www.redhat.com/support/errata/RHSA-2003-419.html
Reference: DEBIAN:DSA-413
Reference: URL:http://www.debian.org/security/2004/dsa-413
Reference: DEBIAN:DSA-417
Reference: URL:http://www.debian.org/security/2004/dsa-417
Reference: DEBIAN:DSA-427
Reference: URL:http://www.debian.org/security/2004/dsa-427
Reference: DEBIAN:DSA-439
Reference: URL:http://www.debian.org/security/2004/dsa-439
Reference: DEBIAN:DSA-440
Reference: URL:http://www.debian.org/security/2004/dsa-440
Reference: DEBIAN:DSA-442
Reference: URL:http://www.debian.org/security/2004/dsa-442
Reference: DEBIAN:DSA-470
Reference: URL:http://www.debian.org/security/2004/dsa-470
Reference: DEBIAN:DSA-475
Reference: URL:http://www.debian.org/security/2004/dsa-475
Reference: IMMUNIX:IMNX-2004-73-001-01
Reference: MANDRAKE:MDKSA-2004:001
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:001
Reference: SGI:20040102-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040102-01-U
Reference: TRUSTIX:2004-0001
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107332754521495&w=2
Reference: BUGTRAQ:20040107 [slackware-security]  Kernel security update  (SSA:2004-006-01)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107350348418373&w=2
Reference: BUGTRAQ:20040108 [slackware-security] Slackware 8.1 kernel security update (SSA:2004-008-01)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2004-01/0070.html
Reference: BUGTRAQ:20040112 SmoothWall Project Security Advisory SWP-2004:001
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107394143105081&w=2
Reference: XF:linux-domremap-gain-privileges(14135)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14135
Reference: OSVDB:3315
Reference: URL:http://www.osvdb.org/3315
Reference: OVAL:OVAL860
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL860.html
Reference: OVAL:OVAL867
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL867.html

The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21
does not properly perform bounds checks, which allows local users to
cause a denial of service and possibly gain privileges by causing a
remapping of a virtual memory area (VMA) to create a zero length VMA,
a different vulnerability than CAN-2004-0077.


Modifications:
  20040811 ADDREF DEBIAN:DSA-470
  20040811 ADDREF DEBIAN:DSA-475
  20040811 ADDREF REDHAT:RHSA-2003:418
  20040811 [refs] normalize TRUSTIX
  20040811 [desc] fix affected versions
  20040818 ADDREF DEBIAN:DSA-423
  20040818 ADDREF DEBIAN:DSA-450
  20040818 ADDREF OSVDB:3315
  20040824 ADDREF OVAL:OVAL860
  20040824 ADDREF OVAL:OVAL867

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0985 ACCEPT (6 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(4) Baker, Wall, Cole, Armstrong
   MODIFY(2) Cox, Williams
   NOOP(1) Christey

Voter Comments:
 Cox> This issue was fixed in 2.4.21 (proof at URL below)
   Addref: http://linux.bkbits.net:8080/linux-2.4/cset@rusty@rustcorp.com.au|ChangeSet|20030421172337|61834
   This issue did not affect 2.6 (proof: rusty@rustcorp.com.au|ChangeSet|20030506080426|32903)
   Addref: REDHAT:RHSA-2003:418
 Williams> Modify in accordance with Cox comments.
 Christey> DEBIAN:DSA-470
   URL:http://www.debian.org/security/2004/dsa-470
 Christey> DEBIAN:DSA-475
   URL:http://www.debian.org/security/2004/dsa-475
 Christey> Normalize Trustix reference to TRUSTIX:2004-0001


======================================================
Candidate: CAN-2003-0988
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0988
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20031216
Category: SF
Reference: BUGTRAQ:20040114 KDE Security Advisory: VCF file information reader vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107412130407906&w=2
Reference: CONFIRM:http://www.kde.org/info/security/advisory-20040114-1.txt
Reference: CONECTIVA:CLA-2004:810
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000810
Reference: GENTOO:GLSA-200404-02
Reference: URL:http://security.gentoo.org/glsa/glsa-200404-02.xml
Reference: MANDRAKE:MDKSA-2004:003
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:003
Reference: REDHAT:RHSA-2004:005
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-005.html
Reference: REDHAT:RHSA-2004:006
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-006.html
Reference: CERT-VN:VU#820798
Reference: URL:http://www.kb.cert.org/vuls/id/820798
Reference: BID:9419
Reference: URL:http://www.securityfocus.com/bid/9419
Reference: XF:kde-kdepim-bo(14833)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14833
Reference: OVAL:OVAL858
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL858.html
Reference: OVAL:OVAL865
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL865.html

Buffer overflow in the VCF file information reader for KDE Personal
Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4
allows attackers to execute arbitrary code via a VCF file.


Modifications:
  20040811 ADDREF REDHAT:RHSA-2004:006
  20040811 ADDREF CERT-VN:VU#820798
  20040811 ADDREF BID:9419
  20040811 ADDREF XF:kde-kdepim-bo(14833)
  20040824 ADDREF OVAL:OVAL858
  20040824 ADDREF OVAL:OVAL865

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0988 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(6) Baker, Cox, Wall, Cole, Armstrong, Green
   NOOP(1) Christey

Voter Comments:
 Cox> Addref: REDHAT:RHSA-2004:006
 Christey> BUGTRAQ:20040406 [ GLSA 200404-02 ] KDE Personal Information Management Suite Remote Buffer Overflow Vulnerability
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108127782900563&w=2


======================================================
Candidate: CAN-2003-0991
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0991
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20040318
Assigned: 20031216
Category: SF
Reference: MLIST:[Mailman-Announce] 20040208 RELEASED: Mailman 2.0.14 patch-only release
Reference: URL:http://mail.python.org/pipermail/mailman-announce/2004-February/000067.html
Reference: CONECTIVA:CLA-2004:842
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000842
Reference: DEBIAN:DSA-436
Reference: URL:http://www.debian.org/security/2004/dsa-436
Reference: REDHAT:RHSA-2004:019
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-019.html
Reference: SGI:20040201-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040201-01-U.asc
Reference: MANDRAKE:MDKSA-2004:013
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:013
Reference: XF:mailman-command-handler-dos(15106)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15106
Reference: BID:9620
Reference: URL:http://www.securityfocus.com/bid/9620

Unknown vulnerability in the mail command handler in Mailman before
2.0.14 allows remote attackers to cause a denial of service (crash)
via malformed e-mail commands.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-0991 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Wall, Cole, Armstrong
   NOOP(1) Christey

Voter Comments:
 Christey> CONECTIVA:CLA-2004:842
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000842


======================================================
Candidate: CAN-2003-0993
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20040318
Assigned: 20031216
Category: SF
Reference: CONFIRM:http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23850
Reference: MLIST:[apache-cvs] 20040307 cvs commit: apache-1.3/src/modules/standard mod_access.c
Reference: URL:http://marc.theaimsgroup.com/?l=apache-cvs&m=107869603013722
Reference: CONFIRM:http://www.apacheweek.com/features/security-13
Reference: GENTOO:GLSA-200405-22
Reference: URL:http://security.gentoo.org/glsa/glsa-200405-22.xml
Reference: MANDRAKE:MDKSA-2004:046
Reference: URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:046
Reference: SLACKWARE:SSA:2004-133
Reference: URL:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643
Reference: TRUSTIX:2004-0027
Reference: URL:http://www.trustix.org/errata/2004/0027
Reference: BUGTRAQ:20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108437852004207&w=2
Reference: XF:apache-modaccess-obtain-information(15422)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15422
Reference: BID:9829
Reference: URL:http://www.securityfocus.com/bid/9829

mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit
platforms, does not properly parse Allow/Deny rules using IP addresses
without a netmask, which could allow remote attackers to bypass
intended access restrictions.


Modifications:
  20040811 ADDREF BUGTRAQ:20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
  20040811 ADDREF SLACKWARE:SSA:2004-133
  20040811 ADDREF TRUSTIX:2004-0027
  20040811 ADDREF MANDRAKE:MDKSA-2004:046
  20040811 ADDREF GENTOO:GLSA-200405-22

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2003-0993 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Cox, Balinsky, Cole, Armstrong
   NOOP(2) Wall, Christey

Voter Comments:
 Christey> BUGTRAQ:20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108437852004207&w=2
 Christey> SLACKWARE:SSA:2004-133
   URL:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643
   TRUSTIX:2004-0027
   URL:http://www.trustix.org/errata/2004/0027
 Christey> MANDRAKE:MDKSA-2004:046
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:046
 Christey> BUGTRAQ:20040526 [ GLSA 200405-22 ] Apache 1.3: Multiple vulnerabilities
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108559521611694&w=2


======================================================
Candidate: CAN-2003-0994
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0994
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20031216
Category: SF
Reference: FULLDISC:20040112 SRT2004-01-9-1022 - Symantec LiveUpdate allows local users to become SYSTEM
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-January/015510.html
Reference: BUGTRAQ:20040112 SRT2004-01-9-1022 - Symantec LiveUpdate allows local users to become SYSTEM
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-January/015510.html
Reference: BUGTRAQ:20040112 Re:   SRT2004-01-9-1022 - Symantec LiveUpdate allows local users to become SYSTEM
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107393473928245&w=2
Reference: MISC:http://www.secnetops.biz/research/SRT2004-01-09-1022.txt
Reference: OSVDB:3428
Reference: URL:http://www.osvdb.org/3428

The GUI functionality for an interactive session in Symantec
LiveUpdate 1.70.x through 1.90.x, as used in Norton Internet Security
2001 through 2004, SystemWorks 2001 through 2004, and AntiVirus and
Norton AntiVirus Pro 2001 through 2004, AntiVirus for Handhelds v3.0,
allows local users to gain SYSTEM privileges.


Modifications:
  20040818 ADDREF OSVDB:3428

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2003-0994 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Baker, Williams, Wall, Cole, Armstrong
   NOOP(1) Cox


======================================================
Candidate: CAN-2003-1022
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1022
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20031219
Category: SF
Reference: DEBIAN:DSA-416
Reference: URL:http://www.debian.org/security/2004/dsa-416
Reference: CIAC:O-048
Reference: URL:http://www.ciac.org/ciac/bulletins/o-048.shtml
Reference: XF:fspsuite-dot-directory-traversal(14154)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14154
Reference: BID:9377
Reference: URL:http://www.securityfocus.com/bid/9377
Reference: OSVDB:3346
Reference: URL:http://www.osvdb.org/3346

Directory traversal vulnerability in fsp before 2.81.b18 allows remote
users to access files outside the FSP root directory.


Modifications:
  20040818 ADDREF OSVDB:3346

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-1022 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Williams, Wall, Cole, Armstrong, Baker
   NOOP(1) Cox


======================================================
Candidate: CAN-2003-1326
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1326
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20030206
Category: SF
Reference: MS:MS03-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms03-004.asp
Reference: CIAC:N-038
Reference: URL:http://www.ciac.org/ciac/bulletins/n-038.shtml
Reference: BID:6779
Reference: URL:http://www.securityfocus.com/bid/6779
Reference: XF:ie-dialog-zone-bypass(11258)
Reference: URL:http://www.iss.net/security_center/static/11258.php
Reference: OVAL:OVAL126
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL126.html
Reference: OVAL:OVAL178
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL178.html
Reference: OVAL:OVAL49
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL49.html

Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers
to bypass the cross-domain security model to run malicious script or
arbitrary programs via dialog boxes, aka "Improper Cross Domain
Security Validation with dialog box."


Modifications:
  20040811 [desc] fix affected versions
  20040811 ADDREF CIAC:N-038
  20040811 ADDREF BID:6779
  20040824 ADDREF OVAL:OVAL126
  20040824 ADDREF OVAL:OVAL178
  20040824 ADDREF OVAL:OVAL49

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-1326 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> Need to remove 5.01 from the affected versions list; MS03-004
   says "Internet Explorer 5.01 users are not affected by the
   first vulnerability," which is this issue.
 Christey> CIAC:N-038
   URL:http://www.ciac.org/ciac/bulletins/n-038.shtml
   BID:6779
   URL:http://www.securityfocus.com/bid/6779


======================================================
Candidate: CAN-2003-1328
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1328
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20030317
Assigned: 20030206
Category: SF
Reference: BUGTRAQ:20030206 showHelp("file:") disables security in IE - Sandblad advisory #11
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2003-02/0083.html
Reference: MS:MS03-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms03-004.asp
Reference: CERT-VN:VU#400577
Reference: URL:http://www.kb.cert.org/vuls/id/400577
Reference: CIAC:N-038
Reference: URL:http://www.ciac.org/ciac/bulletins/n-038.shtml
Reference: BID:6780
Reference: URL:http://www.securityfocus.com/bid/6780
Reference: XF:ie-showhelp-zone-bypass(11259)
Reference: URL:http://www.iss.net/security_center/static/11259.php
Reference: OVAL:OVAL57
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL57.html

The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and
6.0 supports certain types of pluggable protocols that allow remote
attackers to bypass the cross-domain security model and execute
arbitrary code, aka "Improper Cross Domain Security Validation with
ShowHelp functionality."


Modifications:
  20040811 [desc] fix affected versions
  20040811 ADDREF BUGTRAQ:20030206 showHelp("file:") disables security in IE - Sandblad advisory #11
  20040811 ADDREF CIAC:N-038
  20040811 ADDREF CERT-VN:VU#400577
  20040811 ADDREF BID:6780
  20040824 ADDREF OVAL:OVAL57

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2003-1328 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Green
   NOOP(2) Cox, Christey

Voter Comments:
 Christey> Need to add 5.01 to the affected versions list.
 Christey> BUGTRAQ:20030206 showHelp("file:") disables security in IE - Sandblad advisory #11
   URL:http://archives.neohapsis.com/archives/bugtraq/2003-02/0083.html
   CIAC:N-038
   URL:http://www.ciac.org/ciac/bulletins/n-038.shtml
   CERT-VN:VU#400577
   URL:http://www.kb.cert.org/vuls/id/400577
   BID:6780
   URL:http://www.securityfocus.com/bid/6780


======================================================
Candidate: CAN-2004-0001
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0001
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040105
Category: SF
Reference: REDHAT:RHSA-2004:017
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-017.html
Reference: GENTOO:GLSA-200402-06
Reference: URL:http://security.gentoo.org/glsa/glsa-200402-06.xml
Reference: CERT-VN:VU#337238
Reference: URL:http://www.kb.cert.org/vuls/id/337238
Reference: XF:linux-ptrace-gain-privilege(14888)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14888
Reference: BID:9429
Reference: URL:http://www.securityfocus.com/bid/9429
Reference: OVAL:OVAL868
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL868.html

Unknown vulnerability in the eflags checking in the 32-bit ptrace
emulation for the Linux kernel on AMD64 systems allows local users to
gain privileges.


Modifications:
  20040824 ADDREF OVAL:OVAL868

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0001 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(6) Cole, Armstrong, Green, Baker, Cox, Wall


======================================================
Candidate: CAN-2004-0004
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0004
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040105
Category: SF
Reference: BUGTRAQ:20040116 [OpenCA Advisory] Vulnerability in signature verification
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107427313700554&w=2
Reference: CONFIRM:http://www.openca.org/news/CAN-2004-0004.txt
Reference: CERT-VN:VU#336446
Reference: URL:http://www.kb.cert.org/vuls/id/336446
Reference: BID:9435
Reference: URL:http://www.securityfocus.com/bid/9435
Reference: XF:openca-improper-signature-verification(14847)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14847
Reference: OSVDB:3615
Reference: URL:http://www.osvdb.org/3615

The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6
and earlier only compares the serial of the signer's certificate and
the one in the database, which can cause OpenCA to incorrectly accept
a signature if the certificate's chain is trusted by OpenCA's chain
directory, allowing remote attackers to spoof requests from other
users.


Modifications:
  20040811 ADDREF CERT-VN:VU#336446
  20040811 ADDREF BID:9435
  20040811 ADDREF XF:openca-improper-signature-verification(14847)
  20040818 ADDREF OSVDB:3615

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0004 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0009
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0009
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040105
Category: SF
Reference: BUGTRAQ:20040206 Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107619127531765&w=2
Reference: FULLDISC:20040206 [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-February/016870.html
Reference: CONFIRM:http://www.apache-ssl.org/advisory-20040206.txt
Reference: XF:apachessl-default-password(15065)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15065
Reference: BID:9590
Reference: URL:http://www.securityfocus.com/bid/9590
Reference: OSVDB:3877
Reference: URL:http://www.osvdb.org/3877

Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3
and SSLFakeBasicAuth enabled, allows remote attackers to forge a
client certificate by using basic authentication with the "one-line
DN" of the target user.


Modifications:
  20040818 ADDREF OSVDB:3877

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0009 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2004-0011
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0011
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20040318
Assigned: 20040105
Category: SF
Reference: DEBIAN:DSA-416
Reference: URL:http://www.debian.org/security/2003/dsa-416
Reference: CIAC:O-048
Reference: URL:http://www.ciac.org/ciac/bulletins/o-048.shtml
Reference: BID:9377
Reference: URL:http://www.securityfocus.com/bid/9377
Reference: XF:fsp-boundry-error-bo(14155)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14155

Buffer overflow in fsp before 2.81.b18 allows remote users to execute
arbitrary code.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0011 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Williams, Wall
   NOOP(1) Cox

Voter Comments:
 Williams> http://cvs.sourceforge.net/viewcvs.py/fsp/fsp/ChangeLog?view=auto


======================================================
Candidate: CAN-2004-0013
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0013
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040105
Category: SF
Reference: DEBIAN:DSA-414
Reference: URL:http://www.debian.org/security/2004/dsa-414
Reference: MANDRAKE:MDKSA-2004:005
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:005
Reference: BID:9376
Reference: URL:http://www.securityfocus.com/bid/9376
Reference: XF:jabber-ssl-connections-dos(14158)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14158
Reference: OSVDB:3345
Reference: URL:http://www.osvdb.org/3345

jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly
handle SSL connections, which allows remote attackers to cause a
denial of service (crash).


Modifications:
  20040811 ADDREF BID:9376
  20040811 ADDREF XF:jabber-ssl-connections-dos(14158)
  20040811 [desc] fix versions
  20040818 ADDREF OSVDB:3345

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0013 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   MODIFY(1) Williams
   NOOP(1) Cox

Voter Comments:
 Williams> http://jabberd.jabberstudio.org/1.4/release-1.4.3.shtml

   versions currently listed in desc may be wrong (fixed in 1.4.3?).


======================================================
Candidate: CAN-2004-0015
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0015
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20040318
Assigned: 20040105
Category: SF
Reference: DEBIAN:DSA-418
Reference: URL:http://www.debian.org/security/2004/dsa-418
Reference: BID:9381
Reference: URL:http://www.securityfocus.com/bid/9381
Reference: XF:vbox3-gain-privileges(14170)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14170

vbox3 0.1.8 and earlier does not properly drop privileges before
executing a user-provided TCL script, which allows local users to gain
privileges.


Modifications:
  20040811 ADDREF BID:9381
  20040811 ADDREF XF:vbox3-gain-privileges(14170)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0015 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Williams
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0016
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0016
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040105
Category: SF
Reference: DEBIAN:DSA-419
Reference: URL:http://www.debian.org/security/2004/dsa-419
Reference: BID:9387
Reference: URL:http://www.securityfocus.com/bid/9387
Reference: XF:phpgroupware-calendar-file-include(13489)
Reference: URL:http://xforce.iss.net/xforce/xfdb/13489
Reference: OSVDB:6860
Reference: URL:http://www.osvdb.org/6860

The calendar module for phpgroupware 0.9.14 does not enforce the "save
extension" feature for holiday files, which allows remote attackers to
create and execute PHP files.


Modifications:
  20040811 ADDREF BID:9387
  20040811 ADDREF XF:phpgroupware-calendar-file-include(13489)
  20040818 ADDREF OSVDB:6860

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0016 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   MODIFY(1) Williams
   NOOP(2) Cox, Wall

Voter Comments:
 Williams> I believe this affects phpGroupWare 0.9.14.006 and earlier.  Fixed in 0.9.14.007.
   http://phpgroupware.org/downloads


======================================================
Candidate: CAN-2004-0028
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0028
Final-Decision:
Interim-Decision: 20040825
Modified: 20040811
Proposed: 20040318
Assigned: 20040106
Category: SF
Reference: DEBIAN:DSA-420
Reference: URL:http://www.debian.org/security/2004/dsa-420
Reference: BID:9397
Reference: URL:http://www.securityfocus.com/bid/9397
Reference: XF:jitterbug-execute-code(14207)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14207

jitterbug 1.6.2 does not properly sanitize inputs, which allows remote
authenticated users to execute arbitrary commands.


Modifications:
  20040811 ADDREF BID:9397
  20040811 ADDREF XF:jitterbug-execute-code(14207)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0028 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Williams
   NOOP(2) Cox, Wall

Voter Comments:
 Williams> note that this software is no longer supported.
   http://samba.anu.edu.au/jitterbug/


======================================================
Candidate: CAN-2004-0031
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0031
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040106
Category: SF
Reference: BUGTRAQ:20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107340840209453&w=2
Reference: XF:phpgedview-modify-admin-password(14161)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14161
Reference: OSVDB:3403
Reference: URL:http://www.osvdb.org/3403

PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and
change the administrator password via a direct HTTP request to
editconfig.php.


Modifications:
  20040818 ADDREF OSVDB:3403

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0031 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Williams
   NOOP(3) Cole, Cox, Wall

Voter Comments:
 Williams> http://phpgedview.sourceforge.net/


======================================================
Candidate: CAN-2004-0032
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0032
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040106
Category: SF
Reference: BUGTRAQ:20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107340840209453&w=2
Reference: BID:9369
Reference: URL:http://www.securityfocus.com/bid/9369
Reference: XF:phpgedview-search-xss(14160)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14160
Reference: OSVDB:3402
Reference: URL:http://www.osvdb.org/3402

Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW
2.61 allows remote attackers to inject arbitrary HTML and web script
via the firstname parameter.


Modifications:
  20040811 ADDREF BID:9369
  20040818 ADDREF OSVDB:3402

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0032 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Williams
   NOOP(3) Cole, Cox, Wall

Voter Comments:
 Williams> http://phpgedview.sourceforge.net/


======================================================
Candidate: CAN-2004-0033
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0033
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040106
Category: SF
Reference: BUGTRAQ:20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107340840209453&w=2
Reference: XF:phpgedview-admin-info-disclosure(14162)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14162
Reference: OSVDB:3404
Reference: URL:http://www.osvdb.org/3404

admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain
sensitive information via an action parameter with a phpinfo command.


Modifications:
  20040818 ADDREF OSVDB:3404

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0033 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Williams
   NOOP(3) Cole, Cox, Wall

Voter Comments:
 Williams> http://phpgedview.sourceforge.net/


======================================================
Candidate: CAN-2004-0035
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0035
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040107
Category: SF
Reference: BUGTRAQ:20040105 Multiple Vulnerabilities in Phorum 3.4.5
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107340481804110&w=2
Reference: BID:9363
Reference: URL:http://www.securityfocus.com/bid/9363
Reference: XF:phorum-register-sql-injection(14146)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14146
Reference: OSVDB:3508
Reference: URL:http://www.osvdb.org/3508

SQL injection vulnerability in register.php for Phorum 3.4.5 and
earlier allows remote attackers to execute arbitrary SQL commands via
the hide_email parameter.


Modifications:
  20040811 ADDREF BID:9363
  20040818 ADDREF OSVDB:3508

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The Phorum home page includes a news item for Phorum
3.4.6 that says it fixed some "cross sight scripting issues that were
found by Calum Power [the Bugtraq poster]... [including]
register.php."  While the Phorum announcement implies it's an XSS
issue, the coincidence with Power's post is sufficient to reasonably
assume that Phorum's statement is erroneous in describing the issue as
XSS instead of SQL injection.

INFERRED ACTION: CAN-2004-0035 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Williams
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0036
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0036
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040107
Category: SF
Reference: BUGTRAQ:20040105 vBulletin Forum 2.3.xx calendar.php SQL Injection
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107340358202123&w=2
Reference: CONFIRM:http://www.vbulletin.com/forum/showthread.php?postid=588825
Reference: BID:9360
Reference: URL:http://www.securityfocus.com/bid/9360
Reference: XF:vbulletin-calendar-sql-injection(14144)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14144
Reference: OSVDB:3344
Reference: URL:http://www.osvdb.org/3344

SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x
before 2.3.4 allows remote attackers to steal sensitive information
via the eventid parameter.


Modifications:
  20040811 ADDREF BID:9360
  20040812 ADDREF CONFIRM:http://www.vbulletin.com/forum/showthread.php?postid=588825
  20040818 ADDREF OSVDB:3344

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0036 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Williams
   NOOP(2) Cox, Wall

Voter Comments:
 Williams> http://www.vbulletin.com/forum/showthread.php?postid=588825


======================================================
Candidate: CAN-2004-0040
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0040
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040107
Category: SF
Reference: ISS:20040204 Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
Reference: URL:http://xforce.iss.net/xforce/alerts/id/163
Reference: BUGTRAQ:20040205 Two checkpoint fw-1/vpn-1 vulns
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107604682227031&w=2
Reference: MISC:http://www.us-cert.gov/cas/techalerts/TA04-036A.html
Reference: CERT-VN:VU#873334
Reference: URL:http://www.kb.cert.org/vuls/id/873334
Reference: CIAC:O-073
Reference: URL:http://www.ciac.org/ciac/bulletins/o-073.shtml
Reference: XF:vpn1-ike-bo(14150)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14150
Reference: BID:9582
Reference: URL:http://www.securityfocus.com/bid/9582
Reference: OSVDB:3821
Reference: URL:http://www.osvdb.org/3821
Reference: OSVDB:4432
Reference: URL:http://www.osvdb.org/4432

Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through
4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build
4200 allows remote attackers to execute arbitrary code via an ISAKMP
packet with a large Certificate Request packet.


Modifications:
  20040818 ADDREF OSVDB:3821
  20040818 ADDREF OSVDB:4432

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0040 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2004-0044
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0044
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040112
Category: SF
Reference: CISCO:20040108 Cisco Personal Assistant User Password Bypass Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/cisco-sa-20040108-pa.shtml
Reference: BID:9384
Reference: URL:http://www.securityfocus.com/bid/9384
Reference: XF:ciscopersonalassistant-config-file-access(14172)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14172
Reference: OSVDB:3430
Reference: URL:http://www.osvdb.org/3430

Cisco Personal Assistant 1.4(1) and 1.4(2) disables password
authentication when "Allow Only Cisco CallManager Users" is enabled
and the Corporate Directory settings refer to the directory service
being used by Cisco CallManager, which allows remote attackers to gain
access with a valid username.


Modifications:
  20040812 ADDREF BID:9384
  20040812 ADDREF XF:ciscopersonalassistant-config-file-access(14172)
  20040818 ADDREF OSVDB:3430

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0044 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Williams, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2004-0045
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0045
Final-Decision:
Interim-Decision: 20040825
Modified: 20040812
Proposed: 20040318
Assigned: 20040112
Category: SF
Reference: BUGTRAQ:20040107 [SECURITY] INN: Buffer overflow in control message handling
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2004-01/0063.html
Reference: SLACKWARE:SSA:2004-014-02
Reference: URL:http://www.slackware.org/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.365791
Reference: BUGTRAQ:20040108 [OpenPKG-SA-2004.001] OpenPKG Security Advisory (inn)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2004-01/0064.html
Reference: BID:9382
Reference: URL:http://www.securityfocus.com/bid/9382
Reference: XF:inn-artpost-control-message-bo(14190)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14190

Buffer overflow in the ARTpost function in art.c in the control
message handling code for INN 2.4.0 may allow remote attackers to
execute arbitrary code.


Modifications:
  20040812 [desc] add ARTpost function
  20040812 ADDREF SLACKWARE:SSA:2004-014-02
  20040812 ADDREF BID:9382
  20040812 ADDREF XF:inn-artpost-control-message-bo(14190)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0045 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Williams
   NOOP(1) Wall

Voter Comments:
 Williams> http://www.isc.org/products/INN/


======================================================
Candidate: CAN-2004-0049
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0049
Final-Decision:
Interim-Decision: 20040825
Modified: 20040812
Proposed: 20040318
Assigned: 20040114
Category: SF
Reference: VULNWATCH:20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow
Reference: URL:http://seclists.org/lists/vulnwatch/2004/Jan-Mar/0057.html
Reference: BUGTRAQ:20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow
Reference: URL:http://www.securityfocus.com/archive/1/357834
Reference: CONFIRM:http://service.real.com/help/faq/security/040112_dos/
Reference: CONFIRM:http://service.real.com/help/faq/security/security022604.html

Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote
attackers to cause a denial of service via certain HTTP POST messages
to the Administration System port.


Modifications:
  20040812 ADDREF VULNWATCH:20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow
  20040812 ADDREF BUGTRAQ:20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow
  20040812 ADDREF CONFIRM:http://service.real.com/help/faq/security/security022604.html

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0049 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   MODIFY(1) Williams
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> The following post has more details, stating that it's a
   buffer overflow and that code execution is possible:
   VULNWATCH:20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow
 Williams> vendor conf on the bof w/ code exec issue.
   http://service.real.com/help/faq/security/security022604.html


======================================================
Candidate: CAN-2004-0063
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0063
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040114
Category: SF
Reference: CONFIRM:http://www.ncipher.com/support/advisories/advisory8_payshield.html
Reference: BUGTRAQ:20040114 nCipher Advisory #8: payShield library may verify bad requests
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107411819503569&w=2
Reference: BID:9422
Reference: URL:http://www.securityfocus.com/bid/9422
Reference: XF:payshield-incorrect-request-verification(14832)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14832
Reference: OSVDB:3537
Reference: URL:http://www.osvdb.org/3537

The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12,
1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a
different status code, which could cause applications to make
incorrect security-critical decisions, e.g. by accepting an invalid
PIN number.


Modifications:
  20040812 ADDREF BID:9422
  20040812 ADDREF XF:payshield-incorrect-request-verification(14832)
  20040818 ADDREF OSVDB:3537

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0063 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0068
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0068
Final-Decision:
Interim-Decision: 20040825
Modified: 20040812
Proposed: 20040318
Assigned: 20040115
Category: SF
Reference: BUGTRAQ:20040114 PhpDig 1.6.x: remote command execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107412194008671&w=2
Reference: CONFIRM:http://www.phpdig.net/showthread.php?s=58bcc71c822830ec3bbdaae6d56846e0&threadid=393
Reference: BID:9424
Reference: URL:http://www.securityfocus.com/bid/9424
Reference: XF:phpdig-config-file-include(14826)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14826

PHP remote code injection vulnerability in config.php for PhpDig 1.6.5
and earlier allows remote attackers to execute arbitrary PHP code by
modifying the $relative_script_path parameter to reference a URL on a
remote web server that contains the code.


Modifications:
  20040812 ADDREF BID:9424
  20040812 ADDREF XF:phpdig-config-file-include(14826)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0068 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0070
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0070
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040115
Category: SF
Reference: BUGTRAQ:20040110 Remote Code Execution in ezContents
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107392588915627&w=2
Reference: CONFIRM:http://www.ezcontents.org/forum/viewtopic.php?t=361
Reference: BID:9396
Reference: URL:http://www.securityfocus.com/bid/9396
Reference: XF:ezcontents-php-file-include(14199)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14199
Reference: OSVDB:6878
Reference: URL:http://www.osvdb.org/6878

PHP remote code injection vulnerability in module.php for ezContents
allows remote attackers to execute arbitrary PHP code by modifying the
link parameter to reference a URL on a remote web server that contains
the code.


Modifications:
  20040812 ADDREF BID:9396
  20040812 ADDREF XF:ezcontents-php-file-include(14199)
  20040818 ADDREF OSVDB:6878

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the vendor's web site includes an item "Wed Feb 04,
2004 9:48 am" which explicitly lists CAN-2004-0070.

INFERRED ACTION: CAN-2004-0070 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Williams
   NOOP(3) Cole, Cox, Wall


======================================================
Candidate: CAN-2004-0075
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0075
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040119
Category: SF
Reference: CONECTIVA:CLA-2004:846
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846
Reference: MANDRAKE:MDKSA-2004:015
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:015
Reference: REDHAT:RHSA-2004:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-065.html
Reference: SUSE:SuSE-SA:2004:005
Reference: URL:http://www.suse.de/de/security/2004_05_linux_kernel.html
Reference: XF:linux-vicam-dos(15246)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15246
Reference: OVAL:OVAL836
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL836.html

The Vicam USB driver in Linux before 2.4.25 does not use the
copy_from_user function when copying data from userspace to kernel
space, which crosses security boundaries and allows local users to
cause a denial of service.


Modifications:
  20040812 ADDREF CONECTIVA:CLA-2004:846
  20040812 ADDREF BID:9690
  20040824 ADDREF OVAL:OVAL836

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0075 ACCEPT_REV (3 accept, 2 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Cox
   NOOP(2) Cole, Christey
   REVIEWING(1) Wall

Voter Comments:
 Christey> CONECTIVA:CLA-2004:846
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846


======================================================
Candidate: CAN-2004-0077
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040119
Category: SF
Reference: BUGTRAQ:20040218 Second critical mremap() bug found in all Linux kernels
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107711762014175&w=2
Reference: VULNWATCH:20040218 Second critical mremap() bug found in all Linux kernels
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0040.html
Reference: MISC:http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
Reference: CONECTIVA:CLA-2004:820
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000820
Reference: DEBIAN:DSA-438
Reference: URL:http://www.debian.org/security/2004/dsa-438
Reference: DEBIAN:DSA-439
Reference: URL:http://www.debian.org/security/2004/dsa-439
Reference: DEBIAN:DSA-440
Reference: URL:http://www.debian.org/security/2004/dsa-440
Reference: DEBIAN:DSA-441
Reference: URL:http://www.debian.org/security/2004/dsa-441
Reference: DEBIAN:DSA-442
Reference: URL:http://www.debian.org/security/2004/dsa-442
Reference: DEBIAN:DSA-444
Reference: URL:http://www.debian.org/security/2004/dsa-444
Reference: DEBIAN:DSA-450
Reference: URL:http://www.debian.org/security/2004/dsa-450
Reference: DEBIAN:DSA-453
Reference: URL:http://www.debian.org/security/2004/dsa-453
Reference: DEBIAN:DSA-454
Reference: URL:http://www.debian.org/security/2004/dsa-454
Reference: DEBIAN:DSA-456
Reference: URL:http://www.debian.org/security/2004/dsa-456
Reference: DEBIAN:DSA-466
Reference: URL:http://www.debian.org/security/2004/dsa-466
Reference: DEBIAN:DSA-470
Reference: URL:http://www.debian.org/security/2004/dsa-470
Reference: DEBIAN:DSA-514
Reference: URL:http://www.debian.org/security/2004/dsa-514
Reference: DEBIAN:DSA-475
Reference: URL:http://www.debian.org/security/2004/dsa-475
Reference: REDHAT:RHSA-2004:065
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-065.html
Reference: REDHAT:RHSA-2004:066
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-066.html
Reference: REDHAT:RHSA-2004:069
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-069.html
Reference: REDHAT:RHSA-2004:106
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-106.html
Reference: SLACKWARE:SSA:2004-049
Reference: URL:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.541911
Reference: SUSE:SuSE-SA:2004:005
Reference: URL:http://www.suse.de/de/security/2004_05_linux_kernel.html
Reference: TRUSTIX:2004-0007
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107712137732553&w=2
Reference: TRUSTIX:2004-0008
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107755871932680&w=2
Reference: GENTOO:GLSA-200403-02
Reference: URL:http://security.gentoo.org/glsa/glsa-200403-02.xml
Reference: CERT-VN:VU#981222
Reference: URL:http://www.kb.cert.org/vuls/id/981222
Reference: XF:linux-mremap-gain-privileges(15244)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15244
Reference: BID:9686
Reference: URL:http://www.securityfocus.com/bid/9686
Reference: OSVDB:3986
Reference: URL:http://www.osvdb.org/3986
Reference: OVAL:OVAL825
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL825.html
Reference: OVAL:OVAL837
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL837.html

The do_mremap function for the mremap system call in Linux 2.2 to
2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the
return value from the do_munmap function when the maximum number of
VMA descriptors is exceeded, which allows local users to gain root
privileges, a different vulnerability than CAN-2003-0985.


Modifications:
  20040812 ADDREF DEBIAN:DSA-466
  20040812 ADDREF DEBIAN:DSA-470
  20040812 ADDREF DEBIAN:DSA-475
  20040812 ADDREF DEBIAN:DSA-514
  20040812 ADDREF REDHAT:RHSA-2004:069
  20040812 ADDREF CERT-VN:VU#981222
  20040812 [refs] Normalize Trustix references
  20040818 ADDREF REDHAT:RHSA-2004:106
  20040818 ADDREF DEBIAN:DSA-450
  20040818 ADDREF DEBIAN:DSA-453
  20040818 ADDREF DEBIAN:DSA-454
  20040818 ADDREF OSVDB:3986
  20040824 ADDREF OVAL:OVAL825
  20040824 ADDREF OVAL:OVAL837

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0077 ACCEPT (5 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Wall
   NOOP(1) Christey

Voter Comments:
 Christey> DEBIAN:DSA-466
   URL:http://www.debian.org/security/2004/dsa-466
   CERT-VN:VU#981222
   URL:http://www.kb.cert.org/vuls/id/981222
 Cox> Addref: REDHAT:RHSA-2004:069
 Christey> DEBIAN:DSA-470
   URL:http://www.debian.org/security/2004/dsa-470
 Christey> DEBIAN:DSA-475
   URL:http://www.debian.org/security/2004/dsa-475
 Christey> Normalize Trustix references
 Christey> DEBIAN:DSA-514
   URL:http://www.debian.org/security/2004/dsa-514


======================================================
Candidate: CAN-2004-0078
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040119
Category: SF
Reference: BUGTRAQ:20040211 Mutt-1.4.2 fixes buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107651677817933&w=2
Reference: CALDERA:CSSA-2004-013.0
Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2004-013.0.txt
Reference: REDHAT:RHSA-2004:050
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-050.html
Reference: REDHAT:RHSA-2004:051
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-051.html
Reference: MANDRAKE:MDKSA-2004:010
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:010
Reference: SLACKWARE:SSA:2004-043
Reference: URL:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.405607
Reference: CONFIRM:http://bugs.debian.org/126336
Reference: BUGTRAQ:20040215 LNSA-#2004-0001: mutt remote crash
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107696262905039&w=2
Reference: BUGTRAQ:20040309 [OpenPKG-SA-2004.005] OpenPKG Security Advisory (mutt)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107884956930903&w=2
Reference: XF:mutt-index-menu-bo(15134)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15134
Reference: BID:9641
Reference: URL:http://www.securityfocus.com/bid/9641
Reference: OSVDB:3918
Reference: URL:http://www.osvdb.org/3918
Reference: OVAL:OVAL811
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL811.html
Reference: OVAL:OVAL838
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL838.html

Buffer overflow in the index menu code (menu_pad_string of menu.c) for
Mutt 1.4.1 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via certain mail
messages.


Modifications:
  20040812 ADDREF CALDERA:CSSA-2004-013.0
  20040818 ADDREF OSVDB:3918
  20040824 ADDREF OVAL:OVAL811
  20040824 ADDREF OVAL:OVAL838

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0078 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Wall
   NOOP(1) Christey

Voter Comments:
 Christey> CALDERA:CSSA-2004-013.0
   URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2004-013.0.txt


======================================================
Candidate: CAN-2004-0080
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0080
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040119
Category: SF
Reference: GENTOO:GLSA-200404-06
Reference: URL:http://security.gentoo.org/glsa/glsa-200404-06.xml
Reference: REDHAT:RHSA-2004:056
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-056.html
Reference: SGI:20040201-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040201-01-U.asc
Reference: SGI:20040406-01-U
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108318777829802&w=2
Reference: BUGTRAQ:20040331 OpenLinux: util-linux could leak sensitive data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108077689801698&w=2
Reference: BUGTRAQ:20040408 LNSA-#2004-0010: login may leak sensitive data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108144719532385&w=2
Reference: CERT-VN:VU#801526
Reference: URL:http://www.kb.cert.org/vuls/id/801526
Reference: BID:9558
Reference: URL:http://www.securityfocus.com/bid/9558
Reference: XF:utillinux-information-leak(15016)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15016
Reference: OSVDB:3796
Reference: URL:http://www.osvdb.org/3796

The login program in util-linux 2.11 and earlier uses a pointer after
it has been freed and reallocated, which could cause login to leak
sensitive data.


Modifications:
  20040812 ADDREF BUGTRAQ:20040331 OpenLinux: util-linux could leak sensitive data
  20040812 ADDREF BUGTRAQ:20040408 LNSA-#2004-0010: login may leak sensitive data
  20040812 ADDREF GENTOO:GLSA-200404-06
  20040812 ADDREF SGI:20040406-01-U
  20040812 ADDREF CERT-VN:VU#801526
  20040812 ADDREF BID:9558
  20040812 ADDREF XF:utillinux-information-leak(15016)
  20040818 ADDREF OSVDB:3796

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0080 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Wall
   NOOP(1) Christey

Voter Comments:
 Christey> BUGTRAQ:20040331 OpenLinux: util-linux could leak sensitive data
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108077689801698&w=2
 Christey> BUGTRAQ:20040408 LNSA-#2004-0010: login may leak sensitive data
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108144719532385&w=2
 Christey> SGI:20040406-01-U
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108318777829802&w=2


======================================================
Candidate: CAN-2004-0082
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0082
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040119
Category: SF
Reference: REDHAT:RHSA-2004:064
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-064.html
Reference: CONFIRM:http://us1.samba.org/samba/ftp/WHATSNEW-3.0.2a.txt
Reference: CONFIRM:http://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.html
Reference: CIAC:O-078
Reference: URL:http://www.ciac.org/ciac/bulletins/o-078.shtml
Reference: BID:9637
Reference: URL:http://www.securityfocus.com/bid/9637
Reference: XF:samba-mksmbpasswd-gain-access(15132)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15132
Reference: OSVDB:3919
Reference: URL:http://www.osvdb.org/3919
Reference: OVAL:OVAL827
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL827.html

The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and
3.0.1, when creating an account but marking it as disabled, may
overwrite the user password with an uninitialized buffer, which could
enable the account with a more easily guessable password.


Modifications:
  20040812 ADDREF CIAC:O-078
  20040812 ADDREF BID:9637
  20040812 ADDREF CONFIRM:http://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.html
  20040818 ADDREF OSVDB:3919
  20040824 ADDREF OVAL:OVAL827

Analysis
--------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: The release notes for Samba 3.02, dated February 9,
2004, explicitly reference this identifier.

INFERRED ACTION: CAN-2004-0082 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Wall
   NOOP(1) Christey

Voter Comments:
 Christey> CIAC:O-078
   URL:http://www.ciac.org/ciac/bulletins/o-078.shtml
   BID:9637
   URL:http://www.securityfocus.com/bid/9637


======================================================
Candidate: CAN-2004-0089
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0089
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040120
Category: SF
Reference: ATSTAKE:A012704-1
Reference: URL:http://www.atstake.com/research/advisories/2004/a012704-1.txt
Reference: APPLE:APPLE-SA-2004-01-26
Reference: URL:http://www.securityfocus.com/advisories/6269
Reference: CERT-VN:VU#902374
Reference: URL:http://www.kb.cert.org/vuls/id/902374
Reference: BID:9731
Reference: URL:http://www.securityfocus.com/bid/9731
Reference: XF:macosx-trublue-environmentvariable-bo(14968)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14968
Reference: OSVDB:6821
Reference: URL:http://www.osvdb.org/6821

Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x
allows local users to gain privileges via a long environment variable.


Modifications:
  20040812 ADDREF APPLE:APPLE-SA-2004-01-26
  20040812 ADDREF CERT-VN:VU#902374
  20040812 ADDREF BID:9731
  20040812 ADDREF XF:macosx-trublue-environmentvariable-bo(14968)
  20040812 DELREF CONFIRM's - normalize to APPLE instead
  20040818 ADDREF OSVDB:6821

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0089 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Green, Baker
   NOOP(3) Cole, Cox, Wall

Voter Comments:
 Green> Ack'ed by CAN# in Apple bulletin at
   http://docs.info.apple.com/article.html?artnum=61798


======================================================
Candidate: CAN-2004-0093
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0093
Final-Decision:
Interim-Decision: 20040825
Modified: 20040812
Proposed: 20040318
Assigned: 20040123
Category: SF
Reference: CONECTIVA:CLSA-2004:824
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000824
Reference: DEBIAN:DSA-443
Reference: URL:http://www.debian.org/security/2004/dsa-443
Reference: REDHAT:RHSA-2004:152
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-152.html
Reference: SGI:20040406-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040406-01-U
Reference: BID:9701
Reference: URL:http://www.securityfocus.com/bid/9701
Reference: XF:xfree86-glx-array-dos(15272)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15272

XFree86 4.1.0 allows remote attackers to cause a denial of service and
possibly execute arbitrary code via an out-of-bounds array index when
using the GLX extension and Direct Rendering Infrastructure (DRI).


Modifications:
  20040812 ADDREF CONECTIVA:CLSA-2004:824
  20040812 ADDREF SGI:20040406-01-U
  20040812 ADDREF REDHAT:RHSA-2004:152
  20040812 ADDREF BID:9701

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0093 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> SGI:20040406-01-U
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108318777829802&w=2


======================================================
Candidate: CAN-2004-0094
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0094
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20040318
Assigned: 20040123
Category: SF
Reference: CONECTIVA:CLSA-2004:824
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000824
Reference: DEBIAN:DSA-443
Reference: URL:http://www.debian.org/security/2004/dsa-443
Reference: REDHAT:RHSA-2004:152
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-152.html
Reference: SGI:20040406-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040406-01-U
Reference: BID:9701
Reference: URL:http://www.securityfocus.com/bid/9701
Reference: XF:xfree86-glx-integer-dos(15273)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15273

Integer signedness errors in XFree86 4.1.0 allow remote attackers to
cause a denial of service and possibly execute arbitrary code when
using the GLX extension and Direct Rendering Infrastructure (DRI).


Modifications:
  20040812 ADDREF CONECTIVA:CLSA-2004:824
  20040812 ADDREF SGI:20040406-01-U
  20040812 ADDREF REDHAT:RHSA-2004:152
  20040812 ADDREF BID:9701

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0094 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> SGI:20040406-01-U
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108318777829802&w=2


======================================================
Candidate: CAN-2004-0095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0095
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040126
Category: SF
Reference: CONFIRM:http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zip
Reference: BID:9476
Reference: URL:http://www.securityfocus.com/bid/9476
Reference: XF:epolicy-contentlength-post-dos(14989)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14989
Reference: OSVDB:3744
Reference: URL:http://www.osvdb.org/3744

McAfee ePolicy Orchestrator agent allows remote attackers to cause a
denial of service (memory consumption and crash) and possibly execute
arbitrary code via an HTTP POST request with an invalid Content-Length
value, possibly triggering a buffer overflow.


Modifications:
  20040812 ADDREF CONFIRM
  20040812 ADDREF XF:epolicy-contentlength-post-dos(14989)
  20040818 ADDREF OSVDB:3744

Analysis
--------
Vendor Acknowledgement: yes patch

ACKNOWLEDGEMENT: NAI patch EPO3013 includes a Patch3.txt file that
specifically mentions this CVE item.

INFERRED ACTION: CAN-2004-0095 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Green, Baker
   NOOP(2) Cole, Cox
   REVIEWING(1) Wall

Voter Comments:
 Green> Vendor ack'ed by CAN # in
   Network Associates Patch EPO3013


======================================================
Candidate: CAN-2004-0096
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0096
Final-Decision:
Interim-Decision: 20040825
Modified: 20040812
Proposed: 20040318
Assigned: 20040126
Category: SF
Reference: MLIST:[mod_python] 20040122 [ANNOUNCE] Mod_python 2.7.10
Reference: URL:http://www.modpython.org/pipermail/mod_python/2004-January/014879.html
Reference: GENTOO:GLSA-200401-03
Reference: URL:http://security.gentoo.org/glsa/glsa-200401-03.xml
Reference: REDHAT:RHSA-2004:058
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-058.html
Reference: REDHAT:RHSA-2004:063
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-063.html

Unknown vulnerability in mod_python 2.7.9 allows remote attackers to
cause a denial of service (httpd crash) via a certain query string, a
variant of CAN-2003-0973.


Modifications:
  20040812 ADDREF GENTOO:GLSA-200401-03
  20040812 ADDREF REDHAT:RHSA-2004:058
  20040812 ADDREF REDHAT:RHSA-2004:063

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0096 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Baker, Cox
   NOOP(2) Christey, Wall

Voter Comments:
 Christey> BUGTRAQ:20040127 [ GLSA 200401-03 ] Apache mod_python Denial of Service vulnerability
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107522658715931&w=2
 Green> http://www.modpython.org/pipermail/mod_python/2004-January/014879.html
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2004-0099
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0099
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040129
Category: SF
Reference: FREEBSD:FreeBSD-SA-04:01
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc
Reference: BID:9533
Reference: URL:http://www.securityfocus.com/bid/9533
Reference: XF:freebsd-mksnapffs-bypass-security(15005)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15005
Reference: OSVDB:3790
Reference: URL:http://www.osvdb.org/3790

mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when
creating a snapshot for a file system, which causes default values for
other flags to be used, possibly disabling security-critical settings
and allowing a local user to bypass intended access restrictions.


Modifications:
  20040812 ADDREF BID:9533
  20040812 ADDREF XF:freebsd-mksnapffs-bypass-security(15005)
  20040818 ADDREF OSVDB:3790

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0099 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0108
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0108
Final-Decision:
Interim-Decision: 20040825
Modified: 20040812
Proposed: 20040318
Assigned: 20040202
Category: SF
Reference: REDHAT:RHSA-2004:053
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-053.html
Reference: DEBIAN:DSA-460
Reference: URL:http://www.debian.org/security/2004/dsa-460
Reference: SGI:20040302-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040302-01-U.asc
Reference: BID:9844
Reference: URL:http://www.securityfocus.com/bid/9844
Reference: XF:sysstat-isag-symlink(15437)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15437

The isag utility, which processes sysstat data, allows local users to
overwrite arbitrary files via a symlink attack on temporary files, a
different vulnerability than CAN-2004-0107.


Modifications:
  20040812 ADDREF BID:9844
  20040812 ADDREF XF:sysstat-isag-symlink(15437)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0108 ACCEPT (7 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(6) Cole, Armstrong, Baker, Cox, Balinsky, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Voter Comments:
 Frech> XF:sysstat-isag-symlink(15437)
   http://xforce.iss.net/xforce/xfdb/15437
 Christey> BID:9844
   URL:http://www.securityfocus.com/bid/9844
   XF:sysstat-isag-symlink(15437)
   URL:http://xforce.iss.net/xforce/xfdb/15437


======================================================
Candidate: CAN-2004-0111
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0111
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040202
Category: SF
Reference: DEBIAN:DSA-464
Reference: URL:http://www.debian.org/security/2004/dsa-464
Reference: MANDRAKE:MDKSA-2004:020
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:020
Reference: REDHAT:RHSA-2004:102
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-102.html
Reference: REDHAT:RHSA-2004:103
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-103.html
Reference: BID:9842
Reference: URL:http://www.securityfocus.com/bid/9842
Reference: XF:gdk-pixbuf-bitmap-dos(15426)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15426
Reference: OVAL:OVAL845
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL845.html
Reference: OVAL:OVAL846
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL846.html

gdk-pixbuf before 0.20 allows attackers to cause a denial of service
(crash) via a malformed bitmap (BMP) file.


Modifications:
  20040812 ADDREF DEBIAN:DSA-464
  20040812 ADDREF REDHAT:RHSA-2004:102
  20040812 ADDREF BID:9842
  20040812 ADDREF XF:gdk-pixbuf-bitmap-dos(15426)
  20040824 ADDREF OVAL:OVAL845
  20040824 ADDREF OVAL:OVAL846

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0111 ACCEPT_REV (6 accept, 2 ack, 1 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Balinsky
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Wall

Voter Comments:
 Christey> DEBIAN:DSA-464
   URL:http://www.debian.org/security/2004/dsa-464
 Frech> XF:gdk-pixbuf-bitmap-dos(15426)
   http://xforce.iss.net/xforce/xfdb/15426
 Cox> Addref: REDHAT:RHSA-2004:102
 Christey> XF:gdk-pixbuf-bitmap-dos(15426)
   URL:http://xforce.iss.net/xforce/xfdb/15426
   BID:9842
   URL:http://www.securityfocus.com/bid/9842


======================================================
Candidate: CAN-2004-0113
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040202
Category: SF
Reference: MISC:http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106
Reference: MLIST:[apache-cvs] 20040307 cvs commit: httpd-2.0/modules/ssl ssl_engine_io.c
Reference: URL:http://marc.theaimsgroup.com/?l=apache-cvs&m=107869699329638
Reference: CONFIRM:http://www.apacheweek.com/features/security-20
Reference: APPLE:APPLE-SA-2004-05-03
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108369640424244&w=2
Reference: CONECTIVA:CLSA-2004:839
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000839
Reference: GENTOO:GLSA-200403-04
Reference: URL:http://security.gentoo.org/glsa/glsa-200403-04.xml
Reference: HP:SSRT4717
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108731648532365&w=2
Reference: MANDRAKE:MDKSA-2004:043
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:043
Reference: REDHAT:RHSA-2004:084
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-084.html
Reference: REDHAT:RHSA-2004:182
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-182.html
Reference: TRUSTIX:2004-0017
Reference: URL:http://www.trustix.org/errata/2004/0017
Reference: BUGTRAQ:20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108034113406858&w=2
Reference: XF:apache-modssl-plain-dos(15419)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15419
Reference: BID:9826
Reference: URL:http://www.securityfocus.com/bid/9826
Reference: OSVDB:4182
Reference: URL:http://www.osvdb.org/4182
Reference: OVAL:OVAL876
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL876.html

Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49
allows remote attackers to cause a denial of service (memory
consumption) via plain HTTP requests to the SSL port of an SSL-enabled
server.


Modifications:
  20040812 ADDREF CONECTIVA:CLSA-2004:839
  20040812 ADDREF GENTOO:GLSA-200403-04
  20040812 ADDREF MANDRAKE:MDKSA-2004:043
  20040812 ADDREF REDHAT:RHSA-2004:084
  20040812 ADDREF REDHAT:RHSA-2004:182
  20040812 ADDREF TRUSTIX:2004-0017
  20040812 ADDREF HP:SSRT4717
  20040812 ADDREF APPLE:APPLE-SA-2004-05-03
  20040812 ADDREF BUGTRAQ:20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48
  20040818 ADDREF OSVDB:4182
  20040824 ADDREF OVAL:OVAL876

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2004-0113 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(6) Cole, Armstrong, Baker, Cox, Balinsky, Wall
   NOOP(1) Christey

Voter Comments:
 Christey> REDHAT:RHSA-2004:084
   URL:http://www.redhat.com/support/errata/RHSA-2004-084.html
 Christey> BUGTRAQ:20040330 TSLSA-2004-0017 - apache
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108066914830552&w=2
 Christey> BUGTRAQ:20040325 GLSA200403-04 Multiple security vulnerabilities in Apache 2
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108024081011678&w=2
   BUGTRAQ:20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108034113406858&w=2
 Christey> REDHAT:RHSA-2004:182
   URL:http://www.redhat.com/support/errata/RHSA-2004-182.html
 Christey> APPLE:APPLE-SA-2004-05-03
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108369640424244&w=2
 Christey> MANDRAKE:MDKSA-2004:043
   URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:043
 Christey> HP:SSRT4717
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108731648532365&w=2


======================================================
Candidate: CAN-2004-0114
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0114
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040203
Category: SF
Reference: BUGTRAQ:20040205 [PINE-CERT-20040201] reference count overflow in shmat()
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107608375207601&w=2
Reference: MISC:http://www.pine.nl/press/pine-cert-20040201.txt
Reference: FREEBSD:FreeBSD-SA-04:02
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc
Reference: NETBSD:NetBSD-SA2004-004
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-004.txt.asc
Reference: BID:9586
Reference: URL:http://www.securityfocus.com/bid/9586
Reference: XF:bsd-shmat-gain-privileges(15061)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15061
Reference: OSVDB:3836
Reference: URL:http://www.osvdb.org/3836

The shmat system call in the System V Shared Memory interface for
FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and
earlier, does not properly decrement a shared memory segment's
reference count when the vm_map_find function fails, which could allow
local users to gain read or write access to a portion of kernel memory
and gain privileges.


Modifications:
  20040818 ADDREF OSVDB:3836

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0114 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0115
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0115
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040203
Category: SF
Reference: ATSTAKE:A021004-1
Reference: URL:http://www.atstake.com/research/advisories/2004/a021004-1.txt
Reference: MS:MS04-005
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms04-005.asp
Reference: CIAC:O-076
Reference: URL:http://www.ciac.org/ciac/bulletins/o-076.shtml
Reference: BID:9632
Reference: URL:http://www.securityfocus.com/bid/9632
Reference: XF:virtual-pc-gain-privileges(15113)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15113
Reference: OSVDB:3893
Reference: URL:http://www.osvdb.org/3893

VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1
allows local attackers to truncate and overwrite arbitrary files, and
execute arbitrary code, via a symlink attack on the VPCServices_Log
temporary file.


Modifications:
  20040812 ADDREF CIAC:O-076
  20040812 ADDREF BID:9632
  20040812 ADDREF XF:virtual-pc-gain-privileges(15113)
  20040818 ADDREF OSVDB:3893

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0115 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CIAC:O-076
   URL:http://www.ciac.org/ciac/bulletins/o-076.shtml
   XF:virtual-pc-gain-privileges(15113)
   URL:http://xforce.iss.net/xforce/xfdb/15113
   BID:9632
   URL:http://www.securityfocus.com/bid/9632


======================================================
Candidate: CAN-2004-0121
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0121
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040203
Category: SF
Reference: IDEFENSE:20040309 Microsoft Outlook "mailto:" Parameter Passing Vulnerability
Reference: URL:http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities
Reference: BUGTRAQ:20040310 Outlook mailto: URL argument injection vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107893704602842&w=2
Reference: MS:MS04-009
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms04-009.asp
Reference: CERT-VN:VU#305206
Reference: URL:http://www.kb.cert.org/vuls/id/305206
Reference: BID:9827
Reference: URL:http://www.securityfocus.com/bid/9827
Reference: XF:outlook-mailtourl-execute-code(15414)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15414
Reference: OVAL:OVAL843
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL843.html

Argument injection vulnerability in Microsoft Outlook 2002 does not
sufficiently filter parameters of mailto: URLs when using them as
arguments when calling OUTLOOK.EXE, which allows remote attackers to
use script code in the Local Machine zone and execute arbitrary
programs.


Modifications:
  20040812 ADDREF CERT-VN:VU#305206
  20040812 ADDREF XF:outlook-mailtourl-execute-code(15414)
  20040812 ADDREF BID:9827
  20040812 CHANGEREF MISC - normalize to IDEFENSE
  20040812 [desc] say "argument injection vulnerability"
  20040824 ADDREF OVAL:OVAL843

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0121 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Balinsky, Wall
   MODIFY(1) Frech
   NOOP(2) Christey, Cox

Voter Comments:
 Frech> XF:outlook-mailtourl-execute-code(15414)
   http://xforce.iss.net/xforce/xfdb/15414
 Christey> modify desc to say "argument injection vulnerability"


======================================================
Candidate: CAN-2004-0122
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0122
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040203
Category: SF
Reference: MS:MS04-010
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms04-010.asp
Reference: CERT-VN:VU#688094
Reference: URL:http://www.kb.cert.org/vuls/id/688094
Reference: XF:msn-request-view-files(15415)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15415
Reference: OVAL:OVAL844
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL844.html

Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain
requests, which allows remote attackers to read arbitrary files.


Modifications:
  20040812 ADDREF CERT-VN:VU#688094
  20040812 ADDREF XF:msn-request-view-files(15415)
  20040824 ADDREF OVAL:OVAL844

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0122 ACCEPT (6 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Balinsky, Wall
   MODIFY(1) Frech
   NOOP(1) Cox

Voter Comments:
 Frech> XF:msn-request-view-files(15415)
   http://xforce.iss.net/xforce/xfdb/15415


======================================================
Candidate: CAN-2004-0126
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0126
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040203
Category: SF
Reference: FREEBSD:FreeBSD-SA-04:03
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc
Reference: XF:freebsd-jailattach-gain-privileges(15344)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15344
Reference: BID:9762
Reference: URL:http://www.securityfocus.com/bid/9762
Reference: OSVDB:4101
Reference: URL:http://www.osvdb.org/4101

The jail_attach system call in FreeBSD 5.1 and 5.2 changes the
directory of a calling process even if the process doesn't have
permission to change directory, which allows local users to gain
read/write privileges to files and directories within another jail.


Modifications:
  20040818 ADDREF OSVDB:4101

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0126 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0128
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0128
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040204
Category: SF
Reference: BUGTRAQ:20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior
Reference: URL:http://www.securityfocus.com/archive/1/352355
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=141517
Reference: BID:9531
Reference: URL:http://www.securityfocus.com/bid/9531
Reference: XF:phpgedview-gedfilconf-file-include(14987)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14987
Reference: OSVDB:3769
Reference: URL:http://www.osvdb.org/3769

PHP remote code injection vulnerability in the GEDCOM configuration
script for phpGedView 2.65.1 and earlier allows remote attackers to
execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY
parameter to reference a URL on a remote web server that contains a
malicious theme.php script.


Modifications:
  20040812 ADDREF BID:9531
  20040812 ADDREF XF:phpgedview-gedfilconf-file-include(14987)
  20040818 ADDREF OSVDB:3769

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the changelog for PhpGedView v2.65.2, dated January
28, 2004, includes an item that says the developer "Fixed
vulnerability in $INDEX_DIRECTORY/gedcom.ged_conf.php."

INFERRED ACTION: CAN-2004-0128 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0129
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0129
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040204
Category: SF
Reference: BUGTRAQ:20040203 Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107582619125932&w=2
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=350228
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/relnotes.php?rel=0
Reference: GENTOO:GLSA-200402-05
Reference: URL:http://security.gentoo.org/glsa/glsa-200402-05.xml
Reference: BID:9564
Reference: URL:http://www.securityfocus.com/bid/9564
Reference: XF:phpmyadmin-dotdot-directory-traversal(15021)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15021
Reference: OSVDB:3800
Reference: URL:http://www.osvdb.org/3800

Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5
and earlier allows remote attackers to read arbitrary files via
.. (dot dot) sequences in the what parameter.


Modifications:
  20040611 Normalize Gentoo reference
  20040813 ADDREF BID:9564
  20040813 ADDREF XF:phpmyadmin-dotdot-directory-traversal(15021)
  20040818 ADDREF OSVDB:3800

Analysis
--------
Vendor Acknowledgement: unknown discloser-claimed

ACKNOWLEDGEMENT: the Changelog for version 2.5.6-rc1 states that "a
security fix" was made, and a diff of export.php with an earlier
version confirms it.

INFERRED ACTION: CAN-2004-0129 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Armstrong, Baker
   NOOP(4) Cole, Christey, Cox, Wall

Voter Comments:
 Christey> Normalize Gentoo reference


======================================================
Candidate: CAN-2004-0131
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0131
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040210
Category: SF
Reference: IDEFENSE:20040204 GNU Radius Remote Denial of Service Vulnerability
Reference: URL:http://www.idefense.com/application/poi/display?id=71&type=vulnerabilities&flashstatus=true
Reference: CONFIRM:http://ftp.gnu.org/gnu/radius/radius-1.2.tar.gz
Reference: CERT-VN:VU#277396
Reference: URL:http://www.kb.cert.org/vuls/id/277396
Reference: BID:9578
Reference: URL:http://www.securityfocus.com/bid/9578
Reference: XF:radius-radprintrequest-dos(15046)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15046
Reference: OSVDB:3824
Reference: URL:http://www.osvdb.org/3824

The rad_print_request function in logger.c for GNU Radius daemon
(radiusd) before 1.2 allows remote attackers to cause a denial of
service (crash) via a UDP packet with an Acct-Status-Type attribute
without a value and no Acct-Session-Id attribute, which causes a null
dereference.


Modifications:
  20040813 CHANGEREF IDEFENSE normalize from FULLDISC
  20040818 ADDREF OSVDB:3824

Analysis
--------
Vendor Acknowledgement: unknown

ACKNOWLEDGEMENT: the ChangeLog for Radius 1.2 includes an item dated
2003-11-26 which says "(rad_print_request): Removed."

INFERRED ACTION: CAN-2004-0131 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Armstrong, Baker
   NOOP(3) Cole, Cox, Wall


======================================================
Candidate: CAN-2004-0148
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0148
Final-Decision:
Interim-Decision: 20040825
Modified: 20040813
Proposed: 20040318
Assigned: 20040213
Category: SF
Reference: DEBIAN:DSA-457
Reference: URL:http://www.debian.org/security/2004/dsa-457
Reference: HP:SSRT4704
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108999466902690&w=2
Reference: REDHAT:RHSA-2004:096
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-096.html
Reference: BID:9832
Reference: URL:http://www.securityfocus.com/bid/9832
Reference: XF:wuftpd-restrictedgid-gain-access(15423)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15423

wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled,
allows local users to bypass access restrictions by changing the
permissions to prevent access to their home directory, which causes
wu-ftpd to use the root directory instead.


Modifications:
  20040813 ADDREF BID:9832
  20040813 ADDREF XF:wuftpd-restrictedgid-gain-access(15423)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0148 ACCEPT (7 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(6) Cole, Armstrong, Baker, Cox, Balinsky, Wall
   MODIFY(1) Frech

Voter Comments:
 Frech> XF:wuftpd-restrictedgid-gain-access(15423)
   http://xforce.iss.net/xforce/xfdb/15423


======================================================
Candidate: CAN-2004-0150
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0150
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040213
Category: SF
Reference: DEBIAN:DSA-458
Reference: URL:http://www.debian.org/security/2004/dsa-458
Reference: MANDRAKE:MDKSA-2004:019
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:019
Reference: BID:9836
Reference: URL:http://www.securityfocus.com/bid/9836
Reference: XF:python-getaddrinfo-bo(15409)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15409
Reference: OSVDB:4172
Reference: URL:http://www.osvdb.org/4172

Buffer overflow in the getaddrinfo function in Python 2.2 before
2.2.2, when IPv6 support is disabled, allows remote attackers to
execute arbitrary code via an IPv6 address that is obtained using DNS.


Modifications:
  20040813 ADDREF BID:9836
  20040813 ADDREF XF:python-getaddrinfo-bo(15409)
  20040818 ADDREF OSVDB:4172

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0150 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Balinsky
   MODIFY(2) Frech, Cox
   NOOP(1) Wall

Voter Comments:
 Frech> XF:python-getaddrinfo-bo(15409)
   http://xforce.iss.net/xforce/xfdb/15409
 Cox> Fixed in 2.2.2, does not affect servers which have IPv6 support
   enabled.  Suggested replacement text: "Buffer overflow in the
   getaddrinfo in Python 2.2 before 2.2.2 where IPv6 support is disabled
   allows remote attackers to execute arbitrary code via an IPv6 address
   that is obtained using DNS."


======================================================
Candidate: CAN-2004-0159
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0159
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040213
Category: SF
Reference: DEBIAN:DSA-447
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107755803218677&w=2
Reference: FULLDISC:20040223 Re: [SECURITY] [DSA 447-1] New hsftp packages fix format string vulnerability
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-February/017737.html
Reference: BID:9715
Reference: URL:http://www.securityfocus.com/bid/9715
Reference: XF:hsftp-format-string(15276)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15276
Reference: OSVDB:4029
Reference: URL:http://www.osvdb.org/4029

Format string vulnerability in hsftp 1.11 allows remote authenticated
users to cause a denial of service and possibly execute arbitrary code
via file names containing format string characters that are not
properly handled when executing an "ls" command.


Modifications:
  20040813 ADDREF BID:9715
  20040818 ADDREF OSVDB:4029

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0159 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0160
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0160
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20040318
Assigned: 20040213
Category: SF
Reference: DEBIAN:DSA-446
Reference: URL:http://www.debian.org/security/2004/dsa-446
Reference: XF:synaesthesia-configuration-symlink-attack(15279)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15279
Reference: BID:9713
Reference: URL:http://www.securityfocus.com/bid/9713

Synaesthesia 2.2 and earlier allows local users to execute arbitrary
code via a symlink attack on the configuration file.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0160 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0165
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0165
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040218
Category: SF
Reference: ATSTAKE:A022304-1
Reference: URL:http://www.atstake.com/research/advisories/2004/a022304-1.txt
Reference: CONFIRM:http://docs.info.apple.com/article.html?artnum=61798
Reference: CONFIRM:http://lists.apple.com/mhonarc/security-announce/msg00046.html
Reference: CERT-VN:VU#841742
Reference: URL:http://www.kb.cert.org/vuls/id/841742
Reference: XF:macos-pppd-format-string(15297)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15297
Reference: BID:9730
Reference: URL:http://www.securityfocus.com/bid/9730
Reference: OSVDB:6822
Reference: URL:http://www.osvdb.org/6822

Format string vulnerability in Point-to-Point Protocol (PPP) daemon
(pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers
to read arbitrary pppd process data, including PAP or CHAP
authentication credentials, to gain privileges.


Modifications:
  20040818 ADDREF OSVDB:6822

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0165 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0167
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0167
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040218
Category: SF
Reference: CONFIRM:http://docs.info.apple.com/article.html?artnum=61798
Reference: CONFIRM:http://lists.apple.com/mhonarc/security-announce/msg00046.html
Reference: CERT-VN:VU#578886
Reference: URL:http://www.kb.cert.org/vuls/id/578886
Reference: BID:9731
Reference: URL:http://www.securityfocus.com/bid/9731
Reference: XF:macos-diskarbitration-unknown(15300)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15300
Reference: OSVDB:6824
Reference: URL:http://www.osvdb.org/6824

DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly
initialize writeable removable media.


Modifications:
  20040818 ADDREF OSVDB:6824

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0167 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0169
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040218
Category: SF
Reference: CONFIRM:http://docs.info.apple.com/article.html?artnum=61798
Reference: CONFIRM:http://lists.apple.com/mhonarc/security-announce/msg00046.html
Reference: IDEFENSE:20040223 Darwin Streaming Server Remote Denial of Service Vulnerability
Reference: URL:http://www.idefense.com/application/poi/display?id=75&type=vulnerabilities
Reference: CERT-VN:VU#460350
Reference: URL:http://www.kb.cert.org/vuls/id/460350
Reference: XF:darwin-describe-request-dos(15291)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15291
Reference: BID:9735
Reference: URL:http://www.securityfocus.com/bid/9735
Reference: OSVDB:6826
Reference: URL:http://www.osvdb.org/6826
Reference: OSVDB:6837
Reference: URL:http://www.osvdb.org/6837

QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote
attackers to cause a denial of service (crash) via DESCRIBE requests
with long User-Agent fields, which causes an Assert error to be
triggered in the BufferIsFull function.


Modifications:
  20040813 CHANGEREF IDEFENSE [normalize from BUGTRAQ]
  20040818 ADDREF OSVDB:6826
  20040818 ADDREF OSVDB:6837

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0169 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0171
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0171
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040219
Category: SF
Reference: IDEFENSE:20040302 FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability
Reference: URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities
Reference: APPLE:APPLE-SA-2004-05-28
Reference: URL:http://lists.seifried.org/pipermail/security/2004-May/003743.html
Reference: FREEBSD:FreeBSD-SA-04:04
Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc
Reference: CERT-VN:VU#395670
Reference: URL:http://www.kb.cert.org/vuls/id/395670
Reference: BID:9792
Reference: URL:http://www.securityfocus.com/bid/9792
Reference: XF:freebsd-mbuf-dos(15369)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15369
Reference: OSVDB:4124
Reference: URL:http://www.osvdb.org/4124

FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allow remote
attackers to cause a denial of service (resource exhaustion of memory
buffers and system crash) via a large number of out-of-sequence TCP
packets, which prevents the operating system from creating new
connections.


Modifications:
  20040813 ADDREF APPLE:APPLE-SA-2004-05-28
  20040813 ADDREF CERT-VN:VU#395670
  20040813 ADDREF BID:9792
  20040813 CHANGEREF IDEFENSE [normalize from FULLDISC]
  20040813 [desc] add system crash impact
  20040818 ADDREF OSVDB:4124

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0171 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   MODIFY(1) Balinsky
   NOOP(3) Christey, Cox, Wall

Voter Comments:
 Balinsky> Advisory says that the bug can cause a system crash. Add this to the description.
 Christey> APPLE:APPLE-SA-2004-05-28
   URL:http://docs.info.apple.com/article.html?artnum=61798


======================================================
Candidate: CAN-2004-0173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0173
Final-Decision:
Interim-Decision: 20040825
Modified: 20040813
Proposed: 20040318
Assigned: 20040225
Category: SF
Reference: BUGTRAQ:20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107765545431387&w=2
Reference: FULLDISC:20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory traversal vulnerability
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-February/017740.html
Reference: CONFIRM:http://www.apacheweek.com/issues/04-03-12
Reference: CONFIRM:http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
Reference: BID:9733
Reference: URL:http://www.securityfocus.com/bid/9733
Reference: XF:apache-cygwin-directory-traversal(15293)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15293

Directory traversal vulnerability in Apache 1.3.29 and earlier, and
Apache 2.0.48 and earlier, when running on Cygwin, allows remote
attackers to read arbitrary files via a URL containing "..%5C" (dot
dot encoded backslash) sequences.


Modifications:
  20040813 ADDREF CONFIRM:http://www.apacheweek.com/issues/04-03-12

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0173 ACCEPT_REV (5 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   MODIFY(1) Frech
   REVIEWING(1) Wall

Voter Comments:
 Frech> XF:apache-cygwin-directory-traversal(15293)
   http://xforce.iss.net/xforce/xfdb/15293


======================================================
Candidate: CAN-2004-0185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0185
Final-Decision:
Interim-Decision: 20040825
Modified: 20040813
Proposed: 20040318
Assigned: 20040302
Category: SF
Reference: MISC:http://www.securiteam.com/unixfocus/6X00Q1P8KC.html
Reference: CONFIRM:ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch
Reference: MISC:http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txt
Reference: DEBIAN:DSA-457
Reference: URL:http://www.debian.org/security/2004/dsa-457
Reference: REDHAT:RHSA-2004:096
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-096.html
Reference: BID:8893
Reference: URL:http://www.securityfocus.com/bid/8893
Reference: XF:wuftpd-skey-bo(13518)
Reference: URL:http://xforce.iss.net/xforce/xfdb/13518

Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp
daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of
service and possibly execute arbitrary code via a s/key (SKEY) request
with a long name.


Modifications:
  20040813 ADDREF BID:8893

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0185 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Cox
   NOOP(2) Cole, Wall


======================================================
Candidate: CAN-2004-0186
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0186
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040302
Category: SF
Reference: BUGTRAQ:20040209 Samba 3.x + kernel 2.6.x local root vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107636290906296&w=2
Reference: BUGTRAQ:20040211 Re: Samba 3.x + kernel 2.6.x local root vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107657505718743&w=2
Reference: DEBIAN:DSA-463
Reference: URL:http://www.debian.org/security/2004/dsa-463
Reference: XF:samba-smbmnt-gain-privileges(15131)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15131
Reference: BID:9619
Reference: URL:http://www.securityfocus.com/bid/9619
Reference: OSVDB:3916
Reference: URL:http://www.osvdb.org/3916

smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid,
allows local users to gain root privileges by mounting a Samba share
that contains a setuid root program, whose setuid attributes are not
cleared when the share is mounted.


Modifications:
  20040818 ADDREF OSVDB:3916

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0186 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Cox
   NOOP(1) Wall


======================================================
Candidate: CAN-2004-0188
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0188
Final-Decision:
Interim-Decision: 20040825
Modified: 20040813
Proposed: 20040318
Assigned: 20040302
Category: SF
Reference: BUGTRAQ:20040227 Calife heap corrupt / potential local root exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107789737832092&w=2
Reference: DEBIAN:DSA-461
Reference: URL:http://www.debian.org/security/2004/dsa-461
Reference: BID:9756
Reference: URL:http://www.securityfocus.com/bid/9756
Reference: XF:calife-long-password-bo(15335)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15335

Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local
users to execute arbitrary code via a long password.


Modifications:
  20040813 ADDREF BID:9756

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2004-0188 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0189
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040303
Category: SF
Reference: CONFIRM:http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
Reference: CONECTIVA:CLA-2004:838
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000838
Reference: DEBIAN:DSA-474
Reference: URL:http://www.debian.org/security/2004/dsa-474
Reference: GENTOO:GLSA-200403-11
Reference: URL:http://security.gentoo.org/glsa/glsa-200403-11.xml
Reference: MANDRAKE:MDKSA-2004:025
Reference: URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:025
Reference: REDHAT:RHSA-2004:133
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-133.html
Reference: REDHAT:RHSA-2004:134
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-134.html
Reference: SGI:20040404-01-U
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20040404-01-U
Reference: BUGTRAQ:20040401 [OpenPKG-SA-2004.008] OpenPKG Security  Advisory (squid)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108084935904110&w=2
Reference: BID:9778
Reference: URL:http://www.securityfocus.com/bid/9778
Reference: XF:squid-urlregex-acl-bypass(15366)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15366
Reference: OSVDB:5916
Reference: URL:http://www.osvdb.org/5916
Reference: OVAL:OVAL877
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL877.html
Reference: OVAL:OVAL941
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL941.html

The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows
remote attackers to bypass url_regex ACLs via a URL with a NULL
("%00") character, which causes Squid to use only a portion of the
requested URL when comparing it against the access control lists.


Modifications:
  20040813 ADDREF CONECTIVA:CLA-2004:838
  20040813 ADDREF DEBIAN:DSA-474
  20040813 ADDREF GENTOO:GLSA-200403-11
  20040813 ADDREF MANDRAKE:MDKSA-2004:025
  20040813 ADDREF REDHAT:RHSA-2004:133
  20040813 ADDREF REDHAT:RHSA-2004:134
  20040813 ADDREF SGI:20040404-01-U
  20040813 ADDREF BUGTRAQ:20040401 [OpenPKG-SA-2004.008] OpenPKG Security  Advisory (squid)
  20040818 ADDREF OSVDB:5916
  20040824 ADDREF OVAL:OVAL877
  20040824 ADDREF OVAL:OVAL941

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0189 ACCEPT (3 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Cox
   NOOP(3) Cole, Christey, Wall

Voter Comments:
 Christey> REDHAT:RHSA-2004:134
   URL:http://www.redhat.com/support/errata/RHSA-2004-134.html
 Christey> MANDRAKE:MDKSA-2004:025
 Christey> BUGTRAQ:20040331 [ GLSA 200403-11 ] Squid ACL [url_regex] bypass vulnerability
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108075225114097&w=2
   BUGTRAQ:20040401 [OpenPKG-SA-2004.008] OpenPKG Security  Advisory (squid)
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108084935904110&w=2
 Christey> DEBIAN:DSA-474
   URL:http://www.debian.org/security/2004/dsa-474
 Christey> CONECTIVA:CLA-2004:838
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000838
 Christey> REDHAT:RHSA-2004:133
   URL:http://www.redhat.com/support/errata/RHSA-2004-133.html
 Christey> SGI:20040404-01-U
   URL:ftp://patches.sgi.com/support/free/security/advisories/20040404-01-U.asc


======================================================
Candidate: CAN-2004-0190
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0190
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040303
Category: SF
Reference: BUGTRAQ:20040216 Symantec FireWall/VPN Appliance model 200 leak of security
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107694794031839&w=2
Reference: FULLDISC:20040216 Symantec FireWall/VPN Appliance model 200 leak of security
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-February/017414.html
Reference: XF:symantec-firewallvpn-password-plaintext(15212)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15212
Reference: OSVDB:4117
Reference: URL:http://www.osvdb.org/4117

Symantec FireWall/VPN Appliance model 200 records a cleartext
password for the password administration page, which may be cached on
the administrator's local system or in a proxy, which allows attackers
to steal the password and gain privileges.


Modifications:
  20040818 ADDREF OSVDB:4117

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0190 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0191
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0191
Final-Decision:
Interim-Decision: 20040825
Modified: 20040824
Proposed: 20040318
Assigned: 20040303
Category: SF
Reference: BUGTRAQ:20040225 Sandblad #13: Cross-domain exploit on zombie document with event handlers
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107774710729469&w=2
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=227417
Reference: REDHAT:RHSA-2004:110
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-110.html
Reference: REDHAT:RHSA-2004:112
Reference: URL:http://www.redhat.com/support/errata/RHSA-2004-112.html
Reference: HP:SSRT4722
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108448379429944&w=2
Reference: XF:mozilla-event-handler-xss(15322)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15322
Reference: BID:9747
Reference: URL:http://www.securityfocus.com/bid/9747
Reference: OSVDB:4062
Reference: URL:http://www.osvdb.org/4062
Reference: OVAL:OVAL874
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL874.html
Reference: OVAL:OVAL937
Reference: URL:http://oval.mitre.org/oval/definitions/pseudo/OVAL937.html

Mozilla before 1.4.2 executes Javascript events in the context of a
new page while it is being loaded, allowing it to interact with the
previous page (zombie document) and enable cross-domain and cross-site
scripting (XSS) attacks, as demonstrated using onmousemove events.


Modifications:
  20040813 ADDREF REDHAT:RHSA-2004:112
  20040813 ADDREF HP:SSRT4722
  20040818 ADDREF REDHAT:RHSA-2004:110
  20040818 ADDREF OSVDB:4062
  20040824 ADDREF OVAL:OVAL874
  20040824 ADDREF OVAL:OVAL937

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0191 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Cox
   NOOP(3) Cole, Christey, Wall

Voter Comments:
 Christey> REDHAT:RHSA-2004:112
   URL:http://www.redhat.com/support/errata/RHSA-2004-112.html
 Cox> Addref: RHSA-2004:112
 Christey> URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108448379429944&w=2
   HP:SSRT4722


======================================================
Candidate: CAN-2004-0193
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0193
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20040318
Assigned: 20040304
Category: SF
Reference: BUGTRAQ:20040227 EEYE: RealSecure/BlackICE Server Message Block (SMB) Processing Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107789851117176&w=2
Reference: MISC:http://www.eeye.com/html/Research/Upcoming/20040213.html
Reference: ISS:20040226 Vulnerability in SMB Parsing in ISS Products
Reference: URL:http://xforce.iss.net/xforce/alerts/id/165
Reference: CERT-VN:VU#150326
Reference: URL:http://www.kb.cert.org/vuls/id/150326
Reference: XF:pam-smb-protocol-bo(15207)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15207

Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM),
as used in certain versions of RealSecure Network 7.0 and Server
Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and
3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC
Protection 3.6, and BlackICE Server Protection 3.6, allows remote
attackers to execute arbitrary code via an SMB packet containing an
authentication request with a long username.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0193 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2004-0194
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0194
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040304
Category: SF
Reference: BUGTRAQ:20040303 Abobe Reader 5.1 XFDF Buffer Overflow Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107842545022724&w=2
Reference: FULLDISC:20040303 Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-March/018227.html
Reference: MISC:http://www.nextgenss.com/advisories/adobexfdf.txt
Reference: BID:9802
Reference: URL:http://www.securityfocus.com/bid/9802
Reference: XF:acrobatreader-xfdf-bo(15384)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15384
Reference: OSVDB:4135
Reference: URL:http://www.osvdb.org/4135

Stack-based buffer overflow in the OutputDebugString function for
Adobe Acrobat Reader 5.1 allows remote attackers to execute arbitrary
code via a PDF document with XML Forms Data Format (XFDF) data.


Modifications:
  20040813 ADDREF BID:9802
  20040818 ADDREF OSVDB:4135

Analysis
--------
Vendor Acknowledgement: unknown

INFERRED ACTION: CAN-2004-0194 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Baker, Balinsky
   NOOP(2) Cole, Cox
   REVIEWING(1) Wall


======================================================
Candidate: CAN-2004-0256
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0256
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040130 Symlink Vulnerability in GNU libtool <1.5.2
Reference: URL:http://www.securityfocus.com/archive/1/352333
Reference: CONECTIVA:CLA-2004:811
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000811
Reference: MISC:http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405
Reference: BID:9530
Reference: URL:http://www.securityfocus.com/bid/9530
Reference: XF:libtool-insecure-temp-directory(15017)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15017
Reference: OSVDB:3795
Reference: URL:http://www.osvdb.org/3795

GNU libtool before 1.5.2, during compile time, allows local users to
overwrite arbitrary files via a symlink attack on libtool directories
in /tmp.


Modifications:
  20040818 ADDREF OSVDB:3795

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0256 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Green, Baker, Cox
   NOOP(1) Wall


======================================================
Candidate: CAN-2004-0257
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0257
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040205 OpenBSD IPv6 remote kernel crash
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107604603226564&w=2
Reference: FULLDISC:20040204 Remote openbsd crash with ip6, yet still openbsd much better than windows
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-February/016704.html
Reference: MISC:http://www.guninski.com/obsdmtu.html
Reference: CONFIRM:http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
Reference: NETBSD:NetBSD-SA2004-002
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-002.txt.asc
Reference: XF:openbsd-ipv6-dos(15044)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15044
Reference: BID:9577
Reference: URL:http://www.securityfocus.com/bid/9577
Reference: OSVDB:3825
Reference: URL:http://www.osvdb.org/3825

OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a
denial of service (crash) by sending an IPv6 packet with a small MTU
to a listening port and then issuing a TCP connect to that port.


Modifications:
  20040813 CHANGEREF FULLDISC [normalize]
  20040818 ADDREF OSVDB:3825

Analysis
--------
Vendor Acknowledgement: yes changelog

INFERRED ACTION: CAN-2004-0257 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0261
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0261
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040206 Open Journal Blog Authenticaion Bypassing Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107619136600713&w=2
Reference: CONFIRM:http://www.grohol.com/downloads/oj/latest/changelog.txt
Reference: BID:9598
Reference: URL:http://www.securityfocus.com/bid/9598
Reference: XF:openjournal-uid-admin-access(15069)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15069
Reference: OSVDB:3872
Reference: URL:http://www.osvdb.org/3872

oj.cgi in OpenJournal 2.0 through 2.0.5 allows remote attackers to
bypass authentication and access the control panel via a 0 in the uid
parameter.


Modifications:
  20040818 ADDREF OSVDB:3872

Analysis
--------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: the vendor changelog's entry under v2.06 - 05 Feb
2004 says "Fixed security issue in oj.cgi and oj.cfg"

INFERRED ACTION: CAN-2004-0261 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0263
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0263
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: GENTOO:GLSA-200402-01
Reference: URL:http://security.gentoo.org/glsa/glsa-200402-01.xml
Reference: BID:9599
Reference: URL:http://www.securityfocus.com/bid/9599
Reference: XF:php-virtualhost-info-disclosure(15072)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15072
Reference: OSVDB:3878
Reference: URL:http://www.osvdb.org/3878

PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global
variables between virtual hosts that are handled by the same Apache
child process but have different settings, which could allow remote
attackers to obtain sensitive information.


Modifications:
  20040611 normalize Gentoo reference
  20040813 ADDREF BID:9599
  20040818 ADDREF OSVDB:3878

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0263 ACCEPT (5 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Baker, Cox, Wall
   NOOP(1) Christey

Voter Comments:
 Christey> BID:9599
 Christey> Normalize Gentoo reference
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]


======================================================
Candidate: CAN-2004-0270
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0270
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040209 clamav 0.65 remote DOS exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107634700823822&w=2
Reference: CONFIRM:http://www.freebsd.org/cgi/query-pr.cgi?pr=62586
Reference: GENTOO:GLSA-200402-07
Reference: URL:http://security.gentoo.org/glsa/glsa-200402-07.xml
Reference: XF:clam-antivirus-uuencoded-dos(15077)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15077
Reference: BID:9610
Reference: URL:http://www.securityfocus.com/bid/9610
Reference: OSVDB:3894
Reference: URL:http://www.osvdb.org/3894

libclamav in Clam AntiVirus 0.65 allows remote attackers to cause a
denial of service (crash) via a uuencoded e-mail message with an
invalid line length (e.g., a lowercase character), which causes an
assert error in clamd that terminates the calling program.


Modifications:
  20040611 Normalize Gentoo reference
  20040818 ADDREF OSVDB:3894

Analysis
--------
Vendor Acknowledgement: yes

INFERRED ACTION: CAN-2004-0270 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(3) Christey, Cox, Wall

Voter Comments:
 Christey> Normalize Gentoo reference


======================================================
Candidate: CAN-2004-0273
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0273
Final-Decision:
Interim-Decision: 20040825
Modified: 20040813
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040210 Directory traversal in RealPlayer allows code execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107642978524321&w=2
Reference: CONFIRM:http://service.real.com/help/faq/security/040123_player/EN/
Reference: CERT-VN:VU#514734
Reference: URL:http://www.kb.cert.org/vuls/id/514734
Reference: XF:realoneplayer-rmp-directory-traversal(15123)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15123

Directory traversal vulnerability in RealOne Player, RealOne Player
2.0, and RealOne Enterprise Desktop allows remote attackers to upload
arbitrary files via an RMP file that contains .. (dot dot) sequences
in a .rjs skin file.


Modifications:
  20040813 ADDREF CERT-VN:VU#514734
  20040813 ADDREF XF:realoneplayer-rmp-directory-traversal(15123)

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: at
http://service.real.com/help/faq/security/040123_player/EN/ under
exploit 2 it says "To fashion RMP files which allow an attacker to
download and execute arbitrary code on a user's machine."

INFERRED ACTION: CAN-2004-0273 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(2) Christey, Cox

Voter Comments:
 Christey> CERT-VN:VU#514734
   URL:http://www.kb.cert.org/vuls/id/514734


======================================================
Candidate: CAN-2004-0274
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0274
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040208 Eggrop bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107634593827102&w=2
Reference: BUGTRAQ:20040210 Re: Eggrop bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107643315623958&w=2
Reference: MISC:http://mogan.nonsoloirc.com/egg_advisory.txt
Reference: XF:eggdrop-sharemod-gain-access(15084)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15084
Reference: BID:9606
Reference: URL:http://www.securityfocus.com/bid/9606
Reference: OSVDB:3928
Reference: URL:http://www.osvdb.org/3928

Share.mod in Eggheads Eggdrop IRC bot 1.6.10 through 1.6.15 can
mistakenly assign STAT_OFFERED status to a bot that is not a sharebot,
which allows remote attackers to use STAT_OFFERED to promote a bot to
a sharebot and conduct unauthorized activities.


Modifications:
  20040818 ADDREF OSVDB:3928

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2004-0274 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0276
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0276
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040211 Denial of Service in Monkey httpd <= 0.8.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107652610506968&w=2
Reference: MISC:http://aluigi.altervista.org/poc/monkeydos.zip
Reference: CONFIRM:http://monkeyd.sourceforge.net/
Reference: XF:monkey-getrealstring-dos(15187)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15187
Reference: BID:9642
Reference: URL:http://www.securityfocus.com/bid/9642
Reference: OSVDB:3921
Reference: URL:http://www.osvdb.org/3921

The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and
earlier allows remote attackers to cause a denial of service (crash)
via an HTTP request with a sequence of "%" characters and a missing
Host field.


Modifications:
  20040818 ADDREF OSVDB:3921

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the announcement for Monkey 0.8.2 says that there are
"a lot of bug fixes (including a fix for a DoS). Thanks to Luigi
A."

INFERRED ACTION: CAN-2004-0276 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Cox, Wall


======================================================
Candidate: CAN-2004-0297
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0297
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: IDEFENSE:20040217 Ipswitch IMail LDAP Daemon Remote Buffer Overflow
Reference: URL:http://www.idefense.com/application/poi/display?id=74
Reference: CONFIRM:http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html
Reference: CERT-VN:VU#972334
Reference: URL:http://www.kb.cert.org/vuls/id/972334
Reference: BID:9682
Reference: URL:http://www.securityfocus.com/bid/9682
Reference: XF:imail-ldap-tag-bo(15243)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15243
Reference: OSVDB:3984
Reference: URL:http://www.osvdb.org/3984

Buffer overflow in the Lightweight Directory Access Protocol (LDAP)
daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows
remote attackers to cause a denial of service (crash) and execute
arbitrary code via an LDAP message with a large tag length.


Modifications:
  20040813 CHANGEREF IDEFENSE [normalize from BUGTRAQ]
  20040818 ADDREF OSVDB:3984

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: at
http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html
it says "fixes a possible LDAP Denial of Service vulnerability" and
the poster refers to this patch and the patch is dated Feb 17.

INFERRED ACTION: CAN-2004-0297 ACCEPT (4 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2004-0306
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0306
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20040318
Assigned: 20040317
Category: CF
Reference: CISCO:20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/cisco-sa-20040219-ONS.shtml
Reference: XF:cisco-ons-file-upload(15264)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15264
Reference: BID:9699
Reference: URL:http://www.securityfocus.com/bid/9699

Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD
before 4.1(3), and Cisco ONS 15600 before 1.3(0) enable TFTP service
on UDP port 69 by default, which allows remote attackers to GET or PUT
ONS system files on the current active TCC in the /flash0 or /flash1
directories.

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0306 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2004-0307
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0307
Final-Decision:
Interim-Decision: 20040825
Modified: 20040820
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: CISCO:20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities
Reference: URL:http://www.cisco.com/warp/public/707/cisco-sa-20040219-ONS.shtml
Reference: BID:9699
Reference: URL:http://www.securityfocus.com/bid/9699
Reference: XF:cisco-ons-ack-dos(15265)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15265
Reference: OSVDB:4009
Reference: URL:http://www.osvdb.org/4009

Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454
SD before 4.1(3) allow remote attackers to cause a denial of service
(reset) by not sending the ACK portion of the TCP three-way handshake
and sending an invalid response instead.


Modifications:
  20040818 ADDREF OSVDB:4009

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0307 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2004-0309
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0309
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040219 EEYE: ZoneLabs SMTP Processing Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107722656827427&w=2
Reference: CERT-VN:VU#619982
Reference: URL:http://www.kb.cert.org/vuls/id/619982
Reference: CIAC:O-084
Reference: URL:http://www.ciac.org/ciac/bulletins/o-084.shtml
Reference: CONFIRM:http://download.zonelabs.com/bin/free/securityAlert/8.html
Reference: XF:zonelabs-multiple-products-bo(14991)
Reference: URL:http://xforce.iss.net/xforce/xfdb/14991
Reference: BID:9696
Reference: URL:http://www.securityfocus.com/bid/9696
Reference: OSVDB:3991
Reference: URL:http://www.osvdb.org/3991

Stack-based buffer overflow in the SMTP service support in vsmon.exe
in Zone Labs ZoneAlarm before 4.5.538.001, ZoneLabs Integrity client
4.0 before 4.0.146.046, and 4.5 before 4.5.085, allows remote
attackers to execute arbitrary code via a long RCPT TO argument.


Modifications:
  20040818 ADDREF OSVDB:3991

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0309 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Armstrong, Baker, Wall
   NOOP(1) Cox


======================================================
Candidate: CAN-2004-0320
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0320
Final-Decision:
Interim-Decision: 20040825
Modified: 20040818
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040223 nCipher Advisory #9: Host-side attackers can access secret data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107755899018249&w=2
Reference: XF:ncipher-hsm-obtain-info(15281)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15281
Reference: BID:9717
Reference: URL:http://www.securityfocus.com/bid/9717
Reference: OSVDB:4055
Reference: URL:http://www.osvdb.org/4055

Unknown vulnerability in nCipher Hardware Security Modules (HSM)
1.67.x through 1.99.x allows local users to access secrets stored in
the module's run-time memory via certain sequences of commands.


Modifications:
  20040818 ADDREF OSVDB:4055

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0320 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2004-0336
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0336
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107799540630302&w=2
Reference: BUGTRAQ:20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2004-03/0096.html
Reference: XF:602pro-path-disclosure(15350)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15350
Reference: BID:9781
Reference: URL:http://www.securityfocus.com/bid/9781

LAN SUITE Web Mail 602Pro allows remote attackers to gain sensitive
information via the mail login form, which contains the path to the
mail directory.

Analysis
--------
Vendor Acknowledgement: yes followup

INFERRED ACTION: CAN-2004-0336 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2004-0347
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0347
Final-Decision:
Interim-Decision: 20040825
Modified: 20040813
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107826362024112&w=2
Reference: FULLDISC:20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance
Reference: URL:http://lists.netsys.com/pipermail/full-disclosure/2004-March/018120.html
Reference: BUGTRAQ:20040304 NetScreen Advisory 58412: XSS Bug in NetScreen-SA SSL VPN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107850564102190&w=2
Reference: CERT-VN:VU#114070
Reference: URL:http://www.kb.cert.org/vuls/id/114070
Reference: BID:9791
Reference: URL:http://www.securityfocus.com/bid/9791
Reference: XF:netscreen-delhomepagecgi-xss(15368)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15368

Cross-site scripting (XSS) vulnerability in delhomepage.cgi in
NetScreen-SA 5000 Series running firmware 3.3 Patch 1 (build 4797)
allows remote authenticated users to execute arbitrary script as other
users via the row parameter.


Modifications:
  20040813 ADDREF CERT-VN:VU#114070
  20040813 ADDREF BID:9791
  20040813 ADDREF XF:netscreen-delhomepagecgi-xss(15368)

Analysis
--------
Vendor Acknowledgement: yes advisory

INFERRED ACTION: CAN-2004-0347 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Wall, Cox


======================================================
Candidate: CAN-2004-0356
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0356
Final-Decision:
Interim-Decision: 20040825
Modified:
Proposed: 20040318
Assigned: 20040317
Category: SF
Reference: BUGTRAQ:20040305 SLMail Pro Supervisor Report Center Buffer Overflow (#NISR05022004a)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107850488326232&w=2
Reference: CONFIRM:http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdf
Reference: MISC:http://www.nextgenss.com/advisories/slmailsrc.txt
Reference: XF:slmail-src-stack-bo(15398)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15398
Reference: BID:9809
Reference: URL:http://www.securityfocus.com/bid/9809

Stack-based buffer overflow in Supervisor Report Center in SL Mail Pro
2.0.9 and earlier allows remote attackers to execute arbitrary code
via an HTTP request with a long HTTP sub-version.

Analysis
--------
Vendor Acknowledgement: yes

ACKNOWLEDGEMENT: the patch document for SL Mail 2.0.14 includes the
item: "Security Issues: SL Supervisor buffer overflow"

INFERRED ACTION: CAN-2004-0356 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Armstrong, Baker
   NOOP(2) Wall, Cox

Page Last Updated or Reviewed: May 22, 2007