[日期上一页][下一个日期][线程上一页][线程下][日期索引][线程索引]
(提案)集群最近- 94 - 31的候选人
- 来:cve-editorial-board-list@lists.mitre.org
- 主题(建议):最近集群- 94 - 31的候选人
- 从:“史蒂文·m·Christey " <coley@linus.mitre.org>
- 日期-0400年:星期四,2002年7月25日22:15:37(美国东部时间)
- 交货日期:2002年7月25日22:15:50星期四
- 发送方:owner-cve-editorial-board-list@lists.mitre.org
我最近提出集群——94年由编辑委员会审查和投票。名称:最近- 94描述:混杂。候选人,一些从2001年最大小:2002年4月31日通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。如果你发现任何RECENT-XX集群是不完整的对过程中发现的问题相关的时间框架,请发送信息给我,这样候选人可以被指定。——史蒂夫总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2001-1378 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1378最终决定:阶段性裁决:修改:建议:20020726分配:20020715类别:科幻参考:MISC:http://lists.ccil.org/pipermail/fetchmail-announce/2001-March/000015.html参考:REDHAT: RHSA-2001:103参考:网址:http://www.redhat.com/support/errata/rhsa - 2001 - 103. - htmlfetchmailconf在fetchmail 5.7.4允许本地用户覆盖文件的其他用户通过一个符号链接攻击临时文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1378 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1380网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1380最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20011018 Immunix OpenSSH参考操作系统更新:BUGTRAQ: 20011017 tslsa - 2001 - 0023 - OpenSSH参考:BUGTRAQ: 20010926 OpenSSH安全顾问(adv.option)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=100154541809940&w=2参考:BUGTRAQ: 20011019 tslsa - 2001 - 0026 - OpenSSH参考:REDHAT: RHSA-2001:114参考:网址:http://rhn.redhat.com/errata/rhsa - 2001 - 114. - html参考:曼德拉草:MDKSA-2001:081参考:网址:http://www.linux mandrake.com/en/security/2001/mdksa - 2001 - 081. - phpOpenSSH 2.9.9之前,在使用不同类型的密钥对和多个键~ /。ssh / authorized_keys2文件,不能妥善处理相关的“从”选项的一个关键,这可能允许远程攻击者从未经授权的IP地址登录。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1380 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1382网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1382最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:确认:http://www.openwall.com/Owl/CHANGES-stable.shtml回波模拟的流量分析对策在OpenSSH 2.9.9p2发送额外echo数据包输入密码,回车后,这可能允许远程攻击者决定对策。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1382 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1383网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1383最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:REDHAT: RHSA-2001:110参考:网址:http://rhn.redhat.com/errata/rhsa - 2001 - 110. - html参考:XF: linux-setserial-initscript-symlink(7177)参考:网址:http://www.iss.net/security_center/static/7177.php参考:报价:3367参考:网址:http://online.securityfocus.com/bid/3367initscript早些时候在一些2.17 4,使用可预测的临时文件名称,这将允许本地用户对文件进行未经授权的操作。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1383 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0014网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0014最终决定:阶段性裁决:修改:建议:20020726分配:20020110类别:科幻参考:BUGTRAQ: 20020105松4.33(至少)URL处理程序允许嵌入命令。参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101027841605918&w=2参考:REDHAT: RHSA-2002:009参考:网址:http://rhn.redhat.com/errata/rhsa - 2002 - 009. - html参考:ENGARDE: esa - 20020114 - 002参考:CONECTIVA: CLA-2002:460参考:FREEBSD: FreeBSD-SA-02:05参考:惠普:hpsbtl0201 - 015参考:报价:3815参考:网址:http://online.securityfocus.com/bid/3815URL处理方式代码松4.43和更早的允许远程攻击者执行任意命令通过一个URL包含在单引号和包含shell元字符(&)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0014 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0687网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0687最终决定:阶段性裁决:修改:建议:20020726分配:20020712类别:科幻参考:确认:http://www.zope.org/Products/Zope/Hotfix_2002-04-15/security_alert“通过web代码”功能通过2.5.1 Zope 2.0 b1允许不可信用户关闭了Zope服务器通过特定的header。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0687 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0733网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0733最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:VULNWATCH: 20020417 Smalls洞5日产品# 1参考:网址:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html参考:确认:http://www.acme.com/software/thttpd/ releasenotes参考:MISC:http://www.ifrance.com/kitetoua/tuto/5holes1.txt参考:XF: thttpd-error-page-css(9029)参考:网址:http://www.iss.net/security_center/static/9029.php参考:报价:4601参考:网址:http://www.securityfocus.com/bid/4601早些时候在thttpd 2.20和跨站点脚本漏洞允许远程攻击者通过一个URL执行任意脚本不存在的页面,从而导致thttpd脚本插入一个404错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0733 1供应商确认:是的、确认:在2.21发行说明,供应商州“固定跨站点脚本漏洞与内置的错误页面。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0736网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0736最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020416后台Web管理员身份验证旁路(# NISR17042002A)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0208.html参考:MSKB: Q316838参考:网址:http://support.microsoft.com/support/kb/articles/q316/8/38.asp参考:报价:4528参考:网址:http://www.securityfocus.com/bid/4528参考:XF: backoffice-bypass-authentication(8862)参考:网址:http://www.iss.net/security_center/static/8862.php微软BackOffice 4.0和4.5,当配置为访问其他系统,允许远程攻击者绕过身份验证和访问管理ASP页面通过HTTP请求的授权类型(auth_type)这不是空白。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0736 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0737网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0737最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ:毕马威20020417 - 2002012:水鹿网络服务器服务端Fileparse绕过参考:网址:http://online.securityfocus.com/archive/1/268121参考:VULNWATCH: 20020417 [VULNWATCH]毕马威- 2002012:水鹿网络服务器服务端Fileparse绕过参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0026.html参考:确认:http://www.sambar.com/security.htm参考:XF: sambar-script-source-disclosure(8876)参考:网址:http://www.iss.net/security_center/static/8876.php参考:报价:4533参考:网址:http://www.securityfocus.com/bid/4533水鹿web服务器之前5.2 beta 1允许远程攻击者获得服务器端脚本的源代码,或引起拒绝服务(资源枯竭)通过DOS设备,使用一个URL,以空间和一个空字符结束。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0737 1供应商确认:是的确认:在安全页面,最后更新最初披露后的第二天,供应商指出,“所有版本5.2 beta 1版本之前很容易与CGI脚本相关的源代码和JSP文件通过一个URL序列。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0738网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0738最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020418 MHonArc v2.5.2脚本过滤绕过漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0260.html参考:确认:http://www.mhonarc.org/MHonArc/CHANGES参考:XF: mhonarc-script-filtering-bypass(8894)参考:网址:http://www.iss.net/security_center/static/8894.php参考:报价:4546参考:网址:http://www.securityfocus.com/bid/4546MHonArc 2.5.2早些时候从归档电子邮件不正确过滤Javascript,这可能允许远程攻击者执行脚本的web客户端脚本标记(1)分裂成小块,(2)包括一个IMG SRC参数中的脚本标签,或(3)使用“& ={脚本}”语法。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0738 1供应商确认:是的、确认:在更新日志2002/04/18(2.5.3版),卖方国家”加强了HTML mhtxthtml过滤。pl消除一些安全漏洞”和学分Bugtraq研究者。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0748网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0748最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020423虚拟仪器Web服务器DoS脆弱性参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0323.html参考:确认:http://digital.ni.com/public.nsf/websearch/4C3F86E655E5389886256BA00064B22F?OpenDocument参考:XF: labview-http-get-dos(8919)参考:网址:http://www.iss.net/security_center/static/8919.php参考:报价:4577参考:网址:http://www.securityfocus.com/bid/4577虚拟仪器通过Web服务器5.1.1 6.1允许远程攻击者造成拒绝服务(崩溃)通过一个HTTP GET请求,以两个换行符,而不是预期的回车/换行符的组合。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0748 1供应商确认:是的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0754网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0754最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:FREEBSD: FreeBSD-SA-02:07参考:网址:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:07.k5su.asc参考:报价:3919参考:网址:http://www.securityfocus.com/bid/3919参考:XF: kerberos5-k5su-elevate-privileges(7956)参考:网址:http://www.iss.net/security_center/static/7956.phpKerberos 5 su (k5su)早些时候在FreeBSD 4.4和依赖于getlogin系统调用来确定用户运行k5su根,这可能允许非特权过程获得特权如果这一过程getlogin作为根。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0754 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0741网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0741最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020423 PsyBNC远程Dos POC参考:网址:http://online.securityfocus.com/archive/1/269131参考:BUGTRAQ: 20020422 Re: psyBNC 2.3 DoS /错误引用:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0322.html参考:报价:4570参考:网址:http://www.securityfocus.com/bid/4570参考:XF: psybnc-long-password-dos(8912)参考:网址:http://www.iss.net/security_center/static/8912.phppsyBNC 2.3允许远程攻击者造成拒绝服务(CPU消耗和资源枯竭)通过发送通过命令长密码参数并迅速杀死连接,由psyBNC不正常终止。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0741 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 0890网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 0890最终决定:阶段性裁决:修改:建议:20020726分配:20011221类别:参考:REDHAT: RHSA-2001:171参考:网址:http://rhn.redhat.com/errata/rhsa - 2001 - 171. - html参考:报价:3987参考:网址:http://online.securityfocus.com/bid/3987参考:XF: xsane-temp-symlink(7714)参考:网址:http://www.iss.net/security_center/static/7714.php特定的后端驱动程序在理智的图书馆1.0.3,早些时候,作为用于前端等软件,允许本地用户修改文件通过一个符号链接攻击临时文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 0890 3供应商确认:对咨询内容的决定:SF-CODEBASE抽象/包含:这不是一个复制的cve - 2001 - 0887,虽然有密切的关系。理智比作为一个不同的代码库;作为一个理智的前端;但是他们是不同的产品提供不同的开发人员,所以这些问题是分裂。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1379网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1379最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20010829 RUS-CERT咨询2001 - 08:01参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=99911895901812&w=2参考:VULNWATCH: 20010829 [VULNWATCH] RUS-CERT咨询2001 - 08:01参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0040.html参考:FREEBSD: FreeBSD-SA-02:03参考:网址:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:03.mod_auth_pgsql.asc参考:CONECTIVA: CLA-2001:427参考:网址:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000427参考:REDHAT: RHSA-2001:124参考:网址:http://rhn.redhat.com/errata/rhsa - 2001 - 124. - html参考:XF: apache-postgresql-authentication-module(7054)参考:网址:http://www.iss.net/security_center/static/7054.php参考:报价:3251参考:网址:http://online.securityfocus.com/bid/3251参考报价:3253参考:XF: apache-postgresqlsys-authentication-module (7059) (1) mod_auth_pgsql 0.9.5 PostgreSQL身份验证模块,和(2)mod_auth_pgsql_sys 0.9.4,允许远程攻击者绕过身份验证和执行任意SQL通过SQL注入攻击的用户名。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1379 3供应商确认:对咨询内容的决定:SF-CODEBASE抽象:mod_auth_pgsql和mod_auth_pgsql_sys由同一作者,这表明一个通用的代码库。所以,CD: SF-CODEBASE建议合并。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0730网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0730最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020421菲利普Chinery留言板1.1不能过滤掉js / html引用:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0309.html参考:XF: guestbook-pl-css(8916)参考:网址:http://www.iss.net/security_center/static/8916.php参考:报价:4566参考:网址:http://www.securityfocus.com/bid/4566跨站点脚本漏洞在留言板。pl对菲利普Chinery留言板1.1允许远程攻击者执行Javascript或HTML通过等领域(1)的名字,(2)电子邮件,或(3)主页。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0730 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0731网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0731最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020421 vqServer演示文件跨站点脚本参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0313.html参考:XF: vqserver-samples-css(8935)参考:网址:http://www.iss.net/security_center/static/8935.php参考:报价:4573参考:网址:http://www.securityfocus.com/bid/4573跨站点脚本漏洞为vqServer演示脚本允许远程攻击者执行任意脚本通过链接包含脚本参数如respond.pl演示脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0731 3供应商确认:内容决定:SF-EXEC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0732网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0732最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020430 Levcgi.coms MyGuestbook JavaScript注入漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0422.html参考:确认:http://www.levcgi.com/programs.cgi?program=myguestbook&action=history参考:XF: myguestbook-cgi-css(8968)参考:网址:http://www.iss.net/security_center/static/8968.php参考:报价:4651参考:网址:http://www.securityfocus.com/bid/4651跨站点脚本漏洞MyGuestbook 1.0允许远程攻击者执行任意脚本或HTML注入通过等领域(1)用户名或(2)评论。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0732 3供应商确认:是的更新日志内容决定:SF-LOC确认:在历史文件1.1发布5月03号,2002年,供应商指出,新版本“阻止任何javascript被发布”和“防止HTML名称字段中使用。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0739网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0739最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020420漏洞在PostCalendar参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0288.html参考:报价:4563参考:网址:http://www.securityfocus.com/bid/4563参考:XF: postcalendar-calendar-event-css(8899)参考:网址:http://www.iss.net/security_center/static/8899.php跨站点脚本在PostCalendar 3.02允许远程攻击者插入任意HTML和脚本,来偷饼干,通过修改一个日程表条目的预览页面。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0739 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0740网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0740最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020422 Slrnpull缓冲区溢出(- d参数)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0302.html参考:BUGTRAQ: 20020425 slrnpull - d PoC参考:网址:http://online.securityfocus.com/archive/1/269667参考:BUGTRAQ: 20020430 Re: Slrnpull缓冲区溢出(- d参数)参考:网址:http://online.securityfocus.com/archive/1/270235参考:XF: slrnpull-d-spooldir-bo(8910)参考:网址:http://www.iss.net/security_center/static/8910.php参考:报价:4569参考:网址:http://www.securityfocus.com/bid/4569缓冲区溢出的slrnpull SLRN包,安装后setuid和setgid,允许本地用户获得特权通过长- d (SPOOLDIR)参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0740 3供应商确认:没有争议的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0742网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0742最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:AIXAPAR: IY28880参考:网址:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html缓冲区溢出在pioout AIX 4.3.3。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0742 3供应商确认:是的内容决定:模糊包含:此APAR描述太模糊,无法完全确定,这是一个不同的问题比pioout缓冲区溢位标识的cve - 2000 - 1123;然而,这个问题都有自己的APAR,所以有足够的其他证据表明,问题是不同的。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0743网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0743最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:AIXAPAR: IY29516参考:网址:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html邮件和mailx在AIX 4.3.3核心转储名为很长参数时,缓冲区溢出的象征。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0743 3供应商确认:是的内容决定:模糊包含:此APAR描述太模糊,无法绝对肯定它是一个缓冲区溢出。此外,没有足够的信息来知道它的解决之前发现漏洞等- 2002 - 0041,cve - 2001 - 0565,或0545 - 2000。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0744网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0744最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:AIXAPAR: IY29517参考:网址:http://archives.neohapsis.com/archives/aix/2002-q2/0005.htmlnamerslv在AIX 4.3.3核心转储当使用很长的参数调用时,可能导致缓冲区溢出。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0744 3供应商确认:是的内容决定:模糊这个APAR描述太模糊的绝对肯定它是缓冲区溢出。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0745网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0745最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:AIXAPAR: IY29518参考:网址:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html缓冲区溢出在uucp AIX 4.3.3。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0745 3供应商确认:是的内容决定:模糊包含/抽象:没有足够的信息来知道这是同样的问题- 2001 - 1164,这本身就是一个模糊的咨询中描述。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0746网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0746最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:AIXAPAR: IY29583参考:网址:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html脆弱的模板。dhcpo在AIX 4.3.3有关不安全链接器参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0746 3供应商确认:是的内容决定:模糊的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0747网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0747最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:AIXAPAR: IY29589参考:网址:http://archives.neohapsis.com/archives/aix/2002-q2/0005.html缓冲区溢出在lsmcode AIX 4.3.3。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0747 3供应商确认:是的内容决定:模糊包含/抽象:由于模糊性的描述,特别是的描述可以- 2001 - 1061,它是不确定是否两个项目是一样的;然而,可以- 2001 - 1061有一个单独的APAR比这个项目,所以有足够的证据表明,他们以某种方式不同。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0749网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0749最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020423 CGIscript.net——csMailto。cgi -远程命令执行参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.html参考:XF: cgiscript-csmailto-command-execution(8930)参考:网址:http://www.iss.net/security_center/static/8930.php参考:报价:4579参考:网址:http://www.securityfocus.com/bid/4579CGIscript.net csMailto。cgi允许远程攻击者通过执行任意命令shell元字符form-attachment领域。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0749 3供应商确认:内容决定:SF-LOC确认:csMailto版本2的更改报告说:“增加了安全性。表单选择存储在一个单独的文件。”This would address the specified problem, but is it sufficient to indicate vendor acknowledgement? Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0750 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0750最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020423 CGIscript.net——csMailto。cgi -远程命令执行参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.html参考:MISC:http://www.cgiscript.net/cgi-script/cs万博下载包News/csNews.cgi?database=cgi.db&command=viewone&id=5CGIscript.net csMailto。cgi程序允许远程攻击者读取任意文件通过指定目标文件名form-attachment领域。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0750 3供应商确认:未知的模糊的内容决定:SF-LOC确认:csMailto版本2的更改报告说:“增加了安全性。表单选择存储在一个单独的文件。”This would address the specified problem, but is it sufficient to indicate vendor acknowledgement? Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0751 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0751最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020423 CGIscript.net——csMailto。cgi -远程命令执行参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.html参考:MISC:http://www.cgiscript.net/cgi-script/cs万博下载包News/csNews.cgi?database=cgi.db&command=viewone&id=5参考:报价:4579参考:网址:http://www.securityfocus.com/bid/4579CGIscript.net csMailto。cgi程序允许远程攻击者使用csMailto作为“垃圾邮件代理”并将邮件发送给任意用户通过修改(1)的记事本,(2)表单,和(3)身体参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0751 3供应商确认:未知的模糊的内容决定:SF-LOC确认:csMailto版本2的更改报告说:“增加了安全性。表单选择存储在一个单独的文件。”This would address the specified problem, but is it sufficient to indicate vendor acknowledgement? Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0752 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0752最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:CF参考:BUGTRAQ: 20020423 CGIscript.net——csMailto。cgi -远程命令执行参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.htmlCGIscript.net csMailto。cgi程序出口反馈到一个文件中,可以从web文档根,这可能允许远程攻击者获取敏感信息通过直接访问该文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0752 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0753网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0753最终决定:阶段性裁决:修改:建议:20020726分配:20020725类别:科幻参考:BUGTRAQ: 20020416 Talentsoft缓冲区溢出的Web + (3) (# NISR17042002B)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0210.html参考:XF: webplus-long-cookie-bop(8861)参考:网址:http://www.iss.net/security_center/static/8861.php参考:报价:4530参考:网址:http://www.securityfocus.com/bid/4530缓冲区溢出在Talentsoft Web + 5.0允许远程攻击者执行任意代码通过一个HTTP请求和饼干。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0753 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:
- 下一个按日期:(提案)集群最近- 95 - 48的候选人
- 下一个线程:(提案)集群最近- 95 - 48的候选人
- 指数(es):
