Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 04 Jan 2015 18:36:41 -0700
From: Kurt Seifried <>
Subject: Re: Assignment of CVE IDs with 5 or more digits by
 January 13, 2015

Might I suggest we use a larger ID (e.g. 6 digit one) for the next
"major" issue in order to effectively force people into compliance? I
fear if it's only 5/6 digits for "minor" issues some orgs/vendors may
try to ignore the issue for a while longer. Alternatively maybe hand out
a few blocks of 5/6 digit ID's to vendors like RHT/MSFT/etc.

On 04/01/15 04:04 PM, Steven M. Christey wrote:
> Based on recent discussion on oss-security and general interest, I
> thought it was important to clarify what is currently planned for
> issuing 5-digit CVE IDs by the dealine of January 13, 2015.
> Currently, CVE-2014-9509 is our last allocated ID from 2014.  During
> 2015, we will continue to issue CVE-2014-xxxx IDs for other issues that
> were disclosed in 2014, but it is highly unlikely that we will cross the
> 5-digit threshold by January 13.
> We will still issue at least one valid 5-digit CVE-2014-xxxxx ID, and
> probably more, on January 13.  This is a one-time exception to our usual
> sequential allocation process.  We are doing this as a final "test" to
> ensure that CVE-using implementations can handle the syntax change.
> We might also issue CVE IDs with more than 5 digits, since it is highly
> likely that some implementations will make a 5-digit assumption, even
> though an arbitrary number of digits is allowed by the syntax change,
> which went into effect more than a year ago.
> Steve Christey Coley
> CVE Editor

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.