(日期:][下一个日期][线程:][线程下][日期索引][线程索引]
(提案)集群最近40 - 80的候选人
- 来:cve-editorial-board-list@lists.mitre.org
- 主题(建议):集群最近40 - 80的候选人
- 从:“史蒂文·m·Christey " <coley@linus.mitre.org>
- 日期:2002年3月15日,星期五01:11:43 -0500(美国东部时间)
- 交货日期:2002年3月15日01:11:52星期五
- 发送方:owner-cve-editorial-board-list@lists.mitre.org
我最近提出集群——80年由编辑委员会审查和投票。名称:最近- 80描述:候选人宣布3/3/2001与7/26/2001大小:40通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。如果你发现任何RECENT-XX集群是不完整的对过程中发现的问题相关的时间框架,请发送信息给我,这样候选人可以被指定。——史蒂夫总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。 So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2001-0731 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 0731最终决定:阶段性裁决:修改:建议:20020315分配:20011008类别:科幻参考:BUGTRAQ: 20010709谷歌索引文件如何没有外部链接引用:网址:http://www.securityfocus.com/archive/1/20010709214744.A28765@brasscannon.net参考:确认:http://www.apacheweek.com/issues/01-10-05的安全参考:曼德拉草:MDKSA-2001:077参考:网址:http://www.linux mandrake.com/en/security/2001/mdksa - 2001 - 077 - 1. - php3参考:报价:3009参考:网址:http://www.securityfocus.com/bid/3009Apache 1.3.20启用了Multiviews方法允许远程攻击者查看目录内容和通过一个URL绕过索引页包含查询字符串“M = D”。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 0731 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1084网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1084最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010702多个供应商Java Servlet容器跨站点脚本漏洞参考:网址:http://www.securityfocus.com/archive/1/194464参考:阿莱尔:MPSB01-06参考:网址:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full参考:报价:2983参考:网址:http://www.securityfocus.com/bid/2983参考:XF: java-servlet-crosssite-scripting(6793)参考:网址:http://www.iss.net/security_center/static/6793.php跨站点脚本漏洞在阿莱尔JRun 3.1和更早的允许恶意网站管理员请求中嵌入Javascript . jsp, .shtml, .jsp10, .jrun,或.thtml文件不存在,导致Javascript插入一条错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1084 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1088网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1088最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:CF参考:BUGTRAQ: 20010605安全。NNOV: Outlook Express地址簿欺骗参考:网址:http://www.securityfocus.com/archive/1/188752参考:确认:http://support.microsoft.com/default.aspx?scid=kb; en - us; q234241参考:XF: outlook-address-book-spoofing(6655)参考:网址:http://xforce.iss.net/static/6655.php参考:报价:2823参考:网址:http://www.securityfocus.com/bid/28238.5和更早的Microsoft Outlook, Outlook Express 5和前,与“自动把我回复在我通讯录”选项启用,不通知用户,当“应答”比“从”地址地址是不同的,它可以让一个不可信的远程攻击者冒充合法地址和拦截邮件客户端是为另一个用户。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1088 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1108网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1108最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010726 Snapstream pv脆弱性参考:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0606.html参考:确认:http://discuss.snapstream.com/ubb/Forum1/HTML/000216.html参考:XF: snapstream-dot-directory-traversal(6917)参考:网址:http://xforce.iss.net/static/6917.php参考:报价:3100参考:网址:http://www.securityfocus.com/bid/3100目录遍历脆弱性SnapStream 1.2 pv允许远程攻击者读取任意文件通过一个. .在请求的URL(点点)攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1108 1供应商确认:是的确认:在线公告牌包括查询是否SnapStream固定的某些缺陷,其中包括一个URL表明它的问题描述的一样Bugtraq职位。“rakeshagrawal”,其电子邮件地址来自SnapStream说“问题1已经纠正,”和问题1是目录遍历问题中确定Bugtraq职位。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1121网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1121最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010702多个供应商Java Servlet容器跨站点脚本漏洞参考:网址:http://www.securityfocus.com/archive/1/194464参考:确认:http://www.macromedia.com/v1/handlers/index.cfm?ID=21498&Method=Full参考:XF: java-servlet-crosssite-scripting(6793)参考:网址:http://xforce.iss.net/static/6793.php参考:报价:2983参考:网址:http://www.securityfocus.com/bid/2983跨站点脚本(CSS)脆弱性在JRun 3.0和2.3.3允许远程攻击者执行其他客户通过web页面上的JavaScript URL引用不存在或Servlet的JSP文件,导致脚本返回的错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1121 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1141网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1141最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010710 OpenSSL安全顾问:PRNG疲软版本0.9.6a参考:网址:http://www.securityfocus.com/archive/1/195829参考:FREEBSD: FreeBSD-SA-01:51参考:网址:http://www.securityfocus.com/advisories/3475参考:NETBSD: NETBSD - sa2001 - 013参考:网址:http://www.securityfocus.com/advisories/3512参考:CONECTIVA: CLA-2001:418参考:网址:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000418参考:曼德拉草:MDKSA-2001:065参考:网址:http://www.linux mandrake.com/en/security/2001/mdksa - 2001 - 065. - php3?dis=8.0参考:REDHAT: RHSA-2001:051-18参考:网址:http://www.redhat.com/support/errata/rhsa - 2001 - 051. - html参考:ENGARDE: esa - 20010709 - 01参考:网址:http://www.linuxsecurity.com/advisories/other_advisory - 1483. - html参考:报价:3004参考:网址:http://www.securityfocus.com/bid/3004参考:XF: openssl-prng-brute-force(6823)参考:网址:http://xforce.iss.net/static/6823.php伪随机数生成器(PRNG) SSLeay和OpenSSL 0.9.6b允许攻击者使用小的PRNG请求的输出来确定内部状态信息,这可能是攻击者用来预测未来的伪随机数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1141 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1144网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1144最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010711尽快McAfee Virusscan - myCIO HTTP服务器目录遍历Vulnerabilty参考:网址:http://www.securityfocus.com/archive/1/196272参考:NTBUGTRAQ: 20010716尽快McAfee Virusscan——MyCIO HTTP服务器目录遍历Vul nerability参考:网址:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0107&L=ntbugtraq&F=P&S=&P=1558参考:CERT-VN: VU # 190267参考:网址:http://www.kb.cert.org/vuls/id/190267参考:报价:3020参考:网址:http://www.securityfocus.com/bid/3020参考:XF: mcafee-mycio-directory-traversal(6834)参考:网址:http://www.iss.net/security_center/static/6834.php目录遍历脆弱性尽快McAfee VirusScan代理1.0允许远程攻击者读取任意文件通过一个. .(点点)在HTTP请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1144 1供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1145网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1145最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:NETBSD: NETBSD - sa2001 - 016参考:网址:http://archives.neohapsis.com/archives/netbsd/2001-q3/0204.html参考:FREEBSD: FreeBSD-SA-01:40参考:网址:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:40.fts.v1.1.asc参考:OPENBSD: 20010530 029:安全修复:2001参考:URL: 5月30日http://www.openbsd.org/errata28.html参考:报价:3205参考:网址:http://online.securityfocus.com/bid/3205fts早些时候在FreeBSD 4.3和例程,NetBSD 1.5.2之前,和OpenBSD 2.9和更早的可以被迫改变(目录)到另一个目录中比预期当前目录的上一级目录移动时,可能导致脚本执行危险操作错误的目录。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1145 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1146网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1146最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:ENGARDE: esa - 20010711 - 01参考:网址:http://www.linuxsecurity.com/advisories/other_advisory - 1492. - html参考:XF: allcommerce-temp-symlink(6830)参考:网址:http://xforce.iss.net/static/6830.php参考:报价:3016参考:网址:http://online.securityfocus.com/bid/3016AllCommerce启用了调试Linux 1.0.1 EnGarde安全创建teporary文件和可预测的名称,它允许本地用户修改文件通过一个符号链接攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1146 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1158网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1158最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:CF参考:BUGTRAQ: 20010709检查防火墙1 RDP绕过漏洞参考点:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0128.html参考:BUGTRAQ: 20010709检查应对RDP绕过参考点:网址:http://online.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-03-11&end=2002-03-17&mid=195647&threads=1参考:检查点:20010712 RDP绕过防火墙解决方案VPN-1 / 4.1 SPx参考:网址:http://www.checkpoint.com/techsupport/alerts/rdp.html参考:CERT: ca - 2001 - 17参考:网址:http://www.cert.org/advisories/ca - 2001 - 17. - html参考:CERT-VN: VU # 310295参考:网址:http://www.kb.cert.org/vuls/id/310295参考:CIAC: l - 109参考:网址:http://ciac.llnl.gov/ciac/bulletins/l - 109. shtml参考:XF: fw1-rdp-bypass(6815)参考:网址:http://xforce.iss.net/static/6815.php参考:报价:2952参考:网址:http://www.securityfocus.com/bid/2952检查站VPN-1 /防火墙1 4.1 base.def包含一个默认的宏,accept_fw1_rdp,允许远程攻击者绕过目的限制,伪造RDP(内部协议)头UDP端口259的任意主机。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1158 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1161网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1161最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010702 Lotus Domino服务器跨站点脚本漏洞参考:网址:http://www.securityfocus.com/archive/1/194465参考:BUGTRAQ: 20010702 Re: Lotus Domino服务器跨站点脚本漏洞参考:网址:http://www.securityfocus.com/archive/1/194609参考:CERT-VN: VU # 642239参考:网址:http://www.kb.cert.org/vuls/id/642239参考:报价:2962参考:网址:http://www.securityfocus.com/bid/2962参考:XF: lotus-domino-css(6789)参考:网址:http://www.iss.net/security_center/static/6789.php跨站点脚本(CSS)脆弱性在Lotus Domino 5.0.6允许远程攻击者执行脚本在其他web客户端通过一个URL,在Javascript中,生成一个错误消息,不引用生成的脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1161 1供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1162网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1162最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010623 smbd远程文件创建脆弱性参考:网址:http://www.securityfocus.com/archive/1/193027参考:确认:http://us1.samba.org/samba/whatsnew/macroexploit.html参考:曼德拉草:mdksa - 2001 - 062参考:网址:http://www.linux mandrake.com/en/security/2001/mdksa - 2001 - 062. - php3参考:惠普:hpsbux0107 - 157参考:网址:http://www.securityfocus.com/advisories/3423参考:SGI: 20011002 - 01 - p参考:网址:ftp://patches.sgi.com/support/free/security/advisories/20011002-01-P参考:CIAC: l - 105参考:网址:http://ciac.llnl.gov/ciac/bulletins/l - 105. shtml参考:IMMUNIX: imnx - 2001 - 70 - 027 - 01参考:网址:http://download.immunix.org/immunixos/7.0/updates/imnx - 2001 - 70 - 027 - 01参考:火山口:综援- 2001 - 024.0参考:网址:http://www.calderasystems.com/support/security/advisories/cssa - 2001 024.0.txt参考:CONECTIVA: CLA-2001:405参考:网址:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000405参考:REDHAT: RHSA-2001:086参考:网址:http://www.redhat.com/support/errata/rhsa - 2001 - 086. - html参考:DEBIAN: dsa - 065参考:网址:http://www.debian.org/security/2001/dsa - 065参考:报价:2928参考:网址:http://www.securityfocus.com/bid/2928参考:XF: samba-netbios-file-creation(6731)参考:网址:http://xforce.iss.net/static/6731.php目录遍历漏洞在smb % m宏。conf配置文件在Samba 2.2.0a允许远程攻击者覆盖某些文件通过一个. .在NETBIOS名称用作. log文件的名称。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1162 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1172网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1172最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010719 (SNS咨询No.37) HTTProtect允许攻击者改变受保护的文件使用符号链接引用:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0357.html参考:确认:http://www.omnisecure.com/security-alert.html参考:XF: httprotect-protected-file-symlink(6880)参考:网址:http://xforce.iss.net/static/6880.php没有omnish OmniSecure HTTProtect 1.1.1允许超级用户权限来修改一个受保护的文件通过创建一个符号链接文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1172 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1174网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1174最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:REDHAT: RHSA-2001:091参考:网址:http://www.redhat.com/support/errata/rhsa - 2001 - 091. - html参考:曼德拉草:MDKSA-2001:067参考:网址:http://www.linux mandrake.com/en/security/2001/mdksa - 2001 - 067. - php参考:XF: elm-messageid-bo(6852)参考:网址:http://xforce.iss.net/static/6852.php缓冲区溢出在榆树2.5.5早些时候,允许远程攻击者通过长问题头执行任意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1174 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1175网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1175最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:REDHAT: RHSA-2001:095参考:网址:http://www.redhat.com/support/errata/rhsa - 2001 - 095. - html参考:XF: vipw-world-readable-files(6851)参考:网址:http://xforce.iss.net/static/6851.php参考:报价:3036参考:网址:http://www.securityfocus.com/bid/3036vipw前util-linux包2.10导致/etc/shadow是公开在某些情况下,这将使本地用户更容易进行暴力破解密码猜测。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1175 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1176网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1176最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010712 VPN-1 /防火墙1格式字符串漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0209.html参考:确认:http://www.checkpoint.com/techsupport/alerts/format_strings.html参考:报价:3021参考:网址:http://www.securityfocus.com/bid/3021参考:XF: fw1-management-format-string(6849)参考:网址:http://xforce.iss.net/static/6849.php格式字符串漏洞在检查站VPN-1 /防火墙1 4.1允许远程验证防火墙管理员执行任意代码通过控制连接格式字符串。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1176 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1180网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1180最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010710 FreeBSD 4.3本地根,但Linux和BSD比Windows参考:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0179.html参考:CIAC: l - 111参考:网址:http://ciac.llnl.gov/ciac/bulletins/l - 111. shtml参考:CERT-VN: VU # 943633参考:网址:http://www.kb.cert.org/vuls/id/943633参考:FREEBSD: FreeBSD-SA-01:42参考:网址:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.v1.1.asc参考:XF: bsd-rfork-signal-handlers(6829)参考:网址:http://xforce.iss.net/static/6829.php参考:报价:3007参考:网址:http://www.securityfocus.com/bid/3007FreeBSD 4.3不正确清楚共享信号处理程序在执行一个过程,它允许本地用户获得特权通过调用rfork共有一个信号处理程序、子进程执行一个setuid程序,发送一个信号到孩子。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1180 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1183网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1183最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:思科:20010712思科IOS PPTP脆弱性参考:网址:http://www.cisco.com/warp/public/707/PPTP-vulnerability-pub.html参考:CERT-VN: VU # 656315参考:网址:http://www.kb.cert.org/vuls/id/656315参考:报价:3022参考:网址:http://www.securityfocus.com/bid/3022参考:XF: cisco-ios-pptp-dos(6835)参考:网址:http://xforce.iss.net/static/6835.phpPPTP实现思科IOS 12.1和12.2允许远程攻击者造成拒绝服务(崩溃)通过一个畸形的包。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1183 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1103网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1103最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:CERT-VN: VU # 320944参考:网址:http://www.kb.cert.org/vuls/id/320944参考:XF: ftp-voyager-embedded-script-execution(7119)参考:网址:http://xforce.iss.net/static/7119.phpFTP旅行者ActiveX控制在8.0之前,当它被标记为安全的脚本(默认)或如果允许IObjectSafety接口,允许远程攻击者执行任意命令。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1103 2供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1085网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1085最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010705 lmail本地根利用参考:网址:http://www.securityfocus.com/archive/1/195022参考:XF: lmail-tmpfile-symlink(6809)参考:网址:http://xforce.iss.net/static/6809.php参考:报价:2984参考:网址:http://www.securityfocus.com/bid/29842.7和更早的Lmail允许本地用户覆盖任意文件通过一个符号链接攻击一个临时文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1085 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1086网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1086最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010704一棵树饼干快蛮力参考:网址:http://www.securityfocus.com/archive/1/194907参考:BUGTRAQ: 20010705 Re:一棵树饼干快蛮力参考:网址:http://online.securityfocus.com/archive/1/195008参考:报价:2985参考:网址:http://www.securityfocus.com/bid/2985参考:XF: xdm-cookie-brute-force(6808)参考:网址:http://xforce.iss.net/static/6808.php一棵树在XFree86 3.3和3.3.3生成编译时轻松地使用gettimeofday()可推测的饼干HasXdmXauth选项,它允许远程攻击者获得未授权访问X显示通过蛮力攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1086 3供应商确认:是的后续内容决定:SF-EXEC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1087网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1087最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:CF参考:BUGTRAQ: 20010705 RE:隧道港口允许在NetApp NetCaches参考:网址:http://www.securityfocus.com/archive/1/195176参考:XF: netcache-tunnel-default-configuration(6807)参考:网址:http://xforce.iss.net/static/6807.php参考:报价:2990参考:网址:http://www.securityfocus.com/bid/2990config.http.tunnel的缺省配置。allow_ports NetCache设备上的选项设置为+,它允许远程攻击者连接到远程系统上的任意港口设备。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1087 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1097网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1097最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010724 UDP数据包处理各种操作系统的怪异行为参考:网址:http://www.securityfocus.com/archive/1/199558参考:BUGTRAQ: 20010811 Re: UDP数据包处理各种操作系统的怪异行为参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=99749327219189&w=2参考:报价:3096参考:网址:http://www.securityfocus.com/bid/3096参考:XF: cisco-ios-udp-dos(6319)参考:网址:http://xforce.iss.net/static/6913.php思科路由器和交换机运行IOS 12.0通过12.2.1允许远程攻击者造成拒绝服务通过大量UDP数据包。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1097 3供应商确认:未知的模糊包含:原文不包括具体细节关于UDP数据包的性质。此外,供应商响应表示繁殖困难的问题,但这可能是由于缺乏详细的原创文章。最后,还有很长一段Bugtraq线程一些海报显示问题可能是由于硬件功能的变化与底层软件缺陷,但其他跟踪显示成功的攻击其他操作系统。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1104网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1104最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010725 TCP序列号疲软Sonicwall SOHO防火墙参考:网址:http://www.securityfocus.com/archive/1/199632参考:报价:3098参考:网址:http://www.securityfocus.com/bid/3098SonicWALL SOHO使用容易预测的TCP序列号,它允许远程攻击者恶搞或劫持会话。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1104 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1106网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1106最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010725水鹿服务器密码解密参考:网址:http://www.securityfocus.com/archive/1/199418参考:报价:3095参考:网址:http://www.securityfocus.com/bid/3095参考:XF: sambar-insecure-passwords(6909)参考:网址:http://xforce.iss.net/static/6909.php水鹿服务器的默认配置5和使用对称密钥,早些时候被编译成二进制程序加密密码,这可能允许本地用户打破所有用户密码被破解的关键或修改一个副本水鹿程序调用解密过程。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1106 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1107网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1107最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010726 Snapstream pv脆弱性参考:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0606.html参考:确认:http://discuss.snapstream.com/ubb/Forum1/HTML/000216.html参考:XF: snapstream-dot-directory-traversal(6917)参考:网址:http://xforce.iss.net/static/6917.php参考:报价:3101参考:网址:http://www.securityfocus.com/bid/3101SnapStream 1.2 pv SSD存储密码的明文文件。ini,这可能允许远程攻击者获得服务器上的特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1107 3供应商确认:是的bboard内容决定:DESIGN-NO-ENCRYPTION确认:在线公告牌包括查询是否SnapStream固定的某些缺陷,其中包括一个URL表明它的问题描述的一样Bugtraq职位。“rakeshagrawal”,其电子邮件地址来自SnapStream说“密码仍然存储在明文SnapStream用户的机器上”这是承认的一项指标。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1120网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1120最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:确认:http://www.allaire.com/handlers/index.cfm?id=21566参考:CERT-VN: VU # 135531参考:网址:http://www.kb.cert.org/vuls/id/135531参考:BUGTRAQ: 20010712新冷聚变脆弱性参考:网址:http://www.securityfocus.com/archive/1/196452参考:XF: coldfusion-unauthorized-file-access(6839)参考:网址:http://xforce.iss.net/static/6839.php参考:报价:3018参考:网址:http://www.securityfocus.com/bid/3018漏洞在ColdFusion 2.0通过4.5.1 SP 2允许远程攻击者(1)读取或删除任意文件,或(2)覆盖ColdFusion服务器模板分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1120 3供应商确认:是的咨询内容决定:SF-LOC,模糊的抽象:CD: SF-LOC建议将不同类型的问题。然而,供应商咨询并没有提供足够的细节来确定,如果是这种情况。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1142网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1142最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010712 ArGoSoft FTP服务器1.2.2.2弱密码加密参考:网址:http://www.securityfocus.com/archive/1/196968参考:报价:3029参考:网址:http://www.securityfocus.com/bid/3029参考:XF: argosoft-ftp-weak-encryption(6848)参考:网址:http://www.iss.net/security_center/static/6848.phpArGoSoft FTP服务器1.2.2.2使用弱对用户密码加密,它允许攻击者访问密码文件获得的特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1142 3供应商确认:没有投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1143网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1143最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010711 IBM DB2 DoS窗口参考:网址:http://www.securityfocus.com/archive/1/196140参考:报价:3010参考:网址:http://www.securityfocus.com/bid/3010参考:XF: ibm-db2-ccs-dos(6832)参考:网址:http://www.iss.net/security_center/static/6832.php参考:XF: ibm-db2-jds-dos(6833)参考:网址:http://www.iss.net/security_center/static/6833.phpIBM DB2 7.0允许远程攻击者造成拒绝服务(崩溃)通过单个字节(1)db2ccs。exe在端口6790上,或(2)db2jds。exe在端口6789上。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1143 3供应商确认:未知discloser-claimed内容决定:SF-EXEC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1148网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1148最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:VULN-DEV: 20010613上海合作组织atcronsh auditsh termsh溢出参考:网址:http://www.securityfocus.com/archive/82/191216参考:火山口:综援- 2001上海合作组织。25参考:网址:http://www.securityfocus.com/archive/1/219966缓冲区溢出scoadmin所使用的程序和sysadmsh上海合作组织OpenServer 5.0.6a早些时候,允许本地用户获得特权通过长期的环境变量(1)atcronsh, auditsh (2), (3) authsh, backupsh (4), (5) lpsh, (6) sysadm。菜单或者termsh (7)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1148 3供应商确认:对咨询内容的决定:SF-EXEC,模糊的上海合作组织咨询有点模糊,所以不能绝对肯定,所有提到的项目的影响通过一个溢出。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1159网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1159最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010702 (SRADV00010)远程命令执行漏洞在SquirrelMail参考:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0029.html参考:MISC:http://www.squirrelmail.org/changelog.php参考:报价:2968参考:网址:http://www.securityfocus.com/bid/2968参考:XF: squirrelmail-loadprefs-execute-code(6775)参考:网址:http://www.iss.net/security_center/static/6775.phpload_prefs。php和支持文件包括在SquirrelMail v1.0.4和不适当的初始化某些php变量早些时候,它允许远程攻击者(1)通过config_php和data_dir选项查看敏感文件,和(2)通过使用options_order执行任意代码。php上传信息,可以解释为php。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1159 3供应商确认:未知的模糊的内容决定:SF-LOC确认:版本的更改日志1.0.5说,“主要安全问题解决。”The change log for Version 1.0.6 says, "Reworked validation for each page. It's now standardized in validate.php... Added more security checking to preference saving/loading." One of these change log quotes may refer to fixes for the PHP input validation problems SquirrelMail suffered in earlier versions. Howeverm since the change log information is vague, it's not clear that the change log is addressing this specific vulnerability. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2001-1160 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1160最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010618 udirectory从微爆发技术远程命令执行参考:网址:http://www.securityfocus.com/archive/1/191829参考:报价:2884参考:网址:http://www.securityfocus.com/bid/2884参考:XF: udirectory-remote-command-execution(6706)参考:网址:http://xforce.iss.net/static/6706.phpudirectory。2.0和更早的pl微爆发技术uDirectory允许远程攻击者执行任意命令category_file领域通过shell元字符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1160 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1163网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1163最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:报价:2885参考:网址:http://www.securityfocus.com/bid/2885缓冲区溢出Munica公司NetSQL 1.0允许远程攻击者执行任意代码通过一个长参数连接到端口6500。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1163 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1164网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1164最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:火山口:综援- 2001上海合作组织。4参考:网址:ftp://stage.caldera.com/pub/security/unixware/cssa - 2001 sco.4/cssa - 2001 sco.4.txt缓冲区溢出UnixWare 7 uucp实用程序允许本地用户执行任意代码通过长命令行参数(1)uucp, (2) uux, (3) bnuconvert, uucico (4), (5) uuxcmd,或(6)uuxqt。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1164 3供应商确认:对咨询内容的决定:SF-EXEC,模糊包含:- 2001 - 0873可以通过配置文件描述了溢出,而不是命令行参数。这个项目的顾问有点太模糊,无法确定它是解决一系列新的问题uucp公用事业、或发现的问题可以- 2001 - 0873。此外,咨询没有交叉引用,从而使其更容易判断它是解决可以- 2001 - 0873的问题。也有可能这是修复cve - 2001 - 0190。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1173网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1173最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:确认:ftp://innominate.org/oku/masqmail/ChangeLog-stable脆弱性在MasqMail 0.1.15允许本地用户获得特权通过管道别名。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1173 3供应商确认:是的更新日志内容决定:模糊的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1177网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1177最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ:三星20010717毫升- 85 g打印机Linux辅助/驱动程序二进制利用(曼德拉草:内容包)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html参考:报价:3008参考:网址:http://www.securityfocus.com/bid/3008参考:XF: samsung-printer-temp-symlink(6845)参考:网址:http://xforce.iss.net/static/6845.phpml85p三星ml - 85 g GDI打印机驱动程序允许本地用户覆盖任意文件通过一个符号链接攻击临时文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1177 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1178网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1178最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010711 suid变种特工3.1.6溢出参考:网址:http://archives.neohapsis.com/archives/bugtraq/2001-07/0234.html参考:报价:3030参考:网址:http://www.securityfocus.com/bid/3030参考:XF: xfree86-xman-manpath-bo(6853)参考:网址:http://xforce.iss.net/static/6853.php缓冲区溢位变种特工允许本地用户获得特权通过长MANPATH环境变量。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1178 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1179网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1179最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20010717变种特工(suid)利用,更加容易。参考网址:http://www.securityfocus.com/archive/1/197498变种特工允许本地用户获得特权通过修改MANPATH指向一个页面的文件名包含shell元字符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1179 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1181网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1181最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:CF参考:惠普:hpsbux0107 - 159参考:网址:http://archives.neohapsis.com/archives/hp/2001-q3/0013.html参考:CIAC: l - 115参考:网址:http://ciac.llnl.gov/ciac/bulletins/l - 115. shtml参考:XF: hpux-dlkm-gain-privileges(6861)参考:网址:http://xforce.iss.net/static/6861.php动态可加载内核模块(dlkm)静态内核符号表在hp - ux 11.11不正确配置,它允许本地用户获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1181 3供应商确认:对咨询内容的决定:模糊包含:CD:模糊的状态,如果供应商承认或宣传,说,这是安全相关的问题,但是供应商是模糊的细节,它仍然应该被包括在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1182网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1182最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:惠普:hpsbux0107 - 160参考:网址:http://archives.neohapsis.com/archives/hp/2001-q3/0014.html漏洞登录在hp - ux 11.00, 11.11,和10.20允许限制shell用户绕过某些安全检查和获得的特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1182 3供应商确认:对咨询内容的决定:模糊的CD:模糊的状态,如果供应商承认或宣传,说,这是安全相关的问题,但是供应商是模糊的细节,还应该包括在内。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:
- 上一页的日期:[CVEPRI] CVE版本发布的20020309(2032项)
- 下一个按日期:(提案)集群最近- 81 - 61的候选人
- Prev线程:[CVEPRI] CVE版本发布的20020309(2032项)
- 下一个线程:(提案)集群最近- 81 - 61的候选人
- 指数(es):
