
[VOTES] Vote details for RECENT-XX clusters



This "ALL-NEW" meta-cluster contains voting details for all clusters
related to the "live" candidate assignment that has been taking place
in recent weeks.

RECENT-04
RECENT-03
RECENT-02
RECENT-01


- Steve




--------------------- CLUSTER RECENT-04 ---------------------

RECENT-04 (43 candidates)
--------------------
Proposed: 1/10/00
Scheduled Interim Decision: 1/24/00
Scheduled Final Decision: 1/28/00

Recent problems announced between 12/20/1999 and 1/1/2000


Voters:


<PROPOSED> --> 43

=================================
Candidate: CAN-2000-0001
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 RealMedia Server 5.0 Crasher (rmscrash.c)

RealMedia server allows remote attackers to cause a denial of service
via a long ramgen request.

INFERRED ACTION: CAN-2000-0001 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0002
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: BUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT

Buffer overflow in ZBServer Pro allows remote attackers to execute
commands via a long GET request.

INFERRED ACTION: CAN-2000-0002 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0003
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 UnixWare rtpm exploit + discussion

Buffer overflow in UnixWare rtpm program allows local users to gain
privileges via a long environmental variable.

INFERRED ACTION: CAN-2000-0003 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0004
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: BUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT

ZBServer Pro allows remote attackers to read source code for
executable files by inserting a . (dot) into the URL.

INFERRED ACTION: CAN-2000-0004 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0005
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 aserver.sh
Reference: BUGTRAQ:20000102 HPUX Aserver revisited.
Reference: HP:HPSBUX0001-108

HP-UX aserver program allows local users to gain privileges via a
symlink attack.

INFERRED ACTION: CAN-2000-0005 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0006
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991225 strace can lie

strace allows local users to read arbitrary files via memory mapped
file names.

INFERRED ACTION: CAN-2000-0006 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0007
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 PC-Cillin 6.x DoS Attack

Trend Micro PC-Cillin does not restrict access to its internal
proxy port, allowing remote attackers to conduct a denial of service.

INFERRED ACTION: CAN-2000-0007 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0008
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991227 FTPPro insecuities

FTPPro allows local users to read sensitive information, which is
stored in plain text.

INFERRED ACTION: CAN-2000-0008 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 bna,sh
Reference: BID:907

bna_pass program in Optivity NETarchitect allows local users to gain
privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0009 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991226 WebWho+ ADVISORY

WebWho+ whois.cgi program allows remote attackers to execute commands
via shell metacharacters in the TLD parameter.

INFERRED ACTION: CAN-2000-0010 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0011
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1
Reference: BID:906

Buffer overflow in AnalogX SimpleServer:WWW allows remote attackers to
execute commands via a long GET request.

INFERRED ACTION: CAN-2000-0011 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0012
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 remote buffer overflow in miniSQL
Reference: BID:898

Buffer overflow in w3-msql CGI program in miniSQL package allows
remote attackers to execute commands.

INFERRED ACTION: CAN-2000-0012 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0013
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 irix-soundplayer.sh
Reference: BID:909

IRIX midikeys program allows local users to gain privileges via a
symlink attack.

INFERRED ACTION: CAN-2000-0013 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0014
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K
Reference: BID:897

Denial of service in Savant web server via a null character in the
requested URL.

INFERRED ACTION: CAN-2000-0014 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0015
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991231 tftpserv.sh
Reference: BID:910

CascadeView TFTP server allows local users to gain privileges via a
symlink attack.

INFERRED ACTION: CAN-2000-0015 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0016
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991001 Vulnerabilities in the Internet Anywhere Mail Server
Reference: BUGTRAQ:19991227 Remote DoS/Access Attack in Internet Anywhere Mail Server(POP 3) v2.3.1
Reference: BID:730

Buffer overflow in Internet Anywhere POP3 Mail Server allows remote
attackers to cause a denial of service or execute commands via a long
username.

INFERRED ACTION: CAN-2000-0016 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0017
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 (Possible) Linuxconf Remote Buffer Overflow Vulnerability

Buffer overflow in Linux linuxconf package allows remote attackers to
gain root privileges via a long parameter.

INFERRED ACTION: CAN-2000-0017 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0018
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 Wmmon under FreeBSD

wmmon in FreeBSD allows local users to gain privileges via the
.wmmonrc configuration file.

INFERRED ACTION: CAN-2000-0018 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0019
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 [w00giving '99 #11] IMail's password encryption scheme

IMail POP3 daemon uses weak encryption, which allows local users to
read files.

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION

INFERRED ACTION: CAN-2000-0019 MOREVOTES (0 accept, 0 ack, 0 review) HAS_CDS

Current Votes:


=================================
Candidate: CAN-2000-0020
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability
Reference: BUGTRAQ:19991221 Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability

DNS PRO allows remote attackers to conduct a denial of service via a
large number of connections.

INFERRED ACTION: CAN-2000-0020 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0021
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Lotus Domino HTTP server allows remote attackers to determine the real
path of the server via a request to a non-existent script in
/cgi-bin.

CONTENT-DECISIONS: DESIGN-REAL-PATH

INFERRED ACTION: CAN-2000-0021 MOREVOTES (0 accept, 1 ack, 0 review) HAS_CDS

Current Votes:


=================================
Candidate: CAN-2000-0022
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Lotus Domino HTTP server does not properly disable anonymous access
for the cgi-bin directory.

INFERRED ACTION: CAN-2000-0022 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0023
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991222 Lotus Notes HTTP cgi-bin vulnerability: possible workaround
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Buffer overflow in Lotus Domino HTTP server allows remote attackers to
cause a denial of service via a long URL.

INFERRED ACTION: CAN-2000-0023 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0024
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-061
Reference: BUGTRAQ:19991228 Third Party Software Affected by IIS "Escape Character Parsing" Vulnerability
Reference: BUGTRAQ:19991229 More info on MS99-061 (IIS escape character vulnerability)

IIS does not properly canonicalize URLs, potentially allowing remote
attackers to bypass access restrictions in third-party software via
escape characters, aka the "Escape Character Parsing" vulnerability.

INFERRED ACTION: CAN-2000-0024 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0025
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-058

IIS 4.0 and Site Server 3.0 allow remote attackers to read source code
for ASP files if the file is in a virtual directory whose name
includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the
"Virtual Directory Naming" vulnerability.

INFERRED ACTION: CAN-2000-0025 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0026
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 UnixWare i2odialogd remote root exploit

Buffer overflow in UnixWare i2odialogd daemon allows remote attackers
to gain root access via a long username/password authorization
string.

INFERRED ACTION: CAN-2000-0026 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0027
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 IBM NetStation/UnixWare local root exploit
Reference: BID:900

IBM Network Station Manager NetStation allows local users to gain
privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0027 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0028
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 IE 5.01 vulnerabilities in external.NavigateAndFind()

Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the
cross frame security policy and read files via the
external.NavigateAndFind function.

INFERRED ACTION: CAN-2000-0028 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0029
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 UnixWare local pis exploit
Reference: BID:901

UnixWare pis and mkpis commands allow local users to gain privileges
via a symlink attack.

INFERRED ACTION: CAN-2000-0029 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0030
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 Solaris 2.7 dmispd local/remote problems

Solaris dmispd dmi_cmd allows local users to fill up restricted disk
space by adding files to the /var/dmi/db database.

INFERRED ACTION: CAN-2000-0030 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: L0PHT:19991227 initscripts-4.48-1 RedHat Linux 6.1
Reference: REDHAT:RHSA-1999:052-04

The initscripts package in Red Hat Linux allows local users to gain
privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0031 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0032
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 Solaris 2.7 dmispd local/remote problems

Solaris dmi_cmd allows local users to crash the dmispd daemon by
adding a malformed file to the /var/dmi/db database.

INFERRED ACTION: CAN-2000-0032 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0033
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 Trend Micro InterScan VirusWall SMTP bug
Reference: BID:899

InterScan VirusWall SMTP scanner does not properly scan messages with
malformed attachments.

INFERRED ACTION: CAN-2000-0033 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0034
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 More Netscape Passwords Available.

Netscape 4.7 records user passwords in the preferences.js file during
an IMAP or POP session, even if the user has not enabled "remember
passwords."

INFERRED ACTION: CAN-2000-0034 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0035
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BID:902

resend command in Majordomo allows local users to gain privileges via
shell metacharacters.

INFERRED ACTION: CAN-2000-0035 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0036
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-060
Reference: MSKB:Q249082

Outlook Express 5 for Macintosh downloads attachments to HTML mail
without prompting the user, aka the "HTML Mail Attachment"
vulnerability.

INFERRED ACTION: CAN-2000-0036 MOREVOTES (0 accept, 3 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0037
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BID:903

Majordomo wrapper allows local users to gain privileges by specifying
an alternate configuration file.

INFERRED ACTION: CAN-2000-0037 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0038
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: CF
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)

glFtpD includes a default glftpd user account with a default password
and a UID of 0.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-2000-0038 MOREVOTES (0 accept, 0 ack, 0 review) HAS_CDS

Current Votes:


=================================
Candidate: CAN-2000-0039
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 AltaVista
Reference: BUGTRAQ:19991230 Follow UP AltaVista
Reference: BUGTRAQ:19991229 AltaVista followup and monitor script
Reference: BUGTRAQ:20000103 FW: Patch issued for AltaVista Search Engine Directory TraversalVulnerability
Reference: BUGTRAQ:20000109 Altavista followup
Reference: BID:896

AltaVista search engine allows remote attackers to read files above
the document root via a .. (dot dot) in the query program.

INFERRED ACTION: CAN-2000-0039 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0040
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)

glFtpD allows local users to gain privileges via metacharacters in the
SITE ZIPCHK command.

INFERRED ACTION: CAN-2000-0040 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0041
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 The "Mac DoS Attack," a Scheme for Blocking Internet Connections
Reference: BID:890

Macintosh systems generate large ICMP datagrams in response to
malformed datagrams, allowing them to be used as amplifiers in a flood
attack.

INFERRED ACTION: CAN-2000-0041 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0042
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 Local / Remote D.o.S Attack in  CSM Mail Server for Windows 95/NT v.2000.08.A
Reference: BID:895

Buffer overflow in CSM mail server allows remote attackers to cause a
denial of service or execute commands via a long HELO command.

INFERRED ACTION: CAN-2000-0042 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-2000-0043
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT
Reference: BID:905

Buffer overflow in CamShot WebCam HTTP server allows remote attackers
to execute commands via a long GET request.

INFERRED ACTION: CAN-2000-0043 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:




--------------------- CLUSTER RECENT-03 ---------------------

RECENT-03 (19 candidates)
--------------------
Proposed: 12/21
Scheduled Proposed: 12/20
Scheduled Interim Decision: 1/3
Scheduled Final Decision: 1/7

Recent problems announced between 12/13/1999 and 12/20/1999


Voters:
  Wall ACCEPT(6) MODIFY(1) NOOP(12)
  Christey NOOP(1)
  Cole ACCEPT(14) MODIFY(2) NOOP(3)
  Stracener ACCEPT(18) NOOP(1)


<INTERIM> --> 5
<PROPOSED> --> 14
ACCEPT --> 15
MODIFY --> 3
NOOP --> 1

=================================
Candidate: CAN-1999-0992
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: HP:HPSBUX9912-107

HP VirtualVault with the PHSS_17692 patch allows unprivileged
processes to bypass access restrictions via the Trusted Gateway Proxy
(TGP).

INFERRED ACTION: CAN-1999-0992 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0993
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: unknown
Reference: NTBUGTRAQ:19991213 Changing ACL's in Exchange Server

Modifications to ACLs (Access Control Lists) in Microsoft Exchange
5.5 do not take effect until the directory store cache is refreshed.

CONTENT-DECISIONS: NOVULN

INFERRED ACTION: CAN-1999-0993 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Stracener
   NOOP(1) Cole


=================================
Candidate: CAN-1999-0994
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BINDVIEW:19991216 Windows NT's SYSKEY feature
Reference: MS:MS99-056
Reference: MSKB:Q248183
Reference: BID:873

Windows NT with SYSKEY reuses the keystream that is used for
encrypting SAM password hashes, allowing an attacker to crack
passwords.

INFERRED ACTION: CAN-1999-0994 ACCEPT (3 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener


=================================
Candidate: CAN-1999-0995
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: NAI:19991216 Windows NT LSA Remote Denial of Service
Reference: MS:MS99-057
Reference: MSKB:Q248185
Reference: BID:875

Windows NT Local Security Authority (LSA) allows remote attackers to
cause a denial of service via malformed arguments to the LsaLookupSids
function which looks up the SID, aka "Malformed Security Identifier
Request."

Modifications:
  ADDREF BID:875

INFERRED ACTION: CAN-1999-0995 ACCEPT (3 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener


=================================
Candidate: CAN-1999-0996
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: EEYE:AD19991215
Reference: BUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow
Reference: NTBUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow

Buffer overflow in Infoseek Ultraseek search engine allows remote
attackers to execute commands via a long GET request.

INFERRED ACTION: CAN-1999-0996 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0997
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: unknown
Reference: BUGTRAQ:19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd)

wu-ftp with FTP conversion enabled allows an attacker to execute
commands via a malformed file name that is interpreted as an argument
to the program that does the conversion, e.g. tar or uncompress.

INFERRED ACTION: CAN-1999-0997 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener


=================================
Candidate: CAN-1999-0998
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities

Cisco Cache Engine allows an attacker to replace content in the cache.

INFERRED ACTION: CAN-1999-0998 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Cole
   NOOP(1) Wall

Comments:
 Cole> This vulnerability exists in PPP CHAP authentication.  Also the BID is 693.
 Cole> If I have the right vulnerability.  The description is not that clear.


=================================
Candidate: CAN-1999-0999
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: MS:MS99-059
Reference: MSKB:Q248749
Reference: BID:817

Microsoft SQL 7.0 server allows a remote attacker to cause a denial of
service via a malformed TDS packet.

Modifications:
  DESC Add version
  ADDREF BID:817

INFERRED ACTION: CAN-1999-0999 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Wall

Comments:
 Wall> Microsoft SQL 7.0 server allows a remote attacker to cause a denial of
 Wall> service via a malformed TDS packet.


=================================
Candidate: CAN-1999-1000
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities

The web administration interface for Cisco Cache Engine allows remote
attackers to view performance statistics.

INFERRED ACTION: CAN-1999-1000 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall


=================================
Candidate: CAN-1999-1001
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities

Cisco Cache Engine allows a remote attacker to gain access via a null
username and password.

INFERRED ACTION: CAN-1999-1001 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Cole
   NOOP(2) Wall, Christey

Comments:
 Cole> The references are not that clear.
 Christey> While vendor-supplied advisories sometimes aren't clear, they
 Christey> have acknowledged the problem and provided enough information
 Christey> to attach a CVE name to them.


=================================
Candidate: CAN-1999-1002
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: http://www.rstcorp.com/news/bad-crypto.html
Reference: BUGTRAQ:19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")
Reference: BUGTRAQ:19991220 Netscape password scrambling

Netscape Navigator uses weak encryption for storing a user's Netscape
mail password.

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION

INFERRED ACTION: CAN-1999-1002 ACCEPT (3 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener


=================================
Candidate: CAN-1999-1003
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70

War FTP Daemon 1.70 allows remote attackers to cause a denial of
service by flooding it with connections.

CONTENT-DECISIONS: BETA

INFERRED ACTION: CAN-1999-1003 ACCEPT_ACK (2 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall


=================================
Candidate: CAN-1999-1004
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991217 NAV2000 Email Protection DoS
Reference: BUGTRAQ:19991220 Norton Email Protection Remote Overflow (Addendum)

Buffer overflow in the POP server POProxy for the Norton Anti-Virus
protection NAV2000 program via a large USER command.

INFERRED ACTION: CAN-1999-1004 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   NOOP(2) Wall, Cole


=================================
Candidate: CAN-1999-1005
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991219 Groupewise Web Interface

Groupwise web server GWWEB.EXE allows remote attackers to read
arbitrary files with .htm extensions via a .. (dot dot) attack using
the HELP parameter.

INFERRED ACTION: CAN-1999-1005 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall


=================================
Candidate: CAN-1999-1006
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991219 Groupewise Web Interface

Groupwise web server GWWEB.EXE allows remote attackers to determine
the real path of the web server via the HELP parameter.

CONTENT-DECISIONS: DESIGN-REAL-PATH

INFERRED ACTION: CAN-1999-1006 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall


=================================
Candidate: CAN-1999-1007
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991213 VDO Live Player 3.02 Buffer Overflow
Reference: BID:872

Buffer overflow in VDO Live Player allows remote attackers to execute
commands on the VDO client via a malformed .vdo file.

INFERRED ACTION: CAN-1999-1007 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener


=================================
Candidate: CAN-1999-1008
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991215 FreeBSD 3.3 xsoldier root exploit
Reference: BID:871

xsoldier program allows local users to gain root access via a
long argument.

INFERRED ACTION: CAN-1999-1008 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall


=================================
Candidate: CAN-1999-1009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: unknown
Reference: BUGTRAQ:19991213 Privacy hole in Go Express Search

The Disney Go Express Search allows remote attackers to access and
modify search information for users by connecting to an HTTP server on
the user's system.

CONTENT-DECISIONS: PRIVACY

INFERRED ACTION: CAN-1999-1009 MOREVOTES (0 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   NOOP(3) Wall, Cole, Stracener


=================================
Candidate: CAN-1999-1010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BUGTRAQ:19991214 sshd1 allows unencrypted sessions regardless of server policy

An SSH 1.2.27 server allows a client to use the "none" cipher, even if
it is not allowed by the server policy.

INFERRED ACTION: CAN-1999-1010 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall




--------------------- CLUSTER RECENT-02 ---------------------

RECENT-02 (20 candidates)
--------------------
Proposed: 12/13
Scheduled Proposed: 12/13
Scheduled Interim Decision: 12/27
Scheduled Final Decision: 12/31

Recent problems announced between 12/04/1999 and 12/12/1999


Voters:
  Christey REVIEWING(4)
  Cole ACCEPT(4) NOOP(2)
  Stracener ACCEPT(5) RECAST(1)
  Blake ACCEPT(5) RECAST(1)


<FINAL> --> 14
<INTERIM> --> 1
<PROPOSED> --> 5
ACCEPT --> 1
RECAST --> 2
REVIEWING --> 3

=================================
Candidate: CAN-1999-0972
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991209 xsw 1.24 remote buffer overflow
Reference: BID:863

Buffer overflow in Xshipwars xsw program.

INFERRED ACTION: CAN-1999-0972 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0973
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991206 [w00giving #8] Solaris 2.7's snoop
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)
Reference: BID:858

Buffer overflow in Solaris snoop program allows remote attackers to
gain root privileges via a long domain name when snoop is running in
verbose mode.

INFERRED ACTION: CAN-1999-0973 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0974
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: ISS:19991209 Buffer Overflow in Solaris Snoop
Reference: SUN:00190
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)
Reference: BID:864

Buffer overflow in Solaris snoop allows remote attackers to gain root
privileges via GETQUOTA requests to the rpc.rquotad service.

INFERRED ACTION: CAN-1999-0974 MOREVOTES (0 accept, 3 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0975
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT
Reference: BID:868

The Windows help system can allow a local user to execute commands as
another user by editing a table of contents metafile with a .CNT
extension and modifying the topic action to include the commands to be
executed when the .hlp file is accessed.

INFERRED ACTION: CAN-1999-0975 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0976
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991207 [Debian] New version of sendmail released
Reference: BID:857

Sendmail in Debian GNU/Linux 2.1 allows local users to reinitialize
the aliases database, then cause a denial of service by interrupting
Sendmail.

INFERRED ACTION: CAN-1999-0976 RECAST (1 recast, 2 accept, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   RECAST(1) Blake

Comments:
 Blake> *This issue is insufficiently defined.  I can't see why it should be
 Blake> restricted to Debian, in fact, I just ran newaliases on FreeBSD-3.2 as a
 Blake> regular user and it ran.  Perhaps the entry can be broadened to include
 Blake> incorrect permissions on the newaliases binary...


=================================
Candidate: CAN-1999-0977
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: SF-INCIDENTS:19991209 sadmind
Reference: BUGTRAQ:19991210 Solaris sadmind Buffer Overflow Vulnerability
Reference: CERT:CA-99-16
Reference: BID:866

Buffer overflow in Solaris sadmind allows remote attackers to gain
root privileges using a NETMGT_PROC_SERVICE request.

INFERRED ACTION: CAN-1999-0977 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0978
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: DEBIAN:19991209
Reference: BID:867

htdig allows remote attackers to execute commands via filenames with
shell metacharacters.

Modifications:
  DESC exclude Debian

INFERRED ACTION: CAN-1999-0978 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0979
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991209 Fundamental flaw in UnixWare 7 security
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BID:869

The SCO UnixWare privileged process system allows local users to gain
root privileges by using a debugger such as gdb to insert traps into
_init before the privileged process is executed.

INFERRED ACTION: CAN-1999-0979 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0980
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: MS:MS99-055
Reference: MSKB:Q246045

Windows NT Service Control Manager (SCM) allows remote attackers to
cause a denial of service via a malformed argument in a resource
enumeration request.

INFERRED ACTION: CAN-1999-0980 MOREVOTES (0 accept, 3 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0981
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: MS:MS99-050
Reference: MSKB:Q246094

Internet Explorer 5.01 and earlier allows a remote attacker to create
a reference to a client window and use a server-side redirect to
access local files via that window, aka "Server-side Page Reference
Redirect."

INFERRED ACTION: CAN-1999-0981 MOREVOTES (0 accept, 3 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0982
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: unknown
Reference: BUGTRAQ:19991206 Solaris WBEM 1.0: plaintext password stored in world readable file

The Sun Web-Based Enterprise Management (WBEM) installation script
stores a password in plaintext in a world readable file.

INFERRED ACTION: CAN-1999-0982 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0983
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Whois Internic Lookup program whois.cgi allows remote attackers to
execute commands via shell metacharacters in the domain entry.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0983 SMC_REVIEW (3 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(3) Cole, Blake, Stracener
   REVIEWING(1) Christey

Comments:
 Christey> More examination is required to determine if CAN-1999-0983,
 Christey> CAN-1999-0984, or CAN-1999-0985 are the same codebase.


=================================
Candidate: CAN-1999-0984
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Matt's Whois program whois.cgi allows remote attackers to
execute commands via shell metacharacters in the domain entry.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0984 SMC_REVIEW (2 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Blake, Stracener
   NOOP(1) Cole
   REVIEWING(1) Christey

Comments:
 Cole> How is this different than the previous?
 Christey> More examination is required to determine if CAN-1999-0983,
 Christey> CAN-1999-0984, or CAN-1999-0985 are the same codebase.


=================================
Candidate: CAN-1999-0985
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

CC Whois program whois.cgi allows remote attackers to execute commands
via shell metacharacters in the domain entry.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0985 SMC_REVIEW (2 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Blake, Stracener
   NOOP(1) Cole
   REVIEWING(1) Christey

Comments:
 Cole> I would combine all of these.
 Christey> More examination is required to determine if CAN-1999-0983,
 Christey> CAN-1999-0984, or CAN-1999-0985 are the same codebase.


=================================
Candidate: CAN-1999-0986
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991209 Big problem on 2.0.x?
Reference: BID:870

The ping command in Linux 2.0.3x allows local users to cause a denial
of service by sending large packets with the -R (record route)
option.

INFERRED ACTION: CAN-1999-0986 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0987
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: NTBUGTRAQ:19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name
Reference: MSKB:Q237923

Windows NT does not properly download a system policy if the domain
user logs into the domain with a space at the end of the domain name.

INFERRED ACTION: CAN-1999-0987 MOREVOTES (0 accept, 2 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0988
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7

UnixWare pkgtrans allows local users to read arbitrary files via a
symlink attack.

INFERRED ACTION: CAN-1999-0988 RECAST (1 recast, 2 accept, 1 review)

Current Votes:
   ACCEPT(2) Cole, Blake
   RECAST(1) Stracener
   REVIEWING(1) Christey

Comments:
 Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam
 Stracener> can be used to mount etc/shadow printing attacks as a result of the
 Stracener> "dacread" permission (cf. /etc/security/tcb/privs). The procedural
 Stracener> differences between the individual exploits for each of these utilities
 Stracener> are therefore inconsequential. CAN-1999-0988 should be merged with
 Stracener> CAN-1999-0828. From the standpoint of maintaining consistency of the
 Stracener> level of abstraction used in CVE, the co-existence of CANS
 Stracener> 1999-0988/1999-0828 presents two choices: either merge 0988 with 0828, or
 Stracener> split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the
 Stracener> very small differences (in principle) between the exploits subsumed by
 Stracener> 0828 and 0988 and the shared dacread permissions of the pkg* suite, I
 Stracener> suggest a merge. Below is a summary of the data upon which my decision
 Stracener> was based.
 Stracener> utility        exploit
 Stracener> ----------     ----------------------------------
 Stracener> pkgtrans   --> symlink + dacread permission prob
 Stracener> pkginfo    --> truss (debugging utility) in conjunction with pkginfo -d
 Stracener>                etc/shadow. In this case, it captures the interaction between
 Stracener>                pkginfo and the shadow file. Once again: dacread.
 Stracener> pkgcat     --> buffer overflow + dacread permission prob
 Stracener> pkginstall --> buffer overflow + dacread permission prob
 Stracener> pkgparam   --> -f etc/shadow (works because of dacread).
 Christey> This is a tough one.  While there are few procedural
 Christey> differences, one could view "assignment of an improper
 Christey> permission" as a "class" of problems along the lines of
 Christey> buffer overflows and the like.  Just like some programs
 Christey> were fine until they got turned into CGI scripts, this
 Christey> could be an emerging pattern which should be given
 Christey> consideration.  Consider the Eyedog and scriptlet.typelib
 Christey> ActiveX utilities being marked as safe for scripting
 Christey> (CAN-1999-0668 and 0669).


=================================
Candidate: CAN-1999-0989
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: NTBUGTRAQ:19991205 new IE5 remote exploit
Reference: BUGTRAQ:19991205 new IE5 remote exploit
Reference: BID:861

Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX)
allows remote attackers to execute commands via the vnd.ms.radio
protocol.

INFERRED ACTION: CAN-1999-0989 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:


=================================
Candidate: CAN-1999-0990
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991205 gdm thing

Error messages generated by gdm with the VerboseAuth setting allow an
attacker to identify valid users on a system.

CONTENT-DECISIONS: SA-INFO

INFERRED ACTION: CAN-1999-0990 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0991
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: NTBUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability
Reference: BUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability
Reference: BID:862

Buffer overflow in GoodTech Telnet Server NT allows remote users to
cause a denial of service via a long login name.

INFERRED ACTION: CAN-1999-0991 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:




--------------------- CLUSTER RECENT-01 ---------------------

RECENT-01 (40 candidates)
--------------------
Proposed: 12/8
Scheduled Proposed: 12/6
Scheduled Interim Decision: 12/20
Scheduled Final Decision: 12/24

Recent problems announced between 11/24/1999 and 12/03/1999


Voters:
  Frech MODIFY(40)
  Christey NOOP(1) RECAST(1) REVIEWING(3)
  Cole ACCEPT(20) MODIFY(14) NOOP(4) REJECT(2)
  Armstrong ACCEPT(34) NOOP(4) REVIEWING(2)
  Prosser ACCEPT(8) MODIFY(1) NOOP(1) REVIEWING(30)
  Stracener ACCEPT(37) MODIFY(2) NOOP(1)


<INTERIM> --> 4
<PROPOSED> --> 36
MODIFY --> 7
RECAST --> 1
REJECT --> 2
REVIEWING --> 30

=================================
Candidate: CAN-1999-0818
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure
Reference: BID:831

Buffer overflow in Solaris kcms_configure via a long NETPATH
environmental variable.

INFERRED ACTION: CAN-1999-0818 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(1) Prosser

Comments:
 Cole> This can cause code to be executed.
 Frech> XF:sol-kcms-conf-netpath-bo


=================================
Candidate: CAN-1999-0819
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991130 NTmail and VRFY
Reference: BUGTRAQ:19991130 NTmail and VRFY

NTMail does not disable the VRFY command, even if the administrator
has explicitly disabled it.

INFERRED ACTION: CAN-1999-0819 ACCEPT_REV (3 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(2) Cole, Frech
   NOOP(1) Armstrong
   REVIEWING(1) Prosser

Comments:
 Cole> The references are wrong.  The BID is 856 and the full ID is
 Cole> 19991129 not 30.
 Cole> I would add that NTMail does not disable the VRFY command on ESMTP
 Cole> servers, even ...  This can be used to gather information about users' email
 Cole> addresses.
 Frech> XF:nt-mail-vrfy


=================================
Candidate: CAN-1999-0820
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838

FreeBSD seyon allows users to gain privileges via a modified PATH
variable for finding the xterm and seyon-emu commands.

INFERRED ACTION: CAN-1999-0820 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(1) Prosser

Comments:
 Cole> There are actually several vulnerabilities with seyon which allow
 Cole> users to elevate privileges
 Frech> XF:freebsd-seyon-dir-add


=================================
Candidate: CAN-1999-0821
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838

FreeBSD seyon allows local users to gain privileges by providing a
malicious program in the -emulator argument.

INFERRED ACTION: CAN-1999-0821 REJECT (1 reject, 3 accept, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   REJECT(1) Cole
   REVIEWING(1) Prosser

Comments:
 Cole> I would combine this with the previous.  To me the general
 Cole> vulnerabilities are similar; it is just the end result that changes.
 Frech> XF:freebsd-seyon-setgid


=================================
Candidate: CAN-1999-0822
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BID:830

Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via
AUTH command.

INFERRED ACTION: CAN-1999-0822 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:qpopper-auth-bo


=================================
Candidate: CAN-1999-0823
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:839
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Buffer overflow in FreeBSD xmindpath allows local users to gain
privileges via -f argument.

INFERRED ACTION: CAN-1999-0823 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(1) Prosser

Comments:
 Cole> This is via a buffer overflow attack.
 Frech> XF:freebsd-xmindpath


=================================
Candidate: CAN-1999-0824
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:833
Reference: NTBUGTRAQ:19991130 SUBST problem
Reference: BUGTRAQ:19991130 Subst.exe carelessness (fwd)

A Windows NT user can use SUBST to map a drive letter to a folder,
which is not unmapped after the user logs off, potentially allowing
that user to modify the location of folders accessed by later users.

INFERRED ACTION: CAN-1999-0824 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Stracener, Prosser
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Armstrong

Comments:
 Frech> XF:nt-subst


=================================
Candidate: CAN-1999-0825
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BID:849

The default permissions for UnixWare /var/mail allow local users to
read and modify other users' mail.

CONTENT-DECISIONS: CF-PERMS

INFERRED ACTION: CAN-1999-0825 ACCEPT_REV (4 accept, 1 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:sco-mail-permissions


=================================
Candidate: CAN-1999-0826
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:840
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Buffer overflow in FreeBSD angband allows local users to gain
privileges.

INFERRED ACTION: CAN-1999-0826 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:angband-bo


=================================
Candidate: CAN-1999-0827
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing

By default, Internet Explorer 5.0 and other versions enable the
"Navigate sub-frames across different domains" option, which allows
frame spoofing.

CONTENT-DECISIONS: CF-CHECKBOX

INFERRED ACTION: CAN-1999-0827 ACCEPT_REV (4 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(1) Prosser

Comments:
 Cole> The BID is 855.  If I have the right vulnerability, this allows an
 Cole> attacker to access URLs of their choosing which could lead to a compromise
 Cole> of private information.
 Frech> XF:http-frame-spoof
 Frech> Question: Similar vulnerability to MS98-020 / CAN-1999-0869?


=================================
Candidate: CAN-1999-0828
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: unknown
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BID:853

UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam
allow local users to read arbitrary files via the dacread permission.

CONTENT-DECISIONS: CF-PERMS, SF-EXEC, SF-LOC

INFERRED ACTION: CAN-1999-0828 SMC_REVIEW (4 accept, 2 review) HAS_CDS

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(2) Prosser, Christey

Comments:
 Cole> This is BID 850.
 Christey> See comments on CAN-1999-0988.  Perhaps these two should be
 Christey> merged.
 Frech> XF:sco-pkg-dacread-fileread


=================================
Candidate: CAN-1999-0829
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991201 HP Secure Web Console

HP Secure Web Console uses weak encryption.

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION

INFERRED ACTION: CAN-1999-0829 ACCEPT_REV (3 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Prosser

Comments:
 Cole> I could not find details on this using the above references.
 Frech> XF:hp-secure-console


=================================
Candidate: CAN-1999-0830
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco

Buffer overflow in SCO UnixWare Xsco command via a long argument.

INFERRED ACTION: CAN-1999-0830 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(1) Prosser

Comments:
 Cole> This is BID 824 and the BUGTRAQ reference is 19991125.
 Frech> XF:sco-unixware-xsco


=================================
Candidate: CAN-1999-0831
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CALDERA:CSSA-1999-035.0
Reference: REDHAT:RHSA1999055-01
Reference: SUSE:19991118 syslogd-1.3.33 (a1)
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: BID:809
Reference: XF:slackware-syslogd-dos

Denial of service in Linux syslogd via a large number of connections.

Modifications:
  ADDREF CALDERA:CSSA-1999-035.0
  ADDREF REDHAT:RHSA1999055-01
  ADDREF SUSE:19991118 syslogd-1.3.33 (a1)
  DESC Change description to apply to all Linux
  ADDREF XF:slackware-syslogd-dos
  ADDREF BID:809

INFERRED ACTION: CAN-1999-0831 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Prosser
   MODIFY(2) Stracener, Frech
   NOOP(1) Christey

Comments:
 Christey> ADDREF CALDERA:CSSA-1999-035.0
 Christey> ADDREF REDHAT:RHSA1999055-01
 Christey> ADDREF SUSE:19991118 syslogd-1.3.33 (a1)
 Christey> Change description to apply to all Linux
 Stracener> Given that this issue is not slackware-specific, the description should
 Stracener> be made more generic, possibly: "Denial of service in syslogd via a
 Stracener> large number of connections"
 Stracener> Add Ref: CSSA-1999-035.0
 Stracener> Add Ref: RHSA1999055-01
 Stracener> Add Ref: SuSE Security Announcement - syslogd (a1)
 Stracener> Add Ref: Cobalt Networks -- Security Advisory -- 11.20.1999 (syslog)
 Frech> XF:slackware-syslogd-dos


=================================
Candidate: CAN-1999-0832
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]

Buffer overflow in Slackware 7.0 NFS server allows attackers to
execute commands via a long pathname.

INFERRED ACTION: CAN-1999-0832 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Cole
   MODIFY(2) Stracener, Frech
   REVIEWING(1) Prosser

Comments:
 Stracener> Suggest removing "Slackware 7.0" from the description
 Stracener> Add Ref: CSSA-1999-033.0
 Stracener> Add Ref: DEBIAN: nfs-server: buffer overflow in nfs server 11/11/99
 Stracener> Add Ref: SuSE Security Announcement "nfs-server < 2.2beta47 within
 Stracener> nkita" 11/12/99
 Frech> XF:linux-nfs-maxpath-bo


=================================
Candidate: CAN-1999-0834
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991201 Security Advisory: Buffer overflow in RSAREF2
Reference: BUGTRAQ:19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2)
Reference: CERT:CA-99-15
Reference: BID:843
Reference: XF:rsaref-bo

Buffer overflow in RSAREF2 via the encryption and decryption functions
in the RSAREF library.

Modifications:
  ADDREF XF:rsaref-bo

INFERRED ACTION: CAN-1999-0834 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(2) Prosser, Frech

Comments:
 Prosser> Ref:  CERT Ca-99-15, Buffer Overflows in SSH Daemon and RSAREF2 Library
 Prosser> SecuriTeam.com, SSH1.2.27 is vulnerable to a remote buffer overflow (RSAREF)
 Frech> XF:rsaref-bo


=================================
Candidate: CAN-1999-0836
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare 7 uidadmin exploit + discussion

UnixWare uidadmin allows local users to modify arbitrary files via
a symlink attack.

INFERRED ACTION: CAN-1999-0836 ACCEPT_REV (3 accept, 1 ack, 2 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(2) Armstrong, Prosser

Comments:
 Cole> The BID is 842.
 Frech> unixware-uid-admin


=================================
Candidate: CAN-1999-0838
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability

Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a
denial of service via the SITE command.

INFERRED ACTION: CAN-1999-0838 SMC_REVIEW (5 accept, 1 review)

Current Votes:
   ACCEPT(4) Armstrong, Cole, Stracener, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Christey> DUPE CVE-1999-0219?
 Frech> XF:servu-ftp-site-bo


=================================
Candidate: CAN-1999-0840
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow

Buffer overflow in CDE dtmail and dtmailpr programs via the -f
option.

CONTENT-DECISIONS: SF-CODEBASE, SF-LOC

INFERRED ACTION: CAN-1999-0840 ACCEPT_REV (3 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Prosser

Comments:
 Cole> I went to 1129 and it looks like a reference for a different
 Cole> vulnerability.
 Frech> In the description, should dtmailptr be dtmailpr?
 Frech> XF:solaris-dtmailpr-overflow
 Frech> XF:solaris-dtmail-overflow


=================================
Candidate: CAN-1999-0841
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow

Buffer overflow in CDE mailtool allows local users to gain root
privilege via a long MIME Content-Type.

CONTENT-DECISIONS: SF-CODEBASE, SF-LOC

INFERRED ACTION: CAN-1999-0841 ACCEPT_REV (4 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:cde-mailtool-bo


=================================
Candidate: CAN-1999-0842
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:827
Reference: NTBUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: BUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability

Symantec Mail-Gear 1.0 web interface server allows remote users to
read arbitrary files via a .. (dot dot) attack.

INFERRED ACTION: CAN-1999-0842 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:symantec-mail-dir-traversal


=================================
Candidate: CAN-1999-0843
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)

Denial of service in Cisco routers running NAT via a PORT command from
an FTP client to a Telnet port.

INFERRED ACTION: CAN-1999-0843 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Armstrong
   REVIEWING(1) Prosser

Comments:
 Frech> XF:cisco-nat-dos


=================================
Candidate: CAN-1999-0844
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: BID:823
Reference: BID:820

Denial of service in MDaemon WorldClient and WebConfig services via
a long URL.

CONTENT-DECISIONS: SF-EXEC, SF-LOC

INFERRED ACTION: CAN-1999-0844 RECAST (1 recast, 3 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(2) Cole, Frech
   NOOP(1) Armstrong
   RECAST(1) Christey
   REVIEWING(1) Prosser

Comments:
 Cole> 823 and 820 are two different vulnerabilities and should be
 Cole> separated out.  They are both buffer overflows but accomplish it in a
 Cole> different fashion and the end exploit is different.
 Frech> (RECAST?)
 Frech> XF:mdaemon-worldclient-dos
 Frech> XF:mdaemon-webconfig-dos
 Frech> Recast request: This is really two services exhibiting the same problem.
 Christey> as suggested by others.


=================================
Candidate: CAN-1999-0845
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: SCO:99.19
Reference: BUGTRAQ:19991128 SCO su patches

Buffer overflow in SCO su program allows local users to gain root
access via a long username.

CONTENT-DECISIONS: CAN-1999-0317, DISCOVERY-DATE, SF-CODEBASE

INFERRED ACTION: CAN-1999-0845 SMC_REVIEW (5 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(4) Armstrong, Cole, Stracener, Prosser
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Christey> DUPE CAN-1999-0317?
 Frech> XF:sco-su-username-bo


=================================
Candidate: CAN-1999-0846
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability

Denial of service in MDaemon 2.7 via a large number of connection
attempts.

INFERRED ACTION: CAN-1999-0846 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:mdaemon-dos


=================================
Candidate: CAN-1999-0847
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991129 FICS buffer overflow
Reference: XF:fics-board-bo

Buffer overflow in free internet chess server (FICS) program, xboard.

Modifications:
  ADDREF XF:fics-board-bo

INFERRED ACTION: CAN-1999-0847 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(2) Cole, Prosser

Comments:
 Frech> XF:fics-board-bo


=================================
Candidate: CAN-1999-0850
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BID:845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18

The default permissions for Endymion MailMan allow local users to read
email or modify files.

CONTENT-DECISIONS: CF-PERMS

INFERRED ACTION: CAN-1999-0850 ACCEPT_REV (3 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Armstrong
   REVIEWING(1) Prosser

Comments:
 Frech> XF:endymion-mailman-perms


=================================
Candidate: CAN-1999-0852
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BID:844
Reference: BUGTRAQ:19991202 WebSphere protections from installation

IBM WebSphere sets permissions that allow a local user to modify a
deinstallation script or its data files stored in /usr/bin.

CONTENT-DECISIONS: CF-PERMS

INFERRED ACTION: CAN-1999-0852 ACCEPT_REV (4 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:websphere-protect


=================================
Candidate: CAN-1999-0853
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:847
Reference: ISS:19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
Reference: XF:netscape-fasttrack-auth-bo

Buffer overflow in Netscape Enterprise Server and Netscape
FastTrack Server allows remote attackers to gain privileges via the
HTTP Basic Authentication procedure.

Modifications:
  ADDREF XF:netscape-fasttrack-auth-bo

INFERRED ACTION: CAN-1999-0853 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Stracener, Prosser
   MODIFY(2) Cole, Frech

Comments:
 Cole> I would add that this is a remote buffer overflow...
 Frech> XF:netscape-fasttrack-auth-bo


=================================
Candidate: CAN-1999-0854
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: unknown
Reference: BUGTRAQ:19991130 Ultimate Bulletin Board v5.3x? Bug

Ultimate Bulletin Board stores data files in the cgi-bin directory,
allowing remote attackers to view the data if an error occurs when the
HTTP server attempts to execute the file.

INFERRED ACTION: CAN-1999-0854 ACCEPT_REV (3 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Cole
   MODIFY(1) Frech
   NOOP(1) Stracener
   REVIEWING(1) Prosser

Comments:
 Frech> XF:http-ultimate-bbs


=================================
Candidate: CAN-1999-0855
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Buffer overflow in FreeBSD gdc program.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0855 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Armstrong, Stracener, Prosser
   MODIFY(2) Cole, Frech

Comments:
 Cole> The BID is 834 and the reference is 19991201 not 1130.
 Frech> XF:freebsd-gdc-bo


=================================
Candidate: CAN-1999-0856
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Slackware 7.0 - login bug

login in Slackware 7.0 allows remote attackers to identify valid users
on the system by reporting an encryption error when an account is
locked or does not exist.

INFERRED ACTION: CAN-1999-0856 ACCEPT_REV (4 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:slackware-remote-login


=================================
Candidate: CAN-1999-0857
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Reference: BID:835

FreeBSD gdc program allows local users to modify files via a symlink
attack.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0857 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Armstrong, Stracener, Prosser
   MODIFY(2) Cole, Frech

Comments:
 Cole> This is via debug output.
 Frech> XF:freebsd-gdc


=================================
Candidate: CAN-1999-0859
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837

Solaris arp allows local users to read files via the -f parameter,
which lists lines in the file that do not parse properly.

INFERRED ACTION: CAN-1999-0859 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(1) Prosser

Comments:
 Cole> This attack makes it possible to read bin and owned files to which
 Cole> read access is not permitted to local users through exploiting subtle
 Cole> vulnerabilities in arp and chkperm.
 Frech> XF:sol-arp-parse


=================================
Candidate: CAN-1999-0860
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837

Solaris chkperm allows local users to read files owned by bin via
the VMSYS environmental variable and a symlink attack.

INFERRED ACTION: CAN-1999-0860 REJECT (1 reject, 3 accept, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   REJECT(1) Cole
   REVIEWING(1) Prosser

Comments:
 Cole> This is the same as the previous.
 Frech> XF:sol-chkperm-vmsys


=================================
Candidate: CAN-1999-0862
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: CF
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems

Insecure directory permissions in RPM distribution for PostgreSQL
allow local users to gain privileges by reading a plaintext password
file.

CONTENT-DECISIONS: CF-PERMS

INFERRED ACTION: CAN-1999-0862 ACCEPT_REV (4 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:postgresql-insecure-perms


=================================
Candidate: CAN-1999-0863
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Buffer overflow in FreeBSD seyon via HOME environmental variable,
-emulator argument, -modems argument, or the GUI.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0863 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Armstrong, Cole, Stracener, Prosser
   MODIFY(1) Frech

Comments:
 Frech> XF:freebsd-seyon-bo


=================================
Candidate: CAN-1999-0864
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare coredumps follow symlinks
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BID:851

UnixWare programs that dump core allow a local user to
modify files via a symlink attack on the ./core.pid file.

INFERRED ACTION: CAN-1999-0864 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:sco-coredump-symlink


=================================
Candidate: CAN-1999-0865
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 CommuniGatePro 3.1 for NT DoS
Reference: NTBUGTRAQ:19991203 CommuniGatePro 3.1 for NT Buffer Overflow

Buffer overflow in CommuniGatePro via a long string to the HTTP
configuration port.

INFERRED ACTION: CAN-1999-0865 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:communigate-pro-bo


=================================
Candidate: CAN-1999-0866
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 UnixWare gain root with non-su/gid binaries
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BID:848

Buffer overflow in UnixWare xauto program allows local users to gain
root privilege.

INFERRED ACTION: CAN-1999-0866 ACCEPT_REV (4 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Cole, Frech
   REVIEWING(1) Prosser

Comments:
 Cole> I would take out the word local.
 Frech> XF:sco-xauto-bo

Page Last Updated or Reviewed: May 22, 2007