
Re: [VOTEPRI] 17 high priority candidates as of 7/5/2000



* Steven M. Christey (coley@LINUS.MITRE.ORG) [000706 01:55]:
> The following candidates are vendor-acknowledged and need to be accepted
> by one more vote.
>
> - Steve
>
>
> Summary of votes to use (in ascending order of "severity")
> ----------------------------------------------------------
>
> ACCEPT - voter accepts the candidate as proposed
> NOOP - voter has no opinion on the candidate
> MODIFY - voter wants to change some minor detail (e.g. reference/description)
> REVIEWING - voter is reviewing/researching the candidate, or needs more info
> RECAST - candidate must be significantly modified, e.g. split or merged
> REJECT - candidate is not "a vulnerability", or is a duplicate, etc.
>
> 1) Please write your vote on the line that starts with "VOTE: ". If
>    you want to add comments or details, add them to lines after the
>    VOTE: line.
>
> 2) If you see any missing references, please mention them so that they
>    can be included. References help greatly during mapping.
>
> 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
>    If you do not have sufficient information for a candidate but you
>    don't want to NOOP, use a REVIEWING.
>
> ********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
>
> Please keep in mind that your vote and comments will be recorded and
> publicly viewable in the mailing list archives or in other formats.
>
> KEY FOR INFERRED ACTIONS
> ------------------------
>
> Inferred actions capture the voting status of a candidate. They may
> be used by the Editor to determine whether or not a candidate is added
> to CVE. Where there is disagreement, the Editor must resolve the
> issue and achieve consensus, or make the final decision if consensus
> cannot be reached.
>
> - ACCEPT = 3 non-MITRE votes to ACCEPT/MODIFY, and no REVIEWING or REJECT
> - ACCEPT_ACK = 2 non-MITRE ACCEPT/MODIFY, and vendor acknowledgement
> - MOREVOTES = needs more votes
> - ACCEPT_REV = 3 non-MITRE ACCEPT's but is delayed due to a REVIEWING
> - SMC_REJECT = REJECT by Steve Christey; likely to be rejected outright
> - SMC_REVIEW = REVIEWING by Steve Christey; likely related to CD's
> - REVIEWING = at least one member is REVIEWING
> - REJECT = at least one member REJECTed
> - REVOTE = members should review their vote on this candidate
>
> =================================
> Candidate: CAN-1999-0247
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 19991130-01
> Proposed: 19990728
> Assigned: 19990607
> Category: SF
> Reference: NAI:17
>
> Buffer overflow in nnrpd program in INN up to version 1.6 allows
> remote users to execute arbitrary commands.
>
> Modifications:
>   ADDREF NAI:17
>   add version number
>
> INFERRED ACTION: CAN-1999-0247 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    NOOP(1) Northcutt
>
>

VOTE: REVIEWING

> =================================
> Candidate: CAN-1999-0298
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 20000524-01
> Proposed: 19990714
> Assigned: 19990607
> Category: SF
> Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
> Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp
>
> ypbind with -ypset and -ypsetme options activated in Linux Slackware
> and SunOS allows local and remote attackers to overwrite files via a
> .. (dot dot) attack.
>
> Modifications:
>   CHANGEREF NAI:NAI-6
>   add details to description.
>
> INFERRED ACTION: CAN-1999-0298 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    ACCEPT(1) Northcutt
>    NOOP(1) Shostack
>    REVIEWING(1) Frech
>
>

VOTE: REVIEWING

> =================================
> Candidate: CAN-2000-0045
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000125
> Assigned: 20000122
> Category: SF
> Reference: BUGTRAQ:20000111 Serious bug in MySQL password handling.
> Reference: BUGTRAQ:20000113 New MySQL
> Reference: BID:926
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=926
>
> MySQL allows local users to modify passwords for arbitrary MySQL users
> via the GRANT privilege.
>
> INFERRED ACTION: CAN-2000-0045 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0063
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000125
> Assigned: 20000122
> Category: SF
> Reference: BUGTRAQ:20000118 Nortel Contivity Vulnerability
> Reference: BID:938
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=938
>
> cgiproc CGI script in Nortel Contivity HTTP server allows remote
> attackers to read arbitrary files by specifying the filename in a
> parameter to the script.
>
> INFERRED ACTION: CAN-2000-0063 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0064
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000125
> Assigned: 20000122
> Category: SF
> Reference: BUGTRAQ:20000118 Nortel Contivity Vulnerability
> Reference: BID:938
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=938
>
> cgiproc CGI script in Nortel Contivity HTTP server allows remote
> attackers to cause a denial of service via a malformed URL that
> includes shell metacharacters.
>
> INFERRED ACTION: CAN-2000-0064 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0076
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000125
> Assigned: 20000122
> Category: SF
> Reference: BUGTRAQ:19991230 vibackup.sh
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94709988232618&w=2
> Reference: DEBIAN:20000109 nvi: incorrect file removal in boot script
> Reference: URL:http://www.debian.org/security/2000/20000108
>
> nviboot boot script in the Debian nvi package allows local users to
> delete files via malformed entries in vi.recover.
>
> INFERRED ACTION: CAN-2000-0076 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    NOOP(3) Levy, Wall, Cole
>
>

VOTE: REVIEWING

> =================================
> Candidate: CAN-2000-0094
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000208
> Assigned: 20000202
> Category: SF
> Reference: BUGTRAQ:20000121 *BSD procfs vulnerability
> Reference: FREEBSD:FreeBSD-SA-00:02
> Reference: BID:940
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=940
>
> procfs in BSD systems allows local users to gain root privileges by
> modifying the /proc/pid/mem interface via a modified file descriptor
> for stderr.
>
> INFERRED ACTION: CAN-2000-0094 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    MODIFY(1) Frech
>    NOOP(2) Wall, Christey
>    REVIEWING(1) Cole
>
> Comments:
>  Christey> BID:987 and NETBSD:2000-001 refer to a NetBSD procfs mem
>    problem, which may be the same problem.
>  Frech> XF:netbsd-procfs
>  Christey> BID:987 has been deleted, so I guess they agree ;-)
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0117
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000208
> Assigned: 20000208
> Category: SF
> Reference: BUGTRAQ:20000127 Cobalt RaQ2 - a user of mine changed my admin password..
> Reference: BUGTRAQ:20000131 [Cobalt] Security Advisory -- 01.31.2000
>
> siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site
> Administrator to modify passwords for other users, site
> administrators, and possibly admin (root).
>
> INFERRED ACTION: CAN-2000-0117 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    MODIFY(1) Frech
>    NOOP(1) Wall
>    REVIEWING(1) Cole
>
> Comments:
>  Frech> XF:http-cgi-cobalt-passwords
>
>

VOTE: MODIFY
Reference: BID 951

> =================================
> Candidate: CAN-2000-0120
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000208
> Assigned: 20000208
> Category: SF
> Reference: ALLAIRE:ASB00-04
> Reference: BID:955
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=955
>
> The Remote Access Service invoke.cfm template in Allaire Spectra 1.0
> allows users to bypass authentication via the bAuthenticated
> parameter.
>
> INFERRED ACTION: CAN-2000-0120 MOREVOTES-1 (1 accept, 1 ack, 2 review)
>
> Current Votes:
>    MODIFY(1) Frech
>    REVIEWING(2) Wall, Cole
>
> Comments:
>  Frech> XF:allaire-spectra-ras-access
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0264
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000426
> Assigned: 20000426
> Category: SF/CF/MP/SA/AN/unknown
> Reference: BUGTRAQ:20000417 bugs in Panda Security 3.0
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38FB45F2.550EA000@teleline.es
> Reference: BID:1119
> Reference: URL:http://www.securityfocus.com/bid/1119
>
> Panda Security 3.0 with registry editing disabled allows users to edit
> the registry and gain privileges by directly executing a .reg file or
> using other methods.
>
> INFERRED ACTION: CAN-2000-0264 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    NOOP(3) Wall, Cole, Christey
>
> Comments:
>  Christey> CONFIRM:http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0265
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000426
> Assigned: 20000426
> Category: SF
> Reference: BUGTRAQ:20000417 bugs in Panda Security 3.0
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38FB45F2.550EA000@teleline.es
> Reference: BID:1119
> Reference: URL:http://www.securityfocus.com/bid/1119
>
> Panda Security 3.0 allows users to uninstall the Panda software via
> its Add/Remove Programs applet.
>
> INFERRED ACTION: CAN-2000-0265 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    NOOP(3) Wall, Cole, Christey
>
> Comments:
>  Christey> CONFIRM:http://updates.pandasoftware.com/docs/us/Avoidvulnerability.zip
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0353
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000524
> Assigned: 20000523
> Category: SF
> Reference: MISC:http://www.securiteam.com/unixfocus/HHP-Pine_remote_exploit.html
> Reference: SUSE:19990628 Execution of commands in Pine 4.x
> Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_6.txt
> Reference: SUSE:19990911 Update for Pine (fixed IMAP support)
> Reference: URL:http://www.suse.de/de/support/security/pine_update_announcement.txt
>
> Pine 4.x allows a remote attacker to execute arbitrary commands via an
> index.html file which executes lynx and obtains a uudecoded file from
> a malicious web server, which is then executed by Pine.
>
> INFERRED ACTION: CAN-2000-0353 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    NOOP(1) Christey
>    REVIEWING(1) Frech
>
> Comments:
>  Christey> ADDREF BID:1247
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0359
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000524
> Assigned: 20000523
> Category: SF
> Reference: BUGTRAQ:19991113 thttpd 2.04 stack overflow (VD#6)
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1626.html
> Reference: SUSE:19991116 Security hole in thttpd 1.90 - 2.04
> Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_30.txt
>
> Buffer overflow in Trivial HTTP (THTTPd) allows remote attackers to
> cause a denial of service or execute arbitrary commands via a long
> If-Modified-Since header.
>
> INFERRED ACTION: CAN-2000-0359 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    NOOP(1) Christey
>    REVIEWING(1) Frech
>
> Comments:
>  Christey> ADDREF BID:1248
>  Frech> (NOT thttpd-file-read)
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0366
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000524
> Assigned: 20000523
> Category: SF
> Reference: DEBIAN:19991202 problem restoring symlinks
> Reference: URL:http://www.debian.org/security/1999/19991202
>
> dump in Debian Linux 2.1 does not properly restore symlinks, which
> allows a local user to modify the ownership of arbitrary files.
>
> INFERRED ACTION: CAN-2000-0366 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    REVIEWING(1) Frech
>
>

VOTE: REVIEWING

> =================================
> Candidate: CAN-2000-0369
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000524
> Assigned: 20000523
> Category: SF
> Reference: CALDERA:CSSA-1999-029.1
> Reference: URL:ftp://ftp.calderasystems.com/pub/openlinux/security/cssa-1999-029.1.txt
>
> The ident server in Caldera Linux 2.3 creates multiple threads for
> each IDENT request, which allows remote attackers to cause a denial
> of service.
>
> INFERRED ACTION: CAN-2000-0369 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    NOOP(1) Christey
>    REVIEWING(1) Frech
>
> Comments:
>  Christey> ADDREF BID:1266
>  Christey> ADDREF BID:1266
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0370
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000524
> Assigned: 20000523
> Category: SF
> Reference: CALDERA:CSSA-1999-001.0
> Reference: URL:ftp://ftp.calderasystems.com/pub/openlinux/security/cssa-1999-001.0.txt
>
> The debug option in Caldera Linux smail allows remote attackers to
> execute commands via shell metacharacters in the -d option for the
> rmail command.
>
> INFERRED ACTION: CAN-2000-0370 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    NOOP(1) Christey
>    REVIEWING(1) Frech
>
> Comments:
>  Christey> ADDREF BID:1268
>  Christey> ADDREF BID:1268
>    URL:http://www.securityfocus.com/bid/1268
>
>

VOTE: ACCEPT

> =================================
> Candidate: CAN-2000-0374
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000524
> Assigned: 20000523
> Category: SF
> Reference: CALDERA:CSSA-1999-021.0
> Reference: URL:ftp://ftp.calderasystems.com/pub/openlinux/security/cssa-1999-021.0.txt
>
> The default configuration of kdm in Caldera Linux allows XDMCP
> connections from any host, which allows remote attackers to obtain
> sensitive information or bypass additional access restrictions.
>
> INFERRED ACTION: CAN-2000-0374 MOREVOTES-1 (1 accept, 1 ack, 1 review)
>
> Current Votes:
>    ACCEPT(1) Stracener
>    REVIEWING(1) Frech
>
> Comments:
>  Frech> (NOT xdm-xdmcp-remote-bo)
>
>

VOTE: REVIEWING

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page last updated or reviewed: May 22, 2007