[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PROPOSAL] Clusters RECENT-31 and RECENT-32 - 53 candidates



This message contains candidates from 2 clusters, due to the volume of
candidates being proposed this week.  The clusters are separated on
the voting web site.  Board members can use the voting web site
instead of this ballot, which is posted for other Board members and as
a part of the public record.

These voting ballots include the new Analysis field as discussed in a
previous post with explanations of applications of content decisions.
The degree of vendor acknowledgement is also made more prominent.
Finally, a new ACCEPT_REASON form has been added for Board members to
include the reason why they vote to ACCEPT or MODIFY an item.

RECENT-31 contains 20 problems that were announced between 7/10/2000
and 7/31/2000.  RECENT-32 contains 33 problems that were announced
between 8/1/2000 and 8/8/2000.

- Steve



Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2000-0676
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000811
Category: SF
Reference: CERT:CA-2000-15
Reference: URL:http://www.cert.org/advisories/CA-2000-15.html
Reference: BID:1546
Reference: URL:http://www.securityfocus.com/bid/1546

Netscape Communicator and Navigator 4.04 through 4.74 allows remote
attackers to read arbitrary files by using a Java applet to open a
connection to a URL using the "file", "http", "https", and "ftp"
protocols, as demonstrated by Brown Orifice.

Analysis
----------------
ED_PRI CAN-2000-0676 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0696
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: SUN:00196
Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html
Reference: BID:1554
Reference: URL:http://www.securityfocus.com/bid/1554

The administration interface for the dwhttpd web server in Solaris
AnswerBook2 does not properly authenticate requests to its supporting
CGi scripts, which allows remote attackers to add user accounts to the
interface by directly calling the admin CGI script.

Analysis
----------------
ED_PRI CAN-2000-0696 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0697
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: SUN:00196
Reference: URL:http://archives.neohapsis.com/archives/sun/2000-q3/0001.html
Reference: BID:1556
Reference: URL:http://www.securityfocus.com/bid/1556

The administration interface for the dwhttpd web server in Solaris
AnswerBook2 allows interface users to remotely execute commands via
shell metacharacters.

Analysis
----------------
ED_PRI CAN-2000-0697 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0700
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: CISCO:20000803 Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers Using Gigabit Ethernet or Fast Ethernet Cards
Reference: URL:http://www.cisco.com/warp/public/707/gsraclbypassdos-pub.shtml
Reference: BID:1541
Reference: URL:http://www.securityfocus.com/bid/1541

Cisco Gigabit Switch Routers (GSR) with Fast Ethernet / Gigabit
Ethernet cards and versions IOS 11.2 or greater do not properly handle
line card failures, which allows remote attackers to bypass ACLs or
force the interface to stop forwarding packets.

Analysis
----------------
ED_PRI CAN-2000-0700 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0703
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000805 sperl 5.00503 (and newer ;) exploit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0022.html
Reference: SUSE:20000810 Security Hole in perl, all versions
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_59.txt
Reference: CALDERA:CSSA-2000-026.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-026.0.txt
Reference: DEBIAN:20000808 mailx: local exploit
Reference: URL:http://www.debian.org/security/2000/20000810
Reference: REDHAT:RHSA-2000:048-03
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-048-03.html
Reference: TURBO:TLSA2000018-1
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2000-August/000017.html
Reference: BUGTRAQ:20000814 Trustix Security Advisory - perl and mailx
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0153.html
Reference: BUGTRAQ:20000808 MDKSA-2000:031 perl update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0086.html
Reference: BUGTRAQ:20000810 Conectiva Linux security announcemente - PERL
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0113.html
Reference: BID:1547
Reference: URL:http://www.securityfocus.com/bid/1547

suidperl (aka sperl) does not properly cleanse the escape sequence
"~!" before calling /bin/mail to send an error report, which allows
local users to gain privileges by setting the "interactive"
environmental variable and calling suidperl with a filename that
contains the escape sequence.

Analysis
----------------
ED_PRI CAN-2000-0703 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0705
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [ Hackerslab bug_paper ] ntop web mode vulnerabliity
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0459.html
Reference: REDHAT:RHSA-2000:049-02
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0065.html
Reference: BID:1550
Reference: URL:http://www.securityfocus.com/bid/1550

ntop running in web mode allows remote attackers to read arbitrary
files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0705 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0711
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000816 JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!)
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=3999922128E.EE84TAKAGI@java-house.etl.go.jp
Reference: BUGTRAQ:20000805 Dangerous Java/Netscape Security Hole
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000805020429.11774.qmail@securityfocus.com
Reference: CERT:CA-2000-15
Reference: URL:http://www.cert.org/advisories/CA-2000-15.html
Reference: BID:1545
Reference: URL:http://www.securityfocus.com/bid/1545

Netscape Communicator does not properly prevent a ServerSocket object
from being created by untrusted entities, which allows remote
attackers to create a server on the victim's system via a malicious
applet, as demonstrated by Brown Orifice.

Analysis
----------------
ED_PRI CAN-2000-0711 1
Vendor Acknowledgement: yes

This is very similar to CAN-2000-0676, which is the other
vulnerability that was described in the original posts that announced
Brown Orifice.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0737
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MS:MS00-053
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-053.asp
Reference: BID:1535
Reference: URL:http://www.securityfocus.com/bid/1535

The Service Control Manager (SCM) in Windows 2000 creates predictable
named pipes, which allows a local user with console access to gain
administrator privileges, aka the "Service Control Manager Named Pipe
Impersonation" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-0737 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0742
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000602 ipx storm
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&mid=63120
Reference: MS:MS00-054
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-054.asp
Reference: BID:1544
Reference: URL:http://www.securityfocus.com/bid/1544

The IPX protocol implementation in Microsoft Windows 95 and 98 allows
remote attackers to cause a denial of service by sending a ping packet
with a source IP address that is a broadcast address.

Analysis
----------------
ED_PRI CAN-2000-0742 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0750
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0064.html
Reference: FREEBSD:FreeBSD-SA-00:40
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0336.html
Reference: OPENBSD:20000705 Mopd contained a buffer overflow.
Reference: URL:http://www.openbsd.org/errata.html#mopd
Reference: REDHAT:RHSA-2000-050-01
Reference: URL:http://www.redhat.com/support/errata/powertools/RHSA-2000-050-01.html
Reference: MISC:http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h
Reference: BID:1558
Reference: URL:http://www.securityfocus.com/bid/1558

Buffer overflow in mopd (Maintenance Operations Protocol loader
daemon) allows remote attackers to execute arbitrary commands via a
long file name.

Analysis
----------------
ED_PRI CAN-2000-0750 1
Vendor Acknowledgement: yes advisory

ABSTRACTION:

This is a different type of bug than the format string problem, so
CD:SF-LOC suggests that there should be a separate entry for this.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0751
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000808 OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0064.html
Reference: FREEBSD:FreeBSD-SA-00:40
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0336.html
Reference: OPENBSD:20000705 Mopd contained a buffer overflow.
Reference: URL:http://www.openbsd.org/errata.html#mopd
Reference: REDHAT:RHSA-2000-050-01
Reference: URL:http://www.redhat.com/support/errata/powertools/RHSA-2000-050-01.html
Reference: MISC:http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h
Reference: BID:1559
Reference: URL:http://www.securityfocus.com/bid/1559

mopd (Maintenance Operations Protocol loader daemon) does not properly
cleanse user-injected format strings, which allows remote attackers to
execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2000-0751 1
Vendor Acknowledgement: yes advisory

ABSTRACTION:

There are multiple format string vulnerabilities.  For example, see:

 ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/018_mopd.patch
 http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c.diff?r1=1.7&r2=1.8&f=h

CD:SF-LOC suggests to create a separate entry for each one.

But how could these be reported?  The source code line numbers differ
between OpenBSD and NetBSD, for example.  Procedure names alone aren't
sufficient since there could be multiple vuln's in the same procedure.
The conditions that enable the bug may be appropriate, but I don't
have source code to examine.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0786
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000726 userv security boundary tool 1.0.1 (SECURITY FIX)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0389.html
Reference: DEBIAN:20000727 userv: local exploit
Reference: URL:http://www.debian.org/security/2000/20000727
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=bugtraq&m=96473640717095&w=2
Reference: BID:1516
Reference: URL:http://www.securityfocus.com/bid/1516

GNU userv 1.0.0 and earlier does not properly perform file descriptor
swapping, which can corrupt the USERV_GROUPS and USERV_GIDS
environmental variables and allow local users to bypass some access
restrictions.

Analysis
----------------
ED_PRI CAN-2000-0786 1
Vendor Acknowledgement: yes post

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0681
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000815 BEA Weblogic server proxy library vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0186.html
Reference: BID:1570
Reference: URL:http://www.securityfocus.com/bid/1570

Buffer overflow in BEA WebLogic server proxy plugin allows remote
attackers to execute arbitrary commands via a long URL with a .JSP
extension.

Analysis
----------------
ED_PRI CAN-2000-0681 2
Vendor Acknowledgement: yes advisory

ABSTRACTION:

Various sources report multiple overflows, so CD:SF-LOC would suggest
creating a separate entry for each one.  However, the BEA advisory
indicates that the problem is in a single location.  It may appear to
be multiple overflows because the proxy can be installed on many
different web servers.

In accordance with guidance by the Editorial Board that the vendor
should be the final authority, this should remain a single entry
unless it is conclusively proven that there were multiple overflows.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0682
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000728 BEA's WebLogic force handlers show code vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0410.html
Reference: CONFIRM:http://developer.bea.com/alerts/security_000731.html
Reference: BID:1518
Reference: URL:http://www.securityfocus.com/bid/1518

BEA WebLogic 5.1.x allows remote attackers to read source code for
parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the
FileServlet.

Analysis
----------------
ED_PRI CAN-2000-0682 2
Vendor Acknowledgement: yes advisory

CD:SF-LOC applies to this and the SSIServlet /*.shtml/ problem too.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0683
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000728 BEA's WebLogic force handlers show code vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0410.html
Reference: CONFIRM:http://developer.bea.com/alerts/security_000728.html
Reference: BID:1517
Reference: URL:http://www.securityfocus.com/bid/1517

BEA WebLogic 5.1.x allows remote attackers to read source code for
parsed pages by inserting /*.shtml/ into the URL, which invokes the
SSIServlet.

Analysis
----------------
ED_PRI CAN-2000-0683 2
Vendor Acknowledgement: yes advisory

CD:SF-LOC applies to this and the ConsoleHelp problem too.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0684
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000731 BEA's WebLogic *.jsp/*.jhtml remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0434.html
Reference: CONFIRM:http://developer.bea.com/alerts/security_000731.html
Reference: BID:1525
Reference: URL:http://www.securityfocus.com/bid/1525

BEA WebLogic 5.1.x does not properly restrict access to the
JSPServlet, which could allow remote attackers to compile and execute
Java JSP code by directly invoking the servlet on any source file.

Analysis
----------------
ED_PRI CAN-2000-0684 2
Vendor Acknowledgement: yes advisory

This and the PageCompileServlet bug are affected by CF:SF-LOC.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0685
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000731 BEA's WebLogic *.jsp/*.jhtml remote command execution
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0434.html
Reference: CONFIRM:http://developer.bea.com/alerts/security_000731.html
Reference: BID:1525
Reference: URL:http://www.securityfocus.com/bid/1525

BEA WebLogic 5.1.x does not properly restrict access to the
PageCompileServlet, which could allow remote attackers to compile and
execute Java JHTML code by directly invoking the servlet on any source
file.

Analysis
----------------
ED_PRI CAN-2000-0685 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0707
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000804 PCCS MySQL DB Admin Tool v1.2.3- Advisory
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0015.html
Reference: CONFIRM:http://pccs-linux.com/public/view.php3?bn=agora_pccslinux&key=965951324
Reference: BID:1557
Reference: URL:http://www.securityfocus.com/bid/1557

PCCS MySQLDatabase Admin Tool Manager 1.2.4 and earlier installs the
file dbconnect.inc within the web root, which allows remote attackers
to obtain sensitive information such as the administrative password.

Analysis
----------------
ED_PRI CAN-2000-0707 2
Vendor Acknowledgement: yes user-group

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0712
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: MISC:http://www.egroups.com/message/lids/1038
Reference: BUGTRAQ:2000803 LIDS severe bug
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0486.html
Reference: CONFIRM:http://www.lids.org/changelog.html
Reference: BID:1549
Reference: URL:http://www.securityfocus.com/bid/1549

Linux Intrusion Detection System (LIDS) 0.9.7 allows local users to
gain root privileges when LIDS is disabled via the security=0 boot
option.

Analysis
----------------
ED_PRI CAN-2000-0712 2
Vendor Acknowledgement: yes changelog

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0747
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000726 CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENLDAP
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0379.html

The logrotate script for openldap earlier than 1.2.11 in Conectiva
Linux sends an improper signal to the kernel log daemon (klogd) and
kills it.

Analysis
----------------
ED_PRI CAN-2000-0747 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0779
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#Improper_stderr
Reference: BID:1534
Reference: URL:http://www.securityfocus.com/bid/1534

Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote
attackers to bypass access restrictions and connect to a RSH/REXEC
client via malformed connection requests.

Analysis
----------------
ED_PRI CAN-2000-0779 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0679
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000728 cvs security problem
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org
Reference: BID:1523
Reference: URL:http://www.securityfocus.com/bid/1523

The CVS 1.10.8 client trusts pathnames that are provided by the CVS
server, which allows the server to force the client to create
arbitrary files.

Analysis
----------------
ED_PRI CAN-2000-0679 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0680
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000728 cvs security problem
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org
Reference: BID:1524
Reference: URL:http://www.securityfocus.com/bid/1524

The CVS 1.10.8 server does not properly restrict users from creating
arbitrary Checkin.prog or Update.prog programs, which allows remote
CVS committers to modify or create Trojan horse programs with the
Checkin.prog or Update.prog names, then performing a CVS commit
action.

Analysis
----------------
ED_PRI CAN-2000-0680 3
Vendor Acknowledgement: unknown
Content Decisions: SF-EXEC, SF-LOC

INCLUSION ISSUES:

Followups to the original post indicate that there is disagreement as
to whether this is a problem or not.  Some claim that CVS is designed
to be used by people with shell access, thus there is no additional
access granted to attackers who "exploit" this apparent bug.

ABSTRACTION ISSUES:

CD:SF-EXEC applies here because there are 2 binaries that could be
exploited, Checkin.prog and Update.prog.  Since both are critical
components of the same software package and they demonstrate the same
problem, CD:SF-EXEC says to keep them combined.

It could be argued that the problem is in the CVS commit process which
launches these binaries; in that case, CD:SF-EXEC does not apply, and
we would apply CD:SF-LOC to see if these 2 should be SPLIT.

The suggested patch indicates that the Checkin.prog and Update.prog
are treated as separate requests, and they exist in 2 separate lines
of code, thus CD:SF-LOC in this case might suggest SPLITTING them.
This could be viewed as analogous to different ActiveX controls being
marked as safe for scripting (scriptlet.typelib in CVE-1999-0668, and
Eyedog in CAN-1999-0669).  Decisions regarding those ActiveX controls
could thus apply in this case as well.  Also note that this affects
CAN-1999-0988 and CAN-1999-0828.  See the voting record for these
candidates for further discussion.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0693
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html
Reference: BID:1563
Reference: URL:http://www.securityfocus.com/bid/1563

pgxconfig in the Raptor GFX configuration tool uses a relative path
name for a system call to the "cp" program, which allows local users
to execute arbitrary commands by modifying their path to point to an
alternate "cp" program.

Analysis
----------------
ED_PRI CAN-2000-0693 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0694
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html

pgxconfig in the Raptor GFX configuration tool may allow local users
to gain privileges via a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0694 3
Vendor Acknowledgement: unknown

This issue was alluded to in the original Bugtraq post, but not
described in detail.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0695
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 Local root compromise in PGX Config Sun Sparc Solaris
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html

pgxconfig in the Raptor GFX configuration tool may contain buffer
overflows that allow local users to gain privileges via command line
options.

Analysis
----------------
ED_PRI CAN-2000-0695 3
Vendor Acknowledgement: unknown

This issue was alluded to in the original Bugtraq post, but not
described in detail.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0699
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000806 HPUX FTPd vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0028.html
Reference: BID:1560
Reference: URL:http://www.securityfocus.com/bid/1560

HP-UX ftpd does not properly cleanse untrusted format strings, which
may allow remote attackers to cause a denial of service or execute
arbitrary commands via the PASS command.

Analysis
----------------
ED_PRI CAN-2000-0699 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0701
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000801 Advisory: mailman local compromise
Reference: URL:http://www.securityfocus.com/archive/1/73220
Reference: CONFIRM:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000802105050.A11733@rak.isternet.sk
Reference: BUGTRAQ:20000802 CONECTIVA LINUX SECURITY ANNOUNCEMENT - mailman
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0474.html
Reference: BUGTRAQ:20000802 MDKSA-2000:030 - Linux-Mandrake not affected by mailman problem
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0479.html
Reference: REDHAT:RHSA-2000:030-03
Reference: URL:http://www.redhat.com/support/errata/secureserver/RHSA-2000-030-03.html
Reference: BID:1539
Reference: URL:http://www.securityfocus.com/bid/1539

The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly
cleanse untrusted format strings, which allows local users to gain
privileges.

Analysis
----------------
ED_PRI CAN-2000-0701 3
Vendor Acknowledgement: yes advisory
Content Decisions: EX-BETA

CD:EX-BETA suggests that this should not be included in CVE because it
is a beta version, unless this has been widely distributed.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0704
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: SGI:20000803-01-A
Reference: URL:ftp://sgigate.sgi.com/security/20000803-01-A
Reference: BID:1603
Reference: URL:http://www.securityfocus.com/bid/1603

Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to
execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO
commands.

Analysis
----------------
ED_PRI CAN-2000-0704 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

CD:SF-LOC applies here, but more information is needed.  If each
command is handled by a single read/parse function, then these should
stay in a single CVE item.  If there is a different read/parse
function call for each command, then this should be SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0713
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000726 [SPSadvisory#39]Adobe Acrobat Series PDF File Buffer Overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0382.html
Reference: CONFIRM:http://www.adobe.com/misc/pdfsecurity.html
Reference: BID:1509
Reference: URL:http://www.securityfocus.com/bid/1509

Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and
Fill In products that handle PDF files allows attackers to execute
arbitrary commands via a long /Registry or /Ordering specifier.

Analysis
----------------
ED_PRI CAN-2000-0713 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-EXEC,SF-LOC

ABSTRACTION ISSUES:

CD:SF-EXEC may apply since there are multiple products/executables; it
would suggest MERGING these into a single CVE item since the products
are part of the same package.  However, these bugs may all originate
from a single "library," in which case CD:SF-LOC applies and might
suggest a MERGE.  But there might be a different line of code for
/Registry versus /Ordering, in which case CD:SF-LOC would suggest a
SPLIT.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0714
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: REDHAT:RHSA-2000:047-03
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-047-03.html
Reference: BID:1551
Reference: URL:http://www.securityfocus.com/bid/1551

umb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable
files.

Analysis
----------------
ED_PRI CAN-2000-0714 3
Vendor Acknowledgement: yes advisory
Content Decisions: INSTALL-PERM

ABSTRACTION ISSUE:

Some problems like this one are related to installations of files that
set improper permissions.  Should each separate file get a separate
CVE entry?  Or should dot notation be used?  This question has been
labeled as CD:INSTALL-PERM.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0715
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000805 Diskcheck 3.1.1 Symlink Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398BD1FD.BAEE3B70@chonnam.chonnam.ac.kr
Reference: BID:1552
Reference: URL:http://www.securityfocus.com/bid/1552

DiskCheck script diskcheck.pl in Red Hat Linux allows local users to
create or overwrite arbitrary files via a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0715 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0739
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0473.html
Reference: BID:1537
Reference: URL:http://www.securityfocus.com/bid/1537

strong.exe program in NAI Net Tools PKI server allows remote
attackers to read arbitrary files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2000-0739 3
Vendor Acknowledgement: unknown

Various sources for this candidate include references to patches, but
there does not appear to be a way to obtain simple vendor
acknowledgement without registering and/or being a customer.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0740
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0473.html
Reference: BID:1536
Reference: URL:http://www.securityfocus.com/bid/1536

Buffer overflow in strong.exe program in NAI Net Tools PKI server
allows remote attackers to execute arbitrary commands via a long URL
in the HTTPS port.

Analysis
----------------
ED_PRI CAN-2000-0740 3
Vendor Acknowledgement: unknown

Various sources for this item include references to patches, but there
does not appear to be a way to obtain simple vendor acknowledgement
without registering and/or being a customer.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0741
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 NAI Net Tools PKI Server vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0473.html
Reference: BID:1538
Reference: URL:http://www.securityfocus.com/bid/1538

strong.exe program in NAI Net Tools PKI server does not properly
cleanse user-injected format strings, which allows remote attackers to
execute arbitrary commands via a URL with a .XUDA extension.

Analysis
----------------
ED_PRI CAN-2000-0741 3
Vendor Acknowledgement: unknown

Various sources for this item include references to patches, but there
does not appear to be a way to obtain simple vendor acknowledgement
without registering and/or being a customer.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0748
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000726 Group-writable executable in OpenLDAP
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0375.html
Reference: BID:1511
Reference: URL:http://www.securityfocus.com/bid/1511

OpenLDAP 1.2.11 and earlier improperly installs the ud binary with
group write permissions, which could allow any user in that group to
replace the binary with a Trojan horse.

Analysis
----------------
ED_PRI CAN-2000-0748 3
Vendor Acknowledgement: unknown

INCLUSION:

Mandrake MDKSA-2000:024 and a SUSE document say that they are not
vulnerable.  Followup posts were not able to duplicate the problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0757
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000808 Exploit for Totalbill...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0074.html
Reference: BID:1555
Reference: URL:http://www.securityfocus.com/bid/1555

The sysgen service in Aptis Totalbill does not perform authentication,
which allows remote attackers to gain root privileges by connecting to
the service and specifying the commands to be executed.

Analysis
----------------
ED_PRI CAN-2000-0757 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0759
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000719 [LoWNOISE] Tomcat 3.1 Path Revealing Problem.
Reference: URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org
Reference: BID:1531
Reference: URL:http://www.securityfocus.com/bid/1531
Reference: XF:tomcat-error-path-reveal

Jakarta Tomcat 3.1 under Apache reveals physical path information when
a remote attacker requests a URL that does not exist, which generates
an error message that includes the physical path.

Analysis
----------------
ED_PRI CAN-2000-0759 3
Vendor Acknowledgement: unknown
Content Decisions: DESIGN-REAL-PATH

INCLUSION:

CD:DESIGN-REAL-PATH says that revealing physical path information to
remote attackers is an exposure, and thus should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0760
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000719 [LoWNOISE] Snoop Servlet (Tomcat 3.1 and 3.0)
Reference: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org
Reference: XF:tomcat-snoop-info
Reference: BID:1532
Reference: URL:http://www.securityfocus.com/bid/1532

The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals
sensitive system information when a remote attacker requests a
nonexistent URL with a .snp extension.

Analysis
----------------
ED_PRI CAN-2000-0760 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0773
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html
Reference: BID:1522
Reference: URL:http://www.securityfocus.com/bid/1522

Bajie HTTP web server 0.30a allows remote attackers to read arbitrary
files by requesting a URL that contains a "....", a variant of the dot
dot attack.

Analysis
----------------
ED_PRI CAN-2000-0773 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0774
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000731 Two security flaws in Bajie Webserver
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0426.html
Reference: BID:1521
Reference: URL:http://www.securityfocus.com/bid/1521

The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals
the real pathname of the web document root.

Analysis
----------------
ED_PRI CAN-2000-0774 3
Vendor Acknowledgement: unknown
Content Decisions: DESIGN-REAL-PATH

INCLUSION:

CD:DESIGN-REAL-PATH says that revealing physical path information to
remote attackers is an exposure, and thus should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0781
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000728 Client Agent 6.62 for Unix Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000728034420.A19824@sdf.freeshell.org
Reference: BID:1519
Reference: URL:http://www.securityfocus.com/bid/1519

uagentsetup in ARCServeIT Client Agent 6.62 does not properly check
for the existence or ownership of a temporary file which is moved to
the the agent.cfg configuration file, which allows local users to
execute arbitrary commands by modifying the temporary file before it
is moved.

Analysis
----------------
ED_PRI CAN-2000-0781 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0785
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000713 More wIRCSrv stupidity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96353027909756&w=2

WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files
via the importmotd command, which sets the Message of the Day (MOTD)
to the specified file.

Analysis
----------------
ED_PRI CAN-2000-0785 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0788
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000807 MS Word and MS Access vulnerability - executing arbitrary programs, may be exploited by IE/Outlook
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398EB9CA.27E03A9C@nat.bg
Reference: BID:1566
Reference: URL:http://www.securityfocus.com/bid/1566

The Mail Merge tool in Microsoft Word does not prompt the user before
executing Visual Basic (VBA) scripts in an Access database, which
could allow an attacker to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2000-0788 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0793
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000728 Norton Antivirus Protection Disabled under Novell Netware
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=398222C5@zathras.cc.vt.edu
Reference: BID:1533
Reference: URL:http://www.securityfocus.com/bid/1533

Norton AntiVirus 5.00.01C with the Novell Netware client does not
properly restart the auto-protection service after the first user has
logged off of the system.

Analysis
----------------
ED_PRI CAN-2000-0793 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0794
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1527
Reference: URL:http://www.securityfocus.com/bid/1527

Buffer overflow in IRIX libgl.so library allows local users to gain
root privileges via a long HOME variable to programs such as gmemusage
and gr_osview.

Analysis
----------------
ED_PRI CAN-2000-0794 3
Vendor Acknowledgement: unknown

ABSTRACTION:

CD:SF-LOC says that since this is a bug in a library, a single entry
should be created, even if that library is used by multiple
executables.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0795
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1529
Reference: URL:http://www.securityfocus.com/bid/1529

Buffer overflow in lpstat in IRIX 6.2 and 6.3 allows local users to
gain root privileges via a long -n option.

Analysis
----------------
ED_PRI CAN-2000-0795 3
Vendor Acknowledgement: unknown

This is probably a different bug than CAN-1999-0952, since -0952 is
in the -c option.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0796
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1528
Reference: URL:http://www.securityfocus.com/bid/1528

Buffer overflow in dmplay in IRIX 6.2 and 6.3 allows local users to
gain root privileges via a long command line option.

Analysis
----------------
ED_PRI CAN-2000-0796 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0797
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1526
Reference: URL:http://www.securityfocus.com/bid/1526

Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to
gain privileges via a long -D option.

Analysis
----------------
ED_PRI CAN-2000-0797 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0798
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1540
Reference: URL:http://www.securityfocus.com/bid/1540

The truncate function in IRIX 6.x does not properly check for
privileges when the file is in the xfs file system, which allows local
users to delete the contents of arbitrary files.

Analysis
----------------
ED_PRI CAN-2000-0798 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0799
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000802 [LSD] some unpublished LSD exploit codes
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
Reference: BID:1530
Reference: URL:http://www.securityfocus.com/bid/1530

inpview program in SGI IRIX allows local users to gain privileges via
a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0799 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0801
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000727 [ Hackerslab bug_paper ] HP-UX bdf -t option buffer overflow vul.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0388.html
Reference: BID:1520
Reference: URL:http://www.securityfocus.com/bid/1520

Buffer overflow in bdf program in HP-UX 11.00 may allow local users to
gain root privileges via a long -t option.

Analysis
----------------
ED_PRI CAN-2000-0801 3
Vendor Acknowledgement: unknown

INCLUSION:

The initial announcement indicates that it is uncertain whether this
is exploitable.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-0802
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000722 More bad censorware
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96430372326912&w=2
Reference: XF:bair-security-removal

The BAIR program does not properly restrict access to the Internet
Explorer Internet options menu, which allows local users to obtain
access to the menu by modifying the registry key that starts BAIR.

Analysis
----------------
ED_PRI CAN-2000-0802 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007