[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PROPOSAL] Cluster RECENT-26 - 22 candidates

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000719 23:37]:
> The following cluster contains 22 candidates that were announced
> between 6/26/2000 and 6/30/2000.
> 
> The candidates are listed in order of priority.  Priority 1 and
> Priority 2 candidates both deal with varying levels of vendor
> confirmation, so they should be easy to review and it can be trusted
> that the problems are real.
> 
> If you discover that any RECENT-XX cluster is incomplete with respect
> to the problems discovered during the associated time frame, please
> send that information to me so that candidates can be assigned.
> 
> - Steve
> 
> 
> Summary of votes to use (in ascending order of "severity")
> ----------------------------------------------------------
> 
> ACCEPT - voter accepts the candidate as proposed
> NOOP - voter has no opinion on the candidate
> MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
> REVIEWING - voter is reviewing/researching the candidate, or needs more info
> RECAST - candidate must be significantly modified, e.g. split or merged
> REJECT - candidate is "not a vulnerability", or a duplicate, etc.
> 
> 1) Please write your vote on the line that starts with "VOTE: ".  If
>    you want to add comments or details, add them to lines after the
>    VOTE: line.
> 
> 2) If you see any missing references, please mention them so that they
>    can be included.  References help greatly during mapping.
> 
> 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
>    So if you don't have sufficient information for a candidate but you
>    don't want to NOOP, use a REVIEWING.
> 
> ********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
> 
> Please keep in mind that your vote and comments will be recorded and
> publicly viewable in the mailing list archives or in other formats.
> 
> =================================
> Candidate: CAN-2000-0585
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000624 Possible root exploit in ISC DHCP client.
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0247.html
> Reference: OPENBSD:20000624 A serious bug in dhclient(8) could allow strings from a malicious dhcp server to be executed in the shell as root.
> Reference: URL:http://www.openbsd.org/errata.html#dhclient
> Reference: DEBIAN:20000628 dhcp client: remote root exploit in dhcp client
> Reference: URL:http://www.debian.org/security/2000/20000628
> Reference: BUGTRAQ:20000702 [Security Announce] dhcp update
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0014.html
> Reference: SUSE:20000711 Security Hole in dhclient < 2.0
> Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_56.txt
> Reference: XF:openbsd-isc-dhcp-bo
> Reference: NETBSD:NetBSD-SA2000-008
> Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-008.txt.asc
> Reference: BID:1388
> Reference: URL:http://www.securityfocus.com/bid/1388
> 
> ISC DHCP client program dhclient allows remote attackers to execute
> arbitrary commands via shell metacharacters.
> 
> 
> ED_PRI CAN-2000-0585 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0596
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000627 IE 5 and Access 2000 vulnerability - executing programs
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589359.762392DB@nat.bg
> Reference: BUGTRAQ:20000627 FW: IE 5 and Access 2000 vulnerability - executing programs
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=000d01bfe0fb$418f59b0$96217aa8@src.bu.edu
> Reference: MS:MS00-049
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-049.asp
> Reference: XF:ie-access-vba-code-execute
> Reference: BID:1398
> Reference: URL:http://www.securityfocus.com/bid/1398
> 
> Internet Explorer 5.x does not warn a user before opening a Microsoft
> Access database file that is referenced within ActiveX OBJECT tags in
> an HTML document, which could allow remote attackers to execute
> arbitrary commands, aka the "IE Script" vulnerability.
> 
> 
> ED_PRI CAN-2000-0596 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0597
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000627 IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589349.ED9DBCAB@nat.bg
> Reference: MS:MS00-049
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-049.asp
> Reference: BID:1399
> Reference: URL:http://www.securityfocus.com/bid/1399
> Reference: XF:ie-powerpoint-activex-object-execute
> 
> Microsoft Office 2000 (Excel and PowerPoint) and PowerPoint 97 are
> marked as safe for scripting, which allows remote attackers to force
> Internet Explorer or some email clients to save files to arbitrary
> locations via the Visual Basic for Applications (VBA) SaveAs function,
> aka the "Office HTML Script" vulnerability.
> 
> 
> ED_PRI CAN-2000-0597 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0616
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: HP:HPSBMP0006-007
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0294.html
> Reference: BID:1405
> Reference: URL:http://www.securityfocus.com/bid/1405
> 
> Vulnerability in HP TurboIMAGE DBUTIL allows local users to gain
> additional privileges via DBUTIL.PUB.SYS.
> 
> 
> ED_PRI CAN-2000-0616 1
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0582
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-3]
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630162106.4619C-100000@fjord.fscinternet.com
> Reference: XF:fw1-resource-overload-dos
> Reference: BID:1416
> Reference: URL:http://www.securityfocus.com/bid/1416
> 
> Check Point Firewall-1 4.0 and 4.1 allows remote attackers to cause a
> denial of service by sending a stream of binary zeros to the SMTP
> Security Server proxy.
> 
> 
> ED_PRI CAN-2000-0582 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0583
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000626 vpopmail-3.4.11 problems
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=395BD2A8.5D3396A7@secureaustin.com
> Reference: CONFIRM:http://www.vpopmail.cx/vpopmail-ChangeLog
> Reference: BID:1418
> Reference: URL:http://www.securityfocus.com/bid/1418
> 
> vchkpw program in vpopmail before version 4.8 does not properly cleanse
> an untrusted format string used in a call to syslog, which allows
> remote attackers to cause a denial of service via a USER or PASS
> command that contains arbitrary formatting directives.
> 
> 
> ED_PRI CAN-2000-0583 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0588
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000626 sawmill5.0.21 old path bug & weak hash algorithm
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
> Reference: BUGTRAQ:20000706 Patch for Flowerfire Sawmill Vulnerabilities Available
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html
> Reference: BID:1402
> Reference: URL:http://www.securityfocus.com/bid/1402
> Reference: XF:sawmill-file-access
> 
> SawMill 5.0.21 CGI program allows remote attackers to read the first
> line of arbitrary files by listing the file in the rfcf parameter,
> whose contents SawMill attempts to parse as configuration commands.
> 
> 
> ED_PRI CAN-2000-0588 2
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0568
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000630 Multiple vulnerabilities in Sybergen Secure Desktop
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4125690E.00524395.00@guardianit.se
> Reference: XF:sybergen-routing-table-modify
> Reference: BID:1417
> Reference: URL:http://www.securityfocus.com/bid/1417
> 
> Sybergen Secure Desktop 2.1 does not properly protect against false
> router advertisements (ICMP type 9), which allows remote attackers to
> modify default routes.
> 
> 
> ED_PRI CAN-2000-0568 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0569
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: MISC:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0189.html
> Reference: BID:1420
> Reference: URL:http://www.securityfocus.com/bid/1420
> 
> Sybergen Sygate allows remote attackers to cause a denial of service
> by sending a malformed DNS UDP packet to its internal interface.
> 
> 
> ED_PRI CAN-2000-0569 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0570
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000627 DoS in FirstClass Internet Services 5.770
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0295.html
> Reference: XF:firstclass-large-bcc-dos
> Reference: BID:1421
> Reference: URL:http://www.securityfocus.com/bid/1421
> 
> FirstClass Internet Services server allows remote attackers to cause a
> denial of service by sending an email with a long To: mail header.
> 
> 
> ED_PRI CAN-2000-0570 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0575
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000630 Kerberos security vulnerability in SSH-1
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007010511.BAA16944@syrinx.oankali.net
> Reference: BID:1426
> Reference: URL:http://www.securityfocus.com/bid/1426
> 
> SSH 1.2.27 with Kerberos authentication support stores Kerberos
> tickets in a file which is created in the current directory of the
> user who is logging in, which could allow remote attackers to sniff
> the ticket cache if the home directory is installed on NFS.
> 
> 
> ED_PRI CAN-2000-0575 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0580
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-2]
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161935.4619B-100000@fjord.fscinternet.com
> Reference: XF:win2k-cpu-overload-dos
> Reference: BID:1415
> Reference: URL:http://www.securityfocus.com/bid/1415
> 
> Windows 2000 Server allows remote attackers to cause a denial of
> service by sending a continuous stream of binary zeros to various TCP
> and UDP ports, which significantly increases the CPU utilization.
> 
> 
> ED_PRI CAN-2000-0580 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0581
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-1]
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161841.4619A-100000@fjord.fscinternet.com
> Reference: XF:win2k-telnetserver-dos
> Reference: BID:1414
> Reference: URL:http://www.securityfocus.com/bid/1414
> 
> Windows 2000 Telnet Server allows remote attackers to cause a denial
> of service by sending a continuous stream of binary zeros, which
> causes the server to crash.
> 
> 
> ED_PRI CAN-2000-0581 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0586
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: VULN-DEV:20000628 dalnet 4.6.5 remote vulnerability
> Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2000-q2/1092.html
> Reference: XF:ircd-dalnet-summon-bo
> Reference: BID:1404
> Reference: URL:http://www.securityfocus.com/bid/1404
> 
> Buffer overflow in Dalnet IRC server 4.6.5 allows remote attackers to
> cause a denial of service or execute arbitrary commands via the SUMMON
> command.
> 
> 
> ED_PRI CAN-2000-0586 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0587
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: XF:glftpd-privpath-directive
> Reference: BUGTRAQ:20000626 Glftpd privpath bugs... +fix
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10006261041360.31907-200000@twix.thrijswijk.nl
> Reference: BUGTRAQ:20000627 Re: Glftpd privpath bugs... +fix
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0317.html
> Reference: BID:1401
> Reference: URL:http://www.securityfocus.com/bid/1401
> 
> The privpath directive in glftpd 1.18 allows remote attackers to
> bypass access restrictions for directories by using the file name
> completion capability.
> 
> 
> ED_PRI CAN-2000-0587 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0589
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000626 sawmill5.0.21 old path bug & weak hash algorithm
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
> Reference: BUGTRAQ:20000706 Patch for Flowerfire Sawmill Vulnerabilities Available
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html
> Reference: BID:1403
> Reference: URL:http://www.securityfocus.com/bid/1403
> Reference: XF:sawmill-weak-encryption
> 
> SawMill 5.0.21 uses weak encryption to store passwords, which allows
> attackers to easily decrypt the password and modify the SawMill
> configuration.
> 
> 
> ED_PRI CAN-2000-0589 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0592
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp
> Reference: XF:winproxy-command-bo
> Reference: BID:1400
> Reference: URL:http://www.securityfocus.com/bid/1400
> 
> Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow
> remote attackers to execute arbitrary commands via long USER, PASS,
> LIST, RETR, or DELE commands.
> 
> 
> ED_PRI CAN-2000-0592 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0593
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp
> Reference: XF:winproxy-get-dos
> Reference: BID:1400
> Reference: URL:http://www.securityfocus.com/bid/1400
> 
> WinProxy 2.0 and 2.0.1 allows remote attackers to cause a denial of
> service by sending an HTTP GET request without listing an HTTP version
> number.
> 
> 
> ED_PRI CAN-2000-0593 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0598
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000626 Proxy+ Telnet Gateway Problems
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0268.html
> Reference: BID:1395
> Reference: URL:http://www.securityfocus.com/bid/1395
> Reference: XF:fortech-proxy-telnet-gateway
> Reference: XF:proxyplus-telnet-gateway
> 
> Fortech Proxy+ allows remote attackers to bypass access restrictions
> for to the administration service by redirecting their connections
> through the telnet proxy.
> 
> 
> ED_PRI CAN-2000-0598 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0599
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000629 iMesh 1.02 vulnerability
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0335.html
> Reference: XF:imesh-tcp-port-overflow
> Reference: BID:1407
> Reference: URL:http://www.securityfocus.com/bid/1407
> 
> Buffer overflow in iMesh 1.02 allows remote attackers to execute
> arbitrary commands via a long string to the iMesh port.
> 
> 
> ED_PRI CAN-2000-0599 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0600
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000626 Netscape Enterprise Server for NetWare Virtual Directory Vulnerab ility
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0264.html
> Reference: BID:1393
> Reference: URL:http://www.securityfocus.com/bid/1393
> Reference: XF:netscape-virtual-directory-bo
> Reference: XF:netscape-enterprise-netware-bo
> 
> Netscape Enterprise Server in NetWare 5.1 allows remote attackers to
> cause a denial of service or execute arbitrary commands via a
> malformed URL.
> 
> 
> ED_PRI CAN-2000-0600 3
> 
> 
> VOTE: ACCEPT
> 
> =================================
> Candidate: CAN-2000-0612
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000719
> Assigned: 20000719
> Category: SF
> Reference: BUGTRAQ:20000629 Buggy ARP handling in Windoze
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=395B7E64.9FB3D4DB@starzetz.de
> Reference: XF:win-arp-spoofing
> Reference: BID:1406
> Reference: URL:http://www.securityfocus.com/bid/1406
> 
> Windows 95 and Windows 98 do not properly process spoofed ARP packets,
> which allows remote attackers to overwrite static entries in the cache
> table.
> 
> 
> ED_PRI CAN-2000-0612 3
> 
> 
> VOTE: ACCEPT

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
Page Last Updated or Reviewed: May 22, 2007