[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[INTERIM] ACCEPT 191 candidates (Final June 21)
- To: cve-editorial-board-list@lists.mitre.org
- Subject: [INTERIM] ACCEPT 191 candidates (Final June 21)
- From: "Steven M. Christey" <coley@linus.mitre.org>
- Date: Mon, 17 Jun 2002 18:02:49 -0400 (EDT)
- Delivery-Date: Mon Jun 17 18:03:01 2002
- Sender: owner-cve-editorial-board-list@lists.mitre.org
I have made an Interim Decision to ACCEPT the following 191 candidates. I will make a Final Decision on June 21. The candidates came from the following clusters: 1 RECENT-66 1 RECENT-68 1 LEGACY-MS-ADV 1 LEGACY-MISC-1999-B 1 OLD-2000-A 2 RECENT-69 12 RECENT-75 5 RECENT-76 5 RECENT-77 15 RECENT-78 20 RECENT-79 20 RECENT-80 17 RECENT-81 7 RECENT-82 11 RECENT-83 21 RECENT-84 7 MISC-2001-001 5 MISC-2001-002 7 MISC-2001-003 7 RECENT-85 2 RECENT-86 18 RECENT-88 3 RECENT-05 1 RECENT-41 1 RECENT-46 Voters: Green ACCEPT(159) NOOP(3) Cole ACCEPT(172) NOOP(16) Balinsky NOOP(2) Foat ACCEPT(48) NOOP(138) Cox ACCEPT(10) MODIFY(3) NOOP(27) Williams ACCEPT(3) MODIFY(1) Christey MODIFY(1) NOOP(60) Wall ACCEPT(75) NOOP(112) Ziese ACCEPT(72) NOOP(4) Dik ACCEPT(2) Frech ACCEPT(70) MODIFY(44) Mell ACCEPT(1) Stracener ACCEPT(1) NOOP(1) Bollinger ACCEPT(2) MODIFY(1) Baker ACCEPT(79) Bishop ACCEPT(1) Armstrong ACCEPT(63) NOOP(9) ====================================================== Candidate: CAN-1999-1080 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1080 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20010912 Assigned: 20010831 Category: SF Reference: BUGTRAQ:19990510 SunOS 5.7 rmmount, no nosuid. Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92633694100270&w=2 Reference: BUGTRAQ:19991011 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93971288323395&w=2 Reference: BID:250 Reference: URL:http://www.securityfocus.com/bid/250 Reference: SUNBUG:4205437 Reference: XF:solaris-rmmount-gain-root(8350) rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf. Modifications: ADDREF SUNBUG:4205437 ADDREF XF:solaris-rmmount-gain-root(8350) Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-1999-1080 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Dik MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Dik> sun bug: 4205437 Frech> XF:solaris-rmmount-gain-root(8350) ====================================================== Candidate: CAN-1999-1362 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1362 Final-Decision: Interim-Decision: 20020617 Modified: 20020218-01 Proposed: 20010912 Assigned: 20010831 Category: SF Reference: MSKB:Q160601 Reference: URL:http://support.microsoft.com/support/kb/articles/q160/6/01.asp Reference: XF:nt-win32k-dos(7403) Reference: URL:http://www.iss.net/security_center/static/7403.php Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a denial of service (crash) by calling certain WIN32K functions with incorrect parameters. Modifications: ADDREF XF:nt-win32k-dos(7403) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-1999-1362 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Wall, Foat, Cole MODIFY(1) Frech Voter Comments: Frech> XF:nt-win32k-dos(7403) ====================================================== Candidate: CAN-2000-0060 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0060 Final-Decision: Interim-Decision: 20020617 Modified: 20020218-01 Proposed: 20000125 Assigned: 20000122 Category: SF Reference: NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94647711311057&w=2 Reference: BUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94633851427858&w=2 Reference: BID:894 Reference: URL:http://www.securityfocus.com/bid/894 Reference: XF:avirt-rover-pop3-dos(3765) Reference: URL:http://www.iss.net/security_center/static/3765.php Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers to cause a denial of service via a long user name. Modifications: ADDREF XF:avirt-rover-pop3-dos DESC add version ADDREF NTBUGTRAQ:19991227 Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt Analysis -------- Vendor Acknowledgement: unknown INFERRED ACTION: CAN-2000-0060 ACCEPT (3 accept, 0 ack, 0 review) Current Votes: ACCEPT(2) Williams, Baker MODIFY(1) Frech NOOP(1) Balinsky Voter Comments: Frech> XF:avirt-rover-pop3-dos Balinsky> No mention of the problem or relevant patch on vendor website. Williams> Balinsky - this product is no longer supported by vendor. should include v1.1 for NT in title ====================================================== Candidate: CAN-2000-0072 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0072 Final-Decision: Interim-Decision: 20020617 Modified: 20020218-01 Proposed: 20000125 Assigned: 20000122 Category: SF Reference: BUGTRAQ:20000118 Warning: VCasel security hole. Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94823061421676&w=2 Reference: BID:937 Reference: URL:http://www.securityfocus.com/bid/937 Reference: XF:vcasel-filename-trusting(3867) Reference: URL:http://www.iss.net/security_center/static/3867.php Visual Casel (Vcasel) does not properly prevent users from executing files, which allows local users to use a relative pathname to specify an alternate file which has an approved name and possibly gain privileges. Modifications: ADDREF XF:vcasel-filename-trusting(3867) Analysis -------- Vendor Acknowledgement: unknown INFERRED ACTION: CAN-2000-0072 ACCEPT (3 accept, 0 ack, 0 review) Current Votes: ACCEPT(2) Williams, Baker MODIFY(1) Frech Voter Comments: Frech> XF:vcasel-filename-trusting(3867) ====================================================== Candidate: CAN-2000-0087 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0087 Final-Decision: Interim-Decision: 20020617 Modified: 20020218-01 Proposed: 20000125 Assigned: 20000122 Category: SF Reference: BUGTRAQ:20000113 Misleading sense of security in Netscape Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94790377622943&w=2 Reference: XF:netscape-mail-notify-plaintext(4385) Reference: URL:http://www.iss.net/security_center/static/4385.php Netscape Mail Notification (nsnotify) utility in Netscape Communicator uses IMAP without SSL, even if the user has set a preference for Communicator to use an SSL connection, allowing a remote attacker to sniff usernames and passwords in plaintext. Modifications: ADDREF XF:netscape-mail-notify-plaintext(4385) Analysis -------- Vendor Acknowledgement: unknown INFERRED ACTION: CAN-2000-0087 ACCEPT (3 accept, 0 ack, 0 review) Current Votes: ACCEPT(2) Williams, Baker MODIFY(1) Frech Voter Comments: Frech> XF:netscape-mail-notify-plaintext ====================================================== Candidate: CAN-2000-0976 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0976 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20001129 Assigned: 20001124 Category: SF Reference: BUGTRAQ:20001012 another Xlib buffer overflow Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-10/0211.html Reference: SGI:20020502-01-I Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020502-01-I Reference: BID:1805 Reference: URL:http://www.securityfocus.com/bid/1805 Reference: XF:xfree-xlib-bo(5751) Reference: URL:http://www.iss.net/security_center/static/5751.php Buffer overflow in xlib in XFree 3.3.x possibly allows local users to execute arbitrary commands via a long DISPLAY environment variable or a -display command line parameter. Modifications: ADDREF XF:xfree-xlib-bo(5751) ADDREF SGI:20020502-01-I Analysis -------- Vendor Acknowledgement: yes advisory INCLUSION: This might not be exploitable, as a post by Robert van der Meulen says that "the display number can only contain numeric values." See http://archives.neohapsis.com/archives/bugtraq/2000-10/0237.html INFERRED ACTION: CAN-2000-0976 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Mell, Baker MODIFY(1) Frech NOOP(2) Christey, Cole Voter Comments: Frech> XF:xfree-xlib-bo(5751) Christey> This might not be exploitable; see followups CHANGE> [Christey changed vote from REVIEWING to NOOP] Christey> SGI:20020502-01-I ====================================================== Candidate: CAN-2000-1166 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1166 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20001219 Assigned: 20001214 Category: SF Reference: BUGTRAQ:20001124 Security problems with TWIG webmail system Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0351.html Reference: CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG Reference: BID:1998 Reference: URL:http://www.securityfocus.com/bid/1998 Reference: XF:twig-php3-script-execute(5581) Twig webmail system does not properly set the "vhosts" variable if it is not configured on the site, which allows remote attackers to insert arbitrary PHP (PHP3) code by specifying an alternate vhosts as an argument to the index.php3 program. Modifications: ADDREF XF:twig-php3-script-execute(5581) ADDREF CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: The entry in the vendor changelog dated December 18, 2000, says ""Fixed security hole with respect to vhosts." INFERRED ACTION: CAN-2000-1166 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Wall, Cole, Christey Voter Comments: Frech> XF:twig-php3-script-execute(5581) Christey> CONFIRM:http://twig.screwdriver.net/file.php3?file=CHANGELOG Dated December 18, 2000: "Fixed security hole with respect to vhosts." ====================================================== Candidate: CAN-2000-1193 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1193 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20010912 Assigned: 20010831 Category: SF Reference: BUGTRAQ:20000412 Performance Copilot for IRIX 6.5 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-04/0056.html Reference: XF:irix-pcp-pmcd-dos(4284) Reference: URL:http://xforce.iss.net/static/4284.php Reference: SGI:20020407-01-I Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020407-01-I Performance Metrics Collector Daemon (PMCD) in Performance Copilot in IRIX 6.x allows remote attackers to cause a denial of service (resource exhaustion) via an extremely long string to the PMCD port. Modifications: CHANGEREF XF:irix-pcp-pmcd-dos(4284) ADDREF SGI:20020407-01-I Analysis -------- Vendor Acknowledgement: yes advisory CVE-2000-0283 is a different bug that was discovered and announced at the same time. INFERRED ACTION: CAN-2000-1193 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: MODIFY(2) Frech, Williams NOOP(5) Wall, Foat, Cole, Stracener, Christey Voter Comments: Frech> XF:irix-pcp-pmcd-dos(4284) (same XF:ID number, but slightly different name) Williams> not just a DoS. also involves information gathering vuln. Christey> ADDREF SGI:20020407-01-I ====================================================== Candidate: CAN-2001-0508 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0508 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20010829 Assigned: 20010608 Category: SF Reference: BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2 Reference: URL:http://online.securityfocus.com/archive/1/182579 Reference: MS:MS01-044 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-044.asp Reference: XF:iis-webdav-long-request-dos(6982) Reference: URL:http://www.iss.net/security_center/static/6982.php Reference: BID:2690 Reference: URL:http://www.securityfocus.com/bid/2690 Vulnerability in IIS 5.0 allows remote attackers to cause a denial of service (restart) via a long, invalid WebDAV request. Modifications: ADDREF XF:iis-webdav-long-request-dos(6982) ADDREF BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2 ADDREF BID:2690 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0508 ACCEPT (8 accept, 1 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Foat, Cole, Armstrong, Bishop, Ziese MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:iis-webdav-long-request-dos(6982) Christey> Need to determine whether this CAN is fixing this problem: BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2 URL:http://www.securityfocus.com/archive/1/3AF56057.1CB06CBC@guninski.com If so, then ADDREF BID:2690 as well. Christey> Yes, these are the same issue Christey> BUGTRAQ:20010506 IIS 5.0 PROPFIND DOS #2 URL:http://online.securityfocus.com/archive/1/182579 (confirmed w/Microsoft) ====================================================== Candidate: CAN-2001-0550 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20010718 Category: SF Reference: VULN-DEV:20010430 some ftpd implementations mishandle CWD ~{ Reference: URL:http://www.securityfocus.com/archive/82/180823 Reference: BUGTRAQ:20011128 CORE-20011001: Wu-FTP glob heap corruption vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100700363414799&w=2 Reference: CERT:CA-2001-33 Reference: URL:http://www.cert.org/advisories/CA-2001-33.html Reference: CERT-VN:VU#886083 Reference: URL:http://www.kb.cert.org/vuls/id/886083 Reference: REDHAT:RHSA-2001-157 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-157.html Reference: CALDERA:CSSA-2001-041.0 Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt Reference: CALDERA:CSSA-2001-SCO.36 Reference: MANDRAKE:MDKSA-2001:090 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-090.php3 Reference: HP:HPSBUX0107-162 Reference: ISS:20011129 WU-FTPD Heap Corruption Vulnerability Reference: BID:3581 Reference: URL:http://www.securityfocus.com/bid/3581 Reference: XF:wuftp-glob-heap-corruption(7611) wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob). Modifications: ADDREF XF:wuftp-glob-heap-corruption(7611) ADDREF CALDERA:CSSA-2001-SCO.36 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0550 ACCEPT (5 accept, 6 ack, 0 review) Current Votes: ACCEPT(5) Wall, Baker, Cole, Armstrong, Green MODIFY(1) Frech NOOP(2) Christey, Foat Voter Comments: Frech> XF:wuftp-glob-heap-corruption(7611) Christey> CALDERA:CSSA-2001-SCO.36 ====================================================== Candidate: CAN-2001-0553 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0553 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20010727 Assigned: 20010724 Category: SF Reference: BUGTRAQ:20010720 URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0486.html Reference: CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm Reference: CERT-VN:VU#737451 Reference: URL:http://www.kb.cert.org/vuls/id/737451 Reference: CIAC:L-121 Reference: URL:http://www.ciac.org/ciac/bulletins/l-121.shtml Reference: BID:3078 Reference: URL:http://www.securityfocus.com/bid/3078 Reference: XF:ssh-password-length-unauth-access(6868) SSH Secure Shell 3.0.0 on Unix systems does not properly perform password authentication to the sshd2 daemon, which allows local users to gain access to accounts with short password fields, such as locked accounts that use "NP" in the password field. Modifications: ADDREF XF:ssh-password-length-unauth-access(6868) ADDREF CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm ADDREF CERT-VN:VU#737451 ADDREF BID:3078 ADDREF CIAC:L-121 Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-2001-0553 ACCEPT_ACK (2 accept, 3 ack, 0 review) Current Votes: ACCEPT(1) Stracener MODIFY(1) Frech NOOP(5) Christey, Wall, Foat, Cole, Ziese Voter Comments: Frech> XF:ssh-password-length-unauth-access(6868) Christey> CONFIRM:http://www.ssh.com/products/ssh/exploit.cfm CERT-VN:VU#737451 URL:http://www.kb.cert.org/vuls/id/737451 BID:3078 URL:http://www.securityfocus.com/bid/3078 CIAC:L-121 URL:http://www.ciac.org/ciac/bulletins/l-121.shtml ====================================================== Candidate: CAN-2001-0726 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0726 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20010927 Category: SF Reference: MS:MS01-057 Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-057.asp Reference: XF:exchange-owa-embedded-script-execution(7663) Reference: BID:3650 Reference: URL:http://online.securityfocus.com/bid/3650 Outlook Web Access (OWA) in Microsoft Exchange 5.5 Server, when used with Internet Explorer, does not properly detect certain inline script, which can allow remote attackers to perform arbitrary actions on a user's Exchange mailbox via an HTML e-mail message. Modifications: ADDREF XF:exchange-owa-embedded-script-execution(7663) ADDREF BID:3650 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0726 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Baker, Foat, Cole, Green MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:exchange-owa-embedded-script-execution(7663) Christey> Consider adding BID:3650 ====================================================== Candidate: CAN-2001-0727 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0727 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20010927 Category: SF Reference: BUGTRAQ:20011214 MSIE may download and run progams automatically Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100835204509262&w=2 Reference: BUGTRAQ:20011216 Re: MSIE may download and run progams automatically - NOT SO FAST Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100861273114437&w=2 Reference: MS:MS01-058 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-058.asp Reference: CERT:CA-2001-36 Reference: URL:http://www.cert.org/advisories/CA-2001-36.html Reference: XF:ie-file-download-execution(7703) Reference: BID:3578 Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability." Modifications: ADDREF XF:ie-file-download-execution(7703) ADDREF BID:3578 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0727 ACCEPT (6 accept, 2 ack, 0 review) Current Votes: ACCEPT(5) Wall, Baker, Foat, Cole, Green MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:ie-file-download-execution(7703) Christey> Consider adding BID:3578 ====================================================== Candidate: CAN-2001-0731 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20011008 Category: SF Reference: BUGTRAQ:20010709 How Google indexed a file with no external link Reference: URL:http://www.securityfocus.com/archive/1/20010709214744.A28765@brasscannon.net Reference: CONFIRM:http://www.apacheweek.com/issues/01-10-05#security Reference: MANDRAKE:MDKSA-2001:077 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-077-1.php3 Reference: BID:3009 Reference: URL:http://www.securityfocus.com/bid/3009 Reference: XF:apache-multiviews-directory-listing(8275) Reference: SGI:20020301-01-P Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string. Modifications: ADDREF XF:apache-multiviews-directory-listing(8275) ADDREF SGI:20020301-01-P Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0731 ACCEPT (8 accept, 2 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Foat, Cole, Armstrong, Ziese, Green MODIFY(1) Frech NOOP(1) Christey Voter Comments: Christey> SGI:20020301-01-P URL:ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P Frech> XF:apache-multiviews-directory-listing(8275) ====================================================== Candidate: CAN-2001-0769 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0769 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20011012 Assigned: 20011012 Category: SF Reference: BUGTRAQ:20010527 def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html Reference: XF:guildftpd-null-memory-leak(6613) Reference: URL:http://xforce.iss.net/static/6613.php Memory leak in GuildFTPd Server 0.97 allows remote attackers to cause a denial of service via a request containing a null character. Analysis -------- Vendor Acknowledgement: yes via-email ACKNOWLEDGEMENT: the vendor acknowledged the problem via email on 3/8/2002. INFERRED ACTION: CAN-2001-0769 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Foat, Frech NOOP(4) Christey, Wall, Cole, Armstrong Voter Comments: Christey> Email ack received from guildftpd@nitrolic.com on 3/8/2002 ====================================================== Candidate: CAN-2001-0770 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0770 Final-Decision: Interim-Decision: 20020617 Modified: 20020308-01 Proposed: 20011012 Assigned: 20011012 Category: SF Reference: BUGTRAQ:20010527 def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html Reference: XF:guildftpd-site-bo(6612) Reference: URL:http://xforce.iss.net/static/6612.php Reference: CONFIRM:http://www.nitrolic.com/help/history.htm Buffer overflow in GuildFTPd Server 0.97 allows remote attacker to execute arbitrary code via a long SITE command. Modifications: ADDREF CONFIRM:http://www.nitrolic.com/help/history.htm Analysis -------- Vendor Acknowledgement: yes via-email ACKNOWLEDGEMENT: The history file says "Fixed some problems with the SITE commands." This by itself is not sufficient to prove acknowledgement of *this* issue, but the vendor verified this via email on 3/8/2002. INFERRED ACTION: CAN-2001-0770 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Foat, Armstrong, Frech NOOP(3) Christey, Wall, Cole Voter Comments: Christey> Possible ACK at http://www.nitrolic.com/help/history.htm Inquiry sent to guildftpd@nitrolic.com on 2/25/2002 Christey> Email ack received from guildftpd@nitrolic.com on 3/8/2002 ====================================================== Candidate: CAN-2001-0797 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0797 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20011024 Category: SF Reference: ISS:20011212 Buffer Overflow in /bin/login Reference: URL:http://xforce.iss.net/alerts/advise105.php Reference: BUGTRAQ:20011219 Linux distributions and /bin/login overflow Reference: URL:http://www.securityfocus.com/archive/1/246487 Reference: CERT:CA-2001-34 Reference: URL:http://www.cert.org/advisories/CA-2001-34.html Reference: CERT-VN:VU#569272 Reference: URL:http://www.kb.cert.org/vuls/id/569272 Reference: CALDERA:CSSA-2001-SCO.40 Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/CSSA-2001-SCO.40.txt Reference: SUN:00213 Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213 Reference: AIXAPAR:IY26221 Reference: SGI:20011201-01-I Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I Reference: SUNBUG:4516885 Reference: BUGTRAQ:20011214 Sun Solaris login bug patches out Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100844757228307&w=2 Reference: XF:telnet-tab-bo(7284) Reference: URL:http://xforce.iss.net/static/7284.php Reference: BID:3681 Reference: URL:http://www.securityfocus.com/bid/3681 Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin. Modifications: ADDREF SUNBUG:4516885 ADDREF BUGTRAQ:20011214 Sun Solaris login bug patches out Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0797 ACCEPT (3 accept, 8 ack, 0 review) Current Votes: ACCEPT(5) Baker, Cole, Frech, Dik, Green NOOP(3) Christey, Wall, Foat Voter Comments: Dik> Sun bugid: 4516885 Christey> BUGTRAQ:20011214 Sun Solaris login bug patches out URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100844757228307&w=2 ====================================================== Candidate: CAN-2001-0869 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0869 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20011129 Category: SF Reference: SUSE:SuSE-SA:2001:042 Reference: URL:http://lwn.net/alerts/SuSE/SuSE-SA%3A2001%3A042.php3 Reference: CALDERA:CSSA-2001-040.0 Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2001-040.0.txt Reference: REDHAT:RHSA-2001-150 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-150.html Reference: REDHAT:RHSA-2001-151 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-151.html Reference: MANDRAKE:MDKSA-2002:018 Reference: XF:cyrus-sasl-format-string(7443) Reference: URL:http://xforce.iss.net/static/7443.php Reference: FREEBSD:FreeBSD-SA-02:15 Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:15.cyrus-sasl.asc Format string vulnerability in the default logging callback function in Cyrus SASL library (cyrus-sasl) may allow remote attackers to execute arbitrary commands. Modifications: ADDREF MANDRAKE:MDKSA-2002:018 ADDREF FREEBSD:FreeBSD-SA-02:15 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0869 ACCEPT (5 accept, 4 ack, 0 review) Current Votes: ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech NOOP(2) Christey, Wall Voter Comments: Christey> MANDRAKE:MDKSA-2002:018 Christey> ADDREF FREEBSD:FreeBSD-SA-02:15 URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:15.cyrus-sasl.asc ====================================================== Candidate: CAN-2001-0872 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0872 Final-Decision: Interim-Decision: 20020617 Modified: 20020228-01 Proposed: 20020131 Assigned: 20011203 Category: SF Reference: BUGTRAQ:20011204 [Fwd: OpenSSH 3.0.2 fixes UseLogin vulnerability] Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100749779131514&w=2 Reference: CONFIRM:http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100747128105913&w=2 Reference: REDHAT:RHSA-2001:161 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-161.html Reference: SUSE:SuSE-SA:2001:045 Reference: URL:http://lists.suse.com/archives/suse-security-announce/2001-Dec/0001.html Reference: DEBIAN:DSA-091 Reference: URL:http://www.debian.org/security/2001/dsa-091 Reference: XF:openssh-uselogin-execute-code(7647) Reference: URL:http://xforce.iss.net/static/7647.php OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges. Modifications: ADDREF DEBIAN:DSA-091 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0872 ACCEPT (6 accept, 4 ack, 0 review) Current Votes: ACCEPT(6) Green, Wall, Baker, Foat, Cole, Frech ====================================================== Candidate: CAN-2001-0884 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0884 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20011213 Category: SF Reference: BUGTRAQ:20011128 Cgisecurity.com Advisory #7: Mailman Email Archive Cross Site Scripting Reference: URL:http://www.securityfocus.com/archive/1/242839 Reference: CONECTIVA:CLA-2001:445 Reference: URL:http://www.securityfocus.com/advisories/3721 Reference: REDHAT:RHSA-2001:168 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-168.html Reference: REDHAT:RHSA-2001:170 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-170.html Reference: XF:mailman-java-css(7617) Reference: URL:http://xforce.iss.net/static/7617.php Reference: BID:3602 Reference: URL:http://www.securityfocus.com/bid/3602 Cross-site scripting vulnerability in Mailman email archiver before 2.08 allows attackers to obtain sensitive information or authentication credentials via a malicious link that is accessed by other web users. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0884 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Frech NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-0886 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0886 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20011214 Category: SF Reference: MISC:http://sources.redhat.com/ml/bug-glibc/2001-11/msg00109.html Reference: BUGTRAQ:20011217 [Global InterSec 2001121001] glibc globbing issues. Reference: URL:http://www.securityfocus.com/archive/1/245956 Reference: REDHAT:RHSA-2001-160 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-160.html Reference: MANDRAKE:MDKSA-2001:095 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-095.php3 Reference: ENGARDE:ESA-20011217-01 Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1752.html Reference: XF:glibc-glob-bo(7705) Reference: URL:http://xforce.iss.net/static/7705.php Reference: BID:3707 Reference: URL:http://www.securityfocus.com/bid/3707 Buffer overflow in glob function of glibc allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a glob pattern that ends in a brace "{" character. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0886 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Green, Wall, Baker, Cole, Frech NOOP(1) Foat ====================================================== Candidate: CAN-2001-0887 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0887 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20011219 Category: SF Reference: FREEBSD:FreeBSD-SA-01:68 Reference: URL:http://www.securityfocus.com/advisories/3734 Reference: BID:3700 Reference: URL:http://www.securityfocus.com/bid/3700 Reference: XF:xsane-temp-symlink(7714) Reference: URL:http://xforce.iss.net/static/7714.php xSANE 0.81 and earlier allows local users to modify files of other xSANE users via a symlink attack on temporary files. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0887 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Green, Baker, Cole, Frech NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-0888 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0888 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20011219 Category: SF Reference: BUGTRAQ:20011221 VIGILANTe advisory 2001003 : Atmel SNMP Non Public Community String DoS Vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100895903202798&w=2 Reference: XF:atmel-snmp-community-dos(7734) Reference: URL:http://xforce.iss.net/static/7734.php Reference: BID:3734 Reference: URL:http://www.securityfocus.com/bid/3734 Atmel Firmware 1.3 Wireless Access Point (WAP) allows remote attackers to cause a denial of service via a SNMP request with (1) a community string other than "public" or (2) an unknown OID, which causes the WAP to deny subsequent SNMP requests. Analysis -------- Vendor Acknowledgement: yes advisory/yes followup/yes changelog/yes/unknown discloser-claimed/unknown vague/unknown/no disputed/no INFERRED ACTION: CAN-2001-0888 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Green, Baker, Cole, Frech NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-0889 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0889 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20011221 Category: SF Reference: BUGTRAQ:20011219 [ph10@cus.cam.ac.uk: [Exim] Potential security problem] Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100877978506387&w=2 Reference: REDHAT:RHSA-2001:176 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-176.html Reference: XF:exim-pipe-hostname-commands(7738) Exim 3.22 and earlier, in some configurations, does not properly verify the local part of an address when redirecting the address to a pipe, which could allow remote attackers to execute arbitrary commands via shell metacharacters. Modifications: ADDREF XF:exim-pipe-hostname-commands(7738) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0889 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Green, Baker, Cole MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:exim-pipe-hostname-commands(7738) ====================================================== Candidate: CAN-2001-0894 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0894 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20011115 Postfix session log memory exhaustion bugfix Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100584160110303&w=2 Reference: MANDRAKE:MDKSA-2001:089 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-089.php3?dis=8.1 Reference: DEBIAN:DSA-093 Reference: URL:http://www.debian.org/security/2001/dsa-093 Reference: REDHAT:RHSA-2001:156 Reference: BID:3544 Reference: URL:http://www.securityfocus.com/bid/3544 Reference: XF:postfix-smtp-log-dos(7568) Reference: URL:http://xforce.iss.net/static/7568.php Vulnerability in Postfix SMTP server before 20010228-pl07, when configured to email the postmaster when SMTP errors cause the session to terminate, allows remote attackers to cause a denial of service (memory exhaustion) by generating a large number of SMTP errors, which forces the SMTP session log to grow too large. Modifications: ADDREF REDHAT:RHSA-2001:156 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0894 ACCEPT (6 accept, 2 ack, 0 review) Current Votes: ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech MODIFY(1) Cox NOOP(1) Wall Voter Comments: Cox> ADDREF REDHAT:RHSA-2001:156 ====================================================== Candidate: CAN-2001-0895 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0895 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: CISCO:20011115 Cisco IOS ARP Table Overwrite Vulnerability Reference: URL:http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml Reference: XF:cisco-arp-overwrite-table(7547) Multiple Cisco networking products allow remote attackers to cause a denial of service on the local network via a series of ARP packets sent to the router's interface that contains a different MAC address for the router, which eventually causes the router to overwrite the MAC address in its ARP table. Modifications: ADDREF XF:cisco-arp-overwrite-table(7547) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0895 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Foat, Cole, Armstrong MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:cisco-arp-overwrite-table(7547) ====================================================== Candidate: CAN-2001-0896 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0896 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: CALDERA:CSSA-2001-SCO.33 Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.33/CSSA-2001-SCO.33.txt Reference: BUGTRAQ:20020201 RE: DoS bug on Tru64 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101284101228656&w=2 Reference: BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101303877215098&w=2 Reference: XF:openserver-nmap-po-option(7571) Inetd in OpenServer 5.0.5 allows remote attackers to cause a denial of service (crash) via a port scan, e.g. with nmap -PO. Modifications: ADDREF BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64 ADDREF BUGTRAQ:20020201 RE: DoS bug on Tru64 ADDREF XF:openserver-nmap-po-option(7571) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0896 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Armstrong MODIFY(1) Frech NOOP(3) Christey, Wall, Foat Voter Comments: Christey> A rediscovery of this issue was reported in: BUGTRAQ:20020205 nmap vs. inetd on Caldera (ex-SCO) OpenServer, Re: DoS bug on Tru64 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101303877215098&w=2 BUGTRAQ:20020201 RE: DoS bug on Tru64 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101284101228656&w=2 Frech> XF:openserver-nmap-po-option(7571) ====================================================== Candidate: CAN-2001-0899 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0899 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20011116 Network Tool 0.2 Addon for PHPNuke vulnerable to remote command execution Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100593523104176&w=2 Reference: CONFIRM:http://phpnukerz.org/modules.php?name=Downloads&d_op=viewsdownload&sid=32 Reference: XF:phpnuke-nettools-command-execution(7578) Network Tools 0.2 for PHP-Nuke allows remote attackers to execute commands on the server via shell metacharacters in the $hostinput variable. Modifications: ADDREF XF:phpnuke-nettools-command-execution(7578) Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: The comment for version 0.3, dated November 26, says "This version is a bug fix to the remote command execution security hole in version 0.2" A look at the source code shows that all calls to system() are now quoted. INFERRED ACTION: CAN-2001-0899 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Armstrong MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:phpnuke-nettools-command-execution(7578) ====================================================== Candidate: CAN-2001-0900 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0900 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20011118 Gallery Addon for PhpNuke remote file viewing vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100619599000590&w=2 Reference: CONFIRM:http://www.menalto.com/projects/gallery/article.php?sid=33&mode=&order= Reference: XF:phpnuke-gallery-directory-traversal(7580) Directory traversal vulnerability in modules.php in Gallery before 1.2.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the include parameter. Modifications: ADDREF XF:phpnuke-gallery-directory-traversal(7580) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0900 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Armstrong MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:phpnuke-gallery-directory-traversal(7580) ====================================================== Candidate: CAN-2001-0901 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0901 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20011119 Hypermail SSI Vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100626603407639&w=2 Reference: CONFIRM:http://www.hypermail.org/dist/hypermail-2.1.4.tar.gz Reference: XF:hypermail-ssi-execute-commands(7576) Hypermail allows remote attackers to execute arbitrary commands on a server supporting SSI via an attachment with a .shtml extension, which is archived on the server and can then be executed by requesting the URL for the attachment. Modifications: ADDREF XF:hypermail-ssi-execute-commands(7576) Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: In the ChangeLog in HyperMail 2.1.4, the entry for Nov 14, 2001 says "Changes relevant to security... attachment filenames ending in .shtml get changed to .html." INFERRED ACTION: CAN-2001-0901 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Armstrong MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:hypermail-ssi-execute-commands(7576) ====================================================== Candidate: CAN-2001-0905 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0905 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: DEBIAN:DSA-083 Reference: URL:http://www.debian.org/security/2001/dsa-083 Reference: REDHAT:RHSA-2001:093 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-093.html Reference: MANDRAKE:MDKSA-2001:085 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-085.php3 Reference: FREEBSD:FreeBSD-SA-01:60 Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:60.procmail.asc Reference: CONECTIVA:CLA-2001:433 Reference: BID:3071 Reference: URL:http://www.securityfocus.com/bid/3071 Reference: XF:procmail-signal-handling-race(6872) Race condition in signal handling of procmail 3.20 and earlier, when running setuid, allows local users to cause a denial of service or gain root privileges by sending a signal while a signal handling routine is already running. Modifications: ADDREF CONECTIVA:CLA-2001:433 ADDREF XF:procmail-signal-handling-race(6872) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0905 ACCEPT (6 accept, 3 ack, 0 review) Current Votes: ACCEPT(5) Green, Wall, Baker, Cole, Armstrong MODIFY(2) Christey, Frech NOOP(1) Foat Voter Comments: Frech> XF:procmail-signal-handling-race(6872) Christey> ADDREF CONECTIVA:CLA-2001:433 ====================================================== Candidate: CAN-2001-0906 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0906 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010622 LPRng + tetex tmpfile race - uid lp exploit Reference: URL:http://www.securityfocus.com/archive/1/192647 Reference: REDHAT:RHSA-2001:102 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html Reference: MANDRAKE:MDKSA-2001:086 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-086.php3 Reference: IMMUNIX:IMNX-2001-70-030-01 Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-030-01 Reference: BID:2974 Reference: URL:http://www.securityfocus.com/bid/2974 Reference: XF:tetex-lprng-tmp-race(6785) Reference: URL:http://xforce.iss.net/static/6785.php teTeX filter before 1.0.7 allows local users to gain privileges via a symlink attack on temporary files that are produced when printing .dvi files using lpr. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0906 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(6) Green, Wall, Baker, Cole, Armstrong, Frech NOOP(1) Foat ====================================================== Candidate: CAN-2001-0912 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0912 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: CF Reference: MANDRAKE:MDKSA-2001:087 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-087.php3?dis=8.1 Reference: XF:linux-expect-unauth-root(7604) Reference: URL:http://xforce.iss.net/static/7604.php Packaging error for expect 8.3.3 in Mandrake Linux 8.1 causes expect to search for its libraries in the /home/snailtalk directory before other directories, which could allow a local user to gain root privileges. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0912 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Frech NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-0917 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0917 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20011122 Hi Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100654722925155&w=2 Reference: CONFIRM:http://marc.theaimsgroup.com/?l=tomcat-dev&m=100658457507305&w=2 Reference: XF:tomcat-reveal-install-path(7599) Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension. Modifications: ADDREF XF:tomcat-reveal-install-path(7599) Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2001-0917 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Armstrong MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:tomcat-reveal-install-path(7599) ====================================================== Candidate: CAN-2001-0918 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0918 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: SUSE:SuSE-SA:2001:041 Reference: URL:http://www.suse.de/de/support/security/2001_041_susehelp_txt.txt Reference: XF:susehelp-cgi-command-execution(7583) Reference: URL:http://xforce.iss.net/static/7583.php Reference: BID:3576 Reference: URL:http://www.securityfocus.com/bid/3576 Vulnerabilities in CGI scripts in susehelp in SuSE 7.2 and 7.3 allow remote attackers to execute arbitrary commands by not opening files securely. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0918 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Frech NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-0920 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0920 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20011126 [CERT-intexxia] Auto Nice Daemon Format String Vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100680319004162&w=2 Reference: CONFIRM:http://and.sourceforge.net/ Reference: XF:and-format-string(7606) Reference: URL:http://xforce.iss.net/static/7606.php Reference: BID:3580 Reference: URL:http://www.securityfocus.com/bid/3580 Format string vulnerability in auto nice daemon (AND) 1.0.4 and earlier allows a local user to possibly execute arbitrary code via a process name containing a format string. Analysis -------- Vendor Acknowledgement: yes advisory The home page for AND states "Security Alert! A format string vulnerability has been found in AND 1.0.4 and before. Update to 1.0.5 or newer NOW!" and references the author of the Bugtraq post. INFERRED ACTION: CAN-2001-0920 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Frech NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-0929 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0929 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: CISCO:20011128 A Vulnerability in IOS Firewall Feature Set Reference: URL:http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml Reference: XF:ios-cbac-bypass-acl(7614) Cisco IOS Firewall Feature set, aka Context Based Access Control (CBAC) or Cisco Secure Integrated Software, for IOS 11.2P through 12.2T does not properly check the IP protocol type, which could allow remote attackers to bypass access control lists. Modifications: ADDREF XF:ios-cbac-bypass-acl(7614) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0929 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Armstrong MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:ios-cbac-bypass-acl(7614) ====================================================== Candidate: CAN-2001-0936 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0936 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: CF Reference: BUGTRAQ:20011130 Alert: Vulnerability in frox transparent ftp proxy. Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100713367307799&w=2 Reference: CONFIRM:http://frox.sourceforge.net/security.txt Reference: XF:frox-ftp-proxy-bo(7632) Reference: URL:http://xforce.iss.net/static/7632.php Reference: BID:3606 Reference: URL:http://www.securityfocus.com/bid/3606 Buffer overflow in Frox transparent FTP proxy 0.6.6 and earlier, with the local caching method selected, allows remote FTP servers to run arbitrary code via a long response to an MDTM request. Analysis -------- Vendor Acknowledgement: yes advisory ACKNOWLEDGEMENT: The vendor advisory is a verbatim copy of the advisory that was sent to Bugtraq. INFERRED ACTION: CAN-2001-0936 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Frech NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-0939 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0939 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: CF Reference: BUGTRAQ:20011130 Denial of Service in Lotus Domino 5.08 and earlier HTTP Server Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100715316426817&w=2 Reference: CONFIRM:http://www-1.ibm.com/support/manager.wss?rs=0&rt=0&org=sims&doc=4C8E450DBF2E7F1885256B200079FA88 Reference: BID:3607 Reference: URL:http://www.securityfocus.com/bid/3607 Reference: XF:lotus-domino-nhttp-dos(7631) Lotus Domino 5.08 and earlier allows remote attackers to cause a denial of service (crash) via a SunRPC NULL command to port 443. Modifications: ADDREF XF:lotus-domino-nhttp-dos(7631) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0939 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Baker, Foat, Cole, Armstrong, Frech NOOP(1) Wall Voter Comments: Frech> XF:lotus-domino-nhttp-dos(7631) CHANGE> [Frech changed vote from MODIFY to ACCEPT] ====================================================== Candidate: CAN-2001-0940 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0940 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: WIN2KSEC:20010921 Check Point FireWall-1 GUI Buffer Overflow Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0151.html Reference: BUGTRAQ:20011128 Firewall-1 remote SYSTEM shell buffer overflow Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100698954308436&w=2 Reference: BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094268017271&w=2 Reference: BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow Reference: URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00291.html Reference: CHECKPOINT:20010919 GUI Buffer Overflow Reference: URL:http://www.checkpoint.com/techsupport/alerts/buffer_overflow.html Reference: BID:3336 Reference: URL:http://www.securityfocus.com/bid/3336 Reference: XF:fw1-log-viewer-bo(7145) Reference: URL:http://xforce.iss.net/static/7145.php Buffer overflow in the GUI authentication code of Check Point VPN-1/FireWall-1 Management Server 4.0 and 4.1 allows remote attackers to execute arbitrary code via a long user name. Modifications: ADDREF BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336) ADDREF BID:3336 ADDREF XF:fw1-log-viewer-bo(7145) ADDREF BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0940 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Green, Baker, Cole MODIFY(1) Frech NOOP(3) Christey, Wall, Foat Voter Comments: Christey> BUGTRAQ:20010919 Check Point FireWall-1 GUI Log Viewer vulnerability (vuldb 3336) URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100094268017271&w=2 BID:3336 URL:http://www.securityfocus.com/bid/3336 XF:fw1-log-viewer-bo(7145) URL:http://xforce.iss.net/static/7145.php BUGTRAQ:20011130 Fw: Firewall-1 remote SYSTEM shell buffer overflow URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00291.html Frech> XF:fw1-log-viewer-bo(7145) ====================================================== Candidate: CAN-2001-0946 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0946 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20011204 Symlink attack with apmd of RH 7.2 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100743394701962&w=2 Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56389 Reference: XF:apmd-apmscript-symlink(8268) apmscript in Apmd in Red Hat 7.2 "Enigma" allows local users to create or change the modification dates of arbitrary files via a symlink attack on the LOW_POWER temporary file, which could be used to cause a denial of service, e.g. by creating /etc/nologin and disabling logins. Modifications: ADDREF XF:apmd-apmscript-symlink(8268) Analysis -------- Vendor Acknowledgement: yes changelog INFERRED ACTION: CAN-2001-0946 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Green, Wall, Baker, Cole MODIFY(1) Frech NOOP(1) Foat Voter Comments: CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:apmd-apmscript-symlink(8268) ====================================================== Candidate: CAN-2001-0961 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0961 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: DEBIAN:DSA-076 Reference: URL:http://www.debian.org/security/2001/dsa-076 Reference: XF:most-file-create-bo(7149) Reference: URL:http://xforce.iss.net/static/7149.php Reference: BID:3347 Reference: URL:http://www.securityfocus.com/bid/3347 Buffer overflow in tab expansion capability of the most program allows local or remote attackers to execute arbitrary code via a malformed file that is viewed with most. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0961 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Green, Baker, Cole, Frech NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-0962 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0962 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010919 Websphere cookie/sessionid predictable Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html Reference: BUGTRAQ:20010928 Re: Websphere cookie/sessionid predictable Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html Reference: CONFIRM:http://www14.software.ibm.com/webapp/download/postconfig.jsp?id=4000805&pf=Multi-Platform&v=3.0.2&e=Standard+%26+Advanced+Editions&cat=&s=p Reference: XF:ibm-websphere-seq-predict(7153) Reference: URL:http://xforce.iss.net/static/7153.php IBM WebSphere Application Server 3.02 through 3.53 uses predictable session IDs for cookies, which allows remote attackers to gain privileges of WebSphere users via brute force guessing. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0962 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Green, Frech NOOP(3) Wall, Foat, Cole ====================================================== Candidate: CAN-2001-0977 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0977 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: CERT:CA-2001-18 Reference: URL:http://www.cert.org/advisories/CA-2001-18.html Reference: CERT-VN:VU#935800 Reference: URL:http://www.kb.cert.org/vuls/id/935800 Reference: DEBIAN:DSA-068 Reference: URL:http://www.debian.org/security/2001/dsa-068 Reference: REDHAT:RHSA-2001:098 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-098.html Reference: CONECTIVA:CLA-2001:417 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000417 Reference: MANDRAKE:MDKSA-2001:069 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-069.php3 Reference: BID:3049 Reference: URL:http://www.securityfocus.com/bid/3049 Reference: XF:openldap-ldap-protos-dos(6904) Reference: URL:http://xforce.iss.net/static/6904.php slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows remote attackers to cause a denial of service (crash) via an invalid Basic Encoding Rules (BER) length field. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0977 ACCEPT (6 accept, 4 ack, 0 review) Current Votes: ACCEPT(6) Green, Wall, Baker, Cole, Armstrong, Frech NOOP(1) Foat ====================================================== Candidate: CAN-2001-0981 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0981 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: HP:HPSBUX0108-164 Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q3/0048.html Reference: XF:hp-cifs-change-passwords(7051) HP CIFS/9000 Server (SAMBA) A.01.07 and earlier with the "unix password sync" option enabled calls the passwd program without specifying the username of the user making the request, which could cause the server to change the password of a different user. Modifications: ADDREF XF:hp-cifs-change-passwords(7051) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-0981 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Green, Baker, Cole, Armstrong MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:hp-cifs-change-passwords(7051) ====================================================== Candidate: CAN-2001-1002 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1002 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010827 LPRng/rhs-printfilters - remote execution of commands Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99892644616749&w=2 Reference: REDHAT:RHSA-2001:102 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-102.html Reference: BID:3241 Reference: URL:http://www.securityfocus.com/bid/3241 Reference: XF:tetex-lprng-tmp-race(6785) The default configuration of the DVI print filter (dvips) in Red Hat Linux 7.0 and earlier does not run dvips in secure mode when dvips is executed by lpd, which could allow remote attackers to gain privileges by printing a DVI file that contains malicious commands. Modifications: ADDREF XF:tetex-lprng-tmp-race(6785) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1002 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Baker, Cole, Armstrong, Green MODIFY(1) Frech NOOP(2) Foat, Christey Voter Comments: Frech> XF:tetex-lprng-tmp-race(6785) Similar to CAN-2001-0906? Christey> Similar in the sense that lprng/lpd uses Tetex, or something like that. ====================================================== Candidate: CAN-2001-1022 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1022 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010727 ADV/EXP:pic/lpd remote exploit - RH 7.0 Reference: URL:http://www.securityfocus.com/archive/1/199706 Reference: DEBIAN:DSA-072 Reference: URL:http://www.debian.org/security/2001/dsa-072 Reference: CONECTIVA:CLA-2001:428 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000428 Reference: XF:linux-groff-format-string(6918) Reference: URL:http://xforce.iss.net/static/6918.php Reference: BID:3103 Reference: URL:http://www.securityfocus.com/bid/3103 Format string vulnerability in pic utility in groff 1.16.1 and other versions allows remote attackers to bypass the -S option and execute arbitrary commands via format string specifiers in the plot command. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1022 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Baker, Cole, Armstrong, Frech, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1027 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1027 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: CONFIRM:http://www.windowmaker.org/src/ChangeLog Reference: DEBIAN:DSA-074 Reference: URL:http://www.debian.org/security/2001/dsa-074 Reference: CONECTIVA:CLA-2001:411 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000411 Reference: SUSE:SuSE-SA:2001:032 Reference: URL:http://www.suse.de/de/support/security/2001_032_wmaker_txt.txt Reference: MANDRAKE:MDKSA-2001:074 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-074.php3 Reference: BID:3177 Reference: URL:http://www.securityfocus.com/bid/3177 Reference: XF:windowmaker-title-bo(6969) Buffer overflow in WindowMaker (aka wmaker) 0.64 and earlier allows remote attackers to execute arbitrary code via a long window title. Modifications: ADDREF XF:windowmaker-title-bo(6969) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1027 ACCEPT (5 accept, 3 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Green MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:windowmaker-title-bo(6969) ====================================================== Candidate: CAN-2001-1030 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1030 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010718 Squid httpd acceleration acl bug enables portscanning Reference: URL:http://www.securityfocus.com/archive/1/197727 Reference: BUGTRAQ:20010719 TSLSA-2001-0013 - Squid Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0362.html Reference: IMMUNIX:IMNX-2001-70-031-01 Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-031-01 Reference: CALDERA:CSSA-2001-029.0 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-029.0.txt Reference: MANDRAKE:MDKSA-2001:066 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-066.php3 Reference: REDHAT:RHSA-2001:097 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-097.html Reference: XF:squid-http-accelerator-portscanning(6862) Reference: URL:http://xforce.iss.net/static/6862.php Squid before 2.3STABLE5 in HTTP accelerator mode does not enable access control lists (ACLs) when the httpd_accel_host and http_accel_with_proxy off settings are used, which allows attackers to bypass the ACLs and conduct unauthorized activities such as port scanning. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1030 ACCEPT (5 accept, 2 ack, 0 review) Current Votes: ACCEPT(5) Baker, Cole, Armstrong, Frech, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1032 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1032 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010924 twlc advisory: all versions of php nuke are vulnerable... Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0203.html Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892 Reference: XF:php-nuke-admin-file-overwrite(7170) Reference: URL:http://xforce.iss.net/static/7170.php Reference: BID:3361 Reference: URL:http://www.securityfocus.com/bid/3361 admin.php in PHP-Nuke 5.2 and earlier, except 5.0RC1, does not check login credentials for upload operations, which allows remote attackers to copy and upload arbitrary files and read the PHP-Nuke configuration file by directly calling admin.php with an upload parameter and specifying the file to copy. Modifications: ADDREF CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892 ADDREF BID:3361 Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-2001-1032 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Frech, Green NOOP(4) Wall, Foat, Cole, Christey Voter Comments: Christey> CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=113892 BID:3361 URL:http://www.securityfocus.com/bid/3361 ====================================================== Candidate: CAN-2001-1043 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1043 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010701 ArGoSoft 1.2.2.2 *.lnk upload Directory Traversal Reference: URL:http://www.securityfocus.com/archive/1/194445 Reference: BID:2961 Reference: URL:http://www.securityfocus.com/bid/2961 Reference: XF:ftp-lnk-directory-traversal(6760) Reference: URL:http://xforce.iss.net/static/6760.php ArGoSoft FTP Server 1.2.2.2 allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. Analysis -------- Vendor Acknowledgement: yes via-email INFERRED ACTION: CAN-2001-1043 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Cole, Frech, Green NOOP(4) Wall, Foat, Armstrong, Christey Voter Comments: CHANGE> [Green changed vote from REVIEWING to ACCEPT] Christey> Acknowledged by the vendor in an email to Dave Baker, May 9. ====================================================== Candidate: CAN-2001-1046 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1046 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010602 Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd) Reference: URL:http://www.securityfocus.com/archive/1/188267 Reference: VULN-DEV:20010420 Qpopper 4.0 Buffer Overflow Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=98777649031406&w=2 Reference: CALDERA:CSSA-2001-SCO.8 Reference: URL:http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html Reference: BID:2811 Reference: URL:http://www.securityfocus.com/bid/2811 Reference: XF:qpopper-username-bo(6647) Reference: URL:http://xforce.iss.net/static/6647.php Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2 allows remote attackers gain privileges via a long username. Analysis -------- Vendor Acknowledgement: yes advisory ACKNOWLEDGEMENT: The Caldera advisory does not provide enough details to be certain that it fixes the reported problem, but it is released a month after the initial announcement, and it provides credits to the same people who are credited in the initial announcement, so there is enough evidence to determine that the Caldera advisory is addressing this problem. INFERRED ACTION: CAN-2001-1046 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Baker, Cole, Armstrong, Frech, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1053 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1053 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010713 AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0249.html Reference: CONFIRM:http://www.adcycle.com/cgi-bin/download.cgi?type=UNIX&version=1.17 Reference: XF:adcycle-insert-sql-command(6837) Reference: URL:http://xforce.iss.net/static/6837.php Reference: BID:3032 Reference: URL:http://www.securityfocus.com/bid/3032 AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to bypass authentication and gain privileges by injecting SQL code in the $password argument. Modifications: DELREF XF:php-includedir-code-execution(7215) Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: In the README.txt file bundled with the software, the "[v1.16] July 5, 2001" entry states "fixed security hole (with help from qDefense.com)." INFERRED ACTION: CAN-2001-1053 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Green MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> DELREF XF:php-includedir-code-execution(7215) ====================================================== Candidate: CAN-2001-1062 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1062 Final-Decision: Interim-Decision: 20020617 Modified: 20020228-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: CALDERA:CSSA-2001-SCO.12 Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.12/CSSA-2001-SCO.12.txt Reference: XF:openserver-mana-bo(7034) Reference: URL:http://www.iss.net/security_center/static/7034.php Buffer overflow in mana in OpenServer 5.0.6a and earlier allows local users to execute arbitrary code. Modifications: ADDREF XF:openserver-mana-bo(7034) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1062 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Green MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:openserver-mana-bo(7034) ====================================================== Candidate: CAN-2001-1071 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1071 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20011009 Cisco CDP attacks Reference: URL:http://www.securityfocus.com/archive/1/219257 Reference: BUGTRAQ:20011009 Cisco Systems - Vulnerability in CDP Reference: URL:http://www.securityfocus.com/archive/1/219305 Reference: BID:3412 Reference: URL:http://www.securityfocus.com/bid/3412 Reference: XF:cisco-ios-cdp-dos(7242) Reference: URL:http://xforce.iss.net/static/7242.php Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP) allows remote attackers to cause a denial of service (memory consumption) via a flood of CDP neighbor announcements. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2001-1071 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Frech, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1072 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1072 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010812 Are your mod_rewrite rules doing what you expect? Reference: URL:http://www.securityfocus.com/archive/1/203955 Reference: CONFIRM:http://www.apacheweek.com/issues/02-02-01#security Reference: BID:3176 Reference: URL:http://www.securityfocus.com/bid/3176 Reference: XF:apache-rewrite-bypass-directives(8633) Apache with mod_rewrite enabled on most UNIX systems allows remote attackers to bypass RewriteRules by inserting extra / (slash) characters into the requested path, which causes the regular expression in the RewriteRule to fail Modifications: ADDREF CONFIRM:http://www.apacheweek.com/issues/02-02-01#security ADDREF XF:apache-rewrite-bypass-directives(8633) Analysis -------- Vendor Acknowledgement: yes via-email ABSTRACTION: This problem is similar to CAN-2000-0913, but different. INFERRED ACTION: CAN-2001-1072 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Baker, Foat, Cole, Armstrong, Green MODIFY(1) Frech NOOP(2) Wall, Christey Voter Comments: Christey> ADDREF CONFIRM:http://www.apacheweek.com/issues/02-02-01#security Christey> CONFIRM:http://www.apacheweek.com/issues/02-02-01#security Frech> Not apache-rewrite-view-files(5310). CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:apache-rewrite-bypass-directives(8633) ====================================================== Candidate: CAN-2001-1074 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1074 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010526 Webmin Doesn't Clean Env (root exploit) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0262.html Reference: CALDERA:CSSA-2001-019.1 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-019.1.txt Reference: MANDRAKE:MDKSA-2001:059 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-059.php3 Reference: XF:webmin-gain-information(6627) Reference: URL:http://xforce.iss.net/static/6627.php Reference: BID:2795 Reference: URL:http://www.securityfocus.com/bid/2795 Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION environment variable when the web server is restarted, which makes authentication information available to all CGI programs and allows local users to gain privileges. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1074 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Baker, Cole, Armstrong, Frech, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1079 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1079 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020131 Category: CF Reference: AIXAPAR:IY19069 Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0000.html Reference: XF:aix-keyfile-world-writable(8923) create_keyfiles in PSSP 3.2 with DCE 3.1 authentication on AIX creates keyfile directories with world-writable permissions, which could allow a local user to delete key files and cause a denial of service. Modifications: DESC Remove 3.2.0 from AIX version number ADDREF XF:aix-keyfile-world-writable(8923) Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-2001-1079 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Baker, Cole, Armstrong, Green MODIFY(2) Bollinger, Frech NOOP(2) Wall, Foat Voter Comments: Bollinger> incorrect. The "REL: 320" in the aixserv email refers to the PSSP version, not the AIX version. Frech> XF: aix-keyfile-world-writable(8923) ====================================================== Candidate: CAN-2001-1083 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1083 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-02 Proposed: 20020131 Assigned: 20020131 Category: SF Reference: BUGTRAQ:20010626 Advisory Reference: URL:http://www.securityfocus.com/archive/1/193516 Reference: MISC:http://www.icecast.org/index.html Reference: CONFIRM:http://www.icecast.org/releases/icecast-1.3.11.tar.gz Reference: DEBIAN:DSA-089 Reference: URL:http://www.debian.org/security/2001/dsa-089 Reference: CALDERA:CSSA-2002-020.0 Reference: BID:2933 Reference: URL:http://www.securityfocus.com/bid/2933 Reference: XF:icecast-http-remote-dos(6751) Reference: URL:http://xforce.iss.net/static/6751.php Icecast 1.3.7, and other versions before 1.3.11 with HTTP server file streaming support enabled allows remote attackers to cause a denial of service (crash) via a URL that ends in . (dot), / (forward slash), or \ (backward slash). Modifications: ADDREF CONFIRM:http://www.icecast.org/releases/icecast-1.3.11.tar.gz DESC update versions. ADDREF DEBIAN:DSA-089 ADDREF CALDERA:CSSA-2002-020.0 Analysis -------- Vendor Acknowledgement: yes patch ACKNOWLEDGEMENT: On August 7, 2001 (more than a month after the initial disclosure), the news page states "contains a couple security updates." There is insufficient information to be confident whether the vendor is fixing the DoS or directory traversal problems identified on Bugtraq. However, a diff of source.c between 1.3.10 and 1.3.11 indicates that for 1.3.11, the vendor inserted a check for the / character, which is sufficient acknowledgement. INFERRED ACTION: CAN-2001-1083 ACCEPT_ACK (2 accept, 3 ack, 0 review) Current Votes: ACCEPT(2) Frech, Green NOOP(5) Wall, Foat, Cole, Armstrong, Christey Voter Comments: CHANGE> [Green changed vote from REVIEWING to ACCEPT] Christey> CALDERA:CSSA-2002-020.0 ====================================================== Candidate: CAN-2001-1084 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1084 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010702 Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/194464 Reference: ALLAIRE:MPSB01-06 Reference: URL:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full Reference: BID:2983 Reference: URL:http://www.securityfocus.com/bid/2983 Reference: XF:java-servlet-crosssite-scripting(6793) Reference: URL:http://www.iss.net/security_center/static/6793.php Cross-site scripting vulnerability in Allaire JRun 3.1 and earlier allows a malicious webmaster to embed Javascript in a request for a .JSP, .shtml, .jsp10, .jrun, or .thtml file that does not exist, which causes the Javascript to be inserted into an error message. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1084 ACCEPT (7 accept, 1 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1085 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1085 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010705 lmail local root exploit Reference: URL:http://www.securityfocus.com/archive/1/195022 Reference: XF:lmail-tmpfile-symlink(6809) Reference: URL:http://xforce.iss.net/static/6809.php Reference: BID:2984 Reference: URL:http://www.securityfocus.com/bid/2984 Lmail 2.7 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file. Analysis -------- Vendor Acknowledgement: unknown INFERRED ACTION: CAN-2001-1085 ACCEPT (3 accept, 0 ack, 0 review) Current Votes: ACCEPT(3) Baker, Frech, Ziese NOOP(5) Wall, Foat, Cole, Armstrong, Green ====================================================== Candidate: CAN-2001-1088 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1088 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: CF Reference: BUGTRAQ:20010605 SECURITY.NNOV: Outlook Express address book spoofing Reference: URL:http://www.securityfocus.com/archive/1/188752 Reference: CONFIRM:http://support.microsoft.com/default.aspx?scid=kb;EN-US;q234241 Reference: XF:outlook-address-book-spoofing(6655) Reference: URL:http://xforce.iss.net/static/6655.php Reference: BID:2823 Reference: URL:http://www.securityfocus.com/bid/2823 Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1088 ACCEPT (8 accept, 1 ack, 0 review) Current Votes: ACCEPT(8) Wall, Baker, Foat, Cole, Armstrong, Frech, Ziese, Green ====================================================== Candidate: CAN-2001-1089 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1089 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010910 RUS-CERT Advisory 2001-09:01 Reference: URL:http://www.securityfocus.com/archive/1/213331 Reference: BID:3314 Reference: URL:http://www.securityfocus.com/bid/3314 Reference: XF:postgresql-nss-authentication-modules(7111) Reference: URL:http://xforce.iss.net/static/7111.php libnss-pgsql in nss-pgsql 0.9.0 and earlier allows remote attackers to execute arbitrary SQL queries by inserting SQL code into an HTTP request. Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-2001-1089 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1095 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1095 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: AIXAPAR:IY23401 Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q4/0000.html Buffer overflow in uuq in AIX 4 could alllow local users to execute arbitrary code via a long -r parameter. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1095 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Bollinger, Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1096 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1096 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: AIXAPAR:IY23402 Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q4/0000.html Buffer overflows in muxatmd in AIX 4 allows an attacker to cause a core dump and possibly execute code. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1096 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Bollinger, Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1099 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1099 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: CF Reference: BUGTRAQ:20010907 Microsoft Exchange + Norton AntiVirus leak local information Reference: URL:http://www.securityfocus.com/archive/1/212724 Reference: BUGTRAQ:20010912 Re: Microsoft Exchange + Norton AntiVirus leak local information Reference: URL:http://www.securityfocus.com/archive/1/213762 Reference: XF:nav-exchange-reveal-information(7093) Reference: URL:http://xforce.iss.net/static/7093.php Reference: BID:3305 Reference: URL:http://www.securityfocus.com/bid/3305 The default configuration of Norton AntiVirus for Microsoft Exchange 2000 2.x allows remote attackers to identify the recipient's INBOX file path by sending an email with an attachment containing malicious content, which includes the path in the rejection notice. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2001-1099 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Cole, Armstrong, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1100 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1100 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20011007 Bug found at W3Mail Webmail Reference: URL:http://www.securityfocus.com/archive/1/218921 Reference: CONFIRM:http://www.w3mail.org/ChangeLog Reference: BID:3673 Reference: URL:http://www.securityfocus.com/bid/3673 Reference: XF:w3mail-metacharacters-command-execution(7230) Reference: URL:http://xforce.iss.net/static/7230.php sendmessage.cgi in W3Mail 1.0.2, and possibly other CGI programs, allows remote attackers to execute arbitrary commands via shell metacharacters in any field of the 'Compose Message' page. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: in Version 1.0.3 of the ChangeLog, dated December 4, 2001, the vendor says "Fixed potential security exploit by filtering special metacharacters." INFERRED ACTION: CAN-2001-1100 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1108 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1108 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010726 Snapstream PVS vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0606.html Reference: CONFIRM:http://discuss.snapstream.com/ubb/Forum1/HTML/000216.html Reference: XF:snapstream-dot-directory-traversal(6917) Reference: URL:http://xforce.iss.net/static/6917.php Reference: BID:3100 Reference: URL:http://www.securityfocus.com/bid/3100 Directory traversal vulnerability in SnapStream PVS 1.2a allows remote attackers to read arbitrary files via a .. (dot dot) attack in the requested URL. Analysis -------- Vendor Acknowledgement: yes ACKNOWLEDGEMENT: The online bulletin board includes a query about whether SnapStream fixed certain bugs, which included a URL to the problem description which indicates that it's the same as the Bugtraq post. "rakeshagrawal," whose email address is from SnapStream, said "issue 1 has been corrected," and issue 1 is the directory traversal problem identified in the Bugtraq post. INFERRED ACTION: CAN-2001-1108 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1113 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1113 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010813 Local exploit for TrollFTPD-1.26 Reference: URL:http://www.securityfocus.com/archive/1/203874 Reference: CONFIRM:ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz Reference: XF:trollftpd-long-path-bo(6974) Reference: URL:http://xforce.iss.net/static/6974.php Reference: BID:3174 Reference: URL:http://www.securityfocus.com/bid/3174 Buffer overflow in TrollFTPD 1.26 and earlier allows local users to execute arbitrary code by creating a series of deeply nested directories with long names, then running the ls -R (recursive) command. Analysis -------- Vendor Acknowledgement: yes patch ACKNOWLEDGEMENT: the discloser says that a fixed version is at ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz. There is no clear acknowledgement on the web site or in the README file. A look at listdir() in ls.c indicates that snprintf is being used to copy pathnmes. So the question is, was this fix *always* there, or was it just added? Fortunately we can download troll-ftpd-1.26.tar.gz and do a diff between the ls.c files from 1.26 and 1.27... Sure enough, 1.26 used sprintf whereas 1.27 used snprintf. So we have indirect vendor acknowledgement through creation of a patch. QED. INFERRED ACTION: CAN-2001-1113 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1116 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1116 Final-Decision: Interim-Decision: 20020617 Modified: 20020320-01 Proposed: 20020315 Assigned: 20020315 Category: SF Reference: NTBUGTRAQ:20010802 Identix BioLogon Client security bug Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=IND0108&L=NTBUGTRAQ&F=P&S=&P=71 Reference: NTBUGTRAQ:20010808 Response to Identix BioLogon Client security bug Reference: URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0108&L=ntbugtraq&F=P&S=&P=724 Reference: XF:identix-biologon-auth-bypass(6948) Reference: URL:http://xforce.iss.net/static/6948.php Reference: BID:3140 Reference: URL:http://www.securityfocus.com/bid/3140 Identix BioLogon 2.03 and earlier does not lock secondary displays on a multi-monitor system running Windows 98 or ME, which allows an attacker with physical access to the system to bypass authentication through a secondary display. Modifications: CHANGEREF XF [fix typo in tagname] Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2001-1116 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Foat, Cole, Ziese, Green NOOP(2) Wall, Armstrong ====================================================== Candidate: CAN-2001-1117 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1117 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010810 Linksys router security fix Reference: URL:http://www.securityfocus.com/archive/1/203302 Reference: BUGTRAQ:20010802 Advisory Update: Design Flaw in Linksys EtherFast 4-Port Reference: URL:http://www.securityfocus.com/archive/1/201390 Reference: CONFIRM:ftp://ftp.linksys.com/pub/befsr41/befsr-fw1402.zip Reference: XF:linksys-etherfast-reveal-passwords(6949) Reference: URL:http://xforce.iss.net/static/6949.php Reference: BID:3141 Reference: URL:http://www.securityfocus.com/bid/3141 LinkSys EtherFast BEFSR41 Cable/DSL routers running firmware before 1.39.3 Beta allows a remote attacker to view administration and user passwords by connecting to the router and viewing the HTML source for (1) index.htm and (2) Password.htm. Analysis -------- Vendor Acknowledgement: yes ACKNOWLEDGEMENT: In befsr-fw1402.zip available from the vendor, the notes for version 4.40.2 in ver.txt, dated October 24 2001, says "5. Fixed some time user can see the UI page without password problem" INFERRED ACTION: CAN-2001-1117 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Foat, Cole, Armstrong, Ziese, Green NOOP(1) Wall ====================================================== Candidate: CAN-2001-1118 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1118 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010802 Roxen security alert: URL decoding vulnerable Reference: URL:http://www.securityfocus.com/archive/1/201476 Reference: BUGTRAQ:20010802 FW: Security alert: Remote user can access any file Reference: URL:http://www.securityfocus.com/archive/1/201499 Reference: CONFIRM:http://download.roxen.com/2.0/patch/security-notice.html Reference: BID:3145 Reference: URL:http://www.securityfocus.com/bid/3145 Reference: XF:roxen-urlrectifier-retrieve-files(6937) Reference: URL:http://xforce.iss.net/static/6937.php A module in Roxen 2.0 before 2.0.92, and 2.1 before 2.1.264, does not properly decode UTF-8, Mac and ISO-2202 encoded URLs, which could allow a remote attacker to execute arbitrary commands or view arbitrary files via an encoded URL. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1118 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1119 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1119 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: CERT-VN:VU#105347 Reference: URL:http://www.kb.cert.org/vuls/id/105347 Reference: SUSE:SuSE-SA:2001:025 Reference: URL:http://www.suse.de/de/support/security/2001_025_xmcd_txt.html Reference: BID:3148 Reference: URL:http://www.securityfocus.com/bid/3148 Reference: XF:xmcd-cda-symlink(6941) Reference: URL:http://xforce.iss.net/static/6941.php cda in xmcd 3.0.2 and 2.6 in SuSE Linux allows local users to overwrite arbitrary files via a symlink attack. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1119 ACCEPT (4 accept, 2 ack, 0 review) Current Votes: ACCEPT(4) Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1121 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1121 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010702 Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/194464 Reference: CONFIRM:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full Reference: XF:java-servlet-crosssite-scripting(6793) Reference: URL:http://xforce.iss.net/static/6793.php Reference: BID:2983 Reference: URL:http://www.securityfocus.com/bid/2983 Cross-site scripting (CSS) vulnerability in JRun 3.0 and 2.3.3 allows remote attackers to execute JavaScript on other clients via a web page URL that references a non-existent JSP file or Servlet, which causes the script to be returned in an error message. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1121 ACCEPT (7 accept, 1 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1130 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1130 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010802 suse: sdbsearch.cgi vulnerability Reference: URL:http://www.securityfocus.com/archive/1/201216 Reference: SUSE:SuSE-SA:2001:027 Reference: URL:http://www.suse.de/de/support/security/2001_027_sdb_txt.txt Reference: XF:sdbsearch-cgi-command-execution(7003) Reference: URL:http://xforce.iss.net/static/7003.php Sdbsearch.cgi in SuSE Linux 6.0-7.2 could allow remote attackers to execute arbitrary commands by uploading a keylist.txt file that contains filenames with shell metacharacters, then causing the file to be searched using a .. in the HTTP referer (from the HTTP_REFERER variable) to point to the directory that contains the keylist.txt file. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1130 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1132 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1132 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: CF Reference: CONECTIVA:CLA-2001:420 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000420 Reference: XF:mailman-blank-passwords(7091) Reference: URL:http://xforce.iss.net/static/7091.php Mailman 2.0.x before 2.0.6 allows remote attackers to gain access to list administrative pages when there is an empty site or list password, which is not properly handled during the call to the crypt function during authentication. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1132 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Cole, Ziese, Green NOOP(3) Wall, Foat, Armstrong ====================================================== Candidate: CAN-2001-1141 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1141 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010710 OpenSSL Security Advisory: PRNG weakness in versions up to 0.9.6a Reference: URL:http://www.securityfocus.com/archive/1/195829 Reference: FREEBSD:FreeBSD-SA-01:51 Reference: URL:http://www.securityfocus.com/advisories/3475 Reference: NETBSD:NetBSD-SA2001-013 Reference: URL:http://www.securityfocus.com/advisories/3512 Reference: CONECTIVA:CLA-2001:418 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000418 Reference: MANDRAKE:MDKSA-2001:065 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-065.php3?dis=8.0 Reference: REDHAT:RHSA-2001:051 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-051.html Reference: ENGARDE:ESA-20010709-01 Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1483.html Reference: BID:3004 Reference: URL:http://www.securityfocus.com/bid/3004 Reference: XF:openssl-prng-brute-force(6823) Reference: URL:http://xforce.iss.net/static/6823.php The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. Modifications: CHANGEREF REDHAT [normalize] Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1141 ACCEPT (7 accept, 3 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(2) Christey, Foat Voter Comments: Christey> Remove version number from REDHAT reference. ====================================================== Candidate: CAN-2001-1144 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1144 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010711 McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerabilty Reference: URL:http://www.securityfocus.com/archive/1/196272 Reference: NTBUGTRAQ:20010716 McAfee ASaP Virusscan - MyCIO HTTP Server Directory Traversal Vul nerability Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=1558 Reference: CERT-VN:VU#190267 Reference: URL:http://www.kb.cert.org/vuls/id/190267 Reference: BID:3020 Reference: URL:http://www.securityfocus.com/bid/3020 Reference: XF:mcafee-mycio-directory-traversal(6834) Reference: URL:http://www.iss.net/security_center/static/6834.php Directory traversal vulnerability in McAfee ASaP VirusScan agent 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTP request. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2001-1144 ACCEPT (7 accept, 1 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1146 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1146 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020315 Category: SF Reference: ENGARDE:ESA-20010711-01 Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1492.html Reference: XF:allcommerce-temp-symlink(6830) Reference: URL:http://xforce.iss.net/static/6830.php Reference: BID:3016 Reference: URL:http://online.securityfocus.com/bid/3016 AllCommerce with debugging enabled in EnGarde Secure Linux 1.0.1 creates temporary files with predictable names, which allows local users to modify files via a symlink attack. Modifications: DESC fix typo: "teporary" Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1146 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(2) Wall, Foat Voter Comments: Frech> In description, 'teporary' should be 'temporary'. ====================================================== Candidate: CAN-2001-1147 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1147 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20011008 pam_limits.so Bug!! Reference: URL:http://www.securityfocus.com/archive/1/219175 Reference: REDHAT:RHSA-2001:132 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-132.html Reference: MANDRAKE:MDKSA-2001:084 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-084.php3 Reference: SUSE:SuSE-SA:2001:034 Reference: URL:http://www.suse.de/de/support/security/2001_034_shadow_txt.txt Reference: CIAC:M-009 Reference: URL:http://www.ciac.org/ciac/bulletins/m-009.shtml Reference: BID:3415 Reference: URL:URL:http://www.securityfocus.com/bid/3415 Reference: XF:utillinux-pamlimits-gain-privileges(7266) Reference: URL:http://www.iss.net/security_center/static/7266.php The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1147 ACCEPT (5 accept, 3 ack, 0 review) Current Votes: ACCEPT(5) Wall, Cole, Armstrong, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1149 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1149 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: VULN-DEV:20010821 RE: Bug report -- Incident number 240649 Reference: URL:http://www.securityfocus.com/archive/82/209328 Panda Antivirus Platinum before 6.23.00 allows a remore attacker to cause a denial of service (crash) when a user selects an action for a malformed UPX packed executable file. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2001-1149 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Ziese, Green NOOP(4) Wall, Foat, Cole, Armstrong ====================================================== Candidate: CAN-2001-1153 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1153 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: CALDERA:CSSA-2001-SCO.15 Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0391.html Reference: XF:openunix-lpsystem-bo(7041) Reference: URL:http://www.iss.net/security_center/static/7041.php Reference: BID:3248 Reference: URL:http://online.securityfocus.com/bid/3248 lpsystem in OpenUnix 8.0.0 allows local users to cause a denial of service and possibly execute arbitrary code via a long command line argument. Analysis -------- Vendor Acknowledgement: yes advisory The advisory describes behavior indicating a buffer overflow; hence, my choice given our limited time constraints. A long argument causes lpsystem to have a segmentation violation. Unfortunately this url does not get me there: ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.15/, so I contented myself with the neohapsis archive reference. INFERRED ACTION: CAN-2001-1153 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1155 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1155 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: FREEBSD:FreeBSD-SA-01:56 Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:56.tcp_wrappers.asc TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1155 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Foat, Cole, Armstrong, Ziese, Green NOOP(1) Wall ====================================================== Candidate: CAN-2001-1158 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1158 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: CF Reference: BUGTRAQ:20010709 Check Point FireWall-1 RDP Bypass Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0128.html Reference: BUGTRAQ:20010709 Check Point response to RDP Bypass Reference: URL:http://online.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-03-11&end=2002-03-17&mid=195647&threads=1 Reference: CHECKPOINT:20010712 RDP Bypass workaround for VPN-1/FireWall 4.1 SPx Reference: URL:http://www.checkpoint.com/techsupport/alerts/rdp.html Reference: CERT:CA-2001-17 Reference: URL:http://www.cert.org/advisories/CA-2001-17.html Reference: CERT-VN:VU#310295 Reference: URL:http://www.kb.cert.org/vuls/id/310295 Reference: CIAC:L-109 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-109.shtml Reference: XF:fw1-rdp-bypass(6815) Reference: URL:http://xforce.iss.net/static/6815.php Reference: BID:2952 Reference: URL:http://www.securityfocus.com/bid/2952 Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro, accept_fw1_rdp, which can allow remote attackers to bypass intended restrictions with forged RDP (internal protocol) headers to UDP port 259 of arbitrary hosts. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1158 ACCEPT (6 accept, 3 ack, 0 review) Current Votes: ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1160 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1160 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010618 udirectory from Microburst Technologies remote command execution Reference: URL:http://www.securityfocus.com/archive/1/191829 Reference: BID:2884 Reference: URL:http://www.securityfocus.com/bid/2884 Reference: XF:udirectory-remote-command-execution(6706) Reference: URL:http://xforce.iss.net/static/6706.php udirectory.pl in Microburst Technologies uDirectory 2.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the category_file field. Analysis -------- Vendor Acknowledgement: yes via-email ACKNOWLEDGEMENT: confirmed via email to David Baker on May 20, 2002 "I just wanted to follow up with you in regard to [the Bugtraq post]... the $category_file parameter was not being validated, so to correct any possible security problems, the call to the 'validate_category_filename' was moved up to the top of the script - directly after the parameters are parsed - to make sure that it is called regardless of the command being processed." INFERRED ACTION: CAN-2001-1160 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Baker, Frech NOOP(6) Wall, Foat, Cole, Armstrong, Ziese, Green Voter Comments: CHANGE> [Baker changed vote from REVIEWING to ACCEPT] Baker> I received confirmation in an email message from the vendor. RE: uDirectory Date: Mon, 20 May 2002 07:52:59 -0400 From: "Bill Weiner" <bweiner@uburst.com> Hello David, I just wanted to follow up with you in regard to: http://online.securityfocus.com/archive/1/191829 ... Again, in that particular scenerio, the $category_file parameter was not being validated, so to correct any possible security problems, the call to the "validate_category_filename" was moved up to the top of the script - directly after the parameters are parsed - to make sure that it is called regardless of the command being processed. FYI: The commented version of the "validate_category_filename" subroutine looks like this: #--------------------------------------------------------------------------- # validate_category_filename() # Subroutine to remove/replace all special characters from the category # file name. # @param $vstring - The string to be validated. # @return Returns the validated string. #--------------------------------------------------------------------------- sub validate_category_filename ====================================================== Candidate: CAN-2001-1161 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1161 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010702 Lotus Domino Server Cross-Site Scripting Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/194465 Reference: BUGTRAQ:20010702 Re: Lotus Domino Server Cross-Site Scripting Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/194609 Reference: CERT-VN:VU#642239 Reference: URL:http://www.kb.cert.org/vuls/id/642239 Reference: BID:2962 Reference: URL:http://www.securityfocus.com/bid/2962 Reference: XF:lotus-domino-css(6789) Reference: URL:http://www.iss.net/security_center/static/6789.php Cross-site scripting (CSS) vulnerability in Lotus Domino 5.0.6 allows remote attackers to execute script on other web clients via a URL that ends in Javascript, which generates an error message that does not quote the resulting script. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2001-1161 ACCEPT (7 accept, 1 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1162 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1162 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010623 smbd remote file creation vulnerability Reference: URL:http://www.securityfocus.com/archive/1/193027 Reference: CONFIRM:http://us1.samba.org/samba/whatsnew/macroexploit.html Reference: MANDRAKE:MDKSA-2001-062 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-062.php3 Reference: HP:HPSBUX0107-157 Reference: URL:http://www.securityfocus.com/advisories/3423 Reference: SGI:20011002-01-P Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20011002-01-P Reference: CIAC:L-105 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-105.shtml Reference: IMMUNIX:IMNX-2001-70-027-01 Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-027-01 Reference: CALDERA:CSSA-2001-024.0 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-024.0.txt Reference: CONECTIVA:CLA-2001:405 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000405 Reference: REDHAT:RHSA-2001:086 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-086.html Reference: DEBIAN:DSA-065 Reference: URL:http://www.debian.org/security/2001/dsa-065 Reference: BID:2928 Reference: URL:http://www.securityfocus.com/bid/2928 Reference: XF:samba-netbios-file-creation(6731) Reference: URL:http://xforce.iss.net/static/6731.php Directory traversal vulnerability in the %m macro in the smb.conf configuration file in Samba before 2.2.0a allows remote attackers to overwrite certain files via a .. in a NETBIOS name, which is used as the name for a .log file. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1162 ACCEPT (7 accept, 7 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1166 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1166 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: FREEBSD:FreeBSD-SA-01:55 Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:55.procfs.asc Reference: XF:linprocfs-process-memory-leak(7017) Reference: URL:http://www.iss.net/security_center/static/7017.php Reference: BID:3217 Reference: URL:http://www.securityfocus.com/bid/3217 linprocfs on FreeBSD 4.3 and earlier does not properly restrict access to kernel memory, which allows one process with debugging rights on a privileged process to read restricted memory from that process. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1166 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Armstrong, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1172 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1172 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010719 [SNS Advisory No.37] HTTProtect allows attackers to change the protected file using a symlink Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0357.html Reference: CONFIRM:http://www.omnisecure.com/security-alert.html Reference: XF:httprotect-protected-file-symlink(6880) Reference: URL:http://xforce.iss.net/static/6880.php OmniSecure HTTProtect 1.1.1 allows a superuser without omnish privileges to modify a protected file by creating a symbolic link to that file. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1172 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1174 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1174 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: REDHAT:RHSA-2001:091 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-091.html Reference: MANDRAKE:MDKSA-2001:067 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-067.php Reference: XF:elm-messageid-bo(6852) Reference: URL:http://xforce.iss.net/static/6852.php Buffer overflow in Elm 2.5.5 and earlier allows remote attackers to execute arbitrary code via a long Message-ID header. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1174 ACCEPT (7 accept, 1 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1175 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1175 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: REDHAT:RHSA-2001:095 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-095.html Reference: XF:vipw-world-readable-files(6851) Reference: URL:http://xforce.iss.net/static/6851.php Reference: BID:3036 Reference: URL:http://www.securityfocus.com/bid/3036 vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1175 ACCEPT (8 accept, 1 ack, 0 review) Current Votes: ACCEPT(8) Wall, Baker, Foat, Cole, Armstrong, Frech, Ziese, Green ====================================================== Candidate: CAN-2001-1176 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1176 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010712 VPN-1/FireWall-1 Format Strings Vulnerability Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0209.html Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/format_strings.html Reference: BID:3021 Reference: URL:http://www.securityfocus.com/bid/3021 Reference: XF:fw1-management-format-string(6849) Reference: URL:http://xforce.iss.net/static/6849.php Format string vulnerability in Check Point VPN-1/FireWall-1 4.1 allows a remote authenticated firewall administrator to execute arbitrary code via format strings in the control connection. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1176 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1177 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1177 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010717 Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html Reference: BID:3008 Reference: URL:http://www.securityfocus.com/bid/3008 Reference: XF:samsung-printer-temp-symlink(6845) Reference: URL:http://xforce.iss.net/static/6845.php ml85p in Samsung ML-85G GDI printer driver before 0.2.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files. Modifications: DESC add version number Analysis -------- Vendor Acknowledgement: yes via-email ACKNOWLEDGEMENT: acknowledged by vendor via e-mail to Dave Baker on May 9, 2002: "This issue was solved at the release 0.2.0, available at Ibiblio" INFERRED ACTION: CAN-2001-1177 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Baker, Frech NOOP(7) Christey, Wall, Foat, Cole, Armstrong, Ziese, Green Voter Comments: Christey> Fixed by vendor in release 0.2.0 (acknowledged via e-mail) CHANGE> [Baker changed vote from REVIEWING to ACCEPT] Baker> Vendor acknowledged via email. Subject: Re: Samsung ML-85G Driver Issue Date: Mon, 13 May 2002 20:11:14 -0300 (GMT+3) From: Rildo Pragana <rildo@pragana.net> To: David Baker <bakerd@mitre.org> Hi David, On Thu, 9 May 2002, David Baker wrote: > I am a security researcher working for CVE (Common > Vulnerabilities and Exposures) project. I am researching a > vulnerability in the ml85p printer driver. I have been > looking to determine if the driver was fixed to correct a > flaw in the way it allowed a symlink attack via temporary > files. The vulnerability was reported on Bugtraq in Jul > 2001, BUGTRAQ:20010717 Samsung ML-85G Printer Linux > Helper/Driver Binary Exploit (Mandrake: ghostscript > package) at > http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html > and is listed in the Security Focus DB at BID 3008 > http://www.securityfocus.com/bid/3008 and as CVE candidate > CAN-2001-1177. I contacted Mandrake, who referred me to > you, as the author of the driver. > > Can you shed any light on whether this was fixed or not? -- This issue was solved at the release 0.2.0, available at Ibiblio: http://ibiblio.org/pub/Linux/hardware/drivers/ml85p-0.2.0.tar.gz If there is something I can do, please let me know. best regards, Rildo ====================================================== Candidate: CAN-2001-1180 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1180 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20010710 FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0179.html Reference: CIAC:L-111 Reference: URL:http://ciac.llnl.gov/ciac/bulletins/l-111.shtml Reference: CERT-VN:VU#943633 Reference: URL:http://www.kb.cert.org/vuls/id/943633 Reference: FREEBSD:FreeBSD-SA-01:42 Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.v1.1.asc Reference: XF:bsd-rfork-signal-handlers(6829) Reference: URL:http://xforce.iss.net/static/6829.php Reference: BID:3007 Reference: URL:http://www.securityfocus.com/bid/3007 FreeBSD 4.3 does not properly clear shared signal handlers when executing a process, which allows local users to gain privileges by calling rfork with a shared signal handler, having the child process execute a setuid program, and sending a signal to the child. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1180 ACCEPT (6 accept, 3 ack, 0 review) Current Votes: ACCEPT(6) Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1183 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1183 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: CISCO:20010712 Cisco IOS PPTP Vulnerability Reference: URL:http://www.cisco.com/warp/public/707/PPTP-vulnerability-pub.html Reference: CERT-VN:VU#656315 Reference: URL:http://www.kb.cert.org/vuls/id/656315 Reference: BID:3022 Reference: URL:http://www.securityfocus.com/bid/3022 Reference: XF:cisco-ios-pptp-dos(6835) Reference: URL:http://xforce.iss.net/static/6835.php PPTP implementation in Cisco IOS 12.1 and 12.2 allows remote attackers to cause a denial of service (crash) via a malformed packet. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1183 ACCEPT (7 accept, 2 ack, 0 review) Current Votes: ACCEPT(7) Wall, Baker, Cole, Armstrong, Frech, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1185 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1185 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20011210 AIO vulnerability Reference: URL:http://www.securityfocus.com/archive/1/244583 Reference: XF:bsd-aio-overwrite-memory(7693) Reference: URL:http://www.iss.net/security_center/static/7693.php Reference: BID:3661 Reference: URL:http://www.securityfocus.com/bid/3661 Some AIO operations in FreeBSD 4.4 may be delayed until after a call to execve, which could allow a local user to overwrite memory of the new process and gain privileges. Analysis -------- Vendor Acknowledgement: INFERRED ACTION: CAN-2001-1185 ACCEPT (4 accept, 0 ack, 0 review) Current Votes: ACCEPT(4) Foat, Cole, Frech, Green NOOP(2) Wall, Ziese ====================================================== Candidate: CAN-2001-1193 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1193 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20011213 EFTP 2.0.8.346 directory content disclosure Reference: URL:http://www.securityfocus.com/archive/1/245393 Reference: CONFIRM:http://www.eftp.org/releasehistory.html Reference: BID:3691 Reference: URL:http://www.securityfocus.com/bid/3691 Reference: XF:eftp-dot-directory-traversal(7699) Directory traversal vulnerability in EFTP 2.0.8.346 allows local users to read directories via a ... (modified dot dot) in the CWD command. Modifications: ADDREF XF:eftp-dot-directory-traversal(7699) Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: In the release history, the entry for version 2.0.8.347, dated December 12, says "Fixed a security flaw where users could inadvertantly change directory by changing to '...'" INFERRED ACTION: CAN-2001-1193 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Cole, Ziese, Green MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:eftp-dot-directory-traversal(7699) ====================================================== Candidate: CAN-2001-1199 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1199 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20011217 Agoracgi v3.3e Cross Site Scripting Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/246044 Reference: CONFIRM:http://www.agoracgi.com/security.html Reference: BID:3702 Reference: URL:http://www.securityfocus.com/bid/3702 Reference: XF:agora-cgi-css(7708) Reference: URL:http://www.iss.net/security_center/static/7708.php Cross-site scripting vulnerability in agora.cgi for Agora 3.0a through 4.0g, when debug mode is enabled, allows remote attackers to execute Javascript on other clients via the cart_id parameter. Analysis -------- Vendor Acknowledgement: yes advisory ACKNOWLEDGEMENT: The Agoracgi security page says "The Cross-Site Scripting vulnerability demonstrations (erroneously described as running on 3.x stores) don't work with this patch installed... No store version 3.0a through 4.0g should run without [this patch]" INFERRED ACTION: CAN-2001-1199 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1201 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1201 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20011217 New Advisory + Exploit Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100863301405266&w=2 Reference: BUGTRAQ:20011218 wmcube-gdk is vulnerable to a local exploit Reference: URL:http://online.securityfocus.com/archive/1/246273 Reference: CONFIRM:http://www.ne.jp/asahi/linux/timecop/software/wmcube-gdk-0.98p2.tar.gz Reference: BID:3706 Reference: URL:http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3706 Reference: XF:wmcubegdk-object-file-bo(7720) Reference: URL:http://www.iss.net/security_center/static/7720.php Buffer overflow in wmcube-gdk for WMCube/GDK 0.98 allows local users to execute arbitrary code via long lines in the object description file. Analysis -------- Vendor Acknowledgement: yes ACKNOWLEDGEMENT: the CHANGES file in wmcube-gdk-0.98p2.tar.gz includes an entry dated 20011218, stating "drop kmem priviliges on FreeBSD after opening kvm." Given the timing of this file relative to the Bugtraq announcement, and the fact that it would fix the issue being discussed in this item, there is sufficient acknowledgement. INFERRED ACTION: CAN-2001-1201 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1203 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1203 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020315 Category: SF Reference: DEBIAN:DSA-095 Reference: URL:http://www.debian.org/security/2001/dsa-095 Reference: XF:linux-gpm-format-string(7748) Reference: BID:3750 Reference: URL:http://online.securityfocus.com/bid/3750 Format string vulnerability in gpm-root in gpm 1.17.8 through 1.17.18 allows local users to gain root privileges. Modifications: ADDREF XF:linux-gpm-format-string(7748) ADDREF BID:3750 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1203 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Foat, Cole, Ziese, Green MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:linux-gpm-format-string(7748) http://online.securityfocus.com/bid/3750 ====================================================== Candidate: CAN-2001-1215 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1215 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20011220 [CERT-intexxia] pfinger Format String Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/246656 Reference: CONFIRM:http://www.xelia.ch/unix/pfinger/ChangeLog Reference: XF:pfinger-plan-format-string(7742) Reference: URL:http://www.iss.net/security_center/static/7742.php Reference: BID:3725 Reference: URL:http://online.securityfocus.com/bid/3725 Format string vulnerability in PFinger 0.7.5 through 0.7.7 allows remote attackers to execute arbitrary code via format string specifiers in a .plan file. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: in the Change Log, the entry dated 2001-12-19 says "Security Fix: Malicious local user could induce a bad format string" and credits the disclosers. INFERRED ACTION: CAN-2001-1215 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2001-1227 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1227 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020411 Category: SF Reference: REDHAT:RHSA-2001:115 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-115.html Reference: MANDRAKE:MDKSA-2001:080 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-080.php3 Reference: BID:3425 Reference: URL:http://online.securityfocus.com/bid/3425 Reference: XF:zope-fmt-access-methods(7271) Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags. Modifications: ADDREF XF:zope-fmt-access-methods(7271) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1227 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Cox, Green MODIFY(1) Frech NOOP(1) Foat Voter Comments: Frech> XF:zope-fmt-access-methods(7271) ====================================================== Candidate: CAN-2001-1231 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1231 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20010814 Fwd: Security Alert: Groupwise - Action Required Reference: URL:http://www.securityfocus.com/archive/1/204672 Reference: CONFIRM:http://support.novell.com/padlock/details.htm Reference: XF:novell-groupwise-admin-privileges(6998) Reference: URL:http://xforce.iss.net/static/6998.php Reference: BID:3189 Reference: URL:http://www.securityfocus.com/bid/3189 GroupWise 5.5 and 6 running in live remove or smart caching mode allows remote attackers to read arbitrary users' mailboxes by extracting usernames and passwords from sniffed network traffic, as addressed by the "Padlock" fix. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1231 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Frech, Green NOOP(4) Wall, Foat, Cole, Cox ====================================================== Candidate: CAN-2001-1234 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1234 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20011002 results of semi-automatic source code audit Reference: URL:http://www.securityfocus.com/archive/1/218000 Reference: CONFIRM:http://prdownloads.sourceforge.net/gallery/gallery-1.2.5.tar.gz Reference: BID:3397 Reference: URL:http://www.securityfocus.com/bid/3397 Reference: XF:php-includedir-code-execution(7215) Reference: URL:http://www.iss.net/security_center/static/7215.php Bharat Mediratta Gallery PHP script before 1.2.1 allows remote attackers to execute arbitrary code by including files from remote web sites via an HTTP request that modifies the includedir variable. Analysis -------- Vendor Acknowledgement: yes patch ACKNOWLEDGEMENT: The UPGRADING file in the distribution of 1.2.5 says: "Due to a security fix, you now have to modify index.php if you want to use the Gallery random photo block for Nuke... The file you tried to include is not on the approved file list. To include this file you must edit Gallery's index.php and add XXX to the $safe_to_include array." This clearly addresses the problem that was reported. INFERRED ACTION: CAN-2001-1234 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Cole, Frech, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2001-1235 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1235 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20011002 results of semi-automatic source code audit Reference: URL:http://www.securityfocus.com/archive/1/21800 Reference: CERT-VN:VU#847803 Reference: URL:http://www.kb.cert.org/vuls/id/847803 Reference: XF:php-includedir-code-execution(7215) Reference: URL:http://xforce.iss.net/static/7215.php Reference: BID:3395 Reference: URL:http://www.securityfocus.com/bid/3395 pSlash PHP script 0.7 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the includedir variable. Analysis -------- Vendor Acknowledgement: unknown ACKNOWLEDGEMENT: Could not find ACK and the software has not been updated on sourceforge since Jun 05, 2001, 5 months before this vulnerability was announced. INFERRED ACTION: CAN-2001-1235 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2001-1236 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1236 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20011002 results of semi-automatic source code audit Reference: URL:http://www.securityfocus.com/archive/1/218000 Reference: CERT-VN:VU#847803 Reference: URL:http://www.kb.cert.org/vuls/id/847803 Reference: BID:3394 Reference: URL:http://www.securityfocus.com/bid/3394 Reference: XF:php-includedir-code-execution(7215) Reference: URL:http://xforce.iss.net/static/7215.php myphpPagetool PHP script 0.4.3-1 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the includedir variable. Analysis -------- Vendor Acknowledgement: unknown INFERRED ACTION: CAN-2001-1236 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2001-1237 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1237 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20011002 results of semi-automatic source code audit Reference: URL:http://www.securityfocus.com/archive/1/218000 Reference: CONFIRM:http://www.peaceworks.ca/phormation/phormation-0.9.2.tar.gz Reference: BID:3393 Reference: URL:http://www.securityfocus.com/bid/3393 Reference: XF:php-includedir-code-execution(7215) Reference: URL:http://xforce.iss.net/static/7215.php Reference: CERT-VN:VU#847803 Reference: URL:http://www.kb.cert.org/vuls/id/847803 Phormation PHP script 0.9.1 and earlier allows remote attackers to execute arbitrary code by including files from remote web sites, using an HTTP request that modifies the phormationdir variable. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: Ack is in /phormation-0.9.2/phormation/CHANGELOG: - "changed the $phormationdir variable to be a constant. This closes a huge security hole: The client could set the variable to something like 'http://his_site.com'. Then your script would include http://his_site.com/form.php and execute his code! (assuming you haven't turned off certain php options)" INFERRED ACTION: CAN-2001-1237 ACCEPT_ACK (2 accept, 2 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2001-1240 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1240 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: CF Reference: ENGARDE:ESA-20010711-02 Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1493.html The default configuration of sudo in Engarde Secure Linux 1.0.1 allows any user in the admin group to run certain commands that could be leveraged to gain full root access. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1240 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2001-1246 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1246 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20010630 php breaks safe mode Reference: URL:http://online.securityfocus.com/archive/1/194425 Reference: CONFIRM:http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz Reference: BID:2954 Reference: URL:http://online.securityfocus.com/bid/2954 Reference: XF:php-safemode-elevate-privileges(6787) Reference: URL:http://www.iss.net/security_center/static/6787.php PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th parameter to the mail() function, which allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: php-4.1.2 source, NEWS file, 10 Dec 2001, Version 4.1.0 states: "Fixed a bug that allowed users to spawn processes while using the 5th parameter to mail()" The 5th param to mail was added in version 4.0.5. INFERRED ACTION: CAN-2001-1246 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Cole, Cox, Green NOOP(2) Wall, Foat Voter Comments: CHANGE> [Cox changed vote from REVIEWING to ACCEPT] ====================================================== Candidate: CAN-2001-1247 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1247 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20010630 php breaks safe mode Reference: URL:http://online.securityfocus.com/archive/1/194425 Reference: CONFIRM:http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz Reference: REDHAT:RHSA-2002:035 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-035.html PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read and write files owned by the web server UID by uploading a PHP script that uses the error_log function to access the files. Modifications: ADDREF REDHAT:RHSA-2002:035 Analysis -------- Vendor Acknowledgement: unknown INFERRED ACTION: CAN-2001-1247 ACCEPT (3 accept, 2 ack, 0 review) Current Votes: ACCEPT(3) Cole, Cox, Green NOOP(2) Wall, Foat Voter Comments: CHANGE> [Cox changed vote from REVIEWING to ACCEPT] Cox> ADDREF: RHSA-2002:035 ====================================================== Candidate: CAN-2001-1252 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1252 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: CF Reference: BUGTRAQ:20010928 SNS-43: PGP Keyserver Permissions Misconfiguration Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0230.html Reference: CONFIRM:http://www.pgp.com/support/product-advisories/keyserver.asp Reference: XF:pgp-keyserver-http-dos(7203) Reference: URL:http://www.iss.net/security_center/static/7203.php Reference: BID:3375 Reference: URL:http://online.securityfocus.com/bid/3375 Network Associates PGP Keyserver 7.0 allows remote attackers to bypass authentication and access the administrative web interface via URLs that directly access cgi-bin instead of keyserver/cgi-bin for the programs (1) console, (2) cs, (3) multi_config and (4) directory. Analysis -------- Vendor Acknowledgement: unknown discloser-claimed ACKNOWLEDGEMENT: the PGP advisory is referenced by the discloser. While it does not provide quite enough details to be certain that it's addressing the same problem, and advisory has no date to "line up" with the Bugtraq post, the poster is credited at the end of the advisory. INFERRED ACTION: CAN-2001-1252 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Frech, Green NOOP(4) Wall, Foat, Cole, Cox ====================================================== Candidate: CAN-2001-1266 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1266 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: CONFIRM:http://dnhttpd.sourceforge.net/changelog.html Reference: MISC:http://archives.neohapsis.com/archives/apps/freshmeat/2001-07/0002.html Directory traversal vulnerability in Doug Neal's HTTPD Daemon (DNHTTPD) before 0.4.1 allows remote attackers to view arbitrary files via a .. (dot dot) attack using the dot hex code '%2E'. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: the change log for version 0.4.1 says: "Just a bug/security fix. I mistakenly put the bit that checked for '..' in the URL *before* the bit that translated hex codes in URLs to ASCII, so you could use %2E%2E in place of '..' and view any directory listing or file in the filesystem that the server has read access to." INFERRED ACTION: CAN-2001-1266 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2001-1276 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1276 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20010621 ispell update -- Immunix OS 6.2 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99317439131174&w=2 Reference: IMMUNIX:IMNX-2001-62-004-01 Reference: URL:http://download.immunix.org/ImmunixOS/6.2/updates/IMNX-2001-62-004-01 Reference: MANDRAKE:MDKSA-2001:058 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-058.php3 Reference: REDHAT:RHSA-2001:074 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-074.html ispell before 3.1.20 allows local users to overwrite files of other users via a symlink attack on a temporary file. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1276 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Cox, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1277 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1277 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20010611 man 1.5h10 + man 1.5i-4 exploits Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99227597227747&w=2 Reference: REDHAT:RHSA-2001:072 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-072.html Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=41805 makewhatis in the man package before 1.5i2 allows an attacker in group man to overwrite arbitrary files via a man page whose name contains shell metacharacters. Modifications: DESC say "in group man" Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1277 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Wall, Cole, Green MODIFY(1) Cox NOOP(1) Foat Voter Comments: Cox> "in group man" rather than "with man privileges" is more precise ====================================================== Candidate: CAN-2001-1295 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1295 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: CONFIRM:http://www.greenepa.net/~averett/cerberus-releasenotes.htm#ReleaseNotes Reference: MISC:http://www.securiteam.com/windowsntfocus/5SP0M0055W.html Reference: XF:cerberus-ftp-directory-traversal(7004) Reference: URL:http://www.iss.net/security_center/static/7004.php Directory traversal vulnerability in Cerberus FTP Server 1.5 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the CD command. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: the release notes for version 1.6 beta, dated August 29, 2001, say "Fixed a major security bug that allowed unrestricted access to the server machine by using periods in the change directory path." INFERRED ACTION: CAN-2001-1295 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Frech, Green NOOP(2) Foat, Cox ====================================================== Candidate: CAN-2001-1297 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1297 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20011002 results of semi-automatic source code audit Reference: URL:http://www.securityfocus.com/archive/1/218000 Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=58331 Reference: BID:3384 Reference: URL:http://www.securityfocus.com/bid/3384 Reference: XF:php-includedir-code-execution(7215) Reference: URL:http://www.iss.net/security_center/static/7215.php Actionpoll PHP script before 1.1.2 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: The change log for 1.1.2 says "Fixed Security Bug" and references BID:3384, i.e. this item. INFERRED ACTION: CAN-2001-1297 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Cole, Frech, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2001-1299 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1299 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20011002 results of semi-automatic source code audit Reference: URL:http://www.securityfocus.com/archive/1/218000 Reference: CERT-VN:VU#847803 Reference: URL:http://www.kb.cert.org/vuls/id/847803 Reference: CONFIRM:http://www.come.to/zorbat/ Reference: CONFIRM:http://www.kb.cert.org/vuls/id/JARL-53RJKV Reference: BID:3386 Reference: URL:http://www.securityfocus.com/bid/3386 Reference: XF:php-includedir-code-execution(7215) Reference: URL:http://www.iss.net/security_center/static/7215.php Zorbat Zorbstats PHP script before 0.9 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: On the vendor's home page, an announcement for Zorbstats 0.9, dated October 21, 2001, says "Security problem corrected." Normally this is insufficient to be certain that the vendor is acknowledging *this* problem, but the vendor is also said to have fixed the issue in a CERT vuilnerability note. INFERRED ACTION: CAN-2001-1299 ACCEPT (3 accept, 2 ack, 0 review) Current Votes: ACCEPT(3) Cole, Frech, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2001-1322 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1322 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: REDHAT:RHSA-2001:075 Reference: URL:http://www.redhat.com/support/errata/RHSA-2001-075.html Reference: DEBIAN:DSA-063 Reference: URL:http://www.debian.org/security/2001/dsa-063 Reference: ENGARDE:ESA-20010621-01 Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1469.html Reference: FREEBSD:FreeBSD-SA-01:47 Reference: URL:http://online.securityfocus.com/advisories/3446 Reference: SUSE:SuSE-SA:2001:022 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99384417013990&w=2 Reference: CONECTIVA:CLA-2001:404 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000404 Reference: MANDRAKE:MDKSA-2001:055 Reference: URL:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-055.php3 Reference: IMMUNIX:IMNX-2001-70-024-01 Reference: URL:http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-024-01 Reference: XF:xinetd-insecure-permissions(6657) Reference: URL:http://www.iss.net/security_center/static/6657.php Reference: BID:2826 Reference: URL:http://online.securityfocus.com/bid/2826 xinetd 2.1.8 and earlier runs with a default umask of 0, which could allow local users to read or modify files that are created by an application that runs under xinetd but does not set its own safe umask. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1322 ACCEPT (4 accept, 4 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Cox, Green NOOP(1) Foat ====================================================== Candidate: CAN-2001-1342 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1342 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20010412 Apache Win32 8192 chars string bug Reference: URL:http://online.securityfocus.com/archive/1/176144 Reference: BUGTRAQ:20010522 [Announce] Apache 1.3.20 Released Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99054258728748&w=2 Reference: CONFIRM:http://www.apacheweek.com/issues/01-05-25 Reference: CONFIRM:http://bugs.apache.org/index.cgi/full/7522 Reference: XF:apache-server-dos(6527) Reference: URL:http://www.iss.net/security_center/static/6527.php Reference: BID:2740 Reference: URL:http://online.securityfocus.com/bid/2740 Apache before 1.3.20 on Windows and OS/2 systems allows remote attackers to cause a denial of service (GPF) via an HTTP request for a URI that contains a large number of / (slash) or other characters, which causes certain functions to dereference a null pointer. Modifications: DESC Change DoS expansion Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2001-1342 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Foat, Cole, Green MODIFY(1) Cox Voter Comments: Cox> ADDREF http://www.apacheweek.com/issues/01-05-25 The DOS here isn't the crash, it's the fact that the crash causes a GPF fault message box that has to be cleared by the operator ====================================================== Candidate: CAN-2001-1345 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1345 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20010604 Fatal flaw in BestCrypt <= v0.7 (Linux) Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-06/0005.html Reference: CONFIRM:http://www.jetico.com/index.htm#/linux.htm Reference: XF:bestcrypt-bctool-gain-privileges(6648) Reference: URL:http://xforce.iss.net/static/6648.php Reference: BID:2820 Reference: URL:http://www.securityfocus.com/bid/2820 bctool in Jetico BestCrypt 0.7 and earlier trusts the user-supplied PATH to find and execute an fsck utility program, which allows local users to gain privileges by modifying the PATH to point to a Trojan horse program. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: The change log includes an entry for version 0.8-2, dated 04-June-2001, which states "root access bug fixed" and credits the person who reported the problem to Bugtraq. INFERRED ACTION: CAN-2001-1345 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(3) Wall, Foat, Cox ====================================================== Candidate: CAN-2002-0002 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0002 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020102 Category: SF Reference: MISC:http://marc.theaimsgroup.com/?l=stunnel-users&m=100869449828705&w=2 Reference: BUGTRAQ:20011227 Stunnel: Format String Bug in versions <3.22 Reference: URL:http://online.securityfocus.com/archive/1/247427 Reference: BUGTRAQ:20020102 Stunnel: Format String Bug update Reference: URL:http://online.securityfocus.com/archive/1/248149 Reference: CONFIRM:http://stunnel.mirt.net/news.html Reference: REDHAT:RHSA-2002:002 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-002.html Reference: MANDRAKE:MDKSA-2002:004 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-004.php3 Reference: XF:stunnel-client-format-string(7741) Reference: BID:3748 Reference: URL:http://online.securityfocus.com/bid/3748 Format string vulnerability in stunnel before 3.22 when used in client mode for (1) smtp, (2) pop, or (3) nntp allows remote malicious servers to execute arbitrary code. Modifications: ADDREF XF:stunnel-client-format-string(7741) ADDREF MANDRAKE:MDKSA-2002:004 ADDREF BID:3748 ADDREF BUGTRAQ:20011227 Stunnel: Format String Bug in versions <3.22 ADDREF BUGTRAQ:20020102 Stunnel: Format String Bug update Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0002 ACCEPT (5 accept, 2 ack, 0 review) Current Votes: ACCEPT(4) Wall, Baker, Cole, Green MODIFY(1) Frech NOOP(2) Foat, Christey Voter Comments: Frech> XF:stunnel-client-format-string(7741) Christey> Consider adding BID:3748 ====================================================== Candidate: CAN-2002-0003 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0003 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020102 Category: SF Reference: REDHAT:RHSA-2002:004 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-004.html Reference: MANDRAKE:MDKSA-2002:012 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php Reference: HP:HPSBTL0201-014 Reference: URL:http://online.securityfocus.com/advisories/3793 Reference: XF:linux-groff-preprocessor-bo(7881) Reference: BID:3869 Reference: URL:http://www.securityfocus.com/bid/3869 Buffer overflow in the preprocessor in groff 1.16 and earlier allows remote attackers to gain privileges via lpd in the LPRng printing system. Modifications: ADDREF MANDRAKE:MDKSA-2002:012 ADDREF XF:linux-groff-preprocessor-bo(7881) ADDREF BID:3869 ADDREF HP:HPSBTL0201-014 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0003 ACCEPT (5 accept, 2 ack, 0 review) Current Votes: ACCEPT(4) Wall, Baker, Cole, Green MODIFY(1) Frech NOOP(2) Foat, Christey Voter Comments: Christey> ADDREF MANDRAKE:MDKSA-2002:012 URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php Frech> XF:linux-groff-preprocessor-bo(7881) Christey> MANDRAKE:MDKSA-2002:012 http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-012.php3 Christey> Consider adding BID:3869 ====================================================== Candidate: CAN-2002-0004 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0004 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020102 Category: SF Reference: BUGTRAQ:20020117 '/usr/bin/at 31337 + vuln' problem + exploit Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101128661602088&w=2 Reference: DEBIAN:DSA-102 Reference: URL:http://www.debian.org/security/2002/dsa-102 Reference: SUSE:SuSE-SA:2002:003 Reference: URL:http://www.suse.de/de/support/security/2002_003_at_txt.txt Reference: MANDRAKE:MDKSA-2002:007 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101147632721031&w=2 Reference: REDHAT:RHSA-2002:015 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-015.html Reference: HP:HPSBTL0201-021 Reference: URL:http://online.securityfocus.com/advisories/3833 Reference: HP:HPSBTL0302-034 Reference: URL:http://online.securityfocus.com/advisories/3969 Reference: XF:linux-at-exetime-heap-corruption(7909) Reference: BID:3886 Reference: URL:http://www.securityfocus.com/bid/3886 Heap corruption vulnerability in the "at" program allows local users to execute arbitrary code via a malformed execution time, which causes at to free the same memory twice. Modifications: ADDREF XF:linux-at-exetime-heap-corruption(7909) ADDREF HP:HPSBTL0201-021 ADDREF HP:HPSBTL0302-034 ADDREF BID:3886 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0004 ACCEPT (5 accept, 4 ack, 0 review) Current Votes: ACCEPT(4) Wall, Baker, Cole, Green MODIFY(1) Frech NOOP(2) Foat, Christey Voter Comments: Frech> XF:linux-at-exetime-heap-corruption(7909) Christey> Consider adding BID:3886 ====================================================== Candidate: CAN-2002-0007 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0007 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020109 Category: SF Reference: BUGTRAQ:20020105 Security Advisory for Bugzilla v2.15 (cvs20020103) and older Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html Reference: CONFIRM:http://www.bugzilla.org/security2_14_1.html Reference: MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=54901 Reference: XF:bugzilla-ldap-auth-bypass(7812) CGI.pl in Bugzilla before 2.14.1, when using LDAP, allows remote attackers to obtain an anonymous bind to the LDAP server via a request that does not include a password, which causes a null password to be sent to the LDAP server. Modifications: ADDREF XF:bugzilla-ldap-auth-bypass(7812) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0007 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Green MODIFY(1) Frech NOOP(2) Wall, Foat Voter Comments: Frech> XF:bugzilla-ldap-auth-bypass(7812) ====================================================== Candidate: CAN-2002-0018 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0018 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020114 Category: SF Reference: MS:MS02-001 Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-001.asp Reference: BID:3997 Reference: URL:http://www.securityfocus.com/bid/3997 In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. Modifications: ADDREF BID:3997 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0018 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> Consider adding BID:3997 ====================================================== Candidate: CAN-2002-0020 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0020 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020114 Category: SF Reference: MS:MS02-004 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-004.asp Reference: BID:4061 Reference: URL:http://www.securityfocus.com/bid/4061 Reference: XF:ms-telnet-option-bo(8094) Reference: URL:http://www.iss.net/security_center/static/8094.php Buffer overflow in telnet server in Windows 2000 and Interix 2.2 allows remote attackers to execute arbitrary code via malformed protocol options. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0020 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green ====================================================== Candidate: CAN-2002-0021 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0021 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020114 Category: SF Reference: MS:MS02-002 Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-002.asp Reference: BID:4045 Reference: URL:http://www.securityfocus.com/bid/4045 Network Product Identification (PID) Checker in Microsoft Office v. X for Mac allows remote attackers to cause a denial of service (crash) via a malformed product announcement. Modifications: ADDREF BID:4045 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0021 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> Consider adding BID:4045 ====================================================== Candidate: CAN-2002-0022 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020114 Category: SF Reference: BUGTRAQ:20020213 dH & SECURITY.NNOV: buffer overflow in mshtml.dll Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101362984930597&w=2 Reference: BUGTRAQ:20020227 Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general) Reference: URL:http://online.securityfocus.com/archive/1/258614 Reference: MS:MS02-005 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp Reference: CERT:CA-2002-04 Reference: URL:http://www.cert.org/advisories/CA-2002-04.html Reference: XF:ie-html-directive-bo(8116) Reference: URL:http://www.iss.net/security_center/static/8116.php Reference: BID:4080 Reference: URL:http://www.securityfocus.com/bid/4080 Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated. Modifications: ADDREF BID:4080 ADDREF BUGTRAQ:20020227 Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0022 ACCEPT (5 accept, 2 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> Consider adding BID:4080 ====================================================== Candidate: CAN-2002-0023 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0023 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020114 Category: SF Reference: BUGTRAQ:20020101 IE GetObject() problems Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0000.html Reference: MS:MS02-005 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp Reference: BID:3767 Reference: URL:http://www.securityfocus.com/bid/3767 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0023 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green ====================================================== Candidate: CAN-2002-0025 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0025 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020114 Category: SF Reference: MS:MS02-005 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp Reference: BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically Reference: URL:http://online.securityfocus.com/archive/1/255767 Reference: BID:4085 Reference: URL:http://online.securityfocus.com/bid/4085 Internet Explorer 5.01, 5.5 and 6.0 does not properly handle the Content-Type HTML header field, which allows remote attackers to modify which application is used to process a document. Modifications: ADDREF BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically ADDREF BID:4085 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0025 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> BUGTRAQ:20020212 [ GFISEC04102001 ] Internet Explorer and Access allow macros to be executed automatically URL:http://online.securityfocus.com/archive/1/255767 BID:4085 URL:http://online.securityfocus.com/bid/4085 ====================================================== Candidate: CAN-2002-0026 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0026 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020114 Category: SF Reference: MS:MS02-005 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp Reference: BID:4082 Reference: URL:http://online.securityfocus.com/bid/4082 Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. Modifications: ADDREF BID:4082 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0026 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> Consider adding BID:4082 ====================================================== Candidate: CAN-2002-0027 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0027 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020114 Category: SF Reference: BUGTRAQ:20011219 Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug Reference: URL:http://www.securityfocus.com/archive/1/246522 Reference: MS:MS02-005 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-005.asp Reference: BID:3721 Reference: URL:http://www.securityfocus.com/bid/3721 Internet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0027 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green ====================================================== Candidate: CAN-2002-0028 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0028 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020116 Category: SF Reference: BUGTRAQ:20020106 ICQ remote buffer overflow vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101043894627851&w=2 Reference: VULN-DEV:20020107 ICQ remote buffer overflow vulnerability Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101043076806401&w=2 Reference: CERT:CA-2002-02 Reference: URL:http://www.cert.org/advisories/CA-2002-02.html Reference: CERT-VN:VU#570167 Reference: URL:http://www.kb.cert.org/vuls/id/570167 Reference: BID:3813 Reference: URL:http://www.securityfocus.com/bid/3813 Reference: XF:aim-game-overflow(7743) Buffer overflow in ICQ before 2001B Beta v5.18 Build #3659 allows remote attackers to execute arbitrary code via a Voice Video & Games request. Modifications: ADDREF XF:aim-game-overflow(7743) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0028 ACCEPT (5 accept, 2 ack, 0 review) Current Votes: ACCEPT(4) Wall, Baker, Cole, Green MODIFY(1) Frech NOOP(1) Foat Voter Comments: Frech> (Review whether issue is misassigned.) CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:aim-game-overflow(7743) ====================================================== Candidate: CAN-2002-0038 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0038 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020116 Category: SF Reference: SGI:20020102-01-I Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-01-I Reference: SGI:20020102-02-I Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-02-I Reference: SGI:20020102-03-P Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020102-03-P Reference: XF:irix-nsd-cache-dos(7907) Reference: BID:3882 Vulnerability in the cache-limiting function of the unified name service daemon (nsd) in IRIX 6.5.4 through 6.5.11 allows remote attackers to cause a denial of service by forcing the cache to fill the disk. Modifications: ADDREF XF:irix-nsd-cache-dos(7907) ADDREF BID:3882 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0038 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Green MODIFY(1) Frech NOOP(3) Wall, Foat, Christey Voter Comments: Frech> XF:irix-nsd-cache-dos(7907) Christey> Consider adding BID:3882 Christey> BID:3882 ====================================================== Candidate: CAN-2002-0040 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0040 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020116 Category: SF Reference: SGI:20020306-01-P Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20020306-01-P Reference: XF:irix-hostaliases-gain-privileges(8669) Reference: URL:http://www.iss.net/security_center/static/8669.php Reference: BID:4388 Reference: URL:http://www.securityfocus.com/bid/4388 Vulnerability in SGI IRIX 6.5.11 through 6.5.15f allows local users to cause privileged applications to dump core via the HOSTALIASES environment variable, which might allow the users to gain privileges. Modifications: ADDREF XF:irix-hostaliases-gain-privileges(8669) ADDREF BID:4388 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0040 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(4) Wall, Foat, Cox, Christey Voter Comments: Christey> Consider adding BID:4388 Christey> XF:irix-hostaliases-gain-privileges(8669) URL:http://www.iss.net/security_center/static/8669.php BID:4388 URL:http://www.securityfocus.com/bid/4388 ====================================================== Candidate: CAN-2002-0043 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0043 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020122 Category: SF Reference: BUGTRAQ:20020114 Sudo version 1.6.4 now available (fwd) Reference: URL:http://www.securityfocus.com/archive/1/250168 Reference: REDHAT:RHSA-2002:013 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-013.html Reference: REDHAT:RHSA-2002:011 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-011.html Reference: CONECTIVA:CLA-2002:451 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000451 Reference: ENGARDE:ESA-20020114-001 Reference: SUSE:SuSE-SA:2002:002 Reference: URL:http://www.suse.de/de/support/security/2002_002_sudo_txt.txt Reference: MANDRAKE:MDKSA-2002:003 Reference: DEBIAN:DSA-101 Reference: IMMUNIX:IMNX-2002-70-001-01 Reference: URL:http://www.securityfocus.com/advisories/3800 Reference: FREEBSD:FreeBSD-SA-02:06 Reference: BUGTRAQ:20020116 Sudo +Postfix Exploit Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101120193627756&w=2 Reference: MISC:http://www.sudo.ws/sudo/alerts/postfix.html Reference: XF:sudo-unclean-env-root(7891) Reference: URL:http://xforce.iss.net/static/7891.php Reference: BID:3871 Reference: URL:http://www.securityfocus.com/bid/3871 sudo 1.6.0 through 1.6.3p7 does not properly clear the environment before calling the mail program, which could allow local users to gain root privileges by modifying environment variables and changing how the mail program is invoked. Modifications: ADDREF MANDRAKE:MDKSA-2002:003 ADDREF DEBIAN:DSA-101 ADDREF IMMUNIX:IMNX-2002-70-001-01 ADDREF FREEBSD:FreeBSD-SA-02:06 CHANGEREF REDHAT [normalize] Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0043 ACCEPT (5 accept, 4 ack, 0 review) Current Votes: ACCEPT(5) Wall, Baker, Cole, Frech, Green NOOP(2) Foat, Christey Voter Comments: Christey> MANDRAKE:MDKSA-2002:003 DEBIAN:DSA-101 IMMUNIX:IMNX-2002-70-001-01 URL:http://www.securityfocus.com/advisories/3800 FREEBSD:FreeBSD-SA-02:06 Normalize refs: REDHAT:RHSA-2002-011, REDHAT:RHSA-2002-013 ====================================================== Candidate: CAN-2002-0044 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0044 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020122 Category: SF Reference: REDHAT:RHSA-2002-012 Reference: URL:https://www.redhat.com/support/errata/RHSA-2002-012.html Reference: HP:HPSBTL0201-019 Reference: URL:http://www.securityfocus.com/advisories/3818 Reference: MANDRAKE:MDKSA-2002:010 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-010.php3 Reference: DEBIAN:DSA-105 Reference: URL:http://www.debian.org/security/2002/dsa-105 Reference: XF:gnu-enscript-tmpfile-symlink(7932) Reference: URL:http://xforce.iss.net/static/7932.php Reference: BID:3920 Reference: URL:http://www.securityfocus.com/bid/3920 GNU Enscript 1.6.1 and earlier allows local users to overwrite arbitrary files of the Enscript user via a symlink attack on temporary files. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0044 ACCEPT (5 accept, 3 ack, 0 review) Current Votes: ACCEPT(5) Wall, Baker, Cole, Frech, Green NOOP(1) Foat ====================================================== Candidate: CAN-2002-0045 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0045 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020122 Category: SF Reference: CONFIRM:http://www.openldap.org/lists/openldap-announce/200201/msg00002.html Reference: CALDERA:CSSA-2002-001.0 Reference: MANDRAKE:MDKSA-2002:013 Reference: REDHAT:RHSA-2002:014 Reference: XF:openldap-slapd-delete-attributes(7978) slapd in OpenLDAP 2.0 through 2.0.19 allows local users, and anonymous users before 2.0.8, to conduct a "replace" action on access controls without any values, which causes OpenLDAP to delete non-mandatory attributes which would otherwise be protected by ACLs. Modifications: ADDREF XF:openldap-slapd-delete-attributes(7978) ADDREF CALDERA:CSSA-2002-001.0 ADDREF MANDRAKE:MDKSA-2002:013 ADDREF REDHAT:RHSA-2002:014 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0045 ACCEPT (4 accept, 3 ack, 0 review) Current Votes: ACCEPT(3) Baker, Cole, Green MODIFY(1) Frech NOOP(3) Wall, Foat, Christey Voter Comments: Frech> XF:openldap-slapd-delete-attributes(7978) Christey> CALDERA:CSSA-2002-001.0 MANDRAKE:MDKSA-2002:013 ====================================================== Candidate: CAN-2002-0046 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0046 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020131 Assigned: 20020122 Category: SF Reference: BUGTRAQ:20020120 remote memory reading through tcp/icmp Reference: URL:http://www.securityfocus.com/archive/1/251418 Reference: REDHAT:RHSA-2002-007 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-007.html Reference: XF:icmp-read-memory(7998) Linux kernel, and possibly other operating systems, allows remote attackers to read portions of memory via a series of fragmented ICMP packets that generate an ICMP TTL Exceeded response, which includes portions of the memory in the response packet. Modifications: ADDREF XF:icmp-read-memory(7998) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0046 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Baker, Foat, Cole, Green MODIFY(1) Frech Voter Comments: Frech> XF:icmp-read-memory(7998) ====================================================== Candidate: CAN-2002-0047 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0047 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020131 Assigned: 20020122 Category: SF Reference: DEBIAN:DSA-104 Reference: URL:http://www.debian.org/security/2002/dsa-104 Reference: REDHAT:RHSA-2002:007 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-007.html Reference: XF:cipe-packet-handling-dos(7883) Reference: URL:http://xforce.iss.net/static/7883.php CIPE VPN package before 1.3.0-3 allows remote attackers to cause a denial of service (crash) via a short malformed packet. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0047 ACCEPT (5 accept, 2 ack, 0 review) Current Votes: ACCEPT(5) Wall, Baker, Cole, Frech, Green NOOP(1) Foat ====================================================== Candidate: CAN-2002-0049 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0049 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020202 Category: CF Reference: MS:MS02-003 Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-003.asp Reference: BID:4053 Reference: URL:http://www.securityfocus.com/bid/4053 Microsoft Exchange Server 2000 System Attendant gives "Everyone" group privileges to the WinReg key, which could allow remote attackers to read or modify registry keys. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0049 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green ====================================================== Candidate: CAN-2002-0050 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0050 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020202 Category: SF Reference: MS:MS02-010 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-010.asp Reference: BID:4157 Reference: URL:http://online.securityfocus.com/bid/4157 Buffer overflow in AuthFilter ISAPI filter on Microsoft Commerce Server 2000 allows remote attackers to execute arbitrary code via long authentication data. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0050 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green ====================================================== Candidate: CAN-2002-0051 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0051 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020202 Category: SF Reference: BUGTRAQ:20011205 SECURITY.NNOV: file locking and security (group policy DoS on Windows 2000 domain) Reference: URL:http://online.securityfocus.com/archive/1/244329 Reference: MS:MS02-016 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-016.asp Reference: BID:4438 Reference: URL:http://online.securityfocus.com/bid/4438 Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access. Modifications: ADDREF BID:4438 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0051 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Foat, Cole, Green NOOP(2) Cox, Christey Voter Comments: Christey> Consider adding BID:4438 Christey> XF:win2k-group-policy-block(8759) URL:http://www.iss.net/security_center/static/8759.php ====================================================== Candidate: CAN-2002-0052 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0052 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020202 Category: SF Reference: MS:MS02-009 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-009.asp Reference: BID:4158 Reference: URL:http://online.securityfocus.com/bid/4158 Internet Explorer 6.0 and earlier does not properly handle VBScript in certain domain security checks, which allows remote attackers to read arbitrary files. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0052 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green ====================================================== Candidate: CAN-2002-0055 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0055 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020202 Category: SF Reference: BUGTRAQ:20020306 Vulnerability Details for MS02-012 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101558498401274&w=2 Reference: MS:MS02-012 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-012.asp Reference: XF:ms-smtp-data-transfer-dos(8307) Reference: URL:http://www.iss.net/security_center/static/8307.php Reference: BID:4204 Reference: URL:http://www.securityfocus.com/bid/4204 SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 to cause a denial of service via a command with a malformed data transfer (BDAT) request. Modifications: ADDREF XF:ms-smtp-data-transfer-dos(8307) ADDREF BID:4204 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0055 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> Consider adding BID:4204 Christey> XF:ms-smtp-data-transfer-dos(8307) URL:http://www.iss.net/security_center/static/8307.php BID:4204 URL:http://www.securityfocus.com/bid/4204 ====================================================== Candidate: CAN-2002-0057 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0057 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020202 Category: SF Reference: BUGTRAQ:20011214 MSIE6 can read local files Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-12/0152.html Reference: BUGTRAQ:20020212 Update on the MS02-005 patch, holes still remain Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101366383408821&w=2 Reference: MS:MS02-008 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-008.asp Reference: BID:3699 Reference: URL:http://online.securityfocus.com/bid/3699 Reference: XF:ie-xmlhttp-redirect(7712) XMLHTTP control in Microsoft XML Core Services 2.6 and later does not properly handle IE Security Zone settings, which allows remote attackers to read arbitrary files by specifying a local file as an XML Data Source. Modifications: ADDREF XF:ie-xmlhttp-redirect(7712) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0057 ACCEPT (6 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green MODIFY(1) Frech Voter Comments: Frech> XF:ie-xmlhttp-redirect(7712) ====================================================== Candidate: CAN-2002-0059 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020207 Category: SF Reference: BUGTRAQ:20020311 security problem fixed in zlib 1.1.4 Reference: BUGTRAQ:20020312 exploiting the zlib bug in openssh Reference: VULNWATCH:20020312 exploiting the zlib bug in openssh Reference: VULNWATCH:20020311 [VulnWatch] zlibscan : script to find suid binaries possibly affected by zlib vulnerability Reference: BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib) Reference: BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh Reference: BUGTRAQ:20020312 zlib & java Reference: BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability Reference: BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris Reference: BUGTRAQ:20020314 about zlib vulnerability Reference: BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected Reference: BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products Reference: BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability Reference: CERT:CA-2002-07 Reference: CERT-VN:VU#368819 Reference: URL:http://www.kb.cert.org/vuls/id/368819 Reference: DEBIAN:DSA-122 Reference: REDHAT:RHSA-2002:026 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html Reference: REDHAT:RHSA-2002:027 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-027.html Reference: SUSE:SuSE-SA:2002:010 Reference: SUSE:SuSE-SA:2002:011 Reference: ENGARDE:ESA-20020311-008 Reference: MANDRAKE:MDKSA-2002:022 Reference: MANDRAKE:MDKSA-2002:023 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php Reference: CALDERA:CSSA-2002-014.1 Reference: CALDERA:CSSA-2002-015.1 Reference: CONECTIVA:CLA-2002:469 Reference: HP:HPSBTL0204-030 Reference: HP:HPSBTL0204-036 Reference: HP:HPSBTL0204-037 Reference: MANDRAKE:MDKSA-2002:024 Reference: CISCO:20020403 Vulnerability in the zlib Compression Library Reference: OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002 Reference: FREEBSD:FreeBSD-SA-02:18 Reference: BUGTRAQ:20020318 TSLSA-2002-0040 - zlib Reference: BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions) Reference: BID:4267 Reference: URL:http://online.securityfocus.com/bid/4267 Reference: XF:zlib-doublefree-memory-corruption(8427) The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data. Modifications: CHANGEREF BUGTRAQ change some dates from 20020212 to 20020312 ADDREF BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib) ADDREF BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh ADDREF BUGTRAQ:20020312 zlib & java ADDREF BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability ADDREF BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris ADDREF BUGTRAQ:20020314 about zlib vulnerability ADDREF BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability ADDREF BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products ADDREF FREEBSD:FreeBSD-SA-02:18 ADDREF BUGTRAQ:20020318 TSLSA-2002-0040 - zlib ADDREF BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions) ADDREF CALDERA:CSSA-2002-014.1 ADDREF CALDERA:CSSA-2002-015.1 ADDREF CONECTIVA:CLA-2002:469 ADDREF HP:HPSBTL0204-030 ADDREF HP:HPSBTL0204-036 ADDREF HP:HPSBTL0204-037 ADDREF MANDRAKE:MDKSA-2002:024 ADDREF CISCO:20020403 Vulnerability in the zlib Compression Library ADDREF OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002 ADDREF XF:zlib-doublefree-memory-corruption(8427) ADDREF BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0059 ACCEPT (5 accept, 10 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> Need to change dates of Bugtraq and Vulnwatch posts from 20020212 to 20020312 for "exploiting the zlib bug in openssh" BUGTRAQ:20020312 [OpenPKG-SA-2002.003] OpenPKG Security Advisory (zlib) BUGTRAQ:20020312 Re: [VulnWatch] exploiting the zlib bug in openssh BUGTRAQ:20020312 zlib & java BUGTRAQ:20020312 zlibscan : script to find suid binaries possibly affected by zlib vulnerability BUGTRAQ:20020313 OpenSSH rebuild warning: problems avoiding zlib problems in Solaris BUGTRAQ:20020314 about zlib vulnerability BUGTRAQ:20020315 RE: [Whitehat] about zlib vulnerability BUGTRAQ:20020314 Re: about zlib vulnerability - Microsoft products FREEBSD:FreeBSD-SA-02:18 BUGTRAQ:20020318 TSLSA-2002-0040 - zlib BUGTRAQ:20020402 VNC Security Bulletin - zlib double free issue (multiple vendors and versions) CALDERA:CSSA-2002-014.1 CALDERA:CSSA-2002-015.1 CONECTIVA:CLA-2002:469 HP:HPSBTL0204-030 HP:HPSBTL0204-036 HP:HPSBTL0204-037 MANDRAKE:MDKSA-2002:024 CISCO:20020403 Vulnerability in the zlib Compression Library OPENBSD:20020313 015: RELIABILITY FIX: March 13, 2002 XF:zlib-doublefree-memory-corruption(8427) BUGTRAQ:20020314 ZLib double free bug: Windows NT potentially unaffected ====================================================== Candidate: CAN-2002-0060 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0060 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020213 Category: SF Reference: BUGTRAQ:20020227 security advisory linux 2.4.x ip_conntrack_irc Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101483396412051&w=2 Reference: VULN-DEV:20020227 Fwd: [ANNOUNCE] Security Advisory about IRC DCC connection tracking Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101486352429653&w=2 Reference: CONFIRM:http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html Reference: REDHAT:RHSA-2002:028 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-028.html IRC connection tracking helper module in the netfilter subsystem for Linux 2.4.18-pre9 and earlier does not properly set the mask for conntrack expectations for incoming DCC connections, which could allow remote attackers to bypass intended firewall restrictions. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0060 ACCEPT (4 accept, 2 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Ziese, Green NOOP(1) Foat ====================================================== Candidate: CAN-2002-0063 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0063 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020217 Category: SF Reference: CONFIRM:http://www.cups.org/relnotes.html Reference: DEBIAN:DSA-110 Reference: URL:http://www.debian.org/security/2002/dsa-110 Reference: MANDRAKE:MDKSA-2002:015 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-015.php Reference: REDHAT:RHSA-2002:032 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-032.html Reference: SUSE:SuSE-SA:2002:005 Reference: SUSE:SuSE-SA:2002:006 Reference: CALDERA:CSSA-2002-008.0 Reference: CONECTIVA:CLA-2002:471 Reference: XF:cups-ippread-bo(8192) Reference: BID:4100 Buffer overflow in ippRead function of CUPS before 1.1.14 may allow attackers to execute arbitrary code via long attribute names or language values. Modifications: ADDREF REDHAT:RHSA-2002:032 ADDREF SUSE:SuSE-SA:2002:005 ADDREF SUSE:SuSE-SA:2002:006 ADDREF CALDERA:CSSA-2002-008.0 ADDREF XF:cups-ippread-bo(8192) ADDREF BID:4100 ADDREF CONECTIVA:CLA-2002:471 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0063 ACCEPT (4 accept, 5 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Ziese, Green NOOP(2) Foat, Christey Voter Comments: Christey> REDHAT:RHSA-2002:032 URL:http://www.redhat.com/support/errata/RHSA-2002-032.html SUSE:SuSE-SA:2002:005 SUSE:SuSE-SA:2002:006 Christey> SUSE:SuSE-SA:2002:005 Christey> REDHAT:RHSA-2002:032 CALDERA:CSSA-2002-008.0 XF:cups-ippread-bo(8192) BID:4100 SUSE:SuSE-SA:2002:006 SUSE:SuSE-SA:2002:005 CONECTIVA:CLA-2002:471 ====================================================== Candidate: CAN-2002-0064 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0064 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020219 Category: CF Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html Reference: XF:funk-proxy-insecure-permissions(8791) Reference: URL:http://www.iss.net/security_center/static/8791.php Reference: BID:4458 Reference: URL:http://www.securityfocus.com/bid/4458 Funk Software Proxy Host 3.x is installed with insecure permissions for the registry and the file system. Modifications: ADDREF XF:funk-proxy-insecure-permissions(8791) ADDREF BID:4458 Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-2002-0064 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(4) Wall, Foat, Cox, Christey Voter Comments: Christey> XF:funk-proxy-insecure-permissions(8791) URL:http://www.iss.net/security_center/static/8791.php BID:4458 URL:http://www.securityfocus.com/bid/4458 ====================================================== Candidate: CAN-2002-0065 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0065 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020219 Category: SF Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html Reference: XF:funk-proxy-weak-password(8792) Reference: URL:http://www.iss.net/security_center/static/8792.php Reference: BID:4459 Reference: URL:http://www.securityfocus.com/bid/4459 Funk Software Proxy Host 3.x uses weak encryption for the Proxy Host password, which allows local users to gain privileges by recovering the passwords from the PHOST.INI file or the Windows registry. Modifications: ADDREF XF:funk-proxy-weak-password(8792) ADDREF BID:4459 Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-2002-0065 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(4) Wall, Foat, Cox, Christey Voter Comments: Christey> XF:funk-proxy-weak-password(8792) URL:http://www.iss.net/security_center/static/8792.php BID:4459 URL:http://www.securityfocus.com/bid/4459 ====================================================== Candidate: CAN-2002-0066 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0066 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020219 Category: SF Reference: BINDVIEW:20020408 Unauthorized remote control access to systems running Funk Software's Proxy v3.x Reference: URL:http://razor.bindview.com/publish/advisories/adv_FunkProxy.html Reference: XF:funk-proxy-named-pipe(8793) Reference: URL:http://www.iss.net/security_center/static/8793.php Reference: BID:4460 Reference: URL:http://www.securityfocus.com/bid/4460 Funk Software Proxy Host 3.x before 3.09A creates a Named Pipe that does not require authentication and is installed with insecure access control, which allows local and possibly remote users to use the Proxy Host's configuration utilities and gain privileges. Modifications: ADDREF XF:funk-proxy-named-pipe(8793) ADDREF BID:4460 Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-2002-0066 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(4) Wall, Foat, Cox, Christey Voter Comments: Christey> XF:funk-proxy-named-pipe(8793) URL:http://www.iss.net/security_center/static/8793.php BID:4460 URL:http://www.securityfocus.com/bid/4460 ====================================================== Candidate: CAN-2002-0070 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0070 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020221 Category: SF Reference: BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101594127017290&w=2 Reference: VULNWATCH:20020311 [VulnWatch] ADVISORY: Windows Shell Overflow Reference: NTBUGTRAQ:20020311 ADVISORY: Windows Shell Overflow Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0203&L=ntbugtraq&F=P&S=&P=2404 Reference: MS:MS02-014 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-014.asp Reference: XF:win-shell-bo(8384) Reference: URL:http://www.iss.net/security_center/static/8384.php Reference: BID:4248 Reference: URL:http://www.securityfocus.com/bid/4248 Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled. Modifications: ADDREF XF:win-shell-bo(8384) ADDREF BID:4248 ADDREF BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0070 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> XF:win-shell-bo(8384) URL:http://www.iss.net/security_center/static/8384.php BID:4248 URL:http://www.securityfocus.com/bid/4248 BUGTRAQ:20020312 ADVISORY: Windows Shell Overflow URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101594127017290&w=2 ====================================================== Candidate: CAN-2002-0078 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0078 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020221 Category: SF Reference: BUGTRAQ:20020330 IE: Remote webpage can script in local zone Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101781180528301&w=2 Reference: MS:MS02-015 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-015.asp Reference: BID:4392 Reference: URL:http://www.securityfocus.com/bid/4392 Reference: XF:ie-cookie-local-zone(8701) Reference: URL:http://www.iss.net/security_center/static/8701.php The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability. Modifications: ADDREF BID:4392 ADDREF XF:ie-cookie-local-zone(8701) ADDREF BUGTRAQ:20020330 IE: Remote webpage can script in local zone Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0078 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Foat, Cole, Green NOOP(2) Cox, Christey Voter Comments: Christey> Consider adding BID:4392 Christey> BUGTRAQ:20020330 IE: Remote webpage can script in local zone URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101781180528301&w=2 XF:ie-cookie-local-zone(8701) URL:http://www.iss.net/security_center/static/8701.php BID:4392 URL:http://www.securityfocus.com/bid/4392 ====================================================== Candidate: CAN-2002-0080 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0080 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020221 Category: SF Reference: REDHAT:RHSA-2002:026 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html Reference: MANDRAKE:MDKSA-2002:024 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3 Reference: CALDERA:CSSA-2002-014.1 Reference: URL:http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt Reference: XF:linux-rsync-inherit-privileges(8463) Reference: URL:http://www.iss.net/security_center/static/8463.php Reference: BID:4285 Reference: URL:http://www.securityfocus.com/bid/4285 rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed. Modifications: DESC Add "when running in daemon mode" ADDREF CALDERA:CSSA-2002-014.1 ADDREF XF:linux-rsync-inherit-privileges(8463) ADDREF BID:4285 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0080 ACCEPT (4 accept, 2 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Ziese, Green NOOP(2) Foat, Christey Voter Comments: Christey> CALDERA:CSSA-2002-014.1 URL:http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt XF:linux-rsync-inherit-privileges(8463) URL:http://www.iss.net/security_center/static/8463.php BID:4285 URL:http://www.securityfocus.com/bid/4285 Add "when running in daemon mode" to description. ====================================================== Candidate: CAN-2002-0081 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0081 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020227 Category: SF Reference: VULN-DEV:20020225 Re: Rumours about Apache 1.3.22 exploits Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101468694824998&w=2 Reference: BUGTRAQ:20020227 Advisory 012002: PHP remote vulnerabilities Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101484705523351&w=2 Reference: NTBUGTRAQ:20020227 PHP remote vulnerabilities Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101484975231922&w=2 Reference: CONFIRM:http://www.php.net/downloads.php Reference: MISC:http://security.e-matters.de/advisories/012002.html Reference: REDHAT:RHSA-2002:035 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-035.html Reference: DEBIAN:DSA-115 Reference: URL:http://www.debian.org/security/2002/dsa-115 Reference: CERT:CA-2002-05 Reference: URL:http://www.cert.org/advisories/CA-2002-05.html Reference: CERT-VN:VU#297363 Reference: URL:http://www.kb.cert.org/vuls/id/297363 Reference: ENGARDE:ESA-20020301-006 Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1924.html Reference: HP:HPSBTL0203-028 Reference: URL:http://online.securityfocus.com/advisories/3911 Reference: CONECTIVA:CLA-2002:468 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000468 Reference: XF:php-file-upload-overflow(8281) Reference: URL:http://www.iss.net/security_center/static/8281.php Reference: BID:4183 Reference: URL:http://www.securityfocus.com/bid/4183 Reference: BUGTRAQ:20020304 Apache+php Proof of Concept Exploit Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101537076619812&w=2 Reference: BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101497256024338&w=2 Reference: SUSE:SuSE-SA:2002:007 Reference: URL:http://www.suse.com/de/support/security/2002_007_mod_php4_txt.html Reference: MANDRAKE:MDKSA-2002:017 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-017.php Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 and earlier, and (2) php3_mime_split in PHP 3.0.x allows remote attackers to execute arbitrary code via a multipart/form-data HTTP POST request when file_uploads is enabled. Modifications: ADDREF BUGTRAQ:20020304 Apache+php Proof of Concept Exploit ADDREF BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php ADDREF SUSE:SuSE-SA:2002:007 ADDREF MANDRAKE:MDKSA-2002:017 Analysis -------- Vendor Acknowledgement: yes advisory ABSTRACTION: there is mixed overlap between these different versions, in terms of the fixes provided. One could argue that these are different bugs in different versions, thus CD:SF-LOC would state that these should be separated. However, these clearly stem from the same codebase. INFERRED ACTION: CAN-2002-0081 ACCEPT (4 accept, 7 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Ziese, Green NOOP(2) Foat, Christey Voter Comments: Christey> BUGTRAQ:20020304 Apache+php Proof of Concept Exploit URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101537076619812&w=2 Christey> ADDREF BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101497256024338&w=2 SUSE:SuSE-SA:2002:007 MANDRAKE:MDKSA-2002:017 Christey> SUSE:SuSE-SA:2002:007 URL:http://www.suse.com/de/support/security/2002_007_mod_php4_txt.html MANDRAKE:MDKSA-2002:017 URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-017.php BUGTRAQ:20020228 TSLSA-2002-0033 - mod_php URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0362.html BUGTRAQ:20020304 Apache+php Proof of Concept Exploit URL:http://online.securityfocus.com/archive/1/259821 ====================================================== Candidate: CAN-2002-0082 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0082 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020301 Category: SF Reference: BUGTRAQ:20020227 mod_ssl Buffer Overflow Condition (Update Available) Reference: URL:http://online.securityfocus.com/archive/1/258646 Reference: BUGTRAQ:20020301 Apache-SSL buffer overflow (fix available) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101518491916936&w=2 Reference: BUGTRAQ:20020304 Apache-SSL 1.3.22+1.47 - update to security fix Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101528358424306&w=2 Reference: CONFIRM:http://www.apacheweek.com/issues/02-03-01#security Reference: BUGTRAQ:20020228 TSLSA-2002-0034 - apache Reference: ENGARDE:ESA-20020301-005 Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1923.html Reference: CONECTIVA:CLA-2002:465 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000465 Reference: REDHAT:RHSA-2002:041 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-041.html Reference: MANDRAKE:MDKSA-2002:020 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-020.php Reference: REDHAT:RHSA-2002:042 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-042.html Reference: DEBIAN:DSA-120 Reference: URL:http://www.debian.org/security/2002/dsa-120 Reference: HP:HPSBTL0203-031 Reference: URL:http://www.securityfocus.com/advisories/3965 Reference: HP:HPSBUX0204-190 Reference: URL:http://www.securityfocus.com/advisories/4008 Reference: CALDERA:CSSA-2002-011.0 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-011.0.txt Reference: COMPAQ:SSRT0817 Reference: URL:http://ftp.support.compaq.com/patches/.new/html/SSRT0817.shtml Reference: BID:4189 Reference: URL:http://online.securityfocus.com/bid/4189 Reference: XF:apache-modssl-bo(8308) Reference: URL:http://www.iss.net/security_center/static/8308.php The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session. Modifications: ADDREF DEBIAN:DSA-120 ADDREF HP:HPSBTL0203-031 ADDREF HP:HPSBUX0204-190 ADDREF CALDERA:CSSA-2002-011.0 ADDREF COMPAQ:SSRT0817 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0082 ACCEPT (5 accept, 6 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> DEBIAN:DSA-120 URL:http://www.debian.org/security/2002/dsa-120 HP:HPSBTL0203-031 URL:http://www.securityfocus.com/advisories/3965 HP:HPSBUX0204-190 URL:http://www.securityfocus.com/advisories/4008 CALDERA:CSSA-2002-011.0 URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-011.0.txt COMPAQ:SSRT0817 http://ftp.support.compaq.com/patches/.new/html/SSRT0817.shtml ====================================================== Candidate: CAN-2002-0083 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0083 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020306 Category: SF Reference: VULNWATCH:20020307 [VulnWatch] [PINE-CERT-20020301] OpenSSH off-by-one Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0060.html Reference: BUGTRAQ:20020307 OpenSSH Security Advisory (adv.channelalloc) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101553908201861&w=2 Reference: BUGTRAQ:20020307 [PINE-CERT-20020301] OpenSSH off-by-one Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101552065005254&w=2 Reference: BUGTRAQ:20020308 [OpenPKG-SA-2002.002] OpenPKG Security Advisory (openssh) Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101561384821761&w=2 Reference: BUGTRAQ:20020311 TSLSA-2002-0039 - openssh Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html Reference: BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101586991827622&w=2 Reference: BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit Reference: URL:http://online.securityfocus.com/archive/1/264657 Reference: CONFIRM:http://www.openbsd.org/advisories/ssh_channelalloc.txt Reference: ENGARDE:ESA-20020307-007 Reference: URL:http://www.linuxsecurity.com/advisories/other_advisory-1937.html Reference: SUSE:SuSE-SA:2002:009 Reference: URL:http://www.suse.de/de/support/security/2002_009_openssh_txt.html Reference: CONECTIVA:CLA-2002:467 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000467 Reference: DEBIAN:DSA-119 Reference: URL:http://www.debian.org/security/2002/dsa-119 Reference: REDHAT:RHSA-2002:043 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-043.html Reference: MANDRAKE:MDKSA-2002:019 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-019.php Reference: NETBSD:NetBSD-SA2002-004 Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc Reference: CALDERA:CSSA-2002-SCO.10 Reference: URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt Reference: CALDERA:CSSA-2002-SCO.11 Reference: URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt Reference: CALDERA:CSSA-2002-012.0 Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-012.0.txt Reference: FREEBSD:FreeBSD-SA-02:13 Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc Reference: HP:HPSBTL0203-029 Reference: URL:http://online.securityfocus.com/advisories/3960 Reference: XF:openssh-channel-error(8383) Reference: URL:http://www.iss.net/security_center/static/8383.php Reference: BID:4241 Reference: URL:http://www.securityfocus.com/bid/4241 Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. Modifications: ADDREF BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix ADDREF BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit ADDREF BID:4241 ADDREF MANDRAKE:MDKSA-2002:019 ADDREF BUGTRAQ:20020311 TSLSA-2002-0039 - openssh ADDREF NETBSD:NetBSD-SA2002-004 ADDREF CALDERA:CSSA-2002-SCO.10 ADDREF CALDERA:CSSA-2002-SCO.11 ADDREF CALDERA:CSSA-2002-012.0 ADDREF FREEBSD:FreeBSD-SA-02:13 ADDREF XF:openssh-channel-error(8383) ADDREF HP:HPSBTL0203-029 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0083 ACCEPT (5 accept, 8 ack, 0 review) Current Votes: ACCEPT(5) Wall, Foat, Cole, Ziese, Green NOOP(1) Christey Voter Comments: Christey> Consider adding BID:4241 Christey> BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101586991827622&w=2 Christey> BUGTRAQ:20020328 OpenSSH channel_lookup() off by one exploit URL:http://online.securityfocus.com/archive/1/264657 BID:4241 URL:http://www.securityfocus.com/bid/4241 MANDRAKE:MDKSA-2002:019 URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-019.php BUGTRAQ:20020311 TSLSA-2002-0039 - openssh URL:http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html BUGTRAQ:20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix URL:http://online.securityfocus.com/archive/1/260958 NETBSD:NetBSD-SA2002-004 URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc CALDERA:CSSA-2002-SCO.10 URL:ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt CALDERA:CSSA-2002-SCO.11 URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt CALDERA:CSSA-2002-012.0 URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-012.0.txt FREEBSD:FreeBSD-SA-02:13 URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc XF:openssh-channel-error(8383) URL:http://www.iss.net/security_center/static/8383.php HP:HPSBTL0203-029 URL:http://online.securityfocus.com/advisories/3960 ====================================================== Candidate: CAN-2002-0092 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0092 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020308 Category: SF Reference: VULN-DEV:20020220 Help needed with bufferoverflow in cvs Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101422243817321&w=2 Reference: VULN-DEV:20020220 Re: [Fwd: Help needed with bufferoverflow in cvs] Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=101433077724524&w=2 Reference: DEBIAN:DSA-117 Reference: URL:http://www.debian.org/security/2002/dsa-117 Reference: REDHAT:RHSA-2002-026 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-026.html Reference: BID:4234 Reference: URL:http://www.securityfocus.com/bid/4234 Reference: XF:cvs-global-var-dos(8366) Reference: URL:http://www.iss.net/security_center/static/8366.php CVS before 1.10.8 does not properly initialize a global variable, which allows remote attackers to cause a denial of service (server crash) via the diff capability. Modifications: ADDREF BID:4234 ADDREF XF:cvs-global-var-dos(8366) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0092 ACCEPT (4 accept, 2 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Ziese, Green NOOP(2) Foat, Christey Voter Comments: Christey> Consider adding BID:4234 Christey> BID:4234 URL:http://www.securityfocus.com/bid/4234 XF:cvs-global-var-dos(8366) URL:http://www.iss.net/security_center/static/8366.php ====================================================== Candidate: CAN-2002-0096 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0096 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020103 Vulnerability in new user creation in Geeklog 1.3 Reference: URL:http://www.securityfocus.com/archive/1/248367 Reference: CONFIRM:http://geeklog.sourceforge.net/index.php?topic=Security Reference: BID:3783 Reference: URL:http://www.securityfocus.com/bid/3783 Reference: XF:geeklog-default-admin-privileges(7780) Reference: URL:http://www.iss.net/security_center/static/7780.php The installation of Geeklog 1.3 creates an extra group_assignments record which is not properly deleted, which causes the first newly created user to be added to the GroupAdmin and UserAdmin groups, which could provide that user with administrative privileges that were not intended. Analysis -------- Vendor Acknowledgement: yes advisory ACKNOWLEDGEMENT: The "Security" page for the geeklog project site includes an entry dated January 3, 2002, which states "Security Fix! ... the first user that creates an account has access to the GroupAdmin Group and, subsequently, the UserAdmin Group." INFERRED ACTION: CAN-2002-0096 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0097 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0097 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020110 Cookie modification allows unauthenticated user login in Geeklog 1.3 Reference: URL:http://online.securityfocus.com/archive/1/249443 Reference: CONFIRM:http://geeklog.sourceforge.net/index.php?topic=Security Reference: BID:3844 Reference: URL:http://online.securityfocus.com/bid/3844 Reference: XF:geeklog-modify-auth-cookie(7869) Reference: URL:http://www.iss.net/security_center/static/7869.php Geeklog 1.3 allows remote attackers to hijack user accounts, including the administrator account, by modifying the UID of a user's permanent cookie to the target account. Analysis -------- Vendor Acknowledgement: unknown ACKNOWLEDGEMENT: In an item dated January 9, 2002, the geeklog vendor states: "Major Security Hole Fixed! ... it is possible to have your Geeklog 1.3 system compromised by simply editing the cookie and changing the user ID to that of a Geeklog admin." INFERRED ACTION: CAN-2002-0097 ACCEPT (5 accept, 1 ack, 0 review) Current Votes: ACCEPT(5) Foat, Cole, Frech, Ziese, Green NOOP(1) Wall Voter Comments: CHANGE> [Green changed vote from REVIEWING to ACCEPT] Green> The security page at geeklog.sourceforge.net indicates acknowledgement of the vulnerability and it's resolution ====================================================== Candidate: CAN-2002-0098 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0098 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020105 BOOZT! Standard 's administration cgi vulnerable to buffer overflow Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101027773404836&w=2 Reference: BUGTRAQ:20020109 BOOZT! Standard CGI Vulnerability : Exploit Released Reference: URL:http://online.securityfocus.com/archive/1/249219 Reference: CONFIRM:http://www.boozt.com/news_detail.php?id=3 Reference: BID:3787 Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3787 Reference: XF:boozt-long-name-bo(7790) Reference: URL:http://www.iss.net/security_center/static/7790.php Buffer overflow in index.cgi administration interface for Boozt! Standard 0.9.8 allows local users to execute arbitrary code via a long name field when creating a new banner. Analysis -------- Vendor Acknowledgement: yes INFERRED ACTION: CAN-2002-0098 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0107 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0107 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020108 svindel.net security advisory - web admin vulnerability in CacheOS Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101052887431488&w=2 Reference: BID:3841 Reference: URL:http://www.securityfocus.com/bid/3841 Reference: BUGTRAQ:20020205 RE: svindel.net security advisory - web admin vulnerability in Ca cheOS Reference: URL:http://online.securityfocus.com/archive/1/254167 Reference: XF:cachos-insecure-web-interface(7835) Reference: URL:http://www.iss.net/security_center/static/7835.php Web administration interface in CacheFlow CacheOS 4.0.13 and earlier allows remote attackers to obtain sensitive information via a series of GET requests that do not end in with HTTP/1.0 or another version string, which causes the information to be leaked in the error message. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2002-0107 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0111 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0111 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020109 File Transversal Vulnerability in Dino's WebServer Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101062213627501&w=2 Reference: BID:3861 Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3861 Reference: XF:dinos-webserver-directory-traversal(7853) Reference: URL:http://www.iss.net/security_center/static/7853.php Directory traversal vulnerability in Funsoft Dino's Webserver 1.2 and earlier allows remote attackers to read files or execute arbitrary commands via a .. (dot dot) in the URL. Analysis -------- Vendor Acknowledgement: yes via-email ACKNOWLEDGEMENT: email inquiry sent to andgjens@online.no (subject "Dino's FunSoft") on 3/11/2002, acknowledgement received on 3/12/2002. INFERRED ACTION: CAN-2002-0111 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0115 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0115 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020110 Snort core dumped Reference: URL:http://online.securityfocus.com/archive/1/249340 Reference: BUGTRAQ:20020110 Re: Snort core dumped Reference: URL:http://online.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-03-08&end=2002-03-14&mid=249623&threads=1 Reference: BID:3849 Reference: URL:http://online.securityfocus.com/bid/3849 Reference: XF:snort-icmp-dos(7874) Reference: URL:http://www.iss.net/security_center/static/7874.php Snort 1.8.3 does not properly define the minimum ICMP header size, which allows remote attackers to cause a denial of service (crash and core dump) via a malformed ICMP packet. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2002-0115 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0117 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0117 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020108 CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor] Reference: URL:http://online.securityfocus.com/archive/1/249031 Reference: CONFIRM:http://www.yabbforum.com/ Reference: BID:3828 Reference: URL:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3828 Reference: XF:yabb-encoded-css(7840) Reference: URL:http://www.iss.net/security_center/static/7840.php Cross-site scripting vulnerability in Yet Another Bulletin Board (YaBB) 1 Gold SP 1 and earlier allows remote attackers to execute arbitrary script and steal cookies via a message containing encoded Javascript in an IMG tag. Modifications: ADDREF CONFIRM:http://www.yabbforum.com/ Analysis -------- Vendor Acknowledgement: yes ACKNOWLEDGEMENT: The "Latest News" section has an entry for SP1 dated 4/11/02, which states: "New javascript in image tags vulnerability fixed" INFERRED ACTION: CAN-2002-0117 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Frech, Green NOOP(4) Christey, Wall, Foat, Cole Voter Comments: Christey> CONFIRM:http://www.yabbforum.com/ The "Latest News" section has an entry for SP1 dated 4/11/02, which states: "New javascript in image tags vulnerability fixed" ====================================================== Candidate: CAN-2002-0121 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0121 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020113 PHP 4.x session spoofing Reference: URL:http://online.securityfocus.com/archive/1/250196 Reference: BID:3873 Reference: URL:http://online.securityfocus.com/bid/3873 Reference: XF:php-session-temp-disclosure(7908) Reference: URL:http://www.iss.net/security_center/static/7908.php PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name contains the session ID, which allows local users to hijack web connections. Analysis -------- Vendor Acknowledgement: unknown INFERRED ACTION: CAN-2002-0121 ACCEPT (4 accept, 0 ack, 0 review) Current Votes: ACCEPT(4) Foat, Cole, Frech, Green NOOP(2) Wall, Balinsky ====================================================== Candidate: CAN-2002-0128 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0128 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020116 Sambar Webserver v5.1 DoS Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/250545 Reference: BUGTRAQ:20020206 Sambar Webserver Sample Script v5.1 DoS Vulnerability Exploit Reference: URL:http://www.der-keiler.de/Mailing-Lists/securityfocus/bugtraq/2002-02/0083.html Reference: CONFIRM:http://www.sambar.com/security.htm Reference: BID:3885 Reference: URL:http://www.securityfocus.com/bid/3885 Reference: XF:sambar-cgitest-dos(7894) Reference: URL:http://www.iss.net/security_center/static/7894.php cgitest.exe in Sambar Server 5.1 before Beta 4 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long argument. Analysis -------- Vendor Acknowledgement: yes advisory ACKNOWLEDGEMENT: The Sambar security page says "All versions of the Sambar WWW Server prior to the 5.1 Beta 4 release are vulnerable to a reported DoS attack against the /cgi-win/cgitest.exe sample application" and credits the Bugtraq poster. INFERRED ACTION: CAN-2002-0128 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0139 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0139 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020120 Bounce vulnerability in SpoonFTP 1.1.0.1 Reference: URL:http://online.securityfocus.com/archive/1/251422 Reference: CONFIRM:http://www.pi-soft.com/spoonftp/index.shtml Reference: BID:3910 Reference: URL:http://online.securityfocus.com/bid/3910 Reference: XF:spoonftp-ftp-bounce(7943) Reference: URL:http://www.iss.net/security_center/static/7943.php Pi-Soft SpoonFTP 1.1 and earlier allows remote attackers to redirect traffic to other sites (aka FTP bounce) via the PORT command. Analysis -------- Vendor Acknowledgement: yes ACKNOWLEDGEMENT: the home page for SpoonFTP states that "A fix to prevent a potential 'bounce attack' against SpoonFTP was added in version 1.2." INFERRED ACTION: CAN-2002-0139 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0143 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0143 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020315 Assigned: 20020315 Category: SF Reference: BUGTRAQ:20020113 Eterm SGID utmp Buffer Overflow (Local) Reference: URL:http://online.securityfocus.com/archive/1/250145 Reference: BUGTRAQ:20020121 Re: Eterm SGID utmp Buffer Overflow (Local) Reference: URL:http://online.securityfocus.com/archive/1/251597 Reference: BID:3868 Reference: URL:http://online.securityfocus.com/bid/3868 Reference: XF:eterm-home-bo(7896) Reference: URL:http://www.iss.net/security_center/static/7896.php Buffer overflow in Eterm of Enlightenment Imlib2 1.0.4 and earlier allows local users to execute arbitrary code via a long HOME environment variable. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2002-0143 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Cole, Frech, Ziese, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0151 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0151 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020319 Category: SF Reference: BUGTRAQ:20020404 NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request kernel overflow Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101793727306282&w=2 Reference: VULNWATCH:20020404 NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request kernel overflow Reference: MS:MS02-017 Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS02-017.asp Reference: XF:win-mup-bo(8752) Reference: URL:http://www.iss.net/security_center/static/8752.php Reference: BID:4426 Reference: URL:http://www.securityfocus.com/bid/4426 Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. Modifications: ADDREF XF:win-mup-bo(8752) ADDREF BID:4426 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0151 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Foat, Cole, Green NOOP(2) Christey, Cox Voter Comments: Christey> Consider adding BID:4426 Christey> XF:win-mup-bo(8752) URL:http://www.iss.net/security_center/static/8752.php BID:4426 URL:http://www.securityfocus.com/bid/4426 ====================================================== Candidate: CAN-2002-0152 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0152 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020319 Category: SF Reference: BUGTRAQ:20020416 w00w00 on Microsoft IE/Office for Mac OS Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101897994314015&w=2 Reference: MS:MS02-019 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-019.asp Reference: XF:ms-mac-html-file-bo(8850) Reference: URL:http://www.iss.net/security_center/static/8850.php Reference: BID:4517 Reference: URL:http://www.securityfocus.com/bid/4517 Buffer overflow in various Microsoft applications for Macintosh allows remote attackers to cause a denial of service (crash) or execute arbitrary code by invoking the file:// directive with a large number of / characters, which affects Internet Explorer 5.1, Outlook Express 5.0 through 5.0.2, Entourage v. X and 2001, PowerPoint v. X, 2001, and 98, and Excel v. X and 2001 for Macintosh. Modifications: ADDREF XF:ms-mac-html-file-bo(8850) ADDREF BID:4517 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0152 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Wall, Cole, Green NOOP(3) Christey, Foat, Cox Voter Comments: Christey> XF:ms-mac-html-file-bo(8850) URL:http://www.iss.net/security_center/static/8850.php BID:4517 URL:http://www.securityfocus.com/bid/4517 ====================================================== Candidate: CAN-2002-0153 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0153 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020319 Category: SF Reference: BUGTRAQ:20020122 Macinosh IE file execuion Reference: URL:http://www.securityfocus.com/archive/1/251805 Reference: MS:MS02-019 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-019.asp Reference: XF:ie-mac-applescript-execution(8851) Reference: URL:http://www.iss.net/security_center/static/8851.php Reference: BID:3935 Reference: URL:http://www.securityfocus.com/bid/3935 Internet Explorer 5.1 for Macintosh allows remote attackers to bypass security checks and invoke local AppleScripts within a specific HTML element, aka the "Local Applescript Invocation" vulnerability. Modifications: ADDREF BUGTRAQ:20020122 Macinosh IE file execuion ADDREF XF:ie-mac-applescript-execution(8851) ADDREF BID:3935 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0153 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Foat, Cole, Green NOOP(2) Christey, Cox Voter Comments: Christey> XF:ie-mac-applescript-execution(8851) URL:http://www.iss.net/security_center/static/8851.php BID:3935 BUGTRAQ:20020122 Macinosh IE file execuion URL:http://www.securityfocus.com/archive/1/251805 ====================================================== Candidate: CAN-2002-0159 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0159 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020327 Category: SF Reference: BUGTRAQ:20020403 iXsecurity.20020314.csadmin_fmt.a Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101787248913611&w=2 Reference: CISCO:20020403 Web Interface Vulnerabilities in Cisco Secure ACS for Windows Reference: URL:http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml Reference: XF:ciscosecure-acs-format-string(8742) Reference: URL:http://www.iss.net/security_center/static/8742.php Reference: BID:4416 Reference: URL:http://www.securityfocus.com/bid/4416 Format string vulnerability in the administration function in Cisco Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40), allows remote attackers to crash the CSADMIN module only (denial of service of administration function) or execute arbitrary code via format strings in the URL to port 2002 Modifications: ADDREF XF:ciscosecure-acs-format-string(8742) ADDREF BID:4416 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0159 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Foat, Cole, Green NOOP(3) Christey, Wall, Cox Voter Comments: Christey> XF:ciscosecure-acs-format-string(8742) URL:http://www.iss.net/security_center/static/8742.php BID:4416 URL:http://www.securityfocus.com/bid/4416 ====================================================== Candidate: CAN-2002-0160 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0160 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020327 Category: SF Reference: BUGTRAQ:20020403 iXsecurity.20020316.csadmin_dir.a Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101786689128667&w=2 Reference: CISCO:20020403 Web Interface Vulnerabilities in Cisco Secure ACS for Windows Reference: URL:http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml The administration function in Cisco Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40), allows remote attackers to read HTML, Java class, and image files outside the web root via a ..\.. (modified ..) in the URL to port 2002. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0160 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Foat, Cole, Green NOOP(2) Wall, Cox ====================================================== Candidate: CAN-2002-0166 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0166 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020409 Category: SF Reference: DEBIAN:DSA-125 Reference: URL:http://www.debian.org/security/2002/dsa-125 Reference: FREEBSD:FreeBSD-SN-02:02 Reference: URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:02.asc Reference: XF:analog-logfile-css(8656) Reference: URL:http://www.iss.net/security_center/static/8656.php Reference: BID:4389 Reference: URL:http://www.securityfocus.com/bid/4389 Cross-site scripting vulnerability in analog before 5.22 allows remote attackers to execute Javascript via an HTTP request containing the script, which is entered into a web logfile and not properly filtered by analog during display. Modifications: ADDREF XF:analog-logfile-css(8656) ADDREF BID:4389 ADDREF FREEBSD:FreeBSD-SN-02:02 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0166 ACCEPT (4 accept, 2 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Cox, Green NOOP(2) Christey, Foat Voter Comments: Christey> XF:analog-logfile-css(8656) URL:http://www.iss.net/security_center/static/8656.php BID:4389 URL:http://www.securityfocus.com/bid/4389 FREEBSD:FreeBSD-SN-02:02 URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:02.asc ====================================================== Candidate: CAN-2002-0167 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0167 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020410 Category: SF Reference: REDHAT:RHSA-2002:048 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-048.html Reference: CONECTIVA:CLA-2002:470 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000470 Reference: CALDERA:CSSA-2002-019.0 Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt Reference: MANDRAKE:MDKSA-2002:029 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php Reference: SUSE:SuSE-SA:2002:015 Reference: URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html Reference: BID:4339 Reference: URL:http://online.securityfocus.com/bid/4339 Imlib before 1.9.13 sometimes uses the NetPBM package to load trusted images, which could allow attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain weaknesses of NetPBM. Modifications: ADDREF CALDERA:CSSA-2002-019.0 ADDREF MANDRAKE:MDKSA-2002:029 ADDREF SUSE:SuSE-SA:2002:015 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0167 ACCEPT (4 accept, 3 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Cox, Green NOOP(2) Christey, Foat Voter Comments: Christey> CALDERA:CSSA-2002-019.0 URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt MANDRAKE:MDKSA-2002:029 URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php SUSE:SuSE-SA:2002:015 URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html ====================================================== Candidate: CAN-2002-0168 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0168 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020410 Category: SF Reference: REDHAT:RHSA-2002:048 Reference: URL:http://www.redhat.com/support/errata/RHSA-2002-048.html Reference: CONECTIVA:CLA-2002:470 Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000470 Reference: CALDERA:CSSA-2002-019.0 Reference: URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt Reference: MANDRAKE:MDKSA-2002:029 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php Reference: SUSE:SuSE-SA:2002:015 Reference: URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html Reference: BID:4336 Reference: URL:http://online.securityfocus.com/bid/4336 Vulnerability in Imlib before 1.9.13 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by manipulating arguments that are passed to malloc, which results in a heap corruption. Modifications: ADDREF CALDERA:CSSA-2002-019.0 ADDREF MANDRAKE:MDKSA-2002:029 ADDREF SUSE:SuSE-SA:2002:015 Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0168 ACCEPT (4 accept, 3 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Cox, Green NOOP(2) Christey, Foat Voter Comments: Christey> CALDERA:CSSA-2002-019.0 URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-019.0.txt MANDRAKE:MDKSA-2002:029 URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-029.php SUSE:SuSE-SA:2002:015 URL:http://www.suse.de/de/support/security/2002_015_imlib_txt.html ====================================================== Candidate: CAN-2002-0175 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0175 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020415 Category: SF Reference: BUGTRAQ:20020320 Bypassing libsafe format string protection Reference: URL:http://online.securityfocus.com/archive/1/263121 Reference: VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html Reference: MANDRAKE:MDKSA-2002:026 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-026.php Reference: BID:4326 Reference: URL:http://online.securityfocus.com/bid/4326 Reference: XF:libsafe-flagchar-protection-bypass(8593) Reference: URL:http://www.iss.net/security_center/static/8593.php libsafe 2.0-11 and earlier allows attackers to bypass protection against format string vulnerabilities via format strings that use the "'" and "I" characters, which are implemented in libc but not libsafe. Modifications: ADDREF VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection ADDREF XF:libsafe-flagchar-protection-bypass(8593) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0175 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Wall, Cole, Green NOOP(3) Christey, Foat, Cox Voter Comments: Christey> VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html XF:libsafe-flagchar-protection-bypass(8593) URL:http://www.iss.net/security_center/static/8593.php ====================================================== Candidate: CAN-2002-0176 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0176 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020415 Category: SF Reference: BUGTRAQ:20020320 Bypassing libsafe format string protection Reference: URL:http://online.securityfocus.com/archive/1/263121 Reference: VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html Reference: MANDRAKE:MDKSA-2002:026 Reference: URL:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-026.php Reference: BID:4327 Reference: URL:http://online.securityfocus.com/bid/4327 Reference: XF:libsafe-argnum-protection-bypass(8594) Reference: URL:http://www.iss.net/security_center/static/8594.php The printf wrappers in libsafe 2.0-11 and earlier do not properly handle argument indexing specifiers, which could allow attackers to exploit certain function calls through arguments that are not verified by libsafe. Modifications: ADDREF VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection ADDREF XF:libsafe-argnum-protection-bypass(8594) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0176 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Wall, Cole, Green NOOP(3) Christey, Foat, Cox Voter Comments: Christey> VULNWATCH:20020320 [VulnWatch] Bypassing libsafe format string protection URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html XF:libsafe-argnum-protection-bypass(8594) URL:http://www.iss.net/security_center/static/8594.php ====================================================== Candidate: CAN-2002-0179 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0179 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020417 Category: SF Reference: DEBIAN:DSA-127 Reference: URL:http://www.debian.org/security/2002/dsa-127 Reference: BID:4534 Reference: URL:http://www.securityfocus.com/bid/4534 Reference: XF:xpilot-server-bo(8852) Reference: URL:http://www.iss.net/security_center/static/8852.php Buffer overflow in xpilot-server for XPilot 4.5.0 and earlier allows remote attackers to execute arbitrary code. Modifications: ADDREF BID:4534 ADDREF XF:xpilot-server-bo(8852) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0179 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Wall, Cole, Cox, Green NOOP(2) Christey, Foat Voter Comments: Christey> BID:4534 URL:http://www.securityfocus.com/bid/4534 XF:xpilot-server-bo(8852) URL:http://www.iss.net/security_center/static/8852.php ====================================================== Candidate: CAN-2002-0196 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0196 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20020122 (Repost) CwpApi : GetRelativePath() returns invalid paths (security advisory) Reference: URL:http://online.securityfocus.com/archive/1/251699 Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=144966 Reference: BID:3924 Reference: URL:http://online.securityfocus.com/bid/3924 Reference: XF:cwpapi-getrelativepath-view-files(7981) Reference: URL:http://www.iss.net/security_center/static/7981.php GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the server root is somewhere within the path, which could allow remote attackers to read or write files outside of the web root, in other directories whose path includes the web root. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0196 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0197 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0197 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20020122 psyBNC 2.3 Beta - encrypted text "spoofable" in others' irc terminals Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101173478806580&w=2 Reference: BUGTRAQ:20020122 psyBNC2.3 Beta - encrypted text spoofable in others irc terminal Reference: URL:http://online.securityfocus.com/archive/1/251832 Reference: XF:psybnc-view-encrypted-messages(7985) Reference: URL:http://www.iss.net/security_center/static/7985.php Reference: BID:3931 Reference: URL:http://www.securityfocus.com/bid/3931 psyBNC 2.3 beta and earlier allows remote attackers to spoof encrypted, trusted messages by sending lines that begin with the "[B]" sequence, which makes the message appear legitimate. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2002-0197 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0207 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0207 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: VULN-DEV:20020105 RealPlayer Buffer Problem Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0044.html Reference: BUGTRAQ:20020124 Potential RealPlayer 8 Vulnerability Reference: URL:http://online.securityfocus.com/archive/1/252414 Reference: BUGTRAQ:20020124 RealPlayer Buffer Overflow [Sentinel Chicken Networks Security Advisory #01] Reference: URL:http://online.securityfocus.com/archive/1/252425 Reference: MISC:http://sentinelchicken.com/advisories/realplayer/ Reference: BID:3809 Reference: URL:http://online.securityfocus.com/bid/3809 Reference: XF:realplayer-file-header-bo(7839) Reference: URL:http://www.iss.net/security_center/static/7839.php Buffer overflow in Real Networks RealPlayer 8.0 and earlier allows remote attackers to execute arbitrary code via a header length value that exceeds the actual length of the header. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2002-0207 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0209 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0209 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20020125 Alteon ACEdirector signature/security bug Reference: URL:http://online.securityfocus.com/archive/1/252455 Reference: BUGTRAQ:20020312 Re: Alteon ACEdirector signature/security bug Reference: URL:http://online.securityfocus.com/archive/1/261548 Reference: BID:3964 Reference: URL:http://online.securityfocus.com/bid/3964 Reference: XF:acedirector-http-reveal-ip(8010) Reference: URL:http://www.iss.net/security_center/static/8010.php Nortel Alteon ACEdirector WebOS 9.0, with the Server Load Balancing (SLB) and Cookie-Based Persistence features enabled, allows remote attackers to determine the real IP address of a web server with a half-closed session, which causes ACEdirector to send packets from the server without changing the address to the virtual IP address. Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2002-0209 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0211 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0211 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20020126 Vulnerability report for Tarantella Enterprise 3. Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101208650722179&w=2 Reference: BUGTRAQ:20020404 Exploit for Tarantella Enterprise 3 installation (BID 3966) Reference: URL:http://online.securityfocus.com/archive/1/265845 Reference: CONFIRM:http://www.tarantella.com/security/bulletin-04.html Reference: BID:3966 Reference: URL:http://online.securityfocus.com/bid/3966 Reference: XF:tarantella-gunzip-tmp-race(7996) Reference: URL:http://www.iss.net/security_center/static/7996.php Race condition in the installation script for Tarantella Enterprise 3 3.01 through 3.20 creates a world-writeable temporary "gunzip" program before executing it, which could allow local users to execute arbitrary commands by modifying the program before it is executed. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0211 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0226 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0226 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20020201 Vulnerability in all versions of DCForum from dcscripts.com Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101258311519504&w=2 Reference: CONFIRM:http://www.dcscripts.com/bugtrac/DCForumID7/3.html Reference: BID:4014 Reference: URL:http://www.securityfocus.com/bid/4014 Reference: XF:dcforum-cgi-recover-passwords(8044) Reference: URL:http://www.iss.net/security_center/static/8044.php retrieve_password.pl in DCForum 6.x and 2000 generates predictable new passwords based on a sessionID, which allows remote attackers to request a new password on behalf of another user and use the sessionID to calculate the new password for that user. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0226 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Green NOOP(2) Wall, Foat ====================================================== Candidate: CAN-2002-0237 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0237 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20020209 ALERT: ISS BlackICE Kernel Overflow Exploitable Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101321744807452&w=2 Reference: BUGTRAQ:20020204 Vulnerability in Black ICE Defender Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101286393404301&w=2 Reference: NTBUGTRAQ:20020209 ALERT: ISS BlackICE Kernel Overflow Exploitable Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101353165915171&w=2 Reference: BUGTRAQ:20020206 Black ICE Ping Vulnerability Side Note Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101302424803268&w=2 Reference: ISS:20020204 DoS and Potential Overflow Vulnerability in BlackICE Products Reference: URL:http://www.iss.net/security_center/alerts/advise109.php Reference: BID:4025 Reference: URL:http://online.securityfocus.com/bid/4025 Reference: XF:blackice-ping-flood-dos(8058) Reference: URL:http://www.iss.net/security_center/static/8058.php Buffer overflow in ISS BlackICE Defender 2.9 and earlier, BlackICE Agent 3.0 and 3.1, and RealSecure Server Sensor 6.0.1 and 6.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a flood of large ICMP ping packets. Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-0237 ACCEPT (3 accept, 1 ack, 0 review) Current Votes: ACCEPT(3) Wall, Cole, Green NOOP(1) Foat ====================================================== Candidate: CAN-2002-0251 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0251 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20020206 -Possible- licq D.o.S Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101301254432079&w=2 Reference: BUGTRAQ:20020208 RE: -Possible- licq D.o.S Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101318594420200&w=2 Reference: BID:4036 Reference: URL:http://www.securityfocus.com/bid/4036 Reference: XF:licq-static-bo(8107) Reference: URL:http://www.iss.net/security_center/static/8107.php Buffer overflow in licq 1.0.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string of format string characters such as "%d". Analysis -------- Vendor Acknowledgement: yes followup INFERRED ACTION: CAN-2002-0251 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Cole, Cox NOOP(2) Wall, Foat Voter Comments: CHANGE> [Cox changed vote from REVIEWING to ACCEPT] ====================================================== Candidate: CAN-2002-0265 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0265 Final-Decision: Interim-Decision: 20020617 Modified: Proposed: 20020502 Assigned: 20020501 Category: SF Reference: BUGTRAQ:20020211 Vulnerability in Sawmill for Solaris v. 6.2.14 Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101346206921270&w=2 Reference: CONFIRM:http://www.sawmill.net/version_history.html Reference: BID:4077 Reference: URL:http://www.securityfocus.com/bid/4077 Reference: XF:sawmill-admin-password-insecure(8173) Reference: URL:http://www.iss.net/security_center/static/8173.php Sawmill for Solaris 6.2.14 and earlier creates the AdminPassword file with world-writable permissions, which allows local users to gain privileges by modifying the file. Analysis -------- Vendor Acknowledgement: yes changelog ACKNOWLEDGEMENT: in the release notes, in the section titled "Version 6.2.15, shipped February 10, 2002," the vendor states: "Fixed a security flaw in which the AdminPassword file was created with incorrect permissions (666 instead of 600)" INFERRED ACTION: CAN-2002-0265 ACCEPT_ACK (2 accept, 1 ack, 0 review) Current Votes: ACCEPT(2) Wall, Cole NOOP(2) Foat, Cox ====================================================== Candidate: CAN-2002-1056 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1056 Final-Decision: Interim-Decision: 20020617 Modified: 20020616-01 Proposed: 20020502 Assigned: 20020426 Category: SF Reference: BUGTRAQ:20020331 More Office XP Problems Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101760380418890&w=2 Reference: BUGTRAQ:20020403 More Office XP problems (Version 2.0) Reference: URL:http://online.securityfocus.com/archive/1/265621 Reference: MS:MS02-021 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms02-021.asp Reference: BID:4397 Reference: URL:http://online.securityfocus.com/bid/4397 Reference: XF:outlook-object-execute-script(8708) Reference: URL:http://www.iss.net/security_center/static/8708.php Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to. Modifications: ADDREF BUGTRAQ:20020403 More Office XP problems (Version 2.0) ADDREF XF:outlook-object-execute-script(8708) Analysis -------- Vendor Acknowledgement: yes advisory INFERRED ACTION: CAN-2002-1056 ACCEPT (4 accept, 1 ack, 0 review) Current Votes: ACCEPT(4) Green, Wall, Foat, Cole NOOP(2) Christey, Cox Voter Comments: Christey> BUGTRAQ:20020403 More Office XP problems (Version 2.0) URL:http://online.securityfocus.com/archive/1/265621 XF:outlook-object-execute-script(8708) URL:http://www.iss.net/security_center/static/8708.php
- Prev by Date: [PROPOSAL] Cluster RECENT-93 - 45 candidates
- Next by Date: [FINAL] ACCEPT 191 candidates
- Prev by thread: [PROPOSAL] Cluster RECENT-93 - 45 candidates
- Next by thread: [FINAL] ACCEPT 191 candidates
- Index(es):
