Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 17 Sep 2014 19:31:49 +0000
From: "Christey, Steven M." <coley@...re.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE ID Syntax Change - Deadline Approaching


As we approach the end of 2014, CVE identifiers are getting closer and
closer to the magic CVE-2014-9999 mark, which means that MITRE will be
issuing a 5-digit CVE ID within a matter of months, in accordance with
the new syntax that was selected in 2013 (basically using 5, 6, or
even more digits as needed).  Some people are still unaware that this
change has happened or have been slow to implement it.

Once a CVE identifier is issued using the new syntax, some security
products and processes could break or report incorrect vulnerability
identifiers, making vulnerability management more difficult.  Consider
a product that stops processing an XML document because its validation
step assumes that CVE IDs have only 4 digits.  Perhaps worse, consider
a critical vulnerability in a popular product that is given a 5-digit
CVE ID, which is inadvertently and silently truncated to a 4-digit ID
for a low-priority issue in a rarely-used product.  We know of at
least 5 different products or services that have had problems.
Custom, in-house software is not necessarily immune, either.

MITRE has been assigning CVE IDs faster than ever; we're up to
CVE-2014-6446 even though it's only September, which puts us on pace
to exceed 9000 for 2014 by the end of the year - and the rate of
assignment could increase in the coming months.  Even if we don't
reach 10,000 CVE-2014-xxxx identifiers by the end of 2014, MITRE will
be issuing at least one 5-digit identifier no later than January 13,
2015, to ensure that all software is tested for support of the new
syntax.

To help people address this problem, we have created a web page about
the ID syntax change, including the product features most likely to be
affected, along with some test data.

  http://cve.mitre.org/cve/identifiers/syntaxchange.html

For a list of the 19 early adopters who have stated that they are
compliant with the new syntax, see:

  http://cve.mitre.org/cve/identifiers/compliant_organizations.html

The clock is ticking!  You can reach us at cve-id-change@...re.org if
you have any questions.


Thank you,
The MITRE CVE Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ