Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 4 Jan 2015 18:04:19 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: oss-security@...ts.openwall.com
cc: alan.coopersmith@...cle.com, gremlin@...mlin.ru, cve@...re.org
Subject: Assignment of CVE IDs with 5 or more digits by January 13, 2015


Based on recent discussion on oss-security and general interest, I thought 
it was important to clarify what is currently planned for issuing 5-digit 
CVE IDs by the dealine of January 13, 2015.

Currently, CVE-2014-9509 is our last allocated ID from 2014.  During 2015, 
we will continue to issue CVE-2014-xxxx IDs for other issues that were 
disclosed in 2014, but it is highly unlikely that we will cross the 
5-digit threshold by January 13.

We will still issue at least one valid 5-digit CVE-2014-xxxxx ID, and 
probably more, on January 13.  This is a one-time exception to our usual 
sequential allocation process.  We are doing this as a final "test" to 
ensure that CVE-using implementations can handle the syntax change.

We might also issue CVE IDs with more than 5 digits, since it is highly 
likely that some implementations will make a 5-digit assumption, even 
though an arbitrary number of digits is allowed by the syntax change, 
which went into effect more than a year ago.


Steve Christey Coley
CVE Editor

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.