Wednesday, December 10, 2008

CVE Announce - December 10, 2008 (opt-in newsletter from the CVE Web site)

Welcome to the latest edition of the CVE-Announce e-newsletter.
This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/December 10, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


MITRE Presents Making Security Measurable White Paper at "MILCOM
2008"

MITRE Principal Engineer and CVE Adoption Lead Robert A. Martin
presented a white paper entitled "Making Security Measurable and
Manageable" at "MILCOM 2008" on November 19, 2008 in San Diego,
California, USA.

The paper introduces MITRE's Making Security Measurable effort by
explaining in detail how information security data standards such
as CVE, CCE, OVAL, CPE, CAPEC, CWE, and others facilitate both
effective security process coordination and the use of automation
to assess, manage, and improve the security posture of enterprise
security information infrastructures. The paper is available for
download on the Making Security Measurable Web site.

Visit the CVE Calendar page for information on this and other
upcoming events.


LINKS:

"Making Security Measurable and Manageable" White Paper -
http://msm.mitre.org/about/Making_Security_Measurable_and_Manageable.pdf

Making Security Measurable - http://measurablesecurity.mitre.org

MILCOM 2008 - http://www.milcom.org

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
HOT TOPIC:


CVE Mentioned in MITRE News Release about Recommendation Tracker

CVE was mentioned in a December 1, 2008 MITRE news release
entitled "MITRE Releases New Security Software" about its new,
open source "Recommendation Tracker" software that "facilitates
development of automated security benchmarks." "System
administrators use benchmarks -- essentially a set of
recommendations -- to securely configure an operating system or
software application and then set up automatic testing to ensure
proper configuration."

CVE is mentioned when the release notes that Recommendation
Tracker is "the latest tool developed by MITRE in the last 10
years to help the security community produce automated,
standardized benchmarks" and that four MITRE-run information
security data standards -- CVE, CCE, CPE, and OVAL -- are among
the six existing standards in the U.S. National Institute of
Standards and Technology's (NIST) Security Content Automation
Protocol (SCAP) to enable automated vulnerability management,
measurement, and policy compliance evaluation.

The release also mentions MITRE's free one-day Benchmark
Development Course that instructs attendees how to use MITRE's
CCE, OVAL, Recommendation Tracker, and Benchmark Editor, as well
as other information assurance standards and tools, to help
vendors and security content developers produce good benchmarks
more efficiently.


LINKS:

MITRE news release -
http://www.mitre.org/news/releases/08/tracker_12_01_2008.html

Recommendation Tracker software -
http://sourceforge.net/projects/rectracker/

Security Content Automation Protocol (SCAP) -
http://nvd.nist.gov/scap.cfm

Benchmark Development Course -
http://www.mitre.org/register2/benchmark/


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* CVE and NIST Partner to Create New CVE Adoption/Validation
Program


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2008, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more
about Making Security Measurable at
http://measurablesecurity.mitre.org.

Tuesday, November 25, 2008

CVE Announce - November 25, 2008 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/November 25, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. Also in this Issue
3. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE Compatibility Updates

Trustwave achieved the second phase of the CVE Compatibility
Process by submitting a CVE Compatibility Questionnaire for
TrustKeeper. In Phase 2 of the compatibility process, the
organization's completed compatibility requirements evaluation
questionnaire is posted on the CVE Web site while it is evaluated
by MITRE as the final step towards the product or service being
registered as "Officially CVE-Compatible."

In addition, SecurView Inc. declared that its risk management and
event monitoring service, CASPER, will be CVE-Compatible.

For additional information about these and other CVE-compatible
products, visit the CVE-Compatible Products and Services section
of the CVE Web site.


LINKS:

Trustwave - http://www.trustwave.com

SecurView Inc. - http://www.securview.com

CVE Compatibility - http://cve.mitre.org/compatible/index.html

CVE Adoption Program - http://cve.mitre.org/adoption


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* CVE and NIST Partner to Create New CVE Adoption/Validation
Program


Read these stories and more news at http://cve.mitre.org/news


Friday, October 10, 2008

CVE Announce - October 10, 2008 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/October 10, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE-Related Workshops and "Making Security Measurable" Table
Booth at "Security Automation Conference 2008," September 23-25

The CVE Team contributed to CVE-related workshops and MITRE
hosted a Making Security Measurable table booth at the U.S.
National Institute of Standards and Technology's (NIST) "Security
Automation Conference & Workshop 2008" on September 23-25, 2008
in Gaithersburg, Maryland, USA.

NIST's Security Content Automation Protocol (SCAP) employs
existing community standards to enable "automated vulnerability
management, measurement, and policy compliance evaluation (e.g.,
FISMA compliance)," and CVE is one of the six open standards SCAP
uses for enumerating, evaluating, and measuring the impact of
software problems and reporting results.

CVE and NIST also recently announced a partnership to replace the
CVE Compatibility program with two independent but complementary
efforts, a "CVE Adoption Program" managed by MITRE and a
"Security Content Automation Protocol (SCAP) Validation Program"
managed by NIST. Refer to the CVE Adoption Program page at
http://cve.mitre.org/adoption for additional information.

Visit the CVE Calendar for information on this and other events.


LINKS:

NIST - http://www.nist.gov

Security Automation Conference & Workshop 2008 -
http://www.nist.gov/public_affairs/confpage/080923.htm

SCAP Validation Program - http://nvd.nist.gov/validation.cfm

CVE Adoption Program - http://cve.mitre.org/adoption

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
HOT TOPIC:


NSFocus Information Technology Makes Four Declarations of CVE
Compatibility

NSFocus Information Technology (Beijing) Co., Ltd. declared that
its ICEYE NIPS (Network Intrusion Prevention System), ICEYE SCM
(Security Content Management System), ICEYE SG (Security
Gateway), and ICEYE WAF (Web Application Firewall) are
CVE-Compatible.

For additional information about these and other CVE-compatible
products, visit the CVE-Compatible Products and Services section.


LINKS:

NSFocus Information Technology (Beijing) Co., Ltd. -
http://www.nsfocus.com

CVE Compatibility - http://cve.mitre.org/compatible/index.html

CVE Adoption Program - http://cve.mitre.org/adoption


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* CVE and NIST Partner to Create New CVE Adoption/Validation
Program


Read these stories and more news at http://cve.mitre.org/news


Thursday, September 11, 2008

CVE Announce - September 11, 2008 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/September 11, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. UPCOMING EVENT
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE and NIST Partner to Create New CVE Adoption/Validation
Programs

CVE has partnered with the U.S. National Institute of Standards
and Technology (NIST) to replace the CVE Compatibility program
with two independent but complementary efforts, a "CVE Adoption
Program" managed by MITRE and the "Security Content Automation
Protocol (SCAP) Validation Program" managed by NIST.

NIST will provide additional details about the new programs at its
"Security Automation Conference & Workshop 2008" on September
23-24, 2008 in Gaithersburg, Maryland, USA.

During the coming months the CVE Web site will be updated to
reflect the new program. Products currently listed in the CVE
Compatibility section will be moved into a new CVE Adoption
section. Additional information is available on the CVE Adoption
Program page at http://cve.mitre.org/adoption/index.html.


LINKS:

NIST - http://www.nist.gov

Security Automation Conference & Workshop 2008 -
http://www.nist.gov/public_affairs/confpage/080923.htm

SCAP Validation Program - http://nvd.nist.gov/validation.cfm

CVE Adoption Program - http://cve.mitre.org/adoption


---------------------------------------------------------------
UPCOMING EVENT:


CVE Included as Topic at "Security Automation Conference 2008,"
September 23-25

CVE will be included as a topic at the U.S. National Institute of
Standards and Technology's (NIST) "Security Automation Conference
& Workshop 2008" on September 23-25, 2008 in Gaithersburg,
Maryland, USA. The CVE Team is also scheduled to contribute to the
CVE-related workshops.

NIST's Security Content Automation Protocol (SCAP) employs
existing community standards to enable "automated vulnerability
management, measurement, and policy compliance evaluation (e.g.,
FISMA compliance)," and CVE is one of the six open standards SCAP
uses for enumerating, evaluating, and measuring the impact of
software problems and reporting results. The other five standards
are Open Vulnerability and Assessment Language (OVAL), a standard
XML for security testing procedures and reporting; Common
Configuration Enumeration (CCE), standard identifiers and a
dictionary for system security configuration issues; Common
Platform Enumeration (CPE), standard identifiers and a dictionary
for platform and product naming; Extensible Configuration
Checklist Description Format (XCCDF), a standard for specifying
checklists and reporting results; and Common Vulnerability Scoring
System (CVSS), a standard for conveying and scoring the impact of
vulnerabilities.

Visit the CVE Calendar for information on this and other events.


LINKS:

Security Automation Conference 2008 -
http://www.nist.gov/public_affairs/confpage/080923.htm

SCAP - http://nvd.nist.gov/scap.cfm

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* Adoption of CVE by Oracle Announced on Oracle's Global Product
Security Blog


Read these stories and more news at http://cve.mitre.org/news


Wednesday, August 27, 2008

CVE Announce - August 27, 2008 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/August 27, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE Included as Topic at "Security Automation Conference 2008,"
September 23-25

CVE will be included as a topic at the U.S. National Institute of
Standards and Technology's (NIST) "Security Automation Conference
& Workshop 2008" on September 23-25, 2008 in Gaithersburg,
Maryland, USA. The CVE Team is also scheduled to contribute to the
CVE-related workshops.

NIST's Security Content Automation Protocol (SCAP) employs
existing community standards to enable "automated vulnerability
management, measurement, and policy compliance evaluation (e.g.,
FISMA compliance)," and CVE is one of the six open standards SCAP
uses for enumerating, evaluating, and measuring the impact of
software problems and reporting results. The other five standards
are Open Vulnerability and Assessment Language (OVAL), a standard
XML for security testing procedures and reporting; Common
Configuration Enumeration (CCE), standard identifiers and a
dictionary for system security configuration issues; Common
Platform Enumeration (CPE), standard identifiers and a dictionary
for platform and product naming; Extensible Configuration
Checklist Description Format (XCCDF), a standard for specifying
checklists and reporting results; and Common Vulnerability Scoring
System (CVSS), a standard for conveying and scoring the impact of
vulnerabilities.

Visit the CVE Calendar for information on this and other events.


LINKS:

Security Automation Conference 2008 -
http://www.nist.gov/public_affairs/confpage/080923.htm

SCAP - http://nvd.nist.gov/scap.cfm

CVE Calendar - http://cve.mitre.org/news/calendar.html


-------------------------------------------------------------
HOT TOPIC:


Adoption of CVE by Oracle Announced on Oracle's Global Product
Security Blog

On July 15, 2008 Oracle began including CVE Identifiers in its
quarterly Critical Patch Update (CPU) documentation and is now a
CVE Candidate Numbering Authority, joining other major software
companies (Cisco, Red Hat, Debian, HP, FreeBSD, Ubuntu Linux,
Microsoft, and Apple) already independently issuing CVE-IDs for
their products.

Oracle promoted their adoption of CVE-IDs in a July 15, 2008
posting on their "Oracle Global Product Security Blog" about the
July CPU in which the author states: "As mentioned earlier in this
blog, this CPU is also characterized by the adoption of the Common
Vulnerabilities and Exposure (CVE) system. As explained on the CVE
program web site, "CVE Identifiers (also called "CVE-IDs," "CVE
names," "CVE numbers," and "CVEs") are unique, common identifiers
for publicly known information security vulnerabilities." Starting
with the July 2008 Critical Patch Update, Oracle will use these
CVE identifiers to identify the vulnerabilities fixed in each new
CPU, and will no longer use the proprietary numbering convention
that was previously used in the CPU risk matrices. As a result,
each new vulnerability fixed in the CPU will be assigned a unique
CVE Identifier. This change was made possible because Oracle
became a 'Candidate Naming Authority' under the CVE program. Note
that while the CPU documentation is the only authoritative source
of information about vulnerabilities in Oracle products, and as
such should remain the primary source of information about such
vulnerabilities, the use of unique CVE identifiers should result
in simplifying how Oracle vulnerabilities are identified in
external security reports such as those produced by security
researchers and vulnerability management systems. The use in the
CPU documentation of CVE identifiers, along with the publication
of the Common Vulnerability Scoring System (CVSS) base scores, is
further evidence of Oracle's customer focus in its vulnerability
disclosure practices."

Oracle's "July 2008 Critical Patch Update" was released on July
15, 2008.


LINKS:

Oracle Global Product Security Blog -
http://blogs.oracle.com/security/2008/07/july_2008_critical_patch_updat.html

Oracle's July 2008 Critical Patch Update -
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Common Vulnerability Scoring System (CVSS) -
http://www.first.org/cvss/

Organizations Including CVE-IDs -
http://cve.mitre.org/compatible/alerts_announcements.html

CVE List - http://cve.mitre.org/cve


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* Catbird Networks Inc. Posts CVE Compatibility Questionnaire

* TMC y Cia Posts CVE Compatibility Questionnaire

* Openware Posts CVE Compatibility Questionnaire

* Beijing Venus Information Security Technology, Inc. Makes
Declaration of CVE Compatibility

* CVE Participates in 'Making Security Measurable Booth' at "Black
Hat Briefings 2008"

* CVE Mentioned in Article about Oracle Patch Update on
"InternetNews.com"

* CVE Mentioned in Article about Oracle Patch Update on
"Government Computer News"


Read these stories and more news at http://cve.mitre.org/news


Wednesday, July 16, 2008

CVE Announce - July 16, 2008 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/July 16, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. UPCOMING EVENT
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE Identifiers Now Included in Oracle's "Critical Patch Updates"

Oracle is now including CVE Identifiers (CVE-IDs) in its quarterly
Critical Patch Update (CPU) documentation. "The July 2008 Critical
Patch Update" was released on July 15, 2008.

"Oracle is delighted to become a Candidate Naming Authority under
CVE. The adoption of CVE, along with our use of CVSS is further
evidence of Oracle's desire to lead the industry in terms of secure
development and remediation practices," said Mary Ann Davidson,
Oracle CSO. "While the CPU documentation will remain the main
source of information about vulnerabilities in Oracle products, we
believe that the use of unique CVE Identifiers should result in
helping to simplify how Oracle vulnerabilities are identified in
external security reports such as those produced by security
researchers and vulnerability management systems."

Over 70 organizations from around the world have included CVE-IDs
in their security advisories, ensuring that the community benefits
by having CVE-IDs as soon as the problem is announced.

"Including CVE-IDs in the initial public announcement of security
fixes is of great benefit to security managers of enterprises that
use Oracle software," said Robert Martin, CVE Outreach Lead. "This
will help those enterprises manage their Oracle patching effort in
the same manner as they manage their vulnerability and patching
efforts for the rest of their applications and operating systems
software. Including CVE-IDs is definitely something we encourage
of every software product vendor."

The other software companies independently issuing CVE-IDs for
their products include Cisco, Red Hat, Debian, HP, FreeBSD, Ubuntu
Linux, Microsoft, and Apple.


LINKS:

Oracle's July 2008 Critical Patch Update -
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Common Vulnerability Scoring System (CVSS) -
http://www.first.org/cvss/

Organizations Including CVE-IDs -
http://cve.mitre.org/compatible/alerts_announcements.html

CVE List - http://cve.mitre.org/cve


-------------------------------------------------------------
UPCOMING EVENT:


MITRE Scheduled to Host CVE/'Making Security Measurable' Booth at
"Black Hat Briefings 2008" on August 6-7

MITRE is scheduled to host a Making Security Measurable booth at
"Black Hat Briefings 2008" at Caesars Palace Las Vegas on August
6-7, 2008 in Las Vegas, Nevada, USA.

Visit us at Booth A and learn how information security data
standards facilitate both effective security process coordination
and the use of automation to assess, manage, and improve the
security posture of enterprise security information
infrastructures.

See the CVE Calendar on the CVE Web site for information on this
and other events.


LINKS:

Black Hat Briefings 2008 -
http://www.blackhat.com/html/bh-usa-08/bh-us-08-main.html

Making Security Measurable - http://measurablesecurity.mitre.org/

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
ALSO IN THIS ISSUE:

* Gamasec Ltd. Makes Declaration of CVE Compatibility


Read these stories and more news at http://cve.mitre.org/news


Thursday, July 3, 2008

CVE Announce - July 3, 2008 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/July 3, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. UPCOMING EVENT
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


MITRE Hosts CVE/'Making Security Measurable' Booth at "2008
Cyberspace Symposium" on June 16-19

MITRE hosted a Making Security Measurable booth at the U.S. Air
Force's "2008 Cyberspace Symposium" on June 16-19, 2008 at the
Best Westin Royal Plaza Hotel and Trade Center in Marlborough,
Massachusetts, USA.

Visit the CVE Calendar for information on this and other events.
Contact cve@mitre.org to have CVE present a briefing or
participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE,
CEE, CRF, OVAL, and/or Making Security Measurable at your event.


LINKS:

'2008 Cyberspace Symposium' - https://www.paulrevereafa.org/CyberSymposium/index.asp

Making Security Measurable - http://measurablesecurity.mitre.org/

CVE Calendar - http://cve.mitre.org/news/calendar.html

-------------------------------------------------------------
UPCOMING EVENT:


MITRE Scheduled to Host CVE/'Making Security Measurable' Booth at
"2008 Cyberspace Symposium" on August 6-7

MITRE is scheduled to host a Making Security Measurable booth at
"Black Hat Briefings 2008" at Caesars Palace Las Vegas on August
6-7, 2008 in Las Vegas, Nevada, USA.

Visit us at Booth A and learn how information security data
standards facilitate both effective security process coordination
and the use of automation to assess, manage, and improve the
security posture of enterprise security information
infrastructures.

See the CVE Calendar on the CVE Web site for information on this
and other events.


LINKS:

"Black Hat Briefings 2008" - http://www.blackhat.com/html/bh-usa-08/bh-us-08-main.html

Making Security Measurable - http://measurablesecurity.mitre.org/

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* IBM Internet Security Systems Product Now Registered as
Officially "CVE-Compatible"

* CVE/'Making Security Measurable' Briefing at "4th Annual GFIRST
Conference" on June 2-4


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.


Wednesday, June 11, 2008

CVE Announce - June 11, 2008 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/June 11, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. UPCOMING EVENT
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


IBM Internet Security Systems Product Now Registered as Officially
"CVE-Compatible"

IBM Internet Security Systems's Proventia Enterprise Scanner has
achieved the final stage of MITRE's formal CVE Compatibility
Process and is now officially "CVE-Compatible." A total of 81
products to date have been recognized as officially compatible.

The product is now eligible to use the CVE-Compatible
Product/Service logo, and a completed and reviewed "CVE
Compatibility Requirements Evaluation" questionnaire is posted for
each product as part of the organization's listing on the
CVE-Compatible Products and Services page on the CVE Web site. Use
of the official CVE-Compatible logo will allow system
administrators and other security professionals to look for the
logo when adopting vulnerability management products and services
for their enterprises, and the compatibility process questionnaire
will help end-users compare how different products satisfy the CVE
compatibility requirements, and therefore which specific
implementations are best for their networks and systems.

For additional information about CVE compatibility and to review
all products and services listed, visit the CVE Compatibility
Process and CVE-Compatible Products and Services.


LINKS:


IBM Internet Security Systems - http://www.iss.net

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/


-------------------------------------------------------------
UPCOMING EVENT:


MITRE Scheduled to Host 'Making Security Measurable' Booth at
"2008 Cyberspace Symposium" on June 16-19

MITRE is scheduled to host a Making Security Measurable booth at
the "2008 Cyberspace Symposium" on June 16-19, 2008 at the Best
Westin Royal Plaza Hotel and Trade Center in Marlborough,
Massachusetts, USA.

Visit the CVE Calendar on the CVE Web site for information on this
and other events.


LINKS:


'2008 Cyberspace Symposium' - https://www.paulrevereafa.org/CyberSymposium/index.asp

Making Security Measurable - http://measurablesecurity.mitre.org/

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* Xi'an Jiaotong University Jump Network Technology Co., Ltd.
Makes Declaration of CVE Compatibility

* MITRE Presents 'Making Security Measurable' Briefing at "4th
Annual GFIRST Conference" on June 2-4

* MITRE Presents 'Making Security Measurable' Briefing and
Conducts a Half-Day Tutorial at "AusCERT 2008" on May 18-23


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.


Tuesday, May 27, 2008

CVE Announce - May 27, 2008 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/May 27, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


XML Schema for CVE List Added to CVE Downloads Page

An XML Schema Definition (.xsd) download for the CVE List is now
available on the CVE Downloads page. The schema, which was
contributed by the U.S. National Institute of Standards and
Technology (NIST), will assist those using CVE in XML format.

LINKS:


CVE List Downloads page - http://cve.mitre.org/data/downloads/index.html

NIST - http://nvd.nist.gov


-------------------------------------------------------------
HOT TOPIC:


Tenable Network Security Inc. Posts Three CVE Compatibility
Questionnaires

Tenable Network Security Inc. has achieved the second phase of the
CVE Compatibility Process for three products by submitting a CVE
Compatibility Questionnaire for Passive Vulnerability Scanner, a
CVE Compatibility Questionnaire for Security Center, and a CVE
Compatibility Questionnaire for Nessus 3 Security Scanner. In
Phase 2 of the compatibility process the organization's completed
compatibility requirements evaluation questionnaire is posted on
the CVE Web site while it is evaluated by MITRE as the final step
towards the product or service being registered as "Officially
CVE-Compatible."

For additional information and to review the complete list of all
products and services participating in the compatibility program,
visit the CVE-Compatible Products and Services section.


LINKS:

Tenable Network Security Inc. - http://www.tenablesecurity.com

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/


-------------------------------------------------------------
ALSO IN THIS ISSUE:


* FrSIRT Makes Declaration of CVE Compatibility

* MITRE Scheduled to Present 'Making Security Measurable' Briefing
and a Full-Day Tutorial at "AusCERT 2008" on May 18-23

* MITRE Scheduled to Present 'Making Security Measurable' Briefing
at "4th Annual GFIRST Conference" on June 2-4

* MITRE Scheduled to Host 'Making Security Measurable' Booth at
"2008 Cyberspace Symposium" on June 16-19

* MITRE Presents 'Making Security Measurable' Briefing at "2008
IEEE Conference on Technologies for Homeland" on May 12-13


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.


Thursday, May 8, 2008

CVE Announce - May 8, 2008 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/May 8, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. Also in this Issue
3. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE Identifiers Used throughout "Microsoft Security Intelligence
Report"

CVE Identifiers were used to identify the security issues under
analysis in Microsoft Corporation's recently released "Microsoft
Security Intelligence Report," Volume 4, (July through December
2007). The report provides an "in-depth perspective on the
changing threat landscape including software vulnerability
disclosures and exploits, malicious software (malware), and
potentially unwanted software."

CVE Identifiers were used to "normalize the data set" with each
exploit "matched with its corresponding vulnerability using Common
Vulnerabilities and Exposures (CVE) identifiers and Microsoft
security bulletins." "Each Microsoft security bulletin may address
multiple vulnerabilities, so the Microsoft security
bulletin-to-CVE translation isn't a one-to-one correlation.
Researchers used information provided by the Microsoft Security
Response Center (MSRC), the CVE, the NVD, and SecurityPatch.org to
create a final MSRC-to-CVE mapping." Results of these mappings are
discussed throughout the report, summarized in a chart entitled
"Exploits in select Microsoft products by CVE identifier,
2006-2007," and reviewed in detail in "Appendix B: Exploit Counts
by Microsoft Security Bulletin and CVE ID."

The report also uses the U.S. National Institute of Standards and
Technology's (NIST) U.S. National Vulnerability Database (NVD) and
the Forum of Incident Response and Security Teams' (FIRST) Common
Vulnerability Scoring System (CVSS).

NVD and CVE are sponsored by the National Cyber Security Division
of the U.S. Department of Homeland Security.


LINKS:

Microsoft Security Intelligence Report - http://www.microsoft.com/security/portal/sir.aspx

CVE List - http://cve.mitre.org/cve

NVD - http://nvd.nist.gov

CVSS - http://www.first.org/cvss


-------------------------------------------------------------
ALSO IN THIS ISSUE:


* IBM Internet Security Systems Posts CVE Compatibility
Questionnaire

* Trustwave Makes Declaration of CVE Compatibility

* MITRE Presents 'Making Security Measurable' Briefing at "CSI
Security Exchange 2008" on April 27

* MITRE Presents 'Making Security Measurable' Briefing at "GOVSEC"
on April 24


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.


Thursday, April 3, 2008

CVE Announce - April 3, 2008 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/April 3, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE List Reaches 30,000 CVE Identifiers

The CVE Web site now contains 30,000 unique information security
issues with publicly known names. CVE, which began in 1999 with
just 321 common names on the CVE List, is considered the
international standard for public software vulnerability names.
Information security professionals and product vendors from around
the world use CVE Identifiers (CVE-IDs) as a standard method for
identifying vulnerabilities, and for cross-linking among products,
services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is
illustrated by the numerous CVE-Compatible Products and Services
in use throughout industry, government, and academia for
vulnerability management, vulnerability alerting, intrusion
detection, and patch management. Major OS vendors and other
organizations from around the world also include CVE-IDs in their
security alerts to ensure that the international community
benefits by having the identifiers as soon as a problem is
announced. CVE-IDs are also used to uniquely identify
vulnerabilities in public watch lists such as the SANS Top 20 Most
Critical Internet Security Vulnerabilities and OWASP Top 10 Web
Application Security Issues.

CVE has also inspired new efforts. MITRE's Common Weakness
Enumeration (CWE) dictionary of software weakness types is based
in part on the CVE List, and its Open Vulnerability and Assessment
Language (OVAL) effort uses CVE-IDs for its standardized OVAL
Vulnerability Definitions that test systems for the presence of
CVEs. In addition, the U.S. National Vulnerability Database (NVD)
of CVE fix information that is synchronized with and based on the
CVE List recently expanded to include Security Content Automation
Protocol (SCAP) content. SCAP employs community standards to
enable "automated vulnerability management, measurement, and
policy compliance evaluation (e.g., FISMA compliance)," and CVE is
one of the six open standards SCAP uses for enumerating,
evaluating, and measuring the impact of software problems and
reporting results.

Each of the 30,000+ identifiers on the CVE List includes the
following: CVE Identifier number (i.e., "CVE-1999-0067");
indication of "entry" or "candidate" status; brief description of
the security vulnerability; and pertinent references such as
vulnerability reports and advisories or OVAL-ID. Visit the CVE
List page to download the complete list in various formats or to
look up an individual identifier. Fix information and enhanced
searching of CVE is available from NVD.


LINKS:

CVE List - http://cve.mitre.org/cve

National Vulnerability Database (NVD) - http://nvd.nist.gov/


-------------------------------------------------------------
UPCOMING EVENT:


MITRE to Host 'Making Security Measurable' Booth at "RSA 2008,"
April 7-11

MITRE is scheduled to host a Making Security Measurable exhibitor
booth at "RSA 2008" on April 7-11, 2008 at the Moscone Center in
San Francisco, California, USA.

The conference will expose the CVE, CCE, CME, CPE, CWE, CAPEC, CEE,
CRF, OVAL, and Making Security Measurable efforts to information
security professionals from government and industry. Visit the CWE
Calendar for information on this and other events.


LINKS:

RSA 2008 - http://www.rsaconference.com/2008/US/Home.aspx

Making Security Measurable - http://measurablesecurity.mitre.org

CVE Calendar - http://cve.mitre.org/news/calendar.html

-------------------------------------------------------------
ALSO IN THIS ISSUE:


* MITRE Scheduled to Present 'Making Security Measurable' Briefing
at "GOVSEC" on April 24

* MITRE Scheduled to Present 'Making Security Measurable' Briefing
at "CSI Security Exchange 2008" on April 27

* MITRE Presents 'Making Security Measurable' Briefing at "SEPG
North America 2008" on March 18


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.


Monday, March 24, 2008

CVE-Announce e-newsletter/March 24, 2008 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/March 24, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Upcoming Event
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


Two Products from Two Organizations Now Registered as Officially
"CVE-Compatible"

Two additional information security products have achieved the
final stage of MITRE's formal CVE Compatibility Process and are
now officially "CVE-Compatible." The products are now eligible to
use the CVE-Compatible Product/Service logo, and a completed and
reviewed "CVE Compatibility Requirements Evaluation" questionnaire
is posted for each product as part of the organization's listing
on the CVE-Compatible Products and Services page on the CVE Web
site. A total of 78 products to date have been recognized as
officially compatible.


The following products are now registered as officially
"CVE-Compatible":

* Archer Technologies - Archer Threat Management

* GFI Software Ltd. - GFI LANguard Network Security Scanner


Use of the official CVE-Compatible logo will allow system
administrators and other security professionals to look for the
logo when adopting vulnerability management products and services
for their enterprises, and the compatibility process questionnaire
will help end-users compare how different products satisfy the CVE
compatibility requirements, and therefore which specific
implementations are best for their networks and systems.

For additional information about CVE compatibility and to review
all products and services listed, visit the CVE Compatibility
Process and CVE-Compatible Products and Services.


LINKS:

Archer Technologies - http://www.archer-tech.com

GFI Software Ltd - http://www.gfi.com

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/

-------------------------------------------------------------
HOT TOPIC:


CVE Mentioned in "Government Computer News" Article about SCAP

CVE was mentioned in a March 3, 2008 article entitled "SCAP
narrows security gap" in "Government Computer News." The main
topic of the article is the U.S. National Institute of Standards
and Technology's (NIST) Security Content Automation Protocol
(SCAP) program, which is "a suite of tools to help automate
vulnerability management and evaluate compliance with federal
information technology security requirements."

CVE is mentioned as one of the "more mature standards" of the six
SCAP includes: "The Common Vulnerabilities and Exposures Standard
from Mitre, which provides standard identifiers and a dictionary
for security vulnerabilities related to software flaws."

Three of the other standards the author references as mature are
Open Vulnerability and Assessment Language (OVAL), a standard XML
for security testing procedures and reporting; Extensible
Configuration Checklist Description Format (XCCDF), a standard for
specifying checklists and reporting results; and Common
Vulnerability Scoring System (CVSS), a standard for conveying and
scoring the impact of vulnerabilities. The author also notes the
two "less mature" standards SCAP uses: Common Configuration
Enumeration (CCE), standard identifiers and a dictionary for
system security configuration issues; and Common Platform
Enumeration (CPE), standard identifiers and a dictionary for
platform and product naming.

SCAP is an expansion of NIST's U.S. National Vulnerability
Database (NVD) that is based upon the CVE List. NVD, CVE, and OVAL
are all sponsored by the National Cyber Security Division of the
U.S. Department of Homeland Security.


LINKS:

Government Computer News article - http://www.gcn.com/print/27_5/45909-1.html

SCAP - http://nvd.nist.gov/scap.cfm

CVE Web site - http://cve.mitre.org

-------------------------------------------------------------
UPCOMING EVENT:


MITRE to Host 'Making Security Measurable' Booth at "RSA 2008,"
April 7-11

MITRE is scheduled to host a Making Security Measurable exhibitor
booth at "RSA 2008" on April 7-11, 2008 at the Moscone Center in
San Francisco, California, USA.

The conference will expose the CVE, CCE, CME, CPE, CWE, CAPEC, CEE,
CRF, OVAL, and Making Security Measurable efforts to information
security professionals from government and industry. Visit the CWE
Calendar for information on this and other events.


LINKS:

RSA 2008 - http://www.rsaconference.com/2008/US/Home.aspx

Making Security Measurable - http://measurablesecurity.mitre.org

CVE Calendar - http://cve.mitre.org/news/calendar.html

-------------------------------------------------------------
ALSO IN THIS ISSUE:


* MITRE Presents 'Making Security Measurable' Briefing at "SEPG
North America 2008" on March 18

* MITRE Hosts 'Making Security Measurable' Booth at "InfoSec World
2008," March 10-11

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.


Wednesday, February 27, 2008

CVE-Announce e-newsletter/February 27, 2008 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/February 27, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Upcoming Event
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


Four Products from Four Organizations Now Registered as Officially
"CVE-Compatible"

Four additional information security products have achieved the
final stage of MITRE's formal CVE Compatibility Process and are
now officially "CVE-Compatible." The products are now eligible to
use the CVE-Compatible Product/Service logo, and a completed and
reviewed "CVE Compatibility Requirements Evaluation" questionnaire
is posted for each product as part of the organization's listing
on the CVE-Compatible Products and Services page on the CVE Web
site. A total of 76 products to date have been recognized as
officially compatible.

The following products are now registered as officially
"CVE-Compatible":

* AdventNet, Inc. - ManageEngine Security Manager Plus

* Assuria Limited - Assuria Auditor

* National Institute of Standards and Technology (NIST) -
National Vulnerability Database (NVD)

* SecureInfo Corporation - Risk Management System (RMS)

Use of the official CVE-Compatible logo will allow system
administrators and other security professionals to look for the
logo when adopting vulnerability management products and services
for their enterprises, and the compatibility process questionnaire
will help end-users compare how different products satisfy the CVE
compatibility requirements, and therefore which specific
implementations are best for their networks and systems.

For additional information about CVE compatibility and to review
all products and services listed, visit the CVE Compatibility
Process and CVE-Compatible Products and Services.


LINKS:

AdventNet, Inc. - http://www.adventnet.com

Assuria Limited - http://www.assuria.com

National Institute of Standards and Technology (NIST) - http://csrc.nist.gov

SecureInfo Corporation - http://www.secureinfo.com

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/

-------------------------------------------------------------
HOT TOPIC:

CVE Mentioned in "SC Magazine" Article about Vulnerability
Management

CVE was mentioned in an article entitled "Vulnerability
management: weathering the storm" in the February 1, 2008 issue of
"SC Magazine." CVE is mentioned in a section entitled
"Vulnerabilities on the rise" when the author states: "Last year
gave rise to about 7,000 unique vulnerabilities, says Steve
Christey, principal information security engineer at MITRE, which
maintains the Common Vulnerabilities and Exposure (CVE) list, a
dictionary that provides the common names for publicly known
security vulnerabilities. Since 1999, MITRE has tracked some
28,000 vulnerabilities in packaged software. While the sheer
number of bugs is certainly cause for concern, flaws do have one
positive attribute: they provide a tangible way to assess risk,
say experts."

CVE is mentioned again when the author explains that "Each CVE
listing in the National Vulnerability Database, the U.S.
government repository of standards based vulnerability management
data, supports the Common Vulnerability Scoring System (CVSS), an
open framework that standardizes the severity of vulnerabilities
across heterogeneous platforms."

Also included is a quote about CVSS, which states that "CVSS is a way
to provide a consistent risk metric. All of the vulnerability
scanning tools and all of the alerts will use their own definition
of risk, so a consumer of this information, if they're not using
CVSS, might get multiple interpretations of how significant a
single vulnerability is."

The article also mentions MITRE's Common Weakness Enumeration
(CWE) at http://cwe.mitre.org, which is based in part on CVE.


LINKS:

SC Magazine article -
http://www.scmagazineus.com/Vulnerability-management-weathering-the-storm/article/105009/

CVE Web site - http://cve.mitre.org

-------------------------------------------------------------
HOT TOPIC:

MITRE to Host 'Making Security Measurable' Booth at "InfoSec World
2008," March 10-11

MITRE is scheduled to host a Making Security Measurable exhibitor
booth at "InfoSec World Conference & Expo 2008" on March 10-11,
2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.

The conference will expose the CVE, CCE, CME, CPE, CWE, CAPEC,
CEE, CRF, OVAL, and Making Security Measurable efforts to
information security professionals from government and industry.
Visit the CVE Calendar for information on this and other events.


LINKS:

Infosec World 2008 -
http://www.misti.com/default.asp?page=65&Return=70&ProductID=5539

Making Security Measurable - http://measurablesecurity.mitre.org

CVE Calendar - http://cve.mitre.org/news/calendar.html

-------------------------------------------------------------
ALSO IN THIS ISSUE:


* Lenovo Security Technologies, Inc. Makes Declaration of CVE
Compatibility

Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2008, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.

Monday, February 18, 2008

CVE-Announce e-newsletter/January 18, 2008 (opt-in newsletter from the CVE Web site)

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/January 18, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. Also in this Issue
3. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


MITRE Hosts "Making Security Measurable" Booth at 2008 Information
Assurance Workshop, January 28 - February 1

MITRE hosted a Making Security Measurable exhibitor booth at the
2008 Information Assurance Workshop on January 28 - February 1,
2008 at the Philadelphia Marriott Downtown in Philadelphia,
Pennsylvania, USA.

The conference exposed the CVE, CCE, CME, CPE, CWE, CAPEC, CEE,
CRF, OVAL, and Making Security Measurable efforts to information
security professionals from government and industry. Visit the CVE
Calendar for information on this and other events.


LINKS:

CVE Calendar - http://cve.mitre.org/news/calendar.html

Making Security Measurable - http://measurablesecurity.mitre.org

-------------------------------------------------------------
ALSO IN THIS ISSUE:


* CVE Identifiers Included in Annual Update of "SANS Top Twenty"
List of Internet Security Threats

Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.


Friday, January 11, 2008

You have been added to the CVE-ANNOUNCE-LIST list

Fri, 11 Jan 2008 13:20:50

You have been added to the following mailing list by Janis Kenderdine
<fifer@MITRE.ORG>:

CVE-ANNOUNCE-LIST - Common Vulnerabilities and Exposures (CVE) Announcements


You have been automatically subscribed to the CVE-ANNOUNCE-LIST mailing
list because you requested the subscription via email, or you registered
for it at http://cve.mitre.org.

To unsubscribe from this mailing list, send email to
LISTSERV@LISTS.MITRE.ORG with the following text in the BODY of the
message:

signoff CVE-ANNOUNCE-LIST

More information on LISTSERV commands can be found in the LISTSERV
reference card, which you can retrieve by sending an "INFO REFCARD"
command to LISTSERV@LISTS.MITRE.ORG.

Wednesday, January 9, 2008