Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 May 2017 09:29:08 -0600
From: "" <>
To:, Hanno Böck
Subject: Re: Qualys Security Advisory - CVE-2017-1000367 in
 Sudo's get_process_ttyname() for Linux

On 05/30/2017 09:25 AM, Hanno Böck wrote:
> On Tue, 30 May 2017 08:16:29 -0700
> Qualys Security Advisory <> wrote:
>> Qualys Security Advisory
>> CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux
> Did Mitre really just add multiple new digits to CVEs or is this a typo?
> AFAIR they introduced 5-digit-CVEs relatively recently, going to
> 7-digit without any public announcement seems unlikely.

We did this 3 years ago:


Examples of identifiers in the new CVE ID syntax are included below.
There is no limit on the number of arbitrary digits. Leading 0’s will
only be used in IDs 1 to 999, as shown in column one below.

IDs with 4 digits	IDs with 5 digits	IDs with 6 digits	IDs with 7 digits
CVE-2014-0001	CVE-2014-10000	CVE-2014-100000	CVE-2014-1000000
CVE-2014-3127	CVE-2014-54321	CVE-2014-456132	CVE-2014-7654321
CVE-2014-9999	CVE-2014-99999	CVE-2014-999999	CVE-2014-9999999
NOTE: Some of the CVE ID examples above have not yet been assigned.

The DWF CNA has the block CVE-YEAR-1000000 through CVE-YEAR-1999999 so
yes, these are legitimate. E.g.:


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.