再保险:[VOTEPRI] 12 5/1/2000高优先级的候选人

以利亚利维和比尔墙长大许多不同的点与- 1999 - 0031,一个Javascript错误。下面是这个候选人的投票信息更新。它涉及很多问题,我认为CVE来说都非常重要,所以我强调它超过我通常会遗留的候选人。——史蒂夫= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:可以发表- 1999 - 0031:最终决定:阶段性裁决:修改:建议:19990728分配:19990607类别:科幻参考:CERT: ca - 97.20。javascript javascript允许远程攻击者监控用户的网络活动。推断行动:- 1999 - 0031能接受(3接受,1 ack, 0评论)目前投票:接受(2)墙,科尔修改(2)Christey利维等待(1)Northcutt评论:Christey > CERT咨询http://www.cert.org/advisories/CA-97.20.javascript.htmlChristey > Christey > ADDREF惠普:hpsbux9707 - 065 Christey >http://www.codetalker.com/advisories/vendor/hp/hpsbux9707 - 065. - htmlChristey > Christey >根据CERT咨询,这个问题影响互联网Christey > Explorer 3。x和4。x,网景2。x, 3。4. x, x。Christey >包含这个描述。利维>需要一个更好的描述漏洞有几个JS利维>漏洞在同一时间内,类似的结果但是利维>孔隙记录。贝尔实验室的漏洞,这就是其中之一。利维>这是一个其他的:征收>http://www.securityfocus.com/templates/archive.pike?list=1&msg=c%3dde%25a%3ddbp%25p%3dscn%25l%3dmchh9eea - 970711140700 - z - 970711140700 @de he01a.exchange.pn.siemens.de——妇幼保健墙>添加Internet Explorer 5还。看到墙>http://www.microsoft.com/technet/security/bulletin/ms99 - 043. - asp它允许墙> JavaScript阅读其他计算机上的文件。Christey >女士:ms99 - 043已经由cve - 1999 - 0793。这个是Christey >不同因为IE 3。x和4。x的影响;Christey > cve - 1999 - 0793,它影响4。倍和5.倍。同时,这个Christey >只允许某人读饼干,HTML表单数据,Christey > url访问。cve - 1999 - 0793允许攻击者Christey >阅读目标的计算机上的文件。因此这是Christey >不同cve - 1999 - 0793,和女士:ms99 - 043不应该Christey >补充道。Christey > Christey >描述提供的参考,以利亚2 bug,无论是Christey >的“贝尔实验室”的错误,即这个候选人(只是为了Christey >确认以利亚所说的话;CERT顾问明确由于Christey >贝尔实验室)。 The first bug *sounds* a lot like this candidate, but Christey> didn't need Javascript. Refer to this as the "Danish bug" Christey> since it was "discovered by a Danish IS consultant company." Christey> Christey> The second bug describes the same symptoms as CVE-1999-0793. Christey> However, this reference only describes the problem for Christey> Netscape Nagivator; CVE-1999-0793 only mentions IE. Christey> Thus it's possible that the problem was identified and fixed Christey> for Netscape, and later "rediscovered" by Microsoft and Christey> addressed for Internet Explorer. (The CD:DISCOVERY-DATE content Christey> decision, when reviewed by the Board, will dictate what to Christey> do in these sorts of cases). But then again, they could be Christey> different bugs entirely, but they just happen to have the same Christey> symptoms. If the bug is more in the Javascript model than in Christey> the implementation, then maybe CD:SF-CODEBASE won't apply. Christey> We might be able to roll this second bug in with Christey> CVE-1999-0793; thus we may need to REASSESS CVE-1999-0793 in Christey> the future. Christey> Christey> It is possible that this second bug is the same as the Christey> "Singapore privacy bug" described here: Christey>http://www.securityfocus.com/templates/archive.pike?list=1&date=1997 - 07 - 28 - &msg=pine.sun.3.94.970728112219.25473b - 100000 @dfw.dfw.netChristey >http://www.securityfocus.com/templates/archive.pike?list=1&date=1997 - 07 - 22 - &msg=pine.sun.3.94.970726193056.27668b - 100000 @dfw.dfw.netChristey > Christey >这些职位是7月22日和28日。新加坡是过时后Christey >初始CERT LiveConnect咨询和引用,这Christey >“支持JavaScript和Java applet之间的沟通”。Christey >Kuo Chiang, the person referenced in the above posts as the Christey> discovered, sent a followup a week later on August 1: Christey> Christey>http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719458&w=2Christey >,但这只是一个澄清的问题,作为Christey >职务包括ZDNet的引用文章写于7月25日Christey >。Christey > Christey >海报被伊莱亚斯,马提亚多明尼克,Christey >跟踪发送到CERT咨询说丹麦bug Christey >似乎是固定的,但贝尔实验室错误不是。Christey > Christey >http://www.securityfocus.com/templates/archive.pike?list=1&date=1997 - 07 - 8 &msg=c%3dde%25a%3ddbp%25p%3dscn%25l%3dmchh9eea - 970710145437 - z - 970710145437 - @de妇幼保健he01a.exchange.pn.siemens.deChristey > Christey >两个遗留候选人最终将被创建来处理Christey >这两个其他昆虫,例如新加坡和丹麦。Christey > Christey >同时,描述这个可以扩展Christey >提到贝尔实验室错误,包括指针回到一些Christey >的相关职位。Christey > Christey >如果这个烂摊子命名标准不是一个论点,我Christey >不知道是什么:-):-)在一个更严重的注意,这是一个Christey > CVE为什么它可能是重要的指标提供一种Christey >区分不同缺陷的发现在相同Christey >软件大约在同一时间(CD: SF-LOC将解决这个问题,Christey >,是第一张CD的我们将讨论当我再次Christey >)。>接受——选民接受候选人提出>等待-选民对候选人没有意见>修改-选民想要改变一些小细节(例如参考/描述)>回顾-选民正在审查/研究候选人,或需要更多信息>重塑-候选人必须大幅修改,如分割或合并>拒绝候选人不是“漏洞”,或复制,等等。投票: