• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Buffer overflow in the bootp server in the Debian Linux netstd package.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
19990607 Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (19991207)
Votes (Legacy)
ACCEPT(3) Baker, Ozancin, Stracener
MODIFY(1) Frech
REVIEWING(1) Christey
Comments (Legacy)
 Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798?  CVE-1999-0389
   has January 1999 dates associated with it, while CVE-1999-0798
   was reported in late December.
   Also, is this the same line of code as CVE-1999-0914?  Both are in
   the netstd package, it could look like a library problem.
   However, deep in the changelog in the
   netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
   the following entry:
   +netstd (3.07-7slink.1) frozen; urgency=high
   +  * bootpd:     Applied patch from Redhat as well as a fix for the overflow in
   +                report() (fixes #30675).
   +  * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
   +                bugs.
   + -- Herbert Xu <>  Sat, 19 Dec 1998 14:36:48 +1100
   This tells me that two separate bugs are involved.
   Note that Red Hat posted *some* fix for *some* bootp problem
   in June 1998.  See:
 Frech> XF:debian-netstd-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to REVIEWING]
 Christey> The fix information for BID:324 suggests that there are two
   overflows, one of which is in handle_request (bootpd.c) and is
   likely related to a file name; but there is another issue in
   report (report.c) which also looks like a straightforward
   overflow, which would suggest that this is not a duplicate of
   CVE-1999-0798 or CVE-1999-0799.
   Note: see comments for CVE-1999-0798 which explain how that
   candidate is not related to CVE-1999-0799.

Proposed (Legacy)
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.