Date: Wed, 17 Sep 2014 19:31:49 +0000
From: "Christey, Steven M." <coley@...re.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE ID Syntax Change - Deadline Approaching

As we approach the end of 2014, CVE identifiers are getting closer and closer to the magic CVE-2014-9999 mark, which means that MITRE will be issuing a 5-digit CVE ID within a matter of months, in accordance with the new syntax that was selected in 2013 (basically using 5, 6, or even more digits as needed).

Some people are still unaware that this change has happened or have been slow to implement it. Once a CVE identifier is issued using the new syntax, some security products and processes could break or report incorrect vulnerability identifiers, making vulnerability management more difficult. Consider a product that stops processing an XML document because its validation step assumes that CVE IDs have only 4 digits. Perhaps worse, consider a critical vulnerability in a popular product that is given a 5-digit CVE ID, which is inadvertently and silently truncated to a 4-digit ID for a low-priority issue in a rarely-used product. We know of at least 5 different products or services that have had problems. Custom, in-house software is not necessarily immune, either.

MITRE has been assigning CVE IDs faster than ever; we're up to CVE-2014-6446 even though it's only September, which puts us on pace to exceed 9000 for 2014 by the end of the year - and the rate of assignment could increase in the coming months. Even if we don't reach 10,000 CVE-2014-xxxx identifiers by the end of 2014, MITRE will be issuing at least one 5-digit identifier no later than January 13, 2015, to ensure that all software is tested for support of the new syntax.

To help people address this problem, we have created a web page about the ID syntax change, including the product features most likely to be affected, along with some test data.

http://cve.mitre.org/cve/identifiers/syntaxchange.html

For a list of the 19 early adopters who have stated that they are compliant with the new syntax, see:

http://cve.mitre.org/cve/identifiers/compliant_organizations.html

The clock is ticking! You can reach us at cve-id-change@...re.org if you have any questions.

Thank you,
The MITRE CVE Team
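The silent-truncation failure mode described in the message, shown as an added example (not part of the MITRE post or of any product it mentions): a legacy regex that hard-codes a 4-digit sequence number quietly turns a 5-digit ID into a different, 4-digit ID, while a pattern written for the 2013 syntax (4-digit year, sequence number of 4 or more digits) extracts it intact. The sample text and function names are constructed for this illustration.

```python
import re

# Legacy pattern: assumes the sequence number is exactly 4 digits.
# When used to scan free text it does not fail on a 5-digit ID; it
# silently returns the first four digits, which is a *different* CVE ID.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# Pattern for the 2013 syntax: a 4-digit year and a sequence number of
# four or more digits with no upper bound. The trailing \b refuses to
# stop in the middle of a longer digit run, so no truncation is possible.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def extract_legacy(text):
    """Scan text with the legacy 4-digit-only pattern (the buggy behaviour)."""
    return LEGACY_CVE_RE.findall(text)


def extract_cve_ids(text):
    """Scan text with the variable-length pattern (the corrected behaviour)."""
    return CVE_RE.findall(text)


def is_valid_cve_id(candidate):
    """Strict whole-string validation of a single identifier."""
    return CVE_RE.fullmatch(candidate) is not None


def truncated_ids(text):
    """Return (real_id, truncated_id) pairs a legacy parser would mangle.

    Useful as a regression check: run it over an advisory feed and any
    non-empty result means a 4-digit assumption would corrupt data.
    """
    return [
        (real, real[:len("CVE-2014-1234")])
        for real in extract_cve_ids(text)
        if not is_valid_cve_id(real[:len("CVE-2014-1234")]) or len(real) > len("CVE-2014-1234")
        and real[:len("CVE-2014-1234")] != real
    ]


# Constructed sample advisory text: one 4-digit ID, one 5-digit ID,
# and one malformed 3-digit ID that neither pattern should accept.
SAMPLE = "Fixed CVE-2014-6446 and CVE-2014-12345; ignore bogus CVE-2014-123."

if __name__ == "__main__":
    print("legacy :", extract_legacy(SAMPLE))    # CVE-2014-12345 becomes CVE-2014-1234
    print("updated:", extract_cve_ids(SAMPLE))   # CVE-2014-12345 preserved
    print("mangled:", truncated_ids(SAMPLE))
```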