Wednesday, August 27, 2008

CVE Announce - August 27, 2008 (opt-in newsletter from the CVE Web site)

Welcome to the latest edition of the CVE-Announce e-newsletter.
This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your inbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/August 27, 2008
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE Included as Topic at "Security Automation Conference 2008,"
September 23-25

CVE will be included as a topic at the U.S. National Institute of
Standards and Technology's (NIST) "Security Automation Conference
& Workshop 2008" on September 23-25, 2008 in Gaithersburg,
Maryland, USA. The CVE Team is also scheduled to contribute to the
CVE-related workshops.

NIST's Security Content Automation Protocol (SCAP) employs
existing community standards to enable "automated vulnerability
management, measurement, and policy compliance evaluation (e.g.,
FISMA compliance)," and CVE is one of the six open standards SCAP
uses for enumerating, evaluating, and measuring the impact of
software problems and reporting results. The other five standards
are Open Vulnerability and Assessment Language (OVAL), a standard
XML for security testing procedures and reporting; Common
Configuration Enumeration (CCE), standard identifiers and a
dictionary for system security configuration issues; Common
Platform Enumeration (CPE), standard identifiers and a dictionary
for platform and product naming; Extensible Configuration
Checklist Description Format (XCCDF), a standard for specifying
checklists and reporting results; and Common Vulnerability Scoring
System (CVSS), a standard for conveying and scoring the impact of
vulnerabilities.

Visit the CVE Calendar for information on this and other events.


LINKS:

Security Automation Conference 2008 -
http://www.nist.gov/public_affairs/confpage/080923.htm

SCAP - http://nvd.nist.gov/scap.cfm

CVE Calendar - http://cve.mitre.org/news/calendar.html


-------------------------------------------------------------
HOT TOPIC:


Adoption of CVE by Oracle Announced on Oracle's Global Product
Security Blog

On July 15, 2008, Oracle began including CVE Identifiers in its
quarterly Critical Patch Update (CPU) documentation and is now a
CVE Candidate Numbering Authority, joining other major software
companies (Cisco, Red Hat, Debian, HP, FreeBSD, Ubuntu Linux,
Microsoft, and Apple) that already independently issue CVE-IDs for
their products.

Oracle promoted their adoption of CVE-IDs in a July 15, 2008
posting on their "Oracle Global Product Security Blog" about the
July CPU in which the author states: "As mentioned earlier in this
blog, this CPU is also characterized by the adoption of the Common
Vulnerabilities and Exposure (CVE) system. As explained on the CVE
program web site, "CVE Identifiers (also called "CVE-IDs," "CVE
names," "CVE numbers," and "CVEs") are unique, common identifiers
for publicly known information security vulnerabilities." Starting
with the July 2008 Critical Patch Update, Oracle will use these
CVE identifiers to identify the vulnerabilities fixed in each new
CPU, and will no longer use the proprietary numbering convention
that was previously used in the CPU risk matrices. As a result,
each new vulnerability fixed in the CPU will be assigned a unique
CVE Identifier. This change was made possible because Oracle
became a 'Candidate Naming Authority' under the CVE program. Note
that while the CPU documentation is the only authoritative source
of information about vulnerabilities in Oracle products, and as
such should remain the primary source of information about such
vulnerabilities, the use of unique CVE identifiers should result
in simplifying how Oracle vulnerabilities are identified in
external security reports such as those produced by security
researchers and vulnerability management systems. The use in the
CPU documentation of CVE identifiers, along with the publication
of the Common Vulnerability Scoring System (CVSS) base scores, is
further evidence of Oracle's customer focus in its vulnerability
disclosure practices."

Oracle's "July 2008 Critical Patch Update" was released on July
15, 2008.


LINKS:

Oracle Global Product Security Blog -
http://blogs.oracle.com/security/2008/07/july_2008_critical_patch_updat.html

Oracle's July 2008 Critical Patch Update -
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Common Vulnerability Scoring System (CVSS) -
http://www.first.org/cvss/

Organizations Including CVE-IDs -
http://cve.mitre.org/compatible/alerts_announcements.html

CVE List - http://cve.mitre.org/cve


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* Catbird Networks Inc. Posts CVE Compatibility Questionnaire

* TMC y Cia Posts CVE Compatibility Questionnaire

* Openware Posts CVE Compatibility Questionnaire

* Beijing Venus Information Security Technology, Inc. Makes
Declaration of CVE Compatibility

* CVE Participates in 'Making Security Measurable Booth' at "Black
Hat Briefings 2008"

* CVE Mentioned in Article about Oracle Patch Update on
"InternetNews.com"

* CVE Mentioned in Article about Oracle Patch Update on
"Government Computer News"


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2008, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more
about Making Security Measurable at
http://measurablesecurity.mitre.org.