Friday, November 8, 2013

CVE Announce Special: Format of CVE-IDs Changing on January 1, 2014

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new versions, upcoming conferences,
new Web site features, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for information security vulnerability names. CVE
content results from the collaborative efforts of the CVE Editorial Board, which is
comprised of leading representatives from the information security community. Details
on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel
free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/November 8, 2013
-------------------------------------------------------

IMPORTANT ANNOUNCEMENT:

Format of CVE-IDs Changing on January 1, 2014

The syntax for CVE Identifiers (CVE-IDs) is being changed so that more than 10,000
vulnerabilities can be tracked in a single year. The current syntax only allows up to
9,999 per year.

The change will take effect beginning January 1, 2014.

Software vendors and users should ensure their products and processes can handle the
new ID syntax before then.

LINK:

https://cve.mitre.org/cve/identifiers/syntaxchange.html


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Boyle, Information Security Technical Center. Writer: Bob
Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related to ongoing
development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy
the following text to the BODY of the message "SIGNOFF CVE-Announce-list", then send
the message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message:
"SUBSCRIBE CVE-Announce-List".

Copyright 2013, The MITRE Corporation. CVE and the CVE logo are registered trademarks
of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or
send an email to cve@mitre.org.

Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and
Strengthening Cyber Defense at
http://www.mitre.org/work/cybersecurity/cyber_standards.html.

Friday, October 4, 2013

CVE Announce - October 7, 2013 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/October 7, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Compatibility Program Updates
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE-ID Syntax Changing on January 1, 2014

The ID syntax for Common Vulnerabilities and Exposures (CVE) vulnerability
identifiers, or "CVE-IDs", will change on January 1, 2014.

All CVE consumers - vendors, end users, researchers, CVE Numbering Authorities (CNAs),
etc. - will be affected by the CVE-ID syntax change.

Learn more on the CVE-ID Syntax Change page at
https://cve.mitre.org/cve/identifiers/syntaxchange.html.

LINKS:

CVE-ID Syntax Change page - https://cve.mitre.org/cve/identifiers/syntaxchange.html

Syntax Change Infographic - https://cve.mitre.org/cve/identifiers/cve-ids.html

Syntax Change FAQs - https://cve.mitre.org/about/faqs.html#f

---------------------------------------------------------------
CVE COMPATIBILITY PROGRAM UPDATES:

* 4 Products from SecPoint Now Registered as Officially "CVE-Compatible"

Four additional information security products have achieved the final stage of MITRE's
formal CVE Compatibility Process and are now officially "CVE-Compatible." The products
are now eligible to use the CVE-Compatible Product/Service logo, and a completed and
reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each
product as part of the organization's listing on the CVE-Compatible Products and
Services page on the CVE Web site. A total of 155 products to date have been
recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

SecPoint ApS's
* SecPoint Penetrator
* SecPoint Cloud Penetrator
* SecPoint Portable Penetrator
* SecPoint Protector UTM Firewall

Use of the official CVE-Compatible logo allows system administrators and other
security professionals to look for the logo when adopting vulnerability management
products and services for their enterprises. The compatibility process
questionnaire helps end users compare how different products and services satisfy
the CVE compatibility requirements, and therefore which specific implementations are
best for their networks and systems.

* 2 New Declarations to Be CVE-Compatible

IBM declared that its vulnerability management product, IBM QRadar Vulnerability
Manager, is CVE-Compatible.

In addition, Cr0security declared that its Cr0security Penetration Testing and
Consultant Services are CVE-Compatible.

For additional information about CVE compatibility and to review all products and
services listed, visit the CVE Compatibility Process and CVE-Compatible Products and
Services pages on the CVE Web site.

LINKS:

SecPoint Penetrator - https://cve.mitre.org/compatible/questionnaires/152.html

SecPoint Cloud Penetrator - https://cve.mitre.org/compatible/questionnaires/153.html

SecPoint Portable Penetrator -
https://cve.mitre.org/compatible/questionnaires/154.html

SecPoint Protector UTM Firewall -
https://cve.mitre.org/compatible/questionnaires/155.html

IBM QRadar Vulnerability Manager -
https://cve.mitre.org/compatible/organizations.html#i

Cr0security Penetration Testing and Consultant Service -
https://cve.mitre.org/compatible/organizations.html#c

CVE Compatibility Process - https://cve.mitre.org/compatible/process.html

CVE Compatibility Requirements - https://cve.mitre.org/compatible/requirements.html

CVE-Compatible Products and Services - https://cve.mitre.org/compatible/

Make a Declaration - https://cve.mitre.org/compatible/make_a_declaration.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* Unreliability of Vulnerability Data and Statistics Briefing at "Black Hat Briefings
2013"

* MITRE Hosts CVE Booth at "Black Hat Briefings 2013"

Read these stories and more news at https://cve.mitre.org/news


Friday, July 19, 2013

CVE Announce - July 19, 2013 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/July 19, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event
3. Hot Topic
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE-ID Syntax Change Voting Results

Voting on the CVE Identifier (CVE-ID) Syntax Change is now complete, and the
CVE Editorial Board has determined that the new CVE-ID syntax taking effect
on January 1, 2014 will be variable-length arbitrary digits.

This announcement is being made now so that users will have enough time to
change their processes and software to handle the new ID syntax.

NEW CVE-ID SYNTAX

The new CVE-ID Syntax is "CVE prefix + Year + Arbitrary Digits" and will
begin at four (4) fixed digits and expand with arbitrary digits only when
needed in a calendar year, for example, CVE-YYYY-NNNN with 4 digits, and if
needed CVE-YYYY-NNNNN with 5 digits, and so on. The year, or YYYY, indicates
the year the CVE-ID is issued to a CVE Numbering Authority (CNA) or when the
issue is first disclosed to the public.

This syntax selection also means there will be no changes needed to
previously assigned CVE-IDs, which all include 4 digits.

Examples of the New CVE-ID Syntax with 4, 5, and 7 digits are included
below:
CVE-2014-0001
CVE-2014-12345
CVE-2014-7654321

See the "CVE-ID Syntax Change Infographic" at
https://cve.mitre.org/cve/identifiers/cve-ids.html for an infographic
explaining the current (i.e., "old") CVE-ID Syntax versus the New CVE-ID
Syntax.
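
The syntax rules above, as an added example that is not part of the newsletter or of MITRE's own tooling: a Python validator for the 2014 CVE-ID syntax placed beside the fixed-width pattern that pre-2014 tools commonly carried, to show how that pattern silently truncates a five-or-more digit ID instead of failing. The leading-zero rule is taken from the Option B wording in the May 9 issue further down; the 1999 minimum-year check is an added assumption and the sample advisory text is constructed.

```python
import re

# Fixed-width pattern that pre-2014 tools commonly carried.  Run over a
# new-syntax ID it does not fail, it silently truncates:
# "CVE-2014-12345" is reported as "CVE-2014-1234", a different ID.
OLD_ID_RE = re.compile(r"CVE-\d{4}-\d{4}")

# New syntax: "CVE" prefix + four-digit year + four or more digits.
# \d{4,} is greedy, so a match always runs to the end of the number.
NEW_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Assumption (added here, not a rule the announcement states): the CVE
# List began in 1999, so an earlier year is treated as a typo.
FIRST_CVE_YEAR = 1999


def parse_cve_id(cve_id):
    """Validate one CVE-ID under the 2014 syntax; return (year, sequence).

    Rules applied:
      * "CVE-" + exactly four year digits + "-" + at least four digits;
      * leading zeros only pad sequence numbers 1-999 to four digits
        (Option B wording), so a field of five or more digits must not
        start with '0';
      * the sequence number is at least 1.
    Matching is case-sensitive: "cve-2014-0001" is rejected; normalise
    case before calling if your inputs need it.
    """
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", cve_id)
    if m is None:
        raise ValueError(f"not a CVE-ID: {cve_id!r}")
    year_str, seq_str = m.group(1), m.group(2)
    if len(seq_str) > 4 and seq_str[0] == "0":
        raise ValueError(f"leading zero in extended sequence: {cve_id!r}")
    year, seq = int(year_str), int(seq_str)
    if seq == 0:
        raise ValueError(f"sequence number must be >= 1: {cve_id!r}")
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"year predates CVE: {cve_id!r}")
    return year, seq


def is_valid_cve_id(cve_id):
    try:
        parse_cve_id(cve_id)
    except ValueError:
        return False
    return True


def cve_sort_key(cve_id):
    """Numeric ordering; plain string order puts CVE-2014-9999 after
    CVE-2014-12345 once IDs grow past four digits."""
    return parse_cve_id(cve_id)


def extract_ids_old(text):
    """What a fixed-width tool reports: wrong for any 5+ digit ID."""
    return OLD_ID_RE.findall(text)


def extract_cve_ids(text):
    """Find candidate IDs in free text and split them into valid and
    rejected lists, so malformed references are surfaced, not dropped."""
    valid, rejected = [], []
    for m in NEW_ID_RE.finditer(text):
        candidate = m.group(0)
        (valid if is_valid_cve_id(candidate) else rejected).append(candidate)
    return valid, rejected


# Constructed sample text (not from the newsletter) mixing old-syntax,
# new-syntax and malformed references.
SAMPLE_ADVISORY = (
    "Fixed CVE-2013-0001 and CVE-2014-12345; CVE-2014-7654321 is pending. "
    "Malformed references: CVE-2014-012345 and CVE-2014-123."
)

if __name__ == "__main__":
    print("fixed-width view:", extract_ids_old(SAMPLE_ADVISORY))
    print("2014-syntax view:", extract_cve_ids(SAMPLE_ADVISORY))
```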

BACKGROUND

As initially announced in the January 24, 2013 article "Call for Public
Feedback on Upcoming CVE ID Syntax Change," due to the increasing volume of
public vulnerability reports, the CVE Editorial Board determined that the
Common Vulnerabilities and Exposures (CVE) project needed to change the
syntax of its standard vulnerability identifiers so that the CVE List can
track more than 10,000 vulnerabilities in a single year. The current syntax
of four fixed digits, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique
identifiers per year.

The initial plan called for a period of public feedback, followed by a
formal vote by members of the CVE Editorial Board. However, as explained in
the May 3, 2013 article "Status Update on the CVE ID Syntax Change," two
rounds of voting were required as the initial vote held by the Board in
April 2013 resulted in a tie. The initial vote was among three proposed
options, with the tie occurring between Option A that extended the available
numbering space to 6 digits, and Option B that extended the available
numbering space to an arbitrary number of digits (learn more about the
original three options at
https://cve.mitre.org/data/board/archives/2013-01/msg00011.html). After
discussion with the CVE Editorial Board, MITRE proposed dropping Option C
from consideration and holding a second vote with only two options, the
current Option B and a slightly modified Option A that extended the
available numbering space to 8 digits (learn more about the final two
options at https://cve.mitre.org/data/board/archives/2013-04/msg00074.html).
The second vote was held in May 2013 and resulted in "Option B, CVE prefix +
Year + Arbitrary Digits" winning the vote by receiving 15 of the 18 votes
cast.

Detailed discussions and votes by the CVE Editorial Board are included in
the "CVE Editorial Board Discussion Archive - June 2013," "CVE Editorial
Board Discussion Archive - April 2013," and "CVE Editorial Board Discussion
Archive - May 2013" discussion archives.

ADDITIONAL STATUS UPDATES

Additional information about the upcoming CVE-ID Syntax Change will be
posted on the CVE Web site in the coming months. In the meantime, please
address any comments or concerns to cve-id-change@mitre.org.

LINKS:

CVE Identifier (CVE-ID) Syntax Change page -
https://cve.mitre.org/cve/identifiers/syntaxchange.html

"CVE-ID Old Versus New Syntax Change Infographic" -
https://cve.mitre.org/cve/identifiers/cve-ids.html

CVE Editorial Board - https://cve.mitre.org/community/board/

CVE List - https://cve.mitre.org/cve/

CVE Numbering Authority (CNA) - https://cve.mitre.org/cve/cna.html

"Status Update on the CVE ID Syntax Change," May 3rd article -
https://cve.mitre.org/news/index.html#may032013a

"Call for Public Feedback on Upcoming CVE ID Syntax Change," January 24th
article -https://cve.mitre.org/news/index.html#jan242013a

CVE Editorial Board Discussion List Archives -
https://cve.mitre.org/community/board/archive.html#board_mail_list_archive

CVE Identifier (CVE-ID) Syntax Change FAQs -
https://cve.mitre.org/about/faqs.html#f

---------------------------------------------------------------
HOT TOPIC:

CVE-ID Syntax Change Infographic Now Available

An infographic explaining the Current (i.e., "old") CVE-ID Syntax versus the
New CVE-ID Syntax being implemented on January 1, 2014 is now available at
https://cve.mitre.org/cve/identifiers/cve-ids.html.

Please feel free to re-post the "CVE-ID Syntax Change Infographic" on your
website(s) and on social media as you wish, provided none of the information
is altered. Preferably the image would also link back to the
https://cve.mitre.org/cve/identifiers/syntaxchange.html page on the CVE Web
site.

The infographic is available for download in the following formats:

PNG - https://cve.mitre.org/cve/images/cve-ids.png
GIF - https://cve.mitre.org/cve/images/cve-ids.gif
EPS - https://cve.mitre.org/cve/images/cve-ids.eps

Please send any questions about the infographic to cve-id-change@mitre.org.

LINKS:

Infographic html - https://cve.mitre.org/cve/identifiers/cve-ids.html

News page article - https://cve.mitre.org/news/index.html#jul172013b

Infographic re-posting information -
https://cve.mitre.org/about/faqs.html#f9

---------------------------------------------------------------
UPCOMING EVENTS:

Briefing and Booth at "Black Hat Briefings 2013"

CVE Technical Lead Steven M. Christey will co-present a briefing with Open
Source Vulnerability Database (OSVDB) content manager Brian Martin entitled
"Buying into the Bias: Why Vulnerability Statistics Suck" on July 31, 2013
at "Black Hat Briefings 2013" at Caesar's Palace in Las Vegas, Nevada, USA.

In addition, MITRE will host a "Strengthening Cyber Defense" booth that
includes CVE at "Black Hat Briefings 2013" on July 27-August 1, 2013.
Attendees will learn how information security data standards facilitate both
effective security process coordination and the use of automation to assess,
manage, and improve the security posture of enterprise security information
infrastructures.

Members of the CVE Team will be in attendance so please stop by Booth 242
and say hello!

Visit the CVE Calendar for information on these and other events.

LINKS:

Black Hat Briefings 2013 - http://www.blackhat.com/us-13/

"Buying into the Bias: Why Vulnerability Statistics Suck" briefing -
https://www.blackhat.com/us-13/briefings.html#Martin

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - https://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Mentioned in Article about Unreliable Vulnerability Data and
Statistics on "DarkReading.com"

* CVE Mentioned in Article about Self-Defending Networks on
"NetworkWorld.com"

* CVE Mentioned in Article about the OWASP Top 10 Security Flaws for 2013 on
"NetworkWorld.com"

* CVE Mentioned in Article about Security Automation on
"GovernmentComputerNews.com"

* CVE Compatibility Main Topic of Press Release by High-Tech Bridge SA

Read these stories and more news at https://cve.mitre.org/news


Friday, June 28, 2013

CVE Announce - June 28, 2013 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/June 28, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

1 Product from High-Tech Bridge Now Registered as Officially
"CVE-Compatible"

One additional information security product has achieved the final stage of
MITRE's formal CVE Compatibility Process and is now officially
"CVE-Compatible." The product is now eligible to use the CVE-Compatible
Product/Service logo, and a completed and reviewed "CVE Compatibility
Requirements Evaluation" questionnaire is posted for the product as part of
the organization's listing on the CVE-Compatible Products and Services page
on the CVE Web site. A total of 136 products to date have been recognized as
officially compatible.

The following product is now registered as officially "CVE-Compatible":

* High-Tech Bridge SA's - ImmuniWeb

Use of the official CVE-Compatible logo allows system administrators and
other security professionals to look for the logo when adopting
vulnerability management products and services for their enterprises. The
compatibility process questionnaire helps end users compare how
different products and services satisfy the CVE compatibility requirements,
and therefore which specific implementations are best for their networks and
systems.

For additional information about CVE compatibility and to review all
products and services listed, visit the CVE Compatibility Process and
CVE-Compatible Products and Services pages on the CVE Web site.

LINKS:

ImmuniWeb - https://cve.mitre.org/compatible/questionnaires/151.html

CVE Compatibility Process - https://cve.mitre.org/compatible/process.html

CVE Compatibility Requirements -
https://cve.mitre.org/compatible/requirements.html

CVE-Compatible Products and Services - https://cve.mitre.org/compatible/

Make a Declaration -
https://cve.mitre.org/compatible/make_a_declaration.html

---------------------------------------------------------------
UPCOMING EVENT:

MITRE to Host CVE Booth at "Black Hat Briefings 2013," July 27 - August 1

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at
"Black Hat Briefings 2013" at Caesar's Palace in Las Vegas, Nevada, USA, on
July 27-August 1, 2013. Attendees will learn how information security data
standards facilitate both effective security process coordination and the
use of automation to assess, manage, and improve the security posture of
enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 242 and
say hello!

Visit the CVE Calendar for information on this and other events.

LINKS:

Black Hat Briefings 2013 - http://www.blackhat.com/us-13/

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - https://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

Read these stories and more news at https://cve.mitre.org/news


Thursday, May 9, 2013

CVE Announce - May 9, 2013 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/May 9, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Also in this Issue
3. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

Status Update on the CVE ID Syntax Change

As initially announced in the January 24, 2013 article "Call for Public
Feedback on Upcoming CVE ID Syntax Change," due to the increasing volume of
public vulnerability reports, the Common Vulnerabilities and Exposures (CVE)
project will change the syntax of its standard vulnerability identifiers so
that the CVE List can track more than 10,000 vulnerabilities in a single
year as the current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999
unique identifiers per year.

The initial plan called for a period of public feedback, followed by a
formal vote by members of the CVE Editorial Board. That voting period has
closed and resulted in a tie between Option A and Option B (for details on
the three original options, please see
http://cve.mitre.org/data/board/archives/2013-01/msg00011.html).

SECOND VOTE NEEDED

After discussion with the CVE Editorial Board, MITRE proposed dropping
Option C from consideration, and offering a new selection between a slightly
modified Option A and the current Option B.

The proposed (new) Option A extends the available numbering space to 8
digits, as opposed to the current 4 digits, or the earlier proposed 6
digits. Together with the unchanged Option B, the new options for
consideration are:

Option A (Year + 8 digits, fixed length, with leading zeros)

Examples: CVE-2014-00000001, CVE-2014-00009999, CVE-2014-12345678

Option B (Year + arbitrary digits, no leading zeros except for IDs 1-999)

Examples: CVE-2014-0001, CVE-2014-0999, CVE-2014-1234567

If you are interested in following the discussion, you may subscribe to the
CVE-ID-Syntax-Discuss mailing list, if you have not already done so, by
following the instructions below:

To subscribe, send an email to listserv@lists.mitre.org. In the body of
the email, type: subscribe CVE-ID-SYNTAX-DISCUSS-LIST

If you wish to have your name included in your subscription, or if you have
trouble subscribing using the above, please use this alternate "Subscribe"
line:

To subscribe using the alternate method, send an email to
listserv@lists.mitre.org. In the body of the email, type: subscribe
CVE-ID-SYNTAX-DISCUSS-LIST <your name>

SCHEDULE FOR SECOND VOTE

The CVE Editorial Board Voting schedule noted below was preceded by a public
discussion period from 1 May 2013 through 7 May 2013:

Wednesday, 8 May 2013, 12:01 AM (EDT) - Second official CVE Editorial
Board voting period begins
Wednesday, 22 May 2013, 11:59 PM (EDT) - Second official CVE Editorial
Board voting period ends

We will announce the results of the vote here, on the CVE Web site, and on
other email lists as soon as the vote is complete and verified.

Please send any comments or concerns to cve@mitre.org.

LINKS:

Upcoming CVE-IDs Syntax Change -
http://cve.mitre.org/data/board/archives/2013-01/msg00011.html

"Call for Public Feedback on Upcoming CVE ID Syntax Change" article -
http://cve.mitre.org/news/index.html#jan242013a

CVE Editorial Board - http://cve.mitre.org/community/board/

CVE List - http://cve.mitre.org/cve/

About CVE Identifiers - http://cve.mitre.org/cve/identifiers/index.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* MITRE Hosts CVE Booth at "InfoSec World 2013"

* CVE Mentioned in "Automating Security Compliance & Operations to Protect
Critical Infrastructure" Webinar

Read these stories and more news at http://cve.mitre.org/news


Thursday, March 21, 2013

CVE Announce - March 21, 2013 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/March 21, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Events
3. Hot Topic
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE List Surpasses 55,000 CVE Identifiers!

The CVE Web site now contains 55,027 unique information security issues with
publicly known names. CVE, which began in 1999 with just 321 common names on
the CVE List, is considered the international standard for public software
vulnerability names. Information security professionals and product vendors
from around the world use CVE Identifiers (CVE-IDs) as a standard method for
identifying vulnerabilities, and for cross-linking among products, services,
and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the
numerous CVE-Compatible Products and Services in use throughout industry,
government, and academia for vulnerability management, vulnerability
alerting, intrusion detection, and patch management. Major OS vendors and
other organizations from around the world also include CVE-IDs in their
security alerts to ensure that the international community benefits by
having the identifiers as soon as a problem is announced. In addition,
CVE-IDs have been used to identify vulnerabilities in the SANS Top Cyber
Security Risks threat list since its inception in 2000.

CVE has also inspired new efforts. MITRE's Common Weakness Enumeration (CWE)
dictionary of software weakness types is based in part on the CVE List, and
its Open Vulnerability and Assessment Language (OVAL) effort uses CVE-IDs
for its standardized OVAL Vulnerability Definitions that test systems for
the presence of CVEs. In addition, the U.S. National Vulnerability Database
(NVD) of CVE fix information that is synchronized with and based on the CVE
List also includes Security Content Automation Protocol (SCAP) content. SCAP
employs community standards to enable "automated vulnerability management,
measurement, and policy compliance evaluation (e.g., FISMA compliance)," and
CVE is one of the existing open standards SCAP uses for enumerating,
evaluating, and measuring the impact of software problems and reporting
results.

And in 2011, the International Telecommunication Union's (ITU-T)
Cybersecurity Rapporteur Group, the telecom/information system
standards body within the treaty-based 150-year-old intergovernmental
organization, adopted CVE as a part of its new "Global Cybersecurity
Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T
X.1520 Common Vulnerabilities and Exposures (CVE). X.1520 is based upon CVE's
current Compatibility Requirements, and any future changes to that document
will be reflected in subsequent updates to X.CVE.

Each of the 55,000+ identifiers on the CVE List includes the following: CVE
Identifier number (read about the upcoming CVE Identifier Syntax Change at
http://cve.mitre.org/news/index.html#jan242013a); brief description of the
security vulnerability; and pertinent references such as vulnerability
reports and advisories or OVAL-ID. Visit the CVE List page to download the
complete list in various formats or to look up an individual identifier. Fix
information and enhanced searching of CVE are available from NVD.

LINKS:

CVE List - http://cve.mitre.org/cve/

About CVE Identifiers - http://cve.mitre.org/cve/identifiers/index.html

Upcoming CVE-IDs Syntax Change -
http://cve.mitre.org/data/board/archives/2013-01/msg00011.html

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/

CVE Compatibility Requirements -
http://cve.mitre.org/compatible/requirements.html

Security Alerts including CVE-IDs -
http://cve.mitre.org/compatible/alerts_announcements.html

NVD - http://nvd.nist.gov/

SCAP - http://scap.nist.gov/

CWE - http://cwe.mitre.org/

OVAL - http://oval.mitre.org/

ITU-T X.1520 Recommendation for CVE -
http://www.itu.int/rec/T-REC-X.1520-201104-I/en

---------------------------------------------------------------
UPCOMING EVENTS:

Outreach Events for April

* MITRE Information Assurance Sr. Luis Nunez will be a guest speaker on the
topic of Industry Collaboration in a webinar entitled "Automating Security
Compliance & Operations to Protect Critical Infrastructure" on April 9, 2013
from 1:00 pm - 2:00 pm, Eastern Daylight Time. Senior Director of Systems
Engineering, Federal, at Juniper Networks Tim LeMaster will also be a
speaker, and Bob Ackerman, SIGNAL Magazine Editor-in-Chief will be the
moderator. The event is sponsored by Juniper Networks. Discussion topics for
the webinar will include: why automation is essential to protect critical
network and computing infrastructures, cost-effective strategies for
improved secure information-sharing, how to start simplifying network
operations, and how network automation and orchestration are essential for
seamless workflow management. For more information and to register visit
http://www.afcea.org/signal/webinar.

* MITRE will host a booth about "Strengthening Cyber Defense" that includes
CVE at "InfoSec World Conference & Expo 2013" at Walt Disney World Swan and
Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn
how information security data standards facilitate both effective security
process coordination and the use of automation to assess, manage, and
improve the security posture of enterprise security information
infrastructures. Members of the CVE Team will be in attendance. Please stop
by Booth 313 and say hello!

Visit the CVE Calendar for information on these and other events.

LINKS:

Webinar Registration page -
https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=598489&sessionid=1&key=EB68744E7CDB8DD0384D9892F386CF5B&partnerref=signal1&sourcepage=register


InfoSec World 2013 - http://www.misti.com/infosecworld

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
HOT TOPIC:

CVE Editor's Commentary Page Updated

One new item has been added to the CVE-Specific section of the CVE Editor's
Commentary page in the CVE List section of the CVE Web site:
"'Context-dependent' and 'User-assisted' Terminology in CVE".

Other recent additions include: "CVE and 'weak' crypto," "CVE abstraction
choices and the Linux kernel," and "CVE Guidance for Libraries and
Resource-Consumption DoS."

The CVE Editor's Commentary page includes opinion and commentary about
vulnerabilities, software assurance, and related topics by CVE List Editor
Steve Christey. Posts are either Community Issues or CVE-Specific.

LINKS:

CVE Editor's Commentary page - http://cve.mitre.org/cve/edcommentary.html

"'Context-dependent' and 'User-assisted' Terminology in CVE" -
http://www.attrition.org/pipermail/vim/2013-March/002647.html

"CVE and 'weak' crypto" -
http://www.openwall.com/lists/oss-security/2013/03/12/5

"CVE abstraction choices and the Linux kernel" -
http://www.openwall.com/lists/oss-security/2013/03/08/6

"CVE Guidance for Libraries and Resource-Consumption DoS" -
http://www.openwall.com/lists/oss-security/2013/02/21/2

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Editorial Board Meeting Minutes Now Available

Read these stories and more news at http://cve.mitre.org/news


Thursday, March 14, 2013

CVE Announce - March 14, 2013 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/March 14, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Hot Topic #1
3. Hot Topic #2
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

MITRE to Host CVE Booth at "InfoSec World 2013," April 15-17, 2013

MITRE will host a booth about "Strengthening Cyber Defense" that includes
CVE at "InfoSec World Conference & Expo 2013" at Walt Disney World Swan and
Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn
how information security data standards facilitate both effective security
process coordination and the use of automation to assess, manage, and
improve the security posture of enterprise security information
infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 313 and
say hello!

Visit the CVE Calendar for information on this and other events.

LINKS:

InfoSec World 2013 - http://www.misti.com/infosecworld

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
HOT TOPIC #1:

CVE Editor's Commentary Page Updated

Three new items have been added to the CVE-Specific section of the CVE
Editor's Commentary page in the CVE List section of the CVE Web site: "CVE
and 'weak' crypto," "CVE abstraction choices and the Linux kernel," and "CVE
Guidance for Libraries and Resource-Consumption DoS."

The CVE Editor's Commentary page includes opinion and commentary about
vulnerabilities, software assurance, and related topics by CVE List Editor
Steve Christey. Posts are either Community Issues or CVE-Specific.

LINKS:

CVE Editor's Commentary page - http://cve.mitre.org/cve/edcommentary.html

"CVE and 'weak' crypto" -
http://www.openwall.com/lists/oss-security/2013/03/12/5

"CVE abstraction choices and the Linux kernel" -
http://www.openwall.com/lists/oss-security/2013/03/08/6

"CVE Guidance for Libraries and Resource-Consumption DoS" -
http://www.openwall.com/lists/oss-security/2013/02/21/2

---------------------------------------------------------------
HOT TOPIC #2:

CVE Editorial Board Meeting Minutes Now Available

Meeting minutes from the CVE Editorial Board teleconference meeting held on
January 8, 2013 are now available on the "CVE Editorial Board Email
Discussion List & Meetings Archive" page in the CVE Community section of the
CVE Web site.

LINKS:

CVE Editorial Board - http://cve.mitre.org/community/board/

Meeting minutes -
http://cve.mitre.org/data/board/archives/2013-02/msg00013.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* MITRE Hosts CVE Booth at "RSA Conference 2013"

Read these stories and more news at http://cve.mitre.org/news


Wednesday, March 6, 2013

CVE Announce - March 7, 2013 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/March 7, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE Compatibility Program Updates

ALTX-SOFT declared that its repository of Open Vulnerability and Assessment
Language (OVAL) content, ALTX-SOFT Ovaldb, is CVE-Compatible.

In addition, NetentSec, Inc. declared that its network application security
product, Next Generation Firewall (NGFW), will be CVE-Compatible.

For additional information about these and other CVE-Compatible products,
visit the CVE-Compatible Products and Services section of the CVE Web site
at http://cve.mitre.org/compatible/index.html.

LINKS:

ALTX-SOFT - http://altx-soft.com/

NetentSec - http://www.netentsec.com/

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE Compatibility Requirements -
http://cve.mitre.org/compatible/requirements.html

Make a Declaration - http://cve.mitre.org/compatible/make_a_declaration.html

---------------------------------------------------------------
UPCOMING EVENT:

MITRE to Host CVE Booth at "InfoSec World 2013," April 15-17, 2013

MITRE will host a booth about "Strengthening Cyber Defense" that includes CVE
at "InfoSec World Conference & Expo 2013" at Walt Disney World Swan and
Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn
how information security data standards facilitate both effective security
process coordination and the use of automation to assess, manage, and
improve the security posture of enterprise security information
infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 313 and
say hello!

Visit the CVE Calendar for information on this and other events.

LINKS:

InfoSec World 2013 - http://www.misti.com/infosecworld

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* MITRE Hosts CVE Booth at "RSA Conference 2013"

Read these stories and more news at http://cve.mitre.org/news


Monday, February 18, 2013

CVE Announce - February 18, 2013 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/February 18, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Hot Topic
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

MITRE to Host CVE Booth at "RSA Conference 2013," February 21-March 1, 2013

MITRE is scheduled to host a booth about "Strengthening Cyber Defense" that
includes CVE at "RSA Conference 2013" at the Moscone Center in San
Francisco, California, USA, on February 21-March 1, 2013. Attendees will
learn how information security data standards facilitate both effective
security process coordination and the use of automation to assess, manage,
and improve the security posture of enterprise security information
infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 2617 and
say hello!

Visit the CVE Calendar for information on this and other events.

LINKS:

RSA 2013 - http://www.rsaconference.com/events/2013/usa/

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
HOT TOPIC:

Call for Public Feedback on Upcoming CVE ID Syntax Change

Due to the increasing volume of public vulnerability reports, the Common
Vulnerabilities and Exposures (CVE) project will change the syntax of its
standard vulnerability identifiers so that CVE can track more than 10,000
vulnerabilities in a single year. The current syntax, CVE-YYYY-NNNN, only
supports a maximum of 9,999 unique identifiers per year.

Since a change in the ID syntax will affect many parties including end users
and vendors, the CVE project is soliciting feedback from the public before
making this change.

The public feedback period will continue through the "RSA Conference 2013,"
being held February 25 - March 1, 2013, where attendees will be able to
speak with CVE personnel from MITRE and members of the CVE Editorial Board.
After a formal Editorial Board vote, the final selection will be made and
the public will be notified, currently planned for March 2013.

The syntax change is scheduled to go into effect on January 1, 2014, so that
users will have enough time to change their processes and software to handle
the new ID syntax.

With guidance from the CVE Editorial Board, we have identified three options
for a new ID syntax, summarized as follows:

Option A (Year + 6 digits, with leading 0's)
* Examples: CVE-2014-000001, CVE-2014-009999, CVE-2014-123456

Option B (Year + arbitrary digits, no leading 0's except IDs 1 to 999)
* Examples: CVE-2014-0001, CVE-2014-54321, CVE-2014-123456

Option C (Year + arbitrary digits + check digit)
* Examples: CVE-2014-1-8, CVE-2014-9999-3, CVE-2014-123456-5

One of these options will be selected as the new syntax for CVE Identifiers.
More details are available here:
http://cve.mitre.org/data/board/archives/2013-01/msg00011.html.

If you wish to comment on any of these options, you can:

* Email your comment to cve-id-change@mitre.org, which is monitored by
MITRE's CVE Team members.
* Post to a new, public discussion list that is focused on the CVE ID
change. To subscribe, send an email to listserv@lists.mitre.org. In the body
of the email, type: subscribe CVE-ID-SYNTAX-DISCUSS-LIST
* Reply on any of the public mailing lists to which this announcement has
been posted (e.g., Bugtraq mailing list, oss-security mailing list,
CVE-Announce, etc.).

Due to the high volume of replies that we expect to receive, we will not be
able to respond to every email message; however, we will publish a summary
of responses.

LINKS:

Standard vulnerability identifiers - http://cve.mitre.org/cve/identifiers/

CVE Editorial Board - http://cve.mitre.org/community/board/#current_members

CVE-ID Syntax Change details -
http://cve.mitre.org/data/board/archives/2013-01/msg00011.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Editorial Board Holds Teleconference Meeting

Read these stories and more news at http://cve.mitre.org/news


Tuesday, January 22, 2013

CVE ID Syntax Change - Call for Public Feedback

CVE ID Syntax Change - Call for Public Feedback
-----------------------------------------------
January 22, 2013

Due to the increasing volume of public vulnerability reports, the
Common Vulnerabilities and Exposures (CVE) project will change the
syntax of its standard vulnerability identifiers so that CVE can track
more than 10,000 vulnerabilities in a single year. The current
syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique
identifiers per year.

Since a change in the ID syntax will affect many parties including end
users and vendors, the CVE project is soliciting feedback from the
public before making this change.

The public feedback period will continue through the RSA Conference in
February 2013, where attendees will be able to speak with CVE
personnel from MITRE and members of the CVE Editorial Board. After a
formal Editorial Board vote, the final selection will be made and the
public will be notified, probably in March 2013.

The syntax change is scheduled to go into effect on January 1, 2014,
so that people will have enough time to change their processes and
software to handle the new ID syntax.

With guidance from the CVE Editorial Board, we have identified three
options for a new ID syntax, summarized as follows:

*) Option A (Year + 6 digits, with leading 0's)

Examples: CVE-2014-000001, CVE-2014-009999, CVE-2014-123456

*) Option B (Year + arbitrary digits, no leading 0's except IDs 1 to 999)

Examples: CVE-2014-0001, CVE-2014-54321, CVE-2014-123456

*) Option C (Year + arbitrary digits + check digit)

Examples: CVE-2014-1-8, CVE-2014-9999-3, CVE-2014-123456-5

One of these options will be selected as the new syntax for CVE
identifiers. More details are available at the end of this message.

If you wish to comment on any of these options, you can:

*) Email your comment to cve-id-change@mitre.org, which is
monitored by CVE team members at MITRE.

*) Post to a new, public discussion list that is focused on the CVE ID
change. To subscribe, send email to listserv@lists.mitre.org. In
the body of the email, type:

subscribe CVE-ID-SYNTAX-DISCUSS-LIST

*) Reply on any of the public mailing lists to which this announcement
has been posted.

Due to the high volume of replies that we expect to receive, we will
not be able to respond to every email message; however, we will
publish a summary of responses.

Thank you to the entire community for supporting CVE, and we look
forward to your feedback.

Regards,
The CVE Project


------------------------------------------------------------
Option A: Year + 6 digits, with leading 0's
------------------------------------------------------------

Example identifiers:

CVE-2014-000001, CVE-2014-000999, CVE-2014-001234, CVE-2014-009999,
CVE-2014-010000, CVE-2014-054321, CVE-2014-099999,
CVE-2014-100000, CVE-2014-123456, CVE-2014-999999

Strengths:

This CVE ID syntax will seem familiar to consumers who are used to
the old-style syntax from 1999 through 2013, since there are 6
digits instead of 4. This might make adoption easier and minimize
confusion.

The syntax would avoid some ID parsing problems that could occur
with the other schemes, such as inadvertent truncation or
fixed-length assumptions that would cause the wrong ID to be
extracted. It would also support the use of multiple consecutive
IDs that can be easily sorted and displayed without special logic.
The fixed length might be a desirable property to some consumers or
CVE-processing implementers; the other options have variable-length
IDs.

Some CVE-processing software that automatically extracts or
publishes CVE identifiers might not need to be changed, if it
already assumes that more than 4 digits could be used.

There will be enough IDs to support up to 1 million vulnerabilities
per year. This is effectively future-proof for CVE, because CVE's
scope is expected to remain largely restricted to vulnerabilities
that have been analyzed by humans. If more than 1 million IDs are
required, this would represent such a large paradigm shift in
vulnerability disclosure and tracking that the entire industry would
not be able to manage the volume using today's practices.

Limitations:

Immediately upon the first publication of an ID using this syntax,
many CVE programs that assume the old-style syntax would stop
functioning correctly.

The larger number of digits could increase the risk of typos,
especially with the leading zeroes. Some consumers might
intentionally remove leading zeroes, assuming the old-style 4-digit
number.



---------------------------------------------------------------------
Option B: Year + arbitrary digits, no leading 0's except IDs 1 to 999
---------------------------------------------------------------------

Note: in this option, extra digits would not be added until at least
10,000 IDs are needed. When necessary, only one additional digit is
added. For IDs 1 through 999, leading 0's would be used to expand the
number to use 4 digits.

Example identifiers:

CVE-2014-0001, CVE-2014-0999, CVE-2014-1234, CVE-2014-9999,
CVE-2014-10000, CVE-2014-54321, CVE-2014-99999,
CVE-2014-100000, CVE-2014-123456, CVE-2014-999999, CVE-2014-1234567

Strengths:

This CVE ID syntax will seem familiar to consumers who are used to
the old-style syntax from 1999 through 2013; the numeric portion
will just contain extra digits. This might make adoption easier and
minimize confusion.

The initial change to 5 digits would support up to 100,000
identifiers in a single year; 6 digits would support up to 1 million
identifiers per year.

Some CVE-processing software that automatically extracts or
publishes CVE identifiers might not need to be changed, if it
already assumes that more than 4 digits could be used.

The ID syntax will not have an obvious change until 10,000
identifiers are needed, which might give extra time to CVE users to
adjust to a syntax change. (Note that CVE might not require 10,000
identifiers this year.)

Limitations:

The ID does not have a fixed length, and ID parsing errors are
likely. Some CVE programs would incorrectly truncate IDs because of
the assumption of 4 digits, which would cause confusion and incorrect
mappings. For example, CVE-2014-123456 might be truncated as
CVE-2014-1234, which would identify a completely different
vulnerability.

This syntax is less "future-proof" than others. If a change is
needed from 5 digits to 6, some CVE-processing software might break
because of built-in assumptions about 5 digits. Thus, for this
option, there would be two different periods of transition of the
CVE ID syntax: the transition to 5 digits, and the transition to 6
digits. However, the second transition would be less severe, since
it would only affect implementations that were not correctly fixed
in the first transition. Option C would only have one transition,
and Option A would only have one transition unless there is a
radical change in vulnerability disclosure practices that would
require more than 1 million IDs a year.

Because there is no apparent change to the syntax until 10,000 IDs
are needed, this might prevent some CVE implementers from making
changes until it is too late and the change has already happened.


------------------------------------------------------------
Option C: Year + arbitrary digits + check digit
------------------------------------------------------------

Note: the ID would consist of the year, a hyphen, a sequence number of
1 or more digits, another hyphen, and a single check digit calculated
using the Luhn Check Digit Algorithm, which is used in other
identification schemes such as credit card numbers. This syntax is
similar to that used by the Common Configuration Enumeration (CCE);
see http://cce.mitre.org/about/faqs.html#B2 for more information.

Example identifiers:

CVE-2014-1-8, CVE-2014-999-3, CVE-2014-1234-3, CVE-2014-9999-3,
CVE-2014-10000-8, CVE-2014-54321-5, CVE-2014-123456-5,
CVE-2014-999999-5, CVE-2014-1234567-4

Strengths:

This ID syntax supports arbitrary numbers of vulnerabilities, and as
a result, it is future-proof. The trailing hyphen and check digit
serve as an unambiguous boundary that clearly decomposes the ID into
three distinct parts, regardless of length. CVE implementations
that conform to this syntax would not need to be changed when the
number of digits changes.

The check digit would be useful for automatically detecting typos in
identifiers. Because of the widespread use of CVE, identifier typos
cause significant confusion and maintenance costs to resolve,
although the frequency with which this occurs is not clear. Since
there is a trend towards large-scale automation for managing
vulnerabilities, the check digit would be very useful as part of a
data integrity check of CVE IDs during computer-to-computer
interaction.

Limitations:

Immediately upon the first publication of an ID using this syntax,
many CVE programs that assume the old-style syntax would stop
functioning correctly.

This ID syntax is the most radical change to the old-style syntax.
It could cause confusion among CVE consumers who are unaware of the
syntax change, since "CVE-2014-1-1" would appear to be a malformed
ID compared to the old-style ID.

Compared to other options, this ID would be more difficult to use in
human-to-human communications.

Parties who are familiar with the old-style ID syntax might
inadvertently omit the check digit. This could increase
implementation costs or reduce usability for implementations that
assume that IDs have the check digit.
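As an added worked example (not code from MITRE or the CVE project), the Python below validates identifiers against the old-style syntax and Options A, B and C as summarized above, reproduces the check digits of the Option C example identifiers, and shows the 4-digit truncation described under the Option B limitations. It assumes that the Luhn payload is the year digits followed by the sequence digits (the one assumption that reproduces every Option C example in this message); the pattern and function names and the sample advisory text are constructed for this example.

```python
import re

# Added example, not code from MITRE or the CVE project: validators for the
# old-style CVE-ID syntax and the three proposed 2014 syntaxes (A, B, C).

# Whole-string patterns for each syntax.
OLD_STYLE = re.compile(r"^CVE-(\d{4})-(\d{4})$")              # 1999-2013: CVE-YYYY-NNNN
OPTION_A = re.compile(r"^CVE-(\d{4})-(\d{6})$")               # fixed 6 digits, leading 0s
OPTION_B = re.compile(r"^CVE-(\d{4})-(\d{4}|[1-9]\d{4,})$")   # 4 digits, then no leading 0s
OPTION_C = re.compile(r"^CVE-(\d{4})-([1-9]\d*)-(\d)$")       # sequence + Luhn check digit

SYNTAXES = {"old": OLD_STYLE, "A": OPTION_A, "B": OPTION_B, "C": OPTION_C}


def matching_syntaxes(cve_id):
    """Names of the syntaxes an identifier is well-formed under (an ID can match several)."""
    return [name for name, pat in SYNTAXES.items() if pat.match(cve_id)]


def luhn_check_digit(payload):
    """Luhn check digit for a string of decimal digits (payload excludes the check digit).
    Starting from the rightmost payload digit, every other digit is doubled and digit-summed."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:        # the rightmost payload digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9        # same as summing the two digits of d
        total += d
    return (10 - total % 10) % 10


def make_option_c_id(year, seq):
    """Build an Option C identifier.  Assumption (it reproduces every Option C example
    in the announcement): the Luhn payload is the year digits followed by the sequence
    digits, e.g. "20141" for sequence 1 of 2014, giving CVE-2014-1-8."""
    payload = f"{year}{seq}"
    return f"CVE-{year}-{seq}-{luhn_check_digit(payload)}"


def verify_option_c_id(cve_id):
    """True only if the ID is well-formed under Option C and its check digit is right.
    A mistyped or transposed digit changes the expected check digit, so it is rejected."""
    m = OPTION_C.match(cve_id)
    if not m:
        return False
    year, seq, check = m.groups()
    return luhn_check_digit(year + seq) == int(check)


# Extraction from free text, the situation the Option B limitations describe.
NAIVE_EXTRACT = re.compile(r"CVE-\d{4}-\d{4}")          # old-style assumption: exactly 4 digits
SAFE_EXTRACT = re.compile(r"\bCVE-\d{4}-\d{4,}\b")      # any number of digits, whole token only
OPTION_C_EXTRACT = re.compile(r"\bCVE-\d{4}-\d+-\d\b")  # hyphen + check digit bound the sequence


def extract_naive(text):
    """What a program that still assumes 4 digits pulls out of a document."""
    return NAIVE_EXTRACT.findall(text)


def extract_safe(text):
    """Length-agnostic extraction for old-style, Option A and Option B identifiers."""
    return SAFE_EXTRACT.findall(text)


def extract_option_c(text):
    """Extraction for Option C identifiers; the trailing hyphen and check digit mark the end."""
    return OPTION_C_EXTRACT.findall(text)


if __name__ == "__main__":
    # Constructed sample advisory text, not taken from any real advisory.
    advisory_b = "Fixed in CVE-2014-123456 and CVE-2014-0001."
    print(extract_naive(advisory_b))   # ['CVE-2014-1234', 'CVE-2014-0001']  <- truncated
    print(extract_safe(advisory_b))    # ['CVE-2014-123456', 'CVE-2014-0001']
    advisory_c = "Fixed in CVE-2014-123456-5 and CVE-2014-1-8."
    print(extract_option_c(advisory_c))  # ['CVE-2014-123456-5', 'CVE-2014-1-8']
    print(matching_syntaxes("CVE-2014-123456"))  # ['A', 'B']  (ambiguous between A and B)
    print(make_option_c_id(2014, 1234567))       # CVE-2014-1234567-4
    print(verify_option_c_id("CVE-2014-54312-5"))  # False (digits 2 and 1 transposed)
```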

Friday, January 18, 2013

CVE Announce - January 18, 2013 (opt-in newsletter from the CVE Web site)


Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/January 18, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Also in this Issue
3. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

MITRE Announces Initial "Making Security Measurable" Calendar of Events for
2013

MITRE has announced its initial Making Security Measurable calendar of
events for 2013. Details regarding MITRE's scheduled participation at these
events are noted on the CVE Calendar page. Each listing includes the event
name with URL, date of the event, location, and a description of our
activity at the event.

"RSA Conference 2013," February 21-March 1, 2013
"InfoSec World Conference & Expo 2013," April 15-17, 2013
"Black Hat Briefings 2013," July 27-August 1, 2013

Other events may be added throughout the year. Visit the CVE Calendar for
information or contact cve@mitre.org to have MITRE present a briefing or
participate in a panel discussion about CVE, OVAL, CWE, CWSS, CWRAF, CAPEC,
MAEC, Software Assurance, Making Security Measurable, and/or CybOX, STIX,
and TAXII at your event.

LINKS:

Making Security Measurable - http://measurablesecurity.mitre.org

Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/

Open Vulnerability and Assessment Language (OVAL) - http://oval.mitre.org/

Common Weakness Enumeration (CWE) - http://cwe.mitre.org

Common Weakness Scoring System (CWSS) - http://cwe.mitre.org/cwss

Common Weakness Risk Analysis Framework (CWRAF) - http://cwe.mitre.org/cwraf

Common Attack Pattern Enumeration and Classification (CAPEC) -
http://capec.mitre.org/

Malware Attribute Enumeration and Characterization (MAEC) -
http://maec.mitre.org/

Software Assurance - http://cwe.mitre.org/community/swa/index.html

Cyber Observable Expression (CybOX) - http://cybox.mitre.org/

Structured Threat Information Expression (STIX) - http://stix.mitre.org/

Trusted Automated eXchange of Indicator Information (TAXII) -
http://taxii.mitre.org/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* 2 Products from Huawei Technologies Now Registered as Officially
"CVE-Compatible"

* Opzoon Technology Makes Three Declarations of CVE Compatibility

* Mozilla and Symantec Added as CVE Numbering Authorities (CNAs)

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Copyright 2013, The MITRE Corporation. CVE and the CVE logo are registered
trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more about
Making Security Measurable at http://measurablesecurity.mitre.org.