
[PROPOSAL] Cluster RECENT-25 - 16 candidates



The following cluster contains 16 candidates that were announced
between 6/19/2000 and 6/25/2000.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0573
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000622 WuFTPD: Providing *remote* root since at least1994
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2
Reference: BUGTRAQ:20000623 WUFTPD 2.6.0 remote root exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2
Reference: BUGTRAQ:20000707 New Released Version of the WuFTPD Sploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96299933720862&w=2
Reference: BUGTRAQ:20000623 ftpd: the advisory version
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623091822.3321.qmail@fiver.freemessage.com
Reference: AUSCERT:AA-2000.02
Reference: URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02
Reference: CERT:CA-2000-13
Reference: URL:http://www.cert.org/advisories/CA-2000-13.html
Reference: DEBIAN:20000622 wu-ftp: remote root exploit in wu-ftp
Reference: URL:http://www.debian.org/security/2000/20000623
Reference: CALDERA:CSSA-2000-020.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-020.0.txt
Reference: REDHAT:RHSA-2000:039-02
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-039-02.html
Reference: BUGTRAQ:20000723 CONECTIVA LINUX SECURITY ANNOUNCEMENT - WU-FTPD (re-release)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0244.html
Reference: BUGTRAQ:20000702 [Security Announce] wu-ftpd update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0017.html
Reference: FREEBSD:FreeBSD-SA-00:29
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.wu-ftpd.asc.v1.1
Reference: NETBSD:NetBSD-SA2000-009
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-010.txt.asc
Reference: XF:wuftp-format-string-stack-overwrite
Reference: BID:1387
Reference: URL:http://www.securityfocus.com/bid/1387

The lreply function in wu-ftpd 2.6.0 and earlier does not properly
cleanse an untrusted format string, which allows remote attackers to
execute arbitrary commands via the SITE EXEC command.


ED_PRI CAN-2000-0573 1


VOTE:

=================================
Candidate: CAN-2000-0577
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000621 Netscape FTP Server - "Professional" as hell :>
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211351280.23780-100000@nimue.tpi.pl
Reference: BUGTRAQ:20000629 (forw) Re: Netscape ftp Server (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0345.html
Reference: BID:1411
Reference: URL:http://www.securityfocus.com/bid/1411
Reference: XF:netscape-ftpserver-chroot

Netscape Professional Services FTP Server 1.3.6 allows remote
attackers to read arbitrary files via a .. (dot dot) attack.


ED_PRI CAN-2000-0577 2


VOTE:

=================================
Candidate: CAN-2000-0578
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000621 Predictability Problems in IRIX Cron and Compilers
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0204.html
Reference: BID:1412
Reference: URL:http://www.securityfocus.com/bid/1412

SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in
/tmp with predictable file names, which could allow local users to
insert malicious contents into these files as they are being compiled
by another user.


ED_PRI CAN-2000-0578 3


VOTE:

=================================
Candidate: CAN-2000-0579
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000621 Predictability Problems in IRIX Cron and Compilers
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0204.html
Reference: BID:1413
Reference: URL:http://www.securityfocus.com/bid/1413

IRIX crontab creates temporary files with predictable file names and
with the umask of the user, which could allow local users to modify
another user's crontab file as it is being edited.


ED_PRI CAN-2000-0579 3


VOTE:

=================================
Candidate: CAN-2000-0601
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000625 LeafChat Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006252056110.74551-100000@unix.za.net
Reference: XF:irc-leafchat-dos
Reference: BID:1396
Reference: URL:http://www.securityfocus.com/bid/1396

LeafChat 1.7 IRC client allows a remote IRC server to cause a denial
of service by rapidly sending a large amount of error messages.


ED_PRI CAN-2000-0601 3


VOTE:

=================================
Candidate: CAN-2000-0602
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000621 rh 6.2 - gid compromises, etc
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl
Reference: XF:redhat-secure-locate-path
Reference: BID:1385
Reference: URL:http://www.securityfocus.com/bid/1385

Secure Locate (slocate) in Red Hat Linux allows local users to gain
privileges via a malformed configuration file that is specified in the
LOCATE_PATH environmental variable.


ED_PRI CAN-2000-0602 3


VOTE:

=================================
Candidate: CAN-2000-0604
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: CF
Reference: BUGTRAQ:20000621 rh 6.2 - gid compromises, etc
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl
Reference: BID:1383
Reference: URL:http://www.securityfocus.com/bid/1383
Reference: XF:redhat-gkermit

gkermit in Red Hat Linux is improperly installed with setgid uucp,
which allows local users to modify files owned by uucp.


ED_PRI CAN-2000-0604 3


VOTE:

=================================
Candidate: CAN-2000-0606
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000619 Problems with "kon2" package
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
Reference: XF:linux-kon-bo
Reference: BID:1371
Reference: URL:http://www.securityfocus.com/bid/1371

Buffer overflow in kon program in Kanji on Console (KON) package on
Linux may allow local users to gain root privileges via a long
-StartupMessage parameter.


ED_PRI CAN-2000-0606 3


VOTE:

=================================
Candidate: CAN-2000-0607
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000619 Problems with "kon2" package
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk
Reference: XF:linux-kon-bo
Reference: BID:1371
Reference: URL:http://www.securityfocus.com/bid/1371

Buffer overflow in fld program in Kanji on Console (KON) package on
Linux may allow local users to gain root privileges via an input file
containing long CHARSET_REGISTRY or CHARSET_ENCODING settings.


ED_PRI CAN-2000-0607 3


VOTE:

=================================
Candidate: CAN-2000-0608
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
Reference: BID:1376
Reference: URL:http://www.securityfocus.com/bid/1376
Reference: XF:dmailweb-long-pophost-dos

NetWin dMailWeb and cwMail 2.6i and earlier allow remote attackers to
cause a denial of service via a long POP parameter (pophost).


ED_PRI CAN-2000-0608 3


VOTE:

=================================
Candidate: CAN-2000-0609
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000620 NetWin dMailWeb Denial of Service
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca
Reference: XF:dmailweb-long-username-dos
Reference: BID:1376
Reference: URL:http://www.securityfocus.com/bid/1376

NetWin dMailWeb and cwMail 2.6g and earlier allow remote attackers to
cause a denial of service via a long username parameter.


ED_PRI CAN-2000-0609 3


VOTE:

=================================
Candidate: CAN-2000-0610
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000623 NetWin dMailWeb Unrestricted Mail Relay
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000623203007.00944760@qlink.queensu.ca
Reference: BID:1390
Reference: URL:http://www.securityfocus.com/bid/1390

NetWin dMailWeb and cwMail 2.6g and earlier allow remote attackers to
bypass authentication and use the server for mail relay via a username
that contains a carriage return.


ED_PRI CAN-2000-0610 3


VOTE:

=================================
Candidate: CAN-2000-0611
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: CF
Reference: BUGTRAQ:20000623 NetWin dMailWeb Unrestricted Mail Relay
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0243.html
Reference: BID:1391
Reference: URL:http://www.securityfocus.com/bid/1391

The default configuration of NetWin dMailWeb and cwMail trusts all POP
servers, which allows attackers to bypass normal authentication and
cause a denial of service.


ED_PRI CAN-2000-0611 3


VOTE:

=================================
Candidate: CAN-2000-0617
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html

Buffer overflow in xconq and cconq game programs on Red Hat Linux
allows local users to gain additional privileges via a long USER
environmental variable.


ED_PRI CAN-2000-0617 3


VOTE:

=================================
Candidate: CAN-2000-0618
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000622 RHL 6.2 xconq package - overflows yield gid games
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html

Buffer overflow in xconq and cconq game programs on Red Hat Linux
allows local users to gain additional privileges via a long DISPLAY
environmental variable.


ED_PRI CAN-2000-0618 3


VOTE:

=================================
Candidate: CAN-2000-0620
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BID:1409
Reference: URL:http://www.securityfocus.com/bid/1409

libX11 X library allows remote attackers to cause a denial of service
via a resource mask of 0, which causes libX11 to go into an infinite
loop.


ED_PRI CAN-2000-0620 3


VOTE:

Page Last Updated or Reviewed: May 22, 2007