
[PROPOSAL] Cluster RECENT-14 - 22 candidates



The following cluster contains 22 candidates that were announced
between March 11 and March 30, 2000.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve



Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0226
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-018.asp
Reference: BID:1066
Reference: URL:http://www.securityfocus.com/bid/1066
Reference: XF:iis-chunked-encoding-dos

IIS 4.0 allows attackers to cause a denial of service by requesting a
large buffer in a POST or PUT command which consumes memory, aka the
"Chunked Transfer Encoding Buffer Overflow Vulnerability."


ED_PRI CAN-2000-0226 1


VOTE:

=================================
Candidate: CAN-2000-0228
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-016
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-016.asp
Reference: BID:1058
Reference: URL:http://www.securityfocus.com/bid/1058

Microsoft Windows Media License Manager allows remote attackers to
cause a denial of service by sending a malformed request that causes
the manager to halt, aka the "Malformed Media License Request"
Vulnerability.


ED_PRI CAN-2000-0228 1


VOTE:

=================================
Candidate: CAN-2000-0232
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-021
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-021.asp
Reference: BUGTRAQ:20000330 Remote DoS Attack in Windows 2000/NT 4.0 TCP/IP Print Request Server Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0306.html
Reference: BID:1082
Reference: URL:http://www.securityfocus.com/bid/1082

Microsoft TCP/IP Printing Services, aka Print Services for Unix,
allows an attacker to cause a denial of service via a malformed TCP/IP
print request.


ED_PRI CAN-2000-0232 1


VOTE:

=================================
Candidate: CAN-2000-0233
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: SUSE:20000327 Security hole in SuSE Linux IMAP Server
Reference: http://archives.neohapsis.com/archives/vendor/2000-q1/0035.html

SuSE Linux IMAP server allows remote attackers to bypass IMAP
authentication and gain privileges.


ED_PRI CAN-2000-0233 1


VOTE:

=================================
Candidate: CAN-2000-0235
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:10
Reference: http://archives.neohapsis.com/archives/freebsd/2000-03/0068.html
Reference: BID:1070
Reference: URL:http://www.securityfocus.com/bid/1070

Buffer overflow in the huh program in the orville-write package allows
local users to gain root privileges.


ED_PRI CAN-2000-0235 1


VOTE:

=================================
Candidate: CAN-2000-0245
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: SGI:20000303-01-PX
Reference: URL:ftp://sgigate.sgi.com/security/20000303-01-PX
Reference: BUGTRAQ:20000328 Objectserver vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200003290852.aa27218@blaze.arl.mil
Reference: BID:1079
Reference: URL:http://www.securityfocus.com/bid/1079

Vulnerability in SGI IRIX objectserver daemon allows remote attackers
to create user accounts.


ED_PRI CAN-2000-0245 1


VOTE:

=================================
Candidate: CAN-2000-0246
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-019.asp
Reference: MSKB:Q249599
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=249599
Reference: BID:1081
Reference: URL:http://www.securityfocus.com/bid/1081

IIS 4.0 and 5.0 do not properly perform ISAPI extension processing
if a virtual directory is mapped to a UNC share, which allows remote
attackers to read the source code of ASP and other files.


ED_PRI CAN-2000-0246 1


VOTE:

=================================
Candidate: CAN-2000-0234
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: CF
Reference: BUGTRAQ:20000330 Cobalt apache configuration exposes .htaccess
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000330220757.28456.qmail@securityfocus.com
Reference: MISC:http://www.securityfocus.com/templates/advisory.html?id=2150
Reference: BID:1083
Reference: URL:http://www.securityfocus.com/bid/1083

The default configuration of Cobalt RaQ2 and RaQ3 as specified in
access.conf allows remote attackers to view sensitive contents of a
.htaccess file.


ED_PRI CAN-2000-0234 2


VOTE:

=================================
Candidate: CAN-2000-0243
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000324 AnalogX SimpleServer 1.03 Remote Crash
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=web-5645555@post2.rnci.com
Reference: XF:simpleserver-exception-dos
Reference: BID:1076
Reference: URL:http://www.securityfocus.com/bid/1076
Reference: MISC:http://www.analogx.com/contents/download/network/sswww.htm

Buffer overflow in AnalogX SimpleServer:WWW HTTP server 1.03 allows
remote attackers to cause a denial of service via a short GET request
to cgi-bin.


ED_PRI CAN-2000-0243 2


VOTE:

=================================
Candidate: CAN-2000-0247
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000322 Local root compromise in GNQS 3.50.6 and 3.50.7
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-03/0236.html
Reference: MISC:http://ftp.gnqs.org/pub/gnqs/source/by-version-number/v3.50/Generic-NQS-3.50.8-ChangeLog.txt

Vulnerability in Generic-NQS (GNQS) allows local users to gain root
privileges.


ED_PRI CAN-2000-0247 2


VOTE:

=================================
Candidate: CAN-2000-0227
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000323 Local Denial-of-Service attack against Linux
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000323175509.A23709@clearway.com
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0254.html
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0272.html
Reference: BID:1072
Reference: URL:http://www.securityfocus.com/bid/1072
Reference: XF:linux-domain-socket-dos

The Linux 2.2.x kernel does not restrict the number of Unix domain
sockets as defined by the wmem_max parameter, which allows local users
to cause a denial of service by requesting a large number of sockets.


ED_PRI CAN-2000-0227 3


VOTE:

=================================
Candidate: CAN-2000-0229
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000322 gpm-root
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-03/0242.html
Reference: BID:1069
Reference: URL:http://www.securityfocus.com/bid/1069
Reference: XF:linux-gpm-root

gpm-root in the gpm package does not properly drop privileges, which
allows local users to gain privileges by starting a utility from
gpm-root.


ED_PRI CAN-2000-0229 3


VOTE:

=================================
Candidate: CAN-2000-0230
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000316 TESO & C-Skills development advisory -- imwheel
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-03/0168.html
Reference: BID:1060
Reference: URL:http://www.securityfocus.com/bid/1060

Buffer overflow in imwheel allows local users to gain root privileges
via the imwheel-solo script and a long HOME environmental variable.


ED_PRI CAN-2000-0230 3


VOTE:

=================================
Candidate: CAN-2000-0231
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000316 TESO & C-Skills development advisory -- kreatecd
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-03/0162.html
Reference: XF:linux-kreatecd-path
Reference: BID:1061
Reference: URL:http://www.securityfocus.com/bid/1061

Linux kreatecd trusts a user-supplied path that is used to find the
cdrecord program, allowing local users to gain root privileges.


ED_PRI CAN-2000-0231 3


VOTE:

=================================
Candidate: CAN-2000-0236
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000317 [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D2173D.24E39DD0@relaygroup.com
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-03/0191.html
Reference: http://archives.neohapsis.com/archives/bugtraq/2000-03/0238.html
Reference: BID:1063
Reference: URL:http://www.securityfocus.com/bid/1063
Reference: XF:netscape-server-directory-indexing

Netscape Enterprise Server with Web Publishing enabled allows remote
attackers to list server directories via web publishing tags such as
?wp-ver-info and ?wp-cs-dump.


ED_PRI CAN-2000-0236 3


VOTE:

=================================
Candidate: CAN-2000-0237
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MISC:http://zsh.stupidphat.com/advisory.cgi?000311-1
Reference: BID:1075
Reference: URL:http://www.securityfocus.com/bid/1075

Netscape Enterprise Server with Web Publishing enabled allows remote
attackers to list arbitrary directories via a GET request for the
/publisher directory, which provides a Java applet that allows the
attacker to browse the directories.


ED_PRI CAN-2000-0237 3


VOTE:

=================================
Candidate: CAN-2000-0238
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000317 DoS with NAVIEG
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=s8d1f3e3.036@kib.co.kodiak.ak.us
Reference: XF:nav-email-gateway-dos
Reference: BID:1064
Reference: URL:http://www.securityfocus.com/bid/1064

Buffer overflow in the web server for Norton AntiVirus for Internet
Email Gateways allows remote attackers to cause a denial of service
via a long URL.


ED_PRI CAN-2000-0238 3


VOTE:

=================================
Candidate: CAN-2000-0239
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000315 Local / Remote  DoS Attack in MERCUR WebView WebMail-Client 1.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95325335825295&w=2
Reference: URL:http://www.ussrback.com/labs36.html
Reference: BID:1056
Reference: URL:http://www.securityfocus.com/bid/1056
Reference: XF:mercur-webview-get-dos

Buffer overflow in the MERCUR WebView WebMail server allows remote
attackers to cause a denial of service via a long mail_user parameter
in the GET request.


ED_PRI CAN-2000-0239 3


VOTE:

=================================
Candidate: CAN-2000-0240
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000321 vqserver /........../
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net
Reference: XF:vqserver-dir-traverse
Reference: BID:1067
Reference: URL:http://www.securityfocus.com/bid/1067

vqSoft vqServer program allows remote attackers to read arbitrary
files via a /........../ in the URL, a variation of a .. (dot dot)
attack.


ED_PRI CAN-2000-0240 3


VOTE:

=================================
Candidate: CAN-2000-0241
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF/CF/MP/SA/AN/unknown
Reference: BUGTRAQ:20000321 vqserver /........../
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net
Reference: BID:1068
Reference: URL:http://www.securityfocus.com/bid/1068
Reference: XF:vqserver-passwd-plaintext

vqSoft vqServer stores sensitive information such as passwords in
cleartext in the server.cfg file, which allows attackers to gain
privileges.


ED_PRI CAN-2000-0241 3


VOTE:

=================================
Candidate: CAN-2000-0242
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000325 Windmail allow web user get any file
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com
Reference: XF:windmail-fileread
Reference: XF:windmail-pipe-command
Reference: BID:1073
Reference: URL:http://www.securityfocus.com/bid/1073

WindMail allows remote attackers to read arbitrary files or execute
commands via shell metacharacters.


ED_PRI CAN-2000-0242 3


VOTE:

=================================
Candidate: CAN-2000-0244
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000328 Citrix ICA Basic Encryption
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.20.0003290949280.2640-100000@naughty.monkey.org
Reference: BID:1077
Reference: URL:http://www.securityfocus.com/bid/1077

The Citrix ICA (Independent Computing Architecture) protocol uses weak
encryption (XOR) for user authentication.


ED_PRI CAN-2000-0244 3


VOTE:

Page Last Updated or Reviewed: May 22, 2007