(日期:][下一个日期][线程:][线程下][日期索引][线程索引]
再保险(建议):集群近三十- 17的候选人
- 来:“史蒂文·m·Christey " <coley@linus.mitre.org>
- 主题集群:再保险(建议):近三十- 17的候选人
- 从:aleph1@securityfocus.com
- 日期:结婚,2 2000年8月21:02:59 -0700
- Cc:cve-editorial-board-list@lists.mitre.org
- 交货日期:2000年8月3 00:02:23星期四
- 在回复:<200008030256. waa05696@basie.mitre.org>;从coley@LINUS.MITRE。ORG上结婚,2000年8月2日在10:56:27PM -0400
- 引用:<200008030256. waa05696@basie.mitre.org>
* Steven m . Christey (coley@LINUS.MITRE.ORG)[000803 02:59]: >以下集群包含17候选人宣布> 7/21/2000和7/27/2000之间。> >中所列出的候选人优先秩序。优先级1和优先级> 2的候选人都应对不同层次的供应商>确认,所以他们应该易于检查和可以信任的>,问题是真实的。> >如果你发现任何RECENT-XX集群与尊重>是不完整的过程中发现的问题相关的时间框架,请>信息发送给我,这样候选人可以转让。> > -史蒂夫> > > >总结的选票使用(“严重程度”的按升序)> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > >接受——选民接受候选人提出>等待-选民对候选人没有意见>修改-选民想要改变一些小细节(例如参考/描述)>回顾-选民正在审查/研究候选人,或需要更多信息>重塑-候选人必须大幅修改,如分割或合并>拒绝候选人不是“漏洞”,或重复等。> > 1)请写你的投票在直线上,从“投票:”开始。如果>你想添加评论或细节,将它们添加到行>后投票:行。> > 2)如果你看到任何失踪的引用,请提及他们,使他们>可以包括在内。在映射引用帮助极大。> > 3)请注意,“修改”被视为一个“接受”当计算选票。>如果你没有足够的信息对候选人但你>不想等待,使用一个回顾。 > > ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** > > Please keep in mind that your vote and comments will be recorded and > publicly viewable in the mailing list archives or in other formats. > > ================================= > Candidate: CAN-2000-0621 > Published: > Final-Decision: > Interim-Decision: > Modified: > Proposed: 20000803 > Assigned: 20000726 > Category: SF > Reference: MS:MS00-046 > Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00 - 046. - asp>参考:CERT: ca - 2000 - 14 >参考:网址:http://www.cert.org/advisories/ca - 2000 - 14. - html>参考:报价:1501 >参考:网址:http://www.securityfocus.com/bid/1501> > Microsoft Outlook 98年和2000年,Outlook Express 4.0倍和5.0倍,>允许远程攻击者读取客户机的文件系统通过>畸形HTML消息存储文件缓存之外,又名>”缓存绕过“脆弱性。> > > ED_PRI - 2000 - 0621 1 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0655 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000724 JPEG COM标记处理漏洞在网景浏览器>参考:网址:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007242356.DAA01274%40false.com>参考:REDHAT: RHSA-2000:046-02 >参考:网址:http://www.redhat.com/support/errata/rhsa - 2000 - 046 - 02. - html>参考:报价:1503 >参考:网址:http://www.securityfocus.com/bid/1503> > Netscape 4.73和更早的沟通者允许远程攻击者>引起拒绝服务或执行任意命令通过一个JPEG图像>包含注释的非法字段长度1。> > > ED_PRI - 2000 - 0655 1 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0663 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:女士:ms00 - 052 >参考:网址:http://www.microsoft.com/technet/security/bulletin/ms00 - 052. - asp>参考:MSKB: Q269049 >参考:网址:http://www.microsoft.com/technet/support/kb.asp?ID=269049>参考:报价:1507 >参考:网址:http://www.securityfocus.com/bid/1507> > Windows的注册表项壳可执行(资源管理器)> Windows NT和Windows 2000使用相对路径名>本地用户可以执行任意命令通过插入一个特洛伊木马>命名的探险家。exe到% Systemdrive %目录,又名“相对>壳路径”的弱点。> > > ED_PRI - 2000 - 0663 1 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0668 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:REDHAT: RHSA-2000:044-02 >参考:网址:http://www.redhat.com/support/errata/rhsa - 2000 - 044 - 02. - html>参考:报价:1513 >参考:网址:http://www.securityfocus.com/bid/1513> > pam_console PAM模块在Linux系统允许用户访问>系统控制台和重新启动系统时显示经理如> gdm或kdm XDMCP启用。> > > ED_PRI - 2000 - 0668 1 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0673 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:奈:20000727 Windows NetBIOS名称冲突>引用:女士:ms00 - 047 >参考:网址:http://www.microsoft.com/technet/security/bulletin/ms00 - 047. - asp>参考:报价:1514 >参考:网址:http://www.securityfocus.com/bid/1514>参考:报价:1515 >参考:网址:http://www.securityfocus.com/bid/1515> >的NetBIOS名称服务器(nbn公司禁止)协议不执行>认证,它允许远程攻击者导致拒绝>服务通过发送一个欺骗名称冲突或名称发布数据报,>又名“NetBIOS名称服务器协议欺骗”的弱点。> > > ED_PRI - 2000 - 0673 1 > > >投票:修改你似乎是结合这两个问题,因为他们有相同的根本问题:NetBIOS信任每个人都和它不经过身份验证的。但如果这是你的推理就可以把这作为一个软件故障(SF),它应该是一个设计缺陷。> = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0664 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000726 AnalogX SimpleServer: WWW“点点错误>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0374.html>参考:确认:http://www.analogx.com/contents/download/network/sswww.htm>参考:报价:1508 >参考:网址:http://www.securityfocus.com/bid/1508> > AnalogX SimpleServer: WWW 1.06和更早的允许远程攻击者读取>任意文件通过修改. .(点点)攻击,使用% 2 e > URL编码的点。> > > ED_PRI - 2000 - 0664 2 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0671 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000721 Roxen安全警报:url包含空字符的问题。>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0321.html>参考:BUGTRAQ: 20000721 Roxen Web服务器漏洞>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0307.html>参考:报价:1510 >参考:网址:http://www.securityfocus.com/bid/1510> > Roxen web服务器比2.0.69允许允许远程攻击者>列出目录的内容,阅读源代码通过添加一个空>字符(% 00)的URL。> > > ED_PRI - 2000 - 0671 2 > > >投票:修改这个问题真的有比仅仅能够列出一个目录的内容。Roxen使用派克。派克可以处理与null字符串,但底层操作系统在第一个空的字符串截断。因此Roxen和操作系统不同意真正指向文件的字符串。症状是能够列出一个目录。更危险的是能够绕过访问限制通过发送一个查询,该查询将web服务器的acl但有效传递给底层操作系统。你也可以用它来下载源代码脚本发送请求web服务器不会认为是一种文件类型,应该解析或执行死刑的可能性,但这将使底层操作系统打开阅读脚本。> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0644 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000721 WFTPD / WFTPD Pro 2.41 RC11漏洞。>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html>参考:报价:1506 >参考:网址:http://www.securityfocus.com/bid/1506> > WFTPD和WFTPD Pro 2.41允许远程攻击者导致拒绝>服务通过执行STAT命令在命令列表仍>执行。> > > ED_PRI - 2000 - 0644 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0645 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000721 WFTPD / WFTPD Pro 2.41 RC11漏洞。>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html>参考:报价:1506 >参考:网址:http://www.securityfocus.com/bid/1506> > WFTPD和WFTPD Pro 2.41允许远程攻击者导致拒绝>服务通过重启(REST)命令和写作结束>之外的一个文件,或者写文件不存在,通过命令等>商店独特的(STOU),存储(大的),或添加(APPE)。> > > ED_PRI - 2000 - 0645 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0646 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000721 WFTPD / WFTPD Pro 2.41 RC11漏洞。>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html>参考:报价:1506 >参考:网址:http://www.securityfocus.com/bid/1506> > WFTPD和WFTPD Pro 2.41允许远程攻击者获得真正的>一个文件的路径名执行状态(STAT)命令而>文件被转移。> > > ED_PRI - 2000 - 0646 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0647 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000721 WFTPD / WFTPD Pro 2.41 RC11漏洞。>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0295.html>参考:报价:1506 >参考:网址:http://www.securityfocus.com/bid/1506> > WFTPD和WFTPD Pro 2.41允许远程攻击者引起的否定>服务通过执行一个MLST命令登录到服务器之前。> > > ED_PRI - 2000 - 0647 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0652 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000723 IBM WebSphere缺省servlet处理程序showcode脆弱性>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0342.html>参考:报价:1500 >参考:网址:http://www.securityfocus.com/bid/1500> > IBM WebSphere允许远程攻击者读取源代码>执行web文件通过直接调用默认InvokerServlet >使用URL包含“/ servlet /文件”字符串。> > > ED_PRI - 2000 - 0652 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0656 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000724 AnalogX代理DoS >参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html>参考:确认:http://www.analogx.com/contents/download/network/proxy.htm>参考:报价:1504 >参考:网址:http://www.securityfocus.com/bid/1504> >缓冲区溢出AnalogX代理服务器4.04和更早的允许远程攻击者>引起拒绝服务通过一个长期用户命令> FTP协议。> > > ED_PRI - 2000 - 0656 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0657 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000724 AnalogX代理DoS >参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html>参考:确认:http://www.analogx.com/contents/download/network/proxy.htm>参考:报价:1504 >参考:网址:http://www.securityfocus.com/bid/1504> >缓冲区溢出AnalogX代理服务器4.04和更早的允许远程攻击者>引起拒绝服务通过一个长直升机命令> SMTP协议。> > > ED_PRI - 2000 - 0657 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0658 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000724 AnalogX代理DoS >参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html>参考:确认:http://www.analogx.com/contents/download/network/proxy.htm>参考:报价:1504 >参考:网址:http://www.securityfocus.com/bid/1504> >缓冲区溢出AnalogX代理服务器4.04和更早的允许远程攻击者>引起拒绝服务通过一个长期用户命令> POP3协议。> > > ED_PRI - 2000 - 0658 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0659 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000724 AnalogX代理DoS >参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html>参考:报价:1504 >参考:网址:http://www.securityfocus.com/bid/1504> >缓冲区溢出AnalogX代理服务器4.04和更早的允许远程攻击者>引起拒绝服务通过一个长期用户ID在SOCKS4 >连接请求。> > > ED_PRI - 2000 - 0659 3 > > >投票:接受> > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = >候选人:- 2000 - 0672 >发表:>最终决定:>阶段性裁决::>修改>提出:20000803 >分配:20000802 >类别:科幻小说>参考:BUGTRAQ: 20000721 jakarta tomcat……/管理>参考:网址:http://archives.neohapsis.com/archives/bugtraq/2000-07/0309.html> > Jakarta Tomcat的默认配置不限制访问> /管理上下文,它允许远程攻击者读取任意>文件通过直接调用管理> servlet添加上下文根目录。> > > ED_PRI - 2000 - 0672 3 > > >投票:回顾,以利亚利维SecurityFocus.comhttp://www.securityfocus.com/如果那么,对位小独木船
- 引用:
- (提案)集群近三十- 17的候选人
- 来自:“Steven m . Christey”< coley@linus.mitre.org >
- (提案)集群近三十- 17的候选人
- 上一页的日期:再保险(建议):集群RECENT-29 - 20的候选人
- 下一个按日期:(CVEPRI)编委会会议在丹佛的更多细节
- Prev线程:(提案)集群近三十- 17的候选人
- 下一个线程:(CVEPRI)编委会会议在丹佛的更多细节
- 指数(es):
