lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <FC72FC641B949240B947AC6F1F83FBAF4C54DF20@IMCMBX01.MITRE.ORG>
Date: Thu, 18 Sep 2014 17:09:21 +0000
From: "Christey, Steven M." <coley@...re.org>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: CVE ID Syntax Change - Deadline Approaching


As we approach the end of 2014, CVE identifiers are getting closer and
closer to the magic CVE-2014-9999 mark, which means that MITRE will be
issuing a 5-digit CVE ID within a matter of months, in accordance with
the new syntax that was selected in 2013 (basically using 5, 6, or
even more digits as needed).  Some people are still unaware that this
change has happened or have been slow to implement it.

Once a CVE identifier is issued using the new syntax, some security
products and processes could break or report incorrect vulnerability
identifiers, making vulnerability management more difficult.  Consider
a product that stops processing an XML document because its validation
step assumes that CVE IDs have only 4 digits.  Perhaps worse, consider
a critical vulnerability in a popular product that is given a 5-digit
CVE ID, which is inadvertently and silently truncated to a 4-digit ID
for a low-priority issue in a rarely-used product.  We know of at
least 6 different products or services that have had problems.
Custom, in-house software is not necessarily immune, either.

MITRE has been assigning CVE IDs faster than ever; we're up to
CVE-2014-6446 even though it's only September, which puts us on pace
to exceed 9000 for 2014 by the end of the year - and the rate of
assignment could increase in the coming months.  Even if we don't
reach 10,000 CVE-2014-xxxx identifiers by the end of 2014, MITRE will
be issuing at least one 5-digit identifier no later than January 13,
2015, to ensure that all software is tested for support of the new
syntax.

To help people address this problem, we have created a web page about
the ID syntax change, including the product features most likely to be
affected, along with some test data.

  http://cve.mitre.org/cve/identifiers/syntaxchange.html

For a list of the 19 early adopters who have stated that they are
compliant with the new syntax, see:

  http://cve.mitre.org/cve/identifiers/compliant_organizations.html

The clock is ticking!  You can reach us at cve-id-change@...re.org if
you have any questions.


Thank you,
The MITRE CVE Team

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ