Date: Sun, 04 Jan 2015 18:36:41 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: alan.coopersmith@...cle.com, gremlin@...mlin.ru, cve@...re.org
Subject: Re: Assignment of CVE IDs with 5 or more digits by
 January 13, 2015

Might I suggest we use a larger ID (e.g. 6 digit one) for the next
"major" issue in order to effectively force people into compliance? I
fear if it's only 5/6 digits for "minor" issues some orgs/vendors may
try to ignore the issue for a while longer. Alternatively maybe hand out
a few blocks of 5/6 digit IDs to vendors like RHT/MSFT/etc.

On 04/01/15 04:04 PM, Steven M. Christey wrote:
> 
> Based on recent discussion on oss-security and general interest, I
> thought it was important to clarify what is currently planned for
> issuing 5-digit CVE IDs by the deadline of January 13, 2015.
> 
> Currently, CVE-2014-9509 is our last allocated ID from 2014.  During
> 2015, we will continue to issue CVE-2014-xxxx IDs for other issues that
> were disclosed in 2014, but it is highly unlikely that we will cross the
> 5-digit threshold by January 13.
> 
> We will still issue at least one valid 5-digit CVE-2014-xxxxx ID, and
> probably more, on January 13.  This is a one-time exception to our usual
> sequential allocation process.  We are doing this as a final "test" to
> ensure that CVE-using implementations can handle the syntax change.
> 
> We might also issue CVE IDs with more than 5 digits, since it is highly
> likely that some implementations will make a 5-digit assumption, even
> though an arbitrary number of digits is allowed by the syntax change,
> which went into effect more than a year ago.
> 
> 
> Steve Christey Coley
> CVE Editor

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
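The "5-digit assumption" Steve describes is easy to reproduce: a parser written for the original fixed-width syntax silently rejects (or, worse, truncates or mis-sorts) the longer IDs. The following is an added example, not code from the thread or from MITRE. It contrasts a legacy four-digit-only pattern with one that implements the current syntax (four or more sequence digits, as the thread states), and adds a numeric sort key, since lexicographic string sorting is the other place where longer IDs break. The rule that a five-or-more-digit sequence may not begin with a zero is taken from MITRE's published syntax description rather than from this thread; the sample IDs other than CVE-2014-9509 are constructed for the demonstration.

```python
import re

# Legacy pattern: assumes exactly four sequence digits, i.e. the syntax
# before the 2014 change. Anything with five or more digits is rejected.
LEGACY_CVE_RE = re.compile(r"^CVE-([0-9]{4})-([0-9]{4})$")

# Current syntax: four or more sequence digits. Leading zeros only pad the
# sequence to four digits, so a 5+ digit sequence must start with 1-9
# (assumption: that leading-zero rule comes from MITRE's syntax
# documentation, not from the mailing-list thread).
CVE_RE = re.compile(r"^CVE-([0-9]{4})-(0[0-9]{3}|[1-9][0-9]{3,})$")


def parse_cve_id(cve_id, pattern=CVE_RE):
    """Return (year, sequence) as ints, or None if the ID does not match."""
    m = pattern.match(cve_id)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_valid_cve_id(cve_id):
    """True if cve_id conforms to the current CVE ID syntax."""
    return parse_cve_id(cve_id) is not None


def cve_sort_key(cve_id):
    """Numeric sort key so CVE-2014-10001 sorts after CVE-2014-9509."""
    parsed = parse_cve_id(cve_id)
    if parsed is None:
        raise ValueError("not a valid CVE ID: %r" % cve_id)
    return parsed


def legacy_rejects(ids):
    """IDs that are valid under the current syntax but that a
    four-digit-only parser would drop: the breakage the test IDs exercise."""
    return [i for i in ids
            if is_valid_cve_id(i) and parse_cve_id(i, LEGACY_CVE_RE) is None]


# Constructed sample input. CVE-2014-9509 is the last 2014 ID named in the
# thread; the others are made-up syntax probes, not real assignments.
SAMPLE_IDS = [
    "CVE-2014-9509",    # 4 digits: valid under both patterns
    "CVE-2014-10001",   # 5 digits: valid now, rejected by the legacy pattern
    "CVE-2014-123456",  # 6 digits: also valid, as the syntax allows any length
    "CVE-2014-01234",   # leading zero on a 5-digit sequence: invalid
    "CVE-2014-999",     # fewer than 4 digits: invalid
]


def sorted_valid_ids(ids=SAMPLE_IDS):
    """Filter to valid IDs and order them numerically rather than as strings."""
    return sorted((i for i in ids if is_valid_cve_id(i)), key=cve_sort_key)


if __name__ == "__main__":
    for cve_id in SAMPLE_IDS:
        print("%-16s valid=%-5s legacy=%s" % (
            cve_id, is_valid_cve_id(cve_id),
            parse_cve_id(cve_id, LEGACY_CVE_RE) is not None))
    print("legacy parser would drop:", legacy_rejects(SAMPLE_IDS))
    print("string sort:  ", sorted(i for i in SAMPLE_IDS if is_valid_cve_id(i)))
    print("numeric sort: ", sorted_valid_ids())
```

Running it shows that a plain string sort places CVE-2014-10001 before CVE-2014-9509, which is exactly the kind of ordering bug a fixed-width assumption hides until the first 5-digit ID arrives; the same check is worth running against any database column width or input validation rule that was written when four digits were the norm.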

