Date: Tue, 30 May 2017 09:29:08 -0600 From: "kseifried@...hat.com" <kseifried@...hat.com> To: oss-security@...ts.openwall.com, Hanno Böck <hanno@...eck.de> Subject: Re: Qualys Security Advisory - CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux On 05/30/2017 09:25 AM, Hanno Böck wrote: > On Tue, 30 May 2017 08:16:29 -0700 > Qualys Security Advisory <qsa@...lys.com> wrote: > >> Qualys Security Advisory >> >> CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux > > Did Mitre really just add multiple new digits to CVEs or is this a typo? > > AFAIR they introduced 5-digit-CVEs relatively recently, going to > 7-digit without any public announcement seems unlikely. We did this 3 years ago: https://cve.mitre.org/cve/identifiers/syntaxchange.html Examples Examples of identifiers in the new CVE ID syntax are included below. There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below. IDs with 4 digits IDs with 5 digits IDs with 6 digits IDs with 7 digits CVE-2014-0001 CVE-2014-10000 CVE-2014-100000 CVE-2014-1000000 CVE-2014-3127 CVE-2014-54321 CVE-2014-456132 CVE-2014-7654321 CVE-2014-9999 CVE-2014-99999 CVE-2014-999999 CVE-2014-9999999 NOTE: Some of the CVE ID examples above have not yet been assigned. The DWF CNA has the block CVE-YEAR-1000000 through CVE-YEAR-1999999 so yes, these are legitimate. E.g.: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000001 -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.