[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FINAL] ACCEPT 34 recent candidates

To: cve-editorial-board-list@lists.mitre.org
Subject: [FINAL] ACCEPT 34 recent candidates
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Thu, 1 Jun 2000 22:28:40 -0400 (EDT)
Delivery-Date: Thu Jun 1 22:28:47 2000
Sender: owner-cve-editorial-board-list@lists.mitre.org
I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below.  The
resulting CVE entries will be published in the near future in a new
version of CVE.  Voting details and comments are provided at the end
of this report.

- Steve


Candidate	CVE Name
---------	----------
CAN-1999-0819	CVE-1999-0819
CAN-1999-0832	CVE-1999-0832
CAN-1999-0836	CVE-1999-0836
CAN-1999-0838	CVE-1999-0838
CAN-1999-0842	CVE-1999-0842
CAN-1999-0854	CVE-1999-0854
CAN-1999-0856	CVE-1999-0856
CAN-1999-0859	CVE-1999-0859
CAN-1999-0864	CVE-1999-0864
CAN-1999-0865	CVE-1999-0865
CAN-1999-0866	CVE-1999-0866
CAN-1999-0976	CVE-1999-0976
CAN-2000-0004	CVE-2000-0004
CAN-2000-0113	CVE-2000-0113
CAN-2000-0169	CVE-2000-0169
CAN-2000-0171	CVE-2000-0171
CAN-2000-0226	CVE-2000-0226
CAN-2000-0228	CVE-2000-0228
CAN-2000-0229	CVE-2000-0229
CAN-2000-0230	CVE-2000-0230
CAN-2000-0231	CVE-2000-0231
CAN-2000-0232	CVE-2000-0232
CAN-2000-0233	CVE-2000-0233
CAN-2000-0234	CVE-2000-0234
CAN-2000-0235	CVE-2000-0235
CAN-2000-0245	CVE-2000-0245
CAN-2000-0246	CVE-2000-0246
CAN-2000-0258	CVE-2000-0258
CAN-2000-0260	CVE-2000-0260
CAN-2000-0267	CVE-2000-0267
CAN-2000-0268	CVE-2000-0268
CAN-2000-0274	CVE-2000-0274
CAN-2000-0277	CVE-2000-0277
CAN-2000-0294	CVE-2000-0294



=================================
Candidate: CAN-1999-0819
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991130 NTmail and VRFY
Reference: BUGTRAQ:19991130 NTmail and VRFY
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94398141118586&w=2
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94407764018739&w=2
Reference: XF:nt-mail-vrfy

NTMail does not disable the VRFY command, even if the administrator
has explicitly disabled it.

Modifications:
  ADDREF XF:nt-mail-vrfy

INFERRED ACTION: CAN-1999-0819 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Stracener, Prosser
   MODIFY(2) Cole, Frech
   NOOP(2) Armstrong, Christey

Comments:
 Cole> The references are wrong.  The BID is 856 and the full ID is
 Cole> 19991129 not 30.
 Cole> I would add that NTMail does not disable the VRFY command on ESMTP
 Cole> servers, even ...  This can be used to gather information about users email
 Cole> addresses.
 Frech> XF:nt-mail-vrfy
 Christey> Mike Prosser's REVIEWING vote expires on May 8, 2000


=================================
Candidate: CAN-1999-0832
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991109 undocumented bugs - nfsd
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.20.9911091058140.12964-100000@mail.zigzag.pl
Reference: DEBIAN:19991111 buffer overflow in nfs server
Reference: URL:http://www.debian.org/security/1999/19991111
Reference: SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_29.txt
Reference: CALDERA:CSSA-1999-033.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-033.0.txt
Reference: REDHAT:RHSA-1999:053-01
Reference: URL:http://www.redhat.com/support/errata/rh42-errata-general.html#NFS
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: XF:linux-nfs-maxpath-bo
Reference: BID:782
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=782

Buffer overflow in NFS server on Linux allows attackers to execute
commands via a long pathname.

Modifications:
  ADDREF BUGTRAQ:19991109 undocumented bugs - nfsd
  ADDREF DEBIAN:19991111 buffer overflow in nfs server
  ADDREF SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita
  ADDREF CALDERA:CSSA-1999-033.0
  ADDREF REDHAT:RHSA-1999:053-01
  ADDREF BID:782
  ADDREF XF:linux-nfs-maxpath-bo
  DESC Remove Slackware, say it's on Linux systems.

INFERRED ACTION: CAN-1999-0832 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Prosser
   MODIFY(2) Stracener, Frech
   NOOP(1) Christey

Comments:
 Stracener> Suggest removing "Slackware 7.0" from the description
 Stracener> Add Ref: CSSA-1999-033.0
 Stracener> Add Ref: DEBIAN: nfs-server: buffer overflow in nfs server 11/11/99
 Stracener> Add Ref: SuSE Security Announcement "nfs-server < 2.2beta47 within
 Stracener> nkita" 11/12/99
 Frech> XF:linux-nfs-maxpath-bo
 Christey> ADDREF DEBIAN:19991111 buffer overflow in nfs server
 Christey> ADDREF SUSE:19991110 Security hole in nfs-server < 2.2beta47 within nkita
 Christey> ADDREF CALDERA:CSSA-1999-033.0
 Christey> ADDREF RHSA-1999:053-01
 Christey> ADDREF? BID:782
 Christey> ADDREF? BUGTRAQ:19991109 undocumented bugs - nfsd
 Prosser> agree that description should be generic Linux vice Slackware
 Prosser> only since multiple versions affected


=================================
Candidate: CAN-1999-0836
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000501-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare 7 uidadmin exploit + discussion
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991202160111.20553.qmail@nwcst282.netaddress.usa.net
Reference: SCO:SB-99.22a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.22a
Reference: BID:842
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=842
Reference: XF:unixware-uid-admin

UnixWare uidadmin allows local users to modify arbitrary files via
a symlink attack.

Modifications:
  ADDREF BID:842
  ADDREF XF:unixware-uid-admin
  ADDREF SCO:SB-99.22a

INFERRED ACTION: CAN-1999-0836 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Stracener, Armstrong, Prosser
   MODIFY(2) Cole, Frech
   NOOP(1) Christey

Comments:
 Cole> The BID is 842.
 Frech> unixware-uid-admin
 Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.22a


=================================
Candidate: CAN-1999-0838
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability
Reference: XF:servu-ftp-site-bo

Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a
denial of service via the SITE command.

Modifications:
  ADDREF XF:servu-ftp-site-bo

INFERRED ACTION: CAN-1999-0838 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(4) Armstrong, Cole, Stracener, Prosser
   MODIFY(1) Frech

Comments:
 Frech> XF:servu-ftp-site-bo


=================================
Candidate: CAN-1999-0842
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: BUGTRAQ:19991129 Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPCEAFCBAA.labs@ussrback.com
Reference: BID:827
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=827
Reference: XF:symantec-mail-dir-traversal

Symantec Mail-Gear 1.0 web interface server allows remote users to
read arbitrary files via a .. (dot dot) attack.

Modifications:
  ADDREF XF:symantec-mail-dir-traversal

INFERRED ACTION: CAN-1999-0842 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(4) Armstrong, Cole, Stracener, Prosser
   MODIFY(1) Frech

Comments:
 Frech> XF:symantec-mail-dir-traversal


=================================
Candidate: CAN-1999-0854
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: unknown
Reference: BUGTRAQ:19991130 Ultimate Bulletin Board v5.3x? Bug
Reference: BUGTRAQ:20000225 FW: Important UBB News For Licensed Users
Reference: CONFIRM:http://www.ultimatebb.com/home/versions.shtml
Reference: XF:http-ultimate-bbs

Ultimate Bulletin Board stores data files in the cgi-bin directory,
allowing remote attackers to view the data if an error occurs when the
HTTP server attempts to execute the file.

Modifications:
  ADDREF BUGTRAQ:20000225 FW: Important UBB News For Licensed Users
  ADDREF CONFIRM:http://www.ultimatebb.com/home/versions.shtml

INFERRED ACTION: CAN-1999-0854 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Armstrong, Cole
   MODIFY(1) Frech
   NOOP(3) Stracener, Christey, Prosser

Comments:
 Frech> XF:http-ultimate-bbs
 Christey> The following could be a confirmation by UBB:
 Christey> BUGTRAQ:20000225 FW: Important UBB News For Licensed Users
 Christey> Also see the entry for Version 5.44 on February 18, 2000
 Christey> at http://www.ultimatebb.com/home/versions.shtml


=================================
Candidate: CAN-1999-0856
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 Slackware 7.0 - login bug
Reference: XF:slackware-remote-login

login in Slackware 7.0 allows remote attackers to identify valid users
on the system by reporting an encryption error when an account is
locked or does not exist.

Modifications:
  ADDREF XF:slackware-remote-login

INFERRED ACTION: CAN-1999-0856 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

Comments:
 Frech> XF:slackware-remote-login


=================================
Candidate: CAN-1999-0859
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: SUNBUG:4296166
Reference: BID:837
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=837
Reference: XF:sol-arp-parse

Solaris arp allows local users to read files via the -f parameter,
which lists lines in the file that do not parse properly.

Modifications:
  ADDREF SUNBUG:4296166
  ADDREF XF:sol-arp-parse

INFERRED ACTION: CAN-1999-0859 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Armstrong, Stracener, Prosser
   MODIFY(3) Cole, Frech, Dik

Comments:
 Cole> This attack makes it possible to read bin and owned files to which
 Cole> read access is not permitted to local users through exploiting subtle
 Cole> vulenrabilties in arp and chkperm.
 Frech> XF:sol-arp-parse
 Dik> include reference to Sun bug 4296166


=================================
Candidate: CAN-1999-0864
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991202 UnixWare coredumps follow symlinks
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991203020720.13115.qmail@nwcst289.netaddress.usa.net
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94530783815434&w=2
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94606167110764&w=2
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Reference: XF:sco-coredump-symlink
Reference: BID:851
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=851

UnixWare programs that dump core allow a local user to
modify files via a symlink attack on the ./core.pid file.

Modifications:
  ADDREF BUGTRAQ:19991223 FYI, SCO Security patches available.
  ADDREF BUGTRAQ:19991220 SCO OpenServer Security Status
  ADDREF XF:sco-coredump-symlink

INFERRED ACTION: CAN-1999-0864 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(4) Armstrong, Cole, Stracener, Prosser
   MODIFY(1) Frech

Comments:
 Frech> XF:sco-coredump-symlink
 Prosser> FYI, the ptf 7016m that fixes this problem in UnixWare 7.0 is
 Prosser> still available. However, it appears (at least I haven't been able to view
 Prosser> them) 7096n for 7.0.1, 7413j for 7.1.0, and 7626a for 7.1.1 are no longer
 Prosser> available from the SCO Security Site.  Don't know if they are fixing them
 Prosser> since they were pre-release or have included them in other SSEs or upgrades.


=================================
Candidate: CAN-1999-0865
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 CommuniGatePro 3.1 for NT DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94426440413027&w=2
Reference: NTBUGTRAQ:19991203 CommuniGatePro 3.1 for NT Buffer Overflow
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94454565726775&w=2
Reference: BID:860
Reference: XF:communigate-pro-bo

Buffer overflow in CommuniGatePro via a long string to the HTTP
configuration port.

Modifications:
  ADDREF BID:860
  ADDREF XF:communigate-pro-bo

INFERRED ACTION: CAN-1999-0865 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(4) Armstrong, Cole, Stracener, Prosser
   MODIFY(1) Frech

Comments:
 Frech> XF:communigate-pro-bo
 Prosser> add BID 860, http://www.securityfocus.com/bid/860


=================================
Candidate: CAN-1999-0866
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000501-02
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991203 UnixWare gain root with non-su/gid binaries
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94530783815434&w=2
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94606167110764&w=2
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Reference: SCO:SB-99.24a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.24a
Reference: XF:sco-xauto-bo
Reference: BID:848
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=848

Buffer overflow in UnixWare xauto program allows local users to gain
root privilege.

Modifications:
  ADDREF BUGTRAQ:19991223 FYI, SCO Security patches available.
  ADDREF BUGTRAQ:19991220 SCO OpenServer Security Status
  ADDREF XF:sco-xauto-bo
  ADDREF SCO:SB-99.24a

INFERRED ACTION: CAN-1999-0866 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Armstrong, Stracener, Prosser
   MODIFY(2) Cole, Frech
   NOOP(1) Christey

Comments:
 Cole> I would take out the word local.
 Frech> XF:sco-xauto-bo
 Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.24a


=================================
Candidate: CAN-1999-0976
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: OPENBSD:19991204
Reference: BUGTRAQ:19991207 [Debian] New version of sendmail released
Reference: XF:sendmail-bi-alias
Reference: BID:857
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=857

Sendmail allows local users to reinitialize the aliases database via
the newaliases command, then cause a denial of service by interrupting
Sendmail.

Modifications:
  ADDREF OPENBSD:19991204
  ADDREF XF:sendmail-bi-alias

INFERRED ACTION: CAN-1999-0976 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   RECAST(1) Blake

Comments:
 Blake> *This issue is insufficiently defined.  I can't see why it should be
 Blake> restricted to Debian, in fact, I just ran newaliases on FreeBSD-3.2 as a
 Blake> regular user and is ran.  Perhaps the entry can be broadened to include
 Blake> incorrect permissions on the newaliases binary...
 Frech> XF:sendmail-bi-alias
 Christey> ADDREF OPENBSD:19991204
 Christey> http://www.openbsd.org/errata.html#sendmail


=================================
Candidate: CAN-2000-0004
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 20000111
Assigned: 20000111
Category: SF
Reference: NTBUGTRAQ:19991223 Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: BUGTRAQ:19991223 Re: Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94606572912422&w=2
Reference: XF:zbserver-url-dot

ZBServer Pro allows remote attackers to read source code for
executable files by inserting a . (dot) into the URL.

Modifications:
  ADDREF XF:zbserver-url-dot

INFERRED ACTION: CAN-2000-0004 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(1) Armstrong
   MODIFY(2) Stracener, Frech
   NOOP(1) Christey

Comments:
 Stracener> The references don't discuss the (dot) attack mentioned in the
 Stracener> description. Suggest changing the description or citing the relevant
 Stracener> sources.
 Christey> An email followup mentioned another possible bug.
 Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=94606572912422&w=2
 Christey>
 Frech> XF:zbserver-url-dot


=================================
Candidate: CAN-2000-0113
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000419-01
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000128 SyGate 3.11 Port 7323 / Remote Admin hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94934808714972&w=2
Reference: BUGTRAQ:20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94952641025328&w=2
Reference: BUGTRAQ:20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94973281714994&w=2
Reference: CONFIRM:http://www.sybergen.com/support/fix.htm
Reference: BID:952
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=952

The SyGate Remote Management program does not properly restrict access
to its administration service, which allows remote attackers to
cause a denial of service, or access network traffic statistics.

INFERRED ACTION: CAN-2000-0113 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Cole, Levy
   NOOP(2) Christey, Wall

Comments:
 Christey> Sygate confirms this in 01/2000 - Build 563 (Beta) with
 Christey> the comment: "fix to block external telnet to port 7323
 Christey> without enhanced security."


=================================
Candidate: CAN-2000-0169
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: NTBUGTRAQ:20000314 Oracle Web Listener 4.0.x
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0211.html
Reference: BID:1053
Reference: URL:http://www.securityfocus.com/bid/1053
Reference: XF:oracle-weblistener-remote-attack

Batch files in the Oracle web listener ows-bin directory allow remote
attackers to execute commands via a malformed URL that includes '?&'.

Modifications:
  ADDREF XF:oracle-weblistener-remote-attack

INFERRED ACTION: CAN-2000-0169 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Ozancin, Cole
   MODIFY(1) Frech
   NOOP(3) Wall, Blake, LeBlanc

Comments:
 Frech> XF:oracle-weblistener-remote-attack


=================================
Candidate: CAN-2000-0171
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: BUGTRAQ:20000311 TESO advisory -- atsadc
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0102.html
Reference: XF:atsar-root-access
Reference: BID:1048
Reference: URL:http://www.securityfocus.com/bid/1048

atsadc in the atsar package for Linux does not properly check the
permissions of an output file, which allows local users to gain root
privileges.

Modifications:
  ADDREF XF:atsar-root-access

INFERRED ACTION: CAN-2000-0171 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Ozancin, Cole
   MODIFY(1) Frech
   NOOP(3) Wall, Blake, LeBlanc

Comments:
 Frech> XF:atsar-root-access


=================================
Candidate: CAN-2000-0226
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified:
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-018
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-018.asp
Reference: BID:1066
Reference: URL:http://www.securityfocus.com/bid/1066
Reference: XF:iis-chunked-encoding-dos

IIS 4.0 allows attackers to cause a denial of service by requesting a
large buffer in a POST or PUT command which consumes memory, aka the
"Chunked Transfer Encoding Buffer Overflow Vulnerability."

INFERRED ACTION: CAN-2000-0226 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Frech, Cole, Wall


=================================
Candidate: CAN-2000-0228
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-016
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-016.asp
Reference: BID:1058
Reference: URL:http://www.securityfocus.com/bid/1058
Reference: XF:mwmt-malformed-media-license

Microsoft Windows Media License Manager allows remote attackers to
cause a denial of service by sending a malformed request that causes
the manager to halt, aka the "Malformed Media License Request"
Vulnerability.

Modifications:
  ADDREF XF:mwmt-malformed-media-license

INFERRED ACTION: CAN-2000-0228 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech

Comments:
 Frech> XF:mwmt-malformed-media-license


=================================
Candidate: CAN-2000-0229
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000424-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000322 gpm-root
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0242.html
Reference: SUSE:20000405 Security hole in gpm < 1.18.1
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_45.txt
Reference: REDHAT:RHSA-2000:009-02
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000009-02.html
Reference: BID:1069
Reference: URL:http://www.securityfocus.com/bid/1069
Reference: XF:linux-gpm-root

gpm-root in the gpm package does not properly drop privileges, which
allows local users to gain privileges by starting a utility from
gpm-root.

Modifications:
  ADDREF SUSE:20000405 Security hole in gpm < 1.18.1
  ADDREF REDHAT:RHSA-2000:009-02

INFERRED ACTION: CAN-2000-0229 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Frech, Levy
   NOOP(2) Cole, Wall


=================================
Candidate: CAN-2000-0230
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000316 TESO & C-Skills development advisory -- imwheel
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0168.html
Reference: REDHAT:RHSA-2000:016-02
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000016-02.html
Reference: XF:linux-imwheel-bo
Reference: BID:1060
Reference: URL:http://www.securityfocus.com/bid/1060

Buffer overflow in imwheel allows local users to gain root privileges
via the imwheel-solo script and a long HOME environmental variable.

Modifications:
  ADDREF REDHAT:RHSA-2000:016-02
  ADDREF XF:linux-imwheel-bo

INFERRED ACTION: CAN-2000-0230 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(1) Levy
   MODIFY(1) Frech
   NOOP(2) Cole, Wall

Comments:
 Frech> XF:linux-imwheel-bo


=================================
Candidate: CAN-2000-0231
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000421-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000316 "TESO & C-Skills development advisory -- kreatecd" at:
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0162.html
Reference: SUSE:20000405 Security hole in kreatecd < 0.3.8b
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_46.txt
Reference: XF:linux-kreatecd-path
Reference: BID:1061
Reference: URL:http://www.securityfocus.com/bid/1061

Linux kreatecd trusts a user-supplied path that is used to find the
cdrecord program, allowing local users to gain root privileges.

Modifications:
  ADDREF SUSE:20000405 Security hole in kreatecd < 0.3.8b

INFERRED ACTION: CAN-2000-0231 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Frech, Cole


=================================
Candidate: CAN-2000-0232
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-021
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-021.asp
Reference: BUGTRAQ:20000330 Remote DoS Attack in Windows 2000/NT 4.0 TCP/IP Print Request Server Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0306.html
Reference: BID:1082
Reference: URL:http://www.securityfocus.com/bid/1082
Reference: XF:win-tcpip-printing-dos

Microsoft TCP/IP Printing Services, aka Print Services for Unix,
allows an attacker to cause a denial of service via a malformed TCP/IP
print request.

Modifications:
  ADDREF XF:win-tcpip-printing-dos

INFERRED ACTION: CAN-2000-0232 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech

Comments:
 Frech> XF:win-tcpip-printing-dos


=================================
Candidate: CAN-2000-0233
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: SUSE:20000327 Security hole in SuSE Linux IMAP Server
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q1/0035.html
Reference: XF:linux-imap-remote-unauthorized-access

SuSE Linux IMAP server allows remote attackers to bypass IMAP
authentication and gain privileges.

Modifications:
  ADDREF XF:linux-imap-remote-unauthorized-access

INFERRED ACTION: CAN-2000-0233 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Stracener, Northcutt, Armstrong
   MODIFY(1) Frech
   NOOP(2) Cole, LeBlanc

Comments:
 Frech> XF:linux-imap-remote-unauthorized-access


=================================
Candidate: CAN-2000-0234
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: CF
Reference: BUGTRAQ:20000330 Cobalt apache configuration exposes .htaccess
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000330220757.28456.qmail@securityfocus.com
Reference: CONFIRM:http://www.securityfocus.com/templates/advisory.html?id=2150
Reference: BID:1083
Reference: URL:http://www.securityfocus.com/bid/1083
Reference: XF:cobalt-raq-remote-access

The default configuration of Cobalt RaQ2 and RaQ3 as specified in
access.conf allows remote attackers to view sensitive contents of a
.htaccess file.

Modifications:
  ADDREF XF:cobalt-raq-remote-access

INFERRED ACTION: CAN-2000-0234 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Stracener, Northcutt
   MODIFY(1) Frech
   NOOP(3) Cole, LeBlanc, Armstrong

Comments:
 Frech> XF:cobalt-raq-remote-access


=================================
Candidate: CAN-2000-0235
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:10
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:10-orville-write.asc
Reference: BID:1070
Reference: URL:http://www.securityfocus.com/bid/1070
Reference: XF:freebsd-orvillewrite-bo

Buffer overflow in the huh program in the orville-write package allows
local users to gain root privileges.

Modifications:
  ADDREF XF:freebsd-orvillewrite-bo

INFERRED ACTION: CAN-2000-0235 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Stracener, Northcutt, Armstrong
   MODIFY(1) Frech
   NOOP(2) Cole, LeBlanc

Comments:
 Frech> XF:freebsd-orvillewrite-bo


=================================
Candidate: CAN-2000-0245
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000328 Objectserver vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200003290852.aa27218@blaze.arl.mil
Reference: SGI:20000303-01-PX
Reference: URL:ftp://sgigate.sgi.com/security/20000303-01-PX
Reference: XF:irix-objectserver-create-accounts
Reference: BID:1079
Reference: URL:http://www.securityfocus.com/bid/1079

Vulnerability in SGI IRIX objectserver daemon allows remote attackers
to create user accounts.

Modifications:
  ADDREF XF:irix-objectserver-create-accounts

INFERRED ACTION: CAN-2000-0245 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(1) Cole
   MODIFY(1) Frech

Comments:
 Frech> XF:irix-objectserver-create-accounts


=================================
Candidate: CAN-2000-0246
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: MS:MS00-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-019.asp
Reference: MSKB:Q249599
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=249599
Reference: BID:1081
Reference: URL:http://www.securityfocus.com/bid/1081
Reference: XF:iis-virtual-unc-share

IIS 4.0 and 5.0 does not properly perform ISAPI extension processing
if a virtual directory is mapped to a UNC share, which allows remote
attackers to read the source code of ASP and other files, aka the
"Virtualized UNC Share" vulnerability.

Modifications:
  ADDREF XF:iis-virtual-unc-share
  DESC include "Virtualized UNC Share" phrase.

INFERRED ACTION: CAN-2000-0246 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Cole, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> XF:iis-virtual-unc-share
 Christey> Modify desc to include "Virtualized UNC Share" phrase.


=================================
Candidate: CAN-2000-0258
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: MS:MS00-023
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-023.asp
Reference: BID:1101
Reference: URL:http://www.securityfocus.com/bid/1101

IIS 4.0 and 5.0 allows remote attackers to cause a denial of service
by sending many URLs with a large number of escaped characters, aka
the "Myriad Escaped Characters" Vulnerability.

INFERRED ACTION: CAN-2000-0258 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Wall, Cole


=================================
Candidate: CAN-2000-0260
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: MS:MS00-025
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-025.asp
Reference: BID:1109
Reference: URL:http://www.securityfocus.com/bid/1109

Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0
allows users to cause a denial of service or execute commands, aka
the "Link View Server-Side Component" vulnerability.

INFERRED ACTION: CAN-2000-0260 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Wall, Cole


=================================
Candidate: CAN-2000-0267
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: CISCO:20000419 Cisco Catalyst Enable Password Bypass Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml
Reference: XF:cisco-catalyst-password-bypass
Reference: BID:1122
Reference: URL:http://www.securityfocus.com/bid/1122

Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode
without a password.

Modifications:
  ADDREF XF:cisco-catalyst-password-bypass

INFERRED ACTION: CAN-2000-0267 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Cole, Stracener, Northcutt
   MODIFY(1) Frech
   NOOP(3) Wall, LeBlanc, Armstrong

Comments:
 Frech> XF:cisco-catalyst-password-bypass


=================================
Candidate: CAN-2000-0268
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: CISCO:20000420 Cisco IOS Software TELNET Option Handling Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml
Reference: BID:1123
Reference: URL:http://www.securityfocus.com/bid/1123
Reference: XF:cisco-ios-option-handling

Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of
service by sending the ENVIRON option to the Telnet daemon before it
is ready to accept it, which causes the system to reboot.

Modifications:
  ADDREF XF:cisco-ios-option-handling

INFERRED ACTION: CAN-2000-0268 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Cole, Stracener, Northcutt
   MODIFY(1) Frech
   NOOP(3) Wall, LeBlanc, Armstrong

Comments:
 Frech> ADDREF XF:cisco-ios-option-handling


=================================
Candidate: CAN-2000-0274
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: BUGTRAQ:20000410 linux trustees 1.5 long path name vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0035.html
Reference: CONFIRM:http://www.braysystems.com/linux/trustees.html
Reference: XF:linux-trustees-patch-dos
Reference: BID:1096
Reference: URL:http://www.securityfocus.com/bid/1096

The Linux trustees kernel patch allows attackers to cause a denial of
service by accessing a file or directory with a long name.

Modifications:
  ADDREF XF:linux-trustees-patch-dos

INFERRED ACTION: CAN-2000-0274 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Cole, Stracener, Northcutt
   MODIFY(1) Frech
   NOOP(4) Wall, Christey, LeBlanc, Armstrong

Comments:
 Christey> This problem is confirmed in the News section for Mar 31,2000,
 Christey> which mentions "a fix for the 'extra long directory name' problem."
 Frech> XF:linux-trustees-patch-dos


=================================
Candidate: CAN-2000-0277
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified:
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: MS:MS00-022
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-022.asp
Reference: BID:1087
Reference: URL:http://www.securityfocus.com/bid/1087

Microsoft Excel 97 and 2000 does not warn the user when executing
Excel Macro Language (XLM) macros in external text files, which could
allow an attacker to execute a macro virus, aka the "XLM Text Macro"
vulnerability.

INFERRED ACTION: CAN-2000-0277 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(2) Wall, Cole


=================================
Candidate: CAN-2000-0294
Published:
Final-Decision: 20000602
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000426
Assigned: 20000426
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:12
Reference: URL:http://www.securityfocus.com/templates/advisory.html?id=2162
Reference: BID:1107
Reference: URL:http://www.securityfocus.com/bid/1107
Reference: XF:freebsd-healthd

Buffer overflow in healthd for FreeBSD allows local users to gain root
privileges.

Modifications:
  ADDREF XF:freebsd-healthd

INFERRED ACTION: CAN-2000-0294 FINAL (Final Decision 20000602)

Current Votes:
   ACCEPT(3) Cole, Stracener, Northcutt
   MODIFY(1) Frech
   NOOP(3) Wall, LeBlanc, Armstrong

Comments:
 Frech> XF:freebsd-healthd
Prev by Date: Re: [FINAL] ACCEPT 22 legacy candidates from various clusters
Next by Date: [CVEPRI] CVE version 20000602 to be released (700 entries)
Prev by thread: Re: [FINAL] ACCEPT 22 legacy candidates from various clusters
Next by thread: [CVEPRI] CVE version 20000602 to be released (700 entries)
Index(es):
- Date
- Thread