[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[INTERIM] ACCEPT 53 candidates from various clusters (Final 3/20)



I have made an Interim Decision to ACCEPT the following 53 candidates
from various clusters.  I will make a Final Decision on Monday, March
20, 2000.

The candidates come from the following clusters:

   4 UNIX-VEN
   5 MISC-01
  15 UNIX-UNCONF
   3 RECENT-03
  12 RECENT-04
   4 RECENT-07
   1 RECENT-08
   6 RECENT-09
   3 RECENT-10

Voters:
  Wall ACCEPT(7) MODIFY(1) NOOP(3)
  LeBlanc ACCEPT(4) NOOP(5)
  Ozancin ACCEPT(15)
  Cole ACCEPT(19) MODIFY(1) NOOP(1)
  Meunier ACCEPT(2)
  Bishop ACCEPT(6)
  Stracener ACCEPT(35) MODIFY(4)
  Frech ACCEPT(5) MODIFY(19)
  Christey NOOP(8)
  Armstrong ACCEPT(12)
  Prosser ACCEPT(3) MODIFY(1)
  Blake ACCEPT(10)



=================================
Candidate: CAN-1999-0189
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19990607
Category: SF
Reference: NAI:NAI-15
Reference: SUN:00142
Reference: XF:rpc-32771

Solaris rpcbind listens on a high numbered UDP port, which may not be
filtered since the standard port number is 111.

Modifications:
  ADDREF XF:rpc-32771
  ADDREF NAI:NAI-15

INFERRED ACTION: CAN-1999-0189 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> XF:rpc-32771


=================================
Candidate: CAN-1999-0390
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000204-01
Proposed: 19991222
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990104 Dosemu/S-Lang Overflow + sploit
Reference: CALDERA:CSSA-1999-006.1
Reference: BID:187

Buffer overflow in Dosemu Slang library in Linux.

Modifications:
  ADDREF CALDERA:CSSA-1999-006.1

INFERRED ACTION: CAN-1999-0390 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Ozancin


=================================
Candidate: CAN-1999-0678
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: XF:apache-debian-usrdoc
Reference: BUGTRAQ:19990405 An issue with Apache on Debian
Reference: BID:318

A default configuration of Apache on Debian Linux sets the ServerRoot
to /usr/doc, which allows remote users to read documentation files
for the entire server.

Modifications:
  ADDREF BID:318

INFERRED ACTION: CAN-1999-0678 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Stracener, Ozancin, Frech
   NOOP(1) Christey

Comments:
 Christey> This candidate is unconfirmed by the vendor.


=================================
Candidate: CAN-1999-0727
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: OPENBSD:19990608 Packets that should have been handled by IPsec may be transmitted as cleartext
Reference: XF:openbsd-ipsec-cleartext

A kernel leak in the OpenBSD kernel allows IPsec packets to be sent
unencrypted.

Modifications:
  ADDREF OPENBSD:19990608 Packets that should have been handled by IPsec may be transmitted as cleartext
  ADDREF XF:openbsd-ipsec-cleartext

INFERRED ACTION: CAN-1999-0727 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Ozancin
   MODIFY(2) Stracener, Frech

Comments:
 Stracener> Add Ref: OPENBSD:19990608  Packets that should have been handled by
 Stracener> IPsec maybe transmitted as cleartext. PF_KEY SA expirations may leak
 Stracener> kernel resources.
 Frech> XF:openbsd-ipsec-cleartext
 Frech> ADDREF OPENBSD:OpenBSD Security Advisory, August 6, 1999, "Packets that
 Frech> should have been handled by IPsec may be transmitted as cleartexrt" at
 Frech> http://www.openbsd.com/errata25.html#ipsec_in_use


=================================
Candidate: CAN-1999-0733
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990626 VMWare Advisory - buffer overflows
Reference: XF:vmware-bo

Buffer overflow in VMWare 1.0.1 for Linux via a long HOME
environmental variable.

Modifications:
  DELREF XF:linux-vmware-buffer-overflows
  ADDREF XF:vmware-bo

INFERRED ACTION: CAN-1999-0733 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> XF:vmware-bo
 Frech> DELREF XF:linux-vmware-buffer-overflows


=================================
Candidate: CAN-1999-0740
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:594
Reference: XF:linux-telnetd-term
Reference: CALDERA:CSSA-1999:022
Reference: REDHAT:RHSA1999029_01

Remote attackers can cause a denial of service on Linux in.telnetd
telnet daemon through a malformed TERM environmental variable.

INFERRED ACTION: CAN-1999-0740 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Stracener, Ozancin, Frech


=================================
Candidate: CAN-1999-0746
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: BUGTRAQ:19990814 DOS against SuSE's identd
Reference: SUSE:19990824 Security hole in netcfg
Reference: BID:587
Reference: XF:suse-identd-dos

A default configuration of in.identd in SuSE Linux waits 120 seconds
between requests, allowing a remote attacker to conduct a denial of
service.

Modifications:
  ADDREF SUSE:19990824 Security hole in netcfg

INFERRED ACTION: CAN-1999-0746 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Stracener, Ozancin, Frech
   NOOP(1) Christey

Comments:
 Christey> ADDREF SUSE:19990824 Security hole in netcfg


=================================
Candidate: CAN-1999-0778
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: KSRT:011
Reference: XF:accelx-display-bo

Buffer overflow in Xi Graphics Accelerated-X server allows local
users to gain root access via a long display or query parameter.

Modifications:
  CHANGEREF XF:accelx-bo XF:accelx-display-bo

INFERRED ACTION: CAN-1999-0778 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Frech

Comments:
 Frech> XF:accelx-display-bo


=================================
Candidate: CAN-1999-0783
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:05
Reference: CIAC:I-057
Reference: XF:freebsd-nfs-link-dos

FreeBSD allows local users to conduct a denial of service by creating
a hard link from a device special file to a file on an NFS file
system.

Modifications:
  ADDREF XF:freebsd-nfs-link-dos

INFERRED ACTION: CAN-1999-0783 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Blake, Stracener, Prosser
   MODIFY(1) Frech

Comments:
 Frech> XF:freebsd-nfs-link-dos


=================================
Candidate: CAN-1999-0785
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: SUSE:19990518 Security hole in INN
Reference: XF:inn-pathrun
Reference: BID:254

The INN inndstart program allows local users to gain root privileges
via the "pathrun" parameter in the inn.conf file.

Modifications:
  ADDREF SUSE:19990518 Security hole in INN
  ADDREF BID:254

INFERRED ACTION: CAN-1999-0785 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Stracener, Ozancin, Frech
   NOOP(1) Christey

Comments:
 Christey> BID:255 and BID:254 have a good explanation for why this is
 Christey> different than CAN-1999-0754
 Christey>
 Christey> ADDREF SUSE:19990518 Security hole in INN
 Christey> Also see http://www.redhat.com/corp/support/errata/inn99_05_22.html


=================================
Candidate: CAN-1999-0786
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990922 LD_PROFILE local root exploit for solaris 2.6
Reference: BID:659

The dynamic linker in Solaris allows a local user to create arbitrary
files via the LD_PROFILE environmental variable and a symlink attack.

INFERRED ACTION: CAN-1999-0786 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Ozancin


=================================
Candidate: CAN-1999-0789
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-02
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990928 Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000
Reference: IBM:ERS-SVA-E01-1999:004.1
Reference: CIAC:J-072
Reference: XF:aix-ftpd-bo
Reference: BID:679

Buffer overflow in AIX ftpd in the libc library.

Modifications:
  CHANGEREF BUGTRAQ [add date]
  ADDREF CIAC:J-072
  CHANGEREF IBM:ERS-SVA-E01-1 IBM:ERS-SVA-E01-1999:004.1
  ADDREF BID:679
  ADDREF XF:aix-ftpd-bo

INFERRED ACTION: CAN-1999-0789 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Blake
   MODIFY(3) Stracener, Prosser, Frech

Comments:
 Stracener> Add Ref: CIAC: J-072
 Prosser> ref should read ERS-SVA-E01-1999:004.1
 Prosser> add reference  BID 679
 Frech> XF:aix-ftpd-bo
 Frech> On BUGTRAQ reference, add 19990927 as date
 Frech> On IBM reference, correctly cite as ERS-SVA-E01-1999:004.1


=================================
Candidate: CAN-1999-0796
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: FREEBSD:SA-98.03
Reference: XF:freebsd-ttcp-spoof

FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing
attacks.

Modifications:
  ADDREF XF:freebsd-ttcp-spoof

INFERRED ACTION: CAN-1999-0796 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Blake, Stracener, Prosser
   MODIFY(1) Frech
   NOOP(1) Cole

Comments:
 Frech> XF:freebsd-ttcp-spoof


=================================
Candidate: CAN-1999-0797
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: ISS:19980629 Distributed DoS attack against NIS/NIS+ based networks.
Reference: CIAC:I-070
Reference: XF:sun-nis-nisplus

NIS finger allows an attacker to conduct a denial of service via a
large number of finger requests, resulting in a large number of NIS
queries.

Modifications:
  ADDREF XF:sun-nis-nisplus
  ADDREF ISS:19980629 Distributed DoS attack against NIS/NIS+ based networks.

INFERRED ACTION: CAN-1999-0797 ACCEPT (3 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> XF:sun-nis-nisplus


=================================
Candidate: CAN-1999-0806
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990510 Solaris2.6,2.7 dtprintinfo exploits
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9905B&L=bugtraq&P=R1173
Reference: XF:cde-dtprintinfo

Buffer overflow in Solaris dtprintinfo program.

Modifications:
  ADDREF BUGTRAQ:19990510 Solaris2.6,2.7 dtprintinfo exploits

INFERRED ACTION: CAN-1999-0806 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Ozancin, Frech
   MODIFY(1) Stracener
   NOOP(1) Christey

Comments:
 Stracener> Add Ref: BUGTRAQ:19990510:Solaris2.6,2.7 dtprintinfo exploits
 Christey> This candidate is unconfirmed by the vendor.
 Christey>
 Christey> Posted by UNYUN of Shadow Penguin Security; Darren J
 Christey> Moffat claims it is Sun Bug# 4139394.


=================================
Candidate: CAN-1999-0890
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990928 Team Asylum: iHTML Merchant Vulnerabilities
Reference: XF:ihtml-merchant-file-access

iHTML Merchant allows remote attackers to obtain sensitive information
or execute commands via a code parsing error.

Modifications:
  ADDREF XF:ihtml-merchant-file-access

INFERRED ACTION: CAN-1999-0890 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Frech

Comments:
 Frech> ADDREF XF:ihtml-merchant-file-access


=================================
Candidate: CAN-1999-0893
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow
Reference: XF:sco-openserver-userosa-script

userOsa in SCO OpenServer allows local users to corrupt files via a
symlink attack.

Modifications:
  ADDREF XF:sco-openserver-userosa-script

INFERRED ACTION: CAN-1999-0893 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> XF:sco-openserver-userosa-script


=================================
Candidate: CAN-1999-0896
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991109 RealNetworks RealServer G2 buffer overflow.
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.991105022225.914A-100000@attica.gen.nz
Reference: MISC:http://service.real.com/help/faq/servg260.html
Reference: XF:realserver-g2-pw-bo
Reference: BID:767

Buffer overflow in RealNetworks RealServer administration utility
allows remote attackers to execute arbitrary commands via a long
username and password.

Modifications:
  ADDREF XF:realserver-g2-pw-bo
  ADDREF MISC:http://service.real.com/help/faq/servg260.html

INFERRED ACTION: CAN-1999-0896 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> ADDREF XF:realserver-g2-pw-bo
 Christey> This candidate is unconfirmed by the vendor.


=================================
Candidate: CAN-1999-0908
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990921 solaris DoS
Reference: BID:655
Reference: XF:sun-tcp-mutex-enter-dos

Denial of service in Solaris TCP streams driver via a malicious
connection that causes the server to panic as a result of recursive
calls to mutex_enter.

Modifications:
  ADDREF XF:sun-tcp-mutex-enter-dos

INFERRED ACTION: CAN-1999-0908 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> sun-tcp-mutex-enter-dos


=================================
Candidate: CAN-1999-0916
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 19991222
Assigned: 19991208
Category: CF
Reference: ISS:19990629 Bad Permissions on Passwords Stored by WebTrends Software
Reference: URL:http://xforce.iss.net/alerts/advise29.php3

WebTrends software stores account names and passwords in a file which
does not have restricted access permissions.

INFERRED ACTION: CAN-1999-0916 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Frech

Comments:
 Frech> XF:webtrends-bad-perms


=================================
Candidate: CAN-1999-0920
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990526 Remote vulnerability in pop2d
Reference: XF:pop2-fold-bo

Buffer overflow in the pop-2d POP daemon in the IMAP package allows
remote attackers to gain privileges via the FOLD command.

Modifications:
  ADDREF XF:pop2-fold-bo

INFERRED ACTION: CAN-1999-0920 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> ADDREF XF:pop2-fold-bo


=================================
Candidate: CAN-1999-0931
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990930 Security flaw in Mediahouse Statistics Server v4.28 & 5.01
Reference: BID:734
Reference: XF:mediahouse-stats-login-bo

Buffer overflow in Mediahouse Statistics Server allows remote
attackers to execute commands.

Modifications:
  ADDREF XF:mediahouse-stats-login-bo

INFERRED ACTION: CAN-1999-0931 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Frech

Comments:
 Frech> ADDREF XF:mediahouse-stats-login-bo


=================================
Candidate: CAN-1999-0964
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: FREEBSD:FreeBSD-SA-97:01
Reference: XF:freebsd-setlocale-bo

Buffer overflow in FreeBSD setlocale in the libc module.

Modifications:
  ADDREF XF:freebsd-setlocale-bo

INFERRED ACTION: CAN-1999-0964 ACCEPT (6 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Blake, Stracener, Prosser, Meunier
   MODIFY(1) Frech

Comments:
 Frech> XF:freebsd-setlocale-bo


=================================
Candidate: CAN-1999-0966
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: L0PHT:19970127 Solaris libc - getopt(3)

Buffer overflow in Solaris getopt in libc allows local users to gain
root privileges via a long argv[0].

INFERRED ACTION: CAN-1999-0966 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Stracener, Ozancin, Meunier


=================================
Candidate: CAN-1999-0996
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: EEYE:AD19991215
Reference: BUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow
Reference: NTBUGTRAQ:19991216 Infoseek Ultraseek Remote Buffer Overflow
Reference: XF:infoseek-ultraseek-bo

Buffer overflow in Infoseek Ultraseek search engine allows remote
attackers to execute commands via a long GET request.

Modifications:
  ADDREF XF:infoseek-ultraseek-bo

INFERRED ACTION: CAN-1999-0996 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> XF:infoseek-ultraseek-bo


=================================
Candidate: CAN-1999-0998
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Reference: XF:cisco-cache-engine-replace

Cisco Cache Engine allows an attacker to replace content in the cache.

Modifications:
  ADDREF XF:cisco-cache-engine-replace

INFERRED ACTION: CAN-1999-0998 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(2) Cole, Frech
   NOOP(1) Wall

Comments:
 Cole> This vulnerability exists in PPP CHAP authentication.  Also the BID is 693.
 Cole> If I have the right vulnerability.  The description is not that clear.
 Frech> XF:cisco-cache-engine-replace


=================================
Candidate: CAN-1999-1000
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Reference: XF:cisco-cache-engine-performance

The web administration interface for Cisco Cache Engine allows remote
attackers to view performance statistics.

Modifications:
  ADDREF XF:cisco-cache-engine-performance

INFERRED ACTION: CAN-1999-1000 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> XF:cisco-cache-engine-performance


=================================
Candidate: CAN-2000-0003
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991230 UnixWare rtpm exploit + discussion
Reference: BUGTRAQ:20000127 New SCO patches...

Buffer overflow in UnixWare rtpm program allows local users to gain
privileges via a long environmental variable.

Modifications:
  ADDREF BUGTRAQ:20000127 New SCO patches...

INFERRED ACTION: CAN-2000-0003 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong
   NOOP(1) Christey

Comments:
 Christey> ADDREF BUGTRAQ:20000127 New SCO patches...


=================================
Candidate: CAN-2000-0022
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Lotus Domino HTTP server does not properly disable anonymous access
for the cgi-bin directory.

INFERRED ACTION: CAN-2000-0022 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0023
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
Reference: BUGTRAQ:19991222 Lotus Notes HTTP cgi-bin vulnerability: possible workaround
Reference: BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack

Buffer overflow in Lotus Domino HTTP server allows remote attackers to
cause a denial of service via a long URL.

INFERRED ACTION: CAN-2000-0023 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0025
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-058
Reference: MSKB:Q238606

IIS 4.0 and Site Server 3.0 allow remote attackers to read source code
for ASP files if the file is in a virtual directory whose name
includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the
"Virtual Directory Naming" vulnerability.

Modifications:
  ADDREF MSKB:Q238606

INFERRED ACTION: CAN-2000-0025 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Armstrong
   MODIFY(1) Stracener

Comments:
 Stracener> Add Ref: MSKB:Q238606


=================================
Candidate: CAN-2000-0026
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000120-01
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991222 UnixWare i2odialogd remote root exploit
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.

Buffer overflow in UnixWare i2odialogd daemon allows remote attackers
to gain root access via a long username/password authorization
string.

Modifications:
  ADDREF BUGTRAQ:19991223 FYI, SCO Security patches available.

INFERRED ACTION: CAN-2000-0026 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0029
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000120-01
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991227 UnixWare local pis exploit
Reference: BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
Reference: BID:901

UnixWare pis and mkpis commands allow local users to gain privileges
via a symlink attack.

Modifications:
  ADDREF BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.

INFERRED ACTION: CAN-2000-0029 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0031
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: L0PHT:19991227 initscripts-4.48-1 RedHat Linux 6.1
Reference: REDHAT:RHSA-1999:052-04

The initscripts package in Red Hat Linux allows local users to gain
privileges via a symlink attack.

INFERRED ACTION: CAN-2000-0031 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0036
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: MS:MS99-060
Reference: MSKB:Q249082

Outlook Express 5 for Macintosh downloads attachments to HTML mail
without prompting the user, aka the "HTML Mail Attachment"
vulnerability.

INFERRED ACTION: CAN-2000-0036 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0037
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000207-01
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991228 majordomo local exploit
Reference: BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
Reference: BUGTRAQ:20000124 majordomo 1.94.5 does not fix all vulnerabilities
Reference: BID:903

Majordomo wrapper allows local users to gain privileges by specifying
an alternate configuration file.

Modifications:
  ADDREF BUGTRAQ:20000113 Info on some security holes reported against SCO Unixware.
  ADDREF BUGTRAQ:20000124 majordomo 1.94.5 does not fix all vulnerabilities

INFERRED ACTION: CAN-2000-0037 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0039
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000121-01
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 AltaVista
Reference: BUGTRAQ:19991230 Follow UP AltaVista
Reference: BUGTRAQ:19991229 AltaVista followup and monitor script
Reference: BUGTRAQ:20000103 FW: Patch issued for AltaVista Search Engine Directory TraversalVulnerability
Reference: BUGTRAQ:20000109 Altavista followup
Reference: BID:896

AltaVista search engine allows remote attackers to read files above
the document root via a .. (dot dot) in the query.cgi CGI program.

INFERRED ACTION: CAN-2000-0039 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0040
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991223 Multiple vulnerabilites in glFtpD (current versions)

glFtpD allows local users to gain privileges via metacharacters in the
SITE ZIPCHK command.

INFERRED ACTION: CAN-2000-0040 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0041
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: BUGTRAQ:19991229 The "Mac DoS Attack," a Scheme for Blocking Internet Connections
Reference: BID:890

Macintosh systems generate large ICMP datagrams in response to
malformed datagrams, allowing them to be used as amplifiers in a flood
attack.

INFERRED ACTION: CAN-2000-0041 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Stracener, Armstrong


=================================
Candidate: CAN-2000-0088
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: MS:MS00-002
Reference: XF:office-malformed-convert
Reference: BID:946

Buffer overflow in the conversion utilities for Japanese, Korean and
Chinese Word 5 documents allows an attacker to execute commands, aka
the "Malformed Conversion Data" vulnerability.

INFERRED ACTION: CAN-2000-0088 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole


=================================
Candidate: CAN-2000-0089
Published:
Final-Decision:
Interim-Decision: 20000315
Modified: 20000313-01
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: NTBUGTRAQ:20000121 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition
Reference: BUGTRAQ:20000122 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition
Reference: MS:MS00-004
Reference: MSKB:Q249108
Reference: BID:947
Reference: XF:nt-rdisk-enum-file

The rdisk utility in Microsoft Terminal Server Edition and Windows NT
4.0 stores registry hive information in a temporary file with
permissions that allow local users to read it, aka the "RDISK Registry
Enumeration File" vulnerability.

Modifications:
  DESC Add Win NT 4.0

INFERRED ACTION: CAN-2000-0089 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Wall

Comments:
 Wall> Add Windows NT 4.0 server and workstation as well.  It works on these platforms
 Wall> as well.


=================================
Candidate: CAN-2000-0097
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: NTBUGTRAQ:20000127 Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV000126)
Reference: MS:MS00-006
Reference: BID:950
Reference: XF:http-indexserver-dirtrans

The WebHits ISAPI filter in Microsoft Index Server allows remote
attackers to read arbitrary files, aka the "Malformed Hit-Highlighting
Argument" vulnerability.

INFERRED ACTION: CAN-2000-0097 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole


=================================
Candidate: CAN-2000-0098
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: MS:MS00-006

Microsoft Index Server allows remote attackers to determine the real
path for a web directory via a request to an Internet Data Query file
that does not exist.

INFERRED ACTION: CAN-2000-0098 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole


=================================
Candidate: CAN-2000-0121
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: NTBUGTRAQ:20000201 "Recycle Bin Creation" Vulnerability in Windows NT / Windows 2000
Reference: MS:MS00-007
Reference: MSKB:Q248399
Reference: BID:963

The Recycle Bin utility in Windows NT and Windows 2000 allows local
users to read or modify files by creating a subdirectory with the
victim's SID in the recycler directory, aka the "Recycle Bin
Creation" vulnerability.

INFERRED ACTION: CAN-2000-0121 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Wall, Cole


=================================
Candidate: CAN-2000-0139
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000216
Assigned: 20000216
Category: SF
Reference: BUGTRAQ:20000210 remote DoS on Internet Anywhere Mail Server Ver.3.1.3
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95021326417936&w=2
Reference: BID:982
Reference: URL:http://www.securityfocus.com/bid/982

Internet Anywhere POP3 Mail Server allows local users to cause a
denial of service via a malformed RETR command.

INFERRED ACTION: CAN-2000-0139 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Bishop, Cole, Blake
   NOOP(2) LeBlanc, Christey

Comments:
 Christey> This candidate is unconfirmed by the vendor.
 Christey>
 Christey> Reported by Nobuo Miwa, moderator of BUGTRAQ-JP.
 Blake> In his Bugtraq post, Nobuo claims to have discussed it with the vendor and
 Blake> that they said they were working on a fix.  That's good enough for me.


=================================
Candidate: CAN-2000-0145
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000216
Assigned: 20000216
Category: CF
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-02/0038.html
Reference: BUGTRAQ:20000205 Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0

The libguile.so library file used by gnucash in Debian Linux is
installed with world-writable permissions.

INFERRED ACTION: CAN-2000-0145 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Bishop, Blake, Cole
   NOOP(2) LeBlanc, Christey


=================================
Candidate: CAN-2000-0148
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000216
Assigned: 20000216
Category: SF
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
Reference: BUGTRAQ:20000208 Remote access vulnerability in all MySQL server versions
Reference: BUGTRAQ:20000214 MySQL 3.22.32 released
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-8&msg=Pine.BSO.4.21.0002141636590.27495-100000@birdie.sekure.net
Reference: BID:975
Reference: URL:http://www.securityfocus.com/bid/975

MySQL 3.22 allows remote attackers to bypass password authentication
and access a database via a short check string.

INFERRED ACTION: CAN-2000-0148 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Bishop, Blake, Cole
   NOOP(1) LeBlanc


=================================
Candidate: CAN-2000-0149
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000216
Assigned: 20000216
Category: SF
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-02/0057.html
Reference: BUGTRAQ:20000209 [SAFER 000209.EXP.1.2] Zeus Web Server - obtaining source of CGI scripts
Reference: BUGTRAQ:20000208 Zeus Web Server: Null Terminated Strings
Reference: BID:977
Reference: URL:http://www.securityfocus.com/bid/977

Zeus web server allows remote attackers to view the source code for
CGI programs via a null character (%00) at the end of a URL.

INFERRED ACTION: CAN-2000-0149 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Bishop, Blake, Cole
   NOOP(1) LeBlanc


=================================
Candidate: CAN-2000-0150
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000216
Assigned: 20000216
Category: SF
Reference: BUGTRAQ:20000209 FireWall-1 FTP Server Vulnerability
Reference: BUGTRAQ:20000212 Re: FireWall-1 FTP Server Vulnerability
Reference: BUGTRAQ:20000210 Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-8&msg=51A8E31DE32DD211A0590008C71E7E4C59686E@tro-03-msg.merkantildata.no
Reference: BID:979
Reference: URL:http://www.securityfocus.com/bid/979

Firewall-1 allows remote attackers to bypass port access restrictions
on an FTP server by forcing it to send malicious packets which
Firewall-1 misinterprets as a valid 227 response to a client's PASV
attempt.

INFERRED ACTION: CAN-2000-0150 ACCEPT (4 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(4) LeBlanc, Bishop, Blake, Cole


=================================
Candidate: CAN-2000-0152
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000216
Assigned: 20000216
Category: SF
Reference: BUGTRAQ:20000209 Novell BorderManager 3.5 Remote Slow Death
Reference: BUGTRAQ:20000211 BorderManager csatpxy.nlm fix avalable.

Remote attackers can cause a denial of service in Novell BorderManager
3.5 by pressing the enter key in a telnet connection to port 2000.

INFERRED ACTION: CAN-2000-0152 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Bishop, Blake, Cole
   NOOP(1) LeBlanc


=================================
Candidate: CAN-2000-0156
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000223
Assigned: 20000223
Category: SF
Reference: MS:MS00-009
Reference: URL:http://www.microsoft.com/technet/security/bulletins/ms00-009.asp

Internet Explorer 4.x and 5.x allow a remote web server to access
files on the client that are outside of its security domain, aka the
"Image Source Redirect" vulnerability.

INFERRED ACTION: CAN-2000-0156 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, LeBlanc


=================================
Candidate: CAN-2000-0161
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000223
Assigned: 20000223
Category: SF
Reference: MS:MS00-010
Reference: URL:http://www.microsoft.com/technet/security/bulletins/ms00-010.asp
Reference: BID:994
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=994

Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not
validate an identification number, which allows remote attackers to
execute SQL commands.

INFERRED ACTION: CAN-2000-0161 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, LeBlanc


=================================
Candidate: CAN-2000-0162
Published:
Final-Decision:
Interim-Decision: 20000315
Modified:
Proposed: 20000223
Assigned: 20000223
Category: SF
Reference: MS:MS00-011
Reference: URL:http://www.microsoft.com/technet/security/bulletins/ms00-011.asp

The Microsoft virtual machine (VM) in Internet Explorer 4.x and 5.x
allows a remote attacker to read files via a malicious Java applet
that escapes the Java sandbox, aka the "VM File Reading"
vulnerability.

INFERRED ACTION: CAN-2000-0162 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, LeBlanc

Page Last Updated or Reviewed: May 22, 2007