Thursday, March 21, 2013

CVE Announce - March 21, 2013 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email
newsletter is designed to bring recent news about CVE, such as new versions,
upcoming conferences, new Web site features, etc. right to your email box.
Common Vulnerabilities and Exposures (CVE) is the standard for information
security vulnerability names. CVE content results from the collaborative
efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on
subscribing (and unsubscribing) to the email newsletter are at the end.
Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/March 21, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Events
3. Hot Topic
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE List Surpasses 55,000 CVE Identifiers!

The CVE Web site now contains 55,027 unique information security issues with
publicly known names. CVE, which began in 1999 with just 321 common names on
the CVE List, is considered the international standard for public software
vulnerability names. Information security professionals and product vendors
from around the world use CVE Identifiers (CVE-IDs) as a standard method for
identifying vulnerabilities, and for cross-linking among products, services,
and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the
numerous CVE-Compatible Products and Services in use throughout industry,
government, and academia for vulnerability management, vulnerability
alerting, intrusion detection, and patch management. Major OS vendors and
other organizations from around the world also include CVE-IDs in their
security alerts to ensure that the international community benefits by
having the identifiers as soon as a problem is announced. In addition,
CVE-IDs have been used to identify vulnerabilities in the SANS Top Cyber
Security Risks threat list since its inception in 2000.

CVE has also inspired new efforts. MITRE's Common Weakness Enumeration (CWE)
dictionary of software weakness types is based in part on the CVE List, and
its Open Vulnerability and Assessment Language (OVAL) effort uses CVE-IDs
for its standardized OVAL Vulnerability Definitions that test systems for
the presence of CVEs. In addition, the U.S. National Vulnerability Database
(NVD) of CVE fix information, which is synchronized with and based on the
CVE List, also includes Security Content Automation Protocol (SCAP) content.
SCAP
employs community standards to enable "automated vulnerability management,
measurement, and policy compliance evaluation (e.g., FISMA compliance)," and
CVE is one of the existing open standards SCAP uses for enumerating,
evaluating, and measuring the impact of software problems and reporting
results.

And in 2011, the International Telecommunication Union's (ITU-T)
Cybersecurity Rapporteur Group, which is the telecom/information system
standards body within the treaty-based 150-year-old intergovernmental
organization, adopted CVE as a part of its new "Global Cybersecurity
Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T
X.1520 Common Vulnerabilities and Exposures (CVE). The Recommendation is
based upon CVE's current Compatibility Requirements, and any future changes
to the document will be reflected in subsequent updates to X.CVE.

Each of the 55,000+ identifiers on the CVE List includes the following: CVE
Identifier number (read about the upcoming CVE Identifier Syntax Change at
http://cve.mitre.org/news/index.html#jan242013a); brief description of the
security vulnerability; and pertinent references such as vulnerability
reports and advisories or OVAL-ID. Visit the CVE List page to download the
complete list in various formats or to look up an individual identifier. Fix
information and enhanced searching of CVE is available from NVD.

LINKS:

CVE List - http://cve.mitre.org/cve/

About CVE Identifiers - http://cve.mitre.org/cve/identifiers/index.html

Upcoming CVE-IDs Syntax Change -
http://cve.mitre.org/data/board/archives/2013-01/msg00011.html

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/

CVE Compatibility Requirements -
http://cve.mitre.org/compatible/requirements.html

Security Alerts including CVE-IDs -
http://cve.mitre.org/compatible/alerts_announcements.html

NVD - http://nvd.nist.gov/

SCAP - http://scap.nist.gov/

CWE - http://cwe.mitre.org/

OVAL - http://oval.mitre.org/

ITU-T X.1520 Recommendation for CVE -
http://www.itu.int/rec/T-REC-X.1520-201104-I/en

---------------------------------------------------------------
UPCOMING EVENTS:

Outreach Events for April

* MITRE Information Assurance Sr. Luis Nunez will be a guest speaker on the
topic of Industry Collaboration in a webinar entitled "Automating Security
Compliance & Operations to Protect Critical Infrastructure" on April 9, 2013
from 1:00 pm - 2:00 pm, Eastern Daylight Time. Senior Director of Systems
Engineering, Federal, at Juniper Networks Tim LeMaster will also be a
speaker, and Bob Ackerman, SIGNAL Magazine Editor-in-Chief will be the
moderator. The event is sponsored by Juniper Networks. Discussion topics for
the webinar will include: why automation is essential to protect critical
network and computing infrastructures, cost-effective strategies for
improved secure information-sharing, how to start simplifying network
operations, and how network automation and orchestration are essential for
seamless workflow management. For more information and to register visit
http://www.afcea.org/signal/webinar.

* MITRE will host a booth about "Strengthening Cyber Defense" that includes
CVE at "InfoSec World Conference & Expo 2013" at Walt Disney World Swan and
Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn
how information security data standards facilitate both effective security
process coordination and the use of automation to assess, manage, and
improve the security posture of enterprise security information
infrastructures. Members of the CVE Team will be in attendance. Please stop
by Booth 313 and say hello!

Visit the CVE Calendar for information on these and other events.

LINKS:

Webinar Registration page -
https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=598489&sessionid=1&key=EB68744E7CDB8DD0384D9892F386CF5B&partnerref=signal1&sourcepage=register


InfoSec World 2013 - http://www.misti.com/infosecworld

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
HOT TOPIC:

CVE Editor's Commentary Page Updated

One new item has been added to the CVE-Specific section of the CVE Editor's
Commentary page in the CVE List section of the CVE Web site:
"'Context-dependent' and 'User-assisted' Terminology in CVE".

Other recent additions include: "CVE and 'weak' crypto," "CVE abstraction
choices and the Linux kernel," and "CVE Guidance for Libraries and
Resource-Consumption DoS."

The CVE Editor's Commentary page includes opinion and commentary about
vulnerabilities, software assurance, and related topics by CVE List Editor
Steve Christey. Posts are either Community Issues or CVE-Specific.

LINKS:

CVE Editor's Commentary page - http://cve.mitre.org/cve/edcommentary.html

"'Context-dependent' and 'User-assisted' Terminology in CVE" -
http://www.attrition.org/pipermail/vim/2013-March/002647.html

"CVE and 'weak' crypto" -
http://www.openwall.com/lists/oss-security/2013/03/12/5

"CVE abstraction choices and the Linux kernel" -
http://www.openwall.com/lists/oss-security/2013/03/08/6

"CVE Guidance for Libraries and Resource-Consumption DoS" -
http://www.openwall.com/lists/oss-security/2013/02/21/2

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Editorial Board Meeting Minutes Now Available

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Boyle, Information Security Technical Center. Writer:
Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and
provides impartial technical guidance to the CVE Editorial Board on all
matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message
and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org. To
subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2013, The MITRE Corporation. CVE and the CVE logo are registered
trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.

Learn more about Making Security Measurable at
http://measurablesecurity.mitre.org and Strengthening Cyber Defense at
http://www.mitre.org/work/cybersecurity/cyber_standards.html.

Thursday, March 14, 2013

CVE Announce - March 14, 2013 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/March 14, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Hot Topic #1
3. Hot Topic #2
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

MITRE to Host CVE Booth at "InfoSec World 2013," April 15-17, 2013

MITRE will host a booth about "Strengthening Cyber Defense" that includes
CVE at "InfoSec World Conference & Expo 2013" at Walt Disney World Swan and
Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn
how information security data standards facilitate both effective security
process coordination and the use of automation to assess, manage, and
improve the security posture of enterprise security information
infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 313 and
say hello!

Visit the CVE Calendar for information on this and other events.

LINKS:

InfoSec World 2013 - http://www.misti.com/infosecworld

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
HOT TOPIC #1:

CVE Editor's Commentary Page Updated

Three new items have been added to the CVE-Specific section of the CVE
Editor's Commentary page in the CVE List section of the CVE Web site: "CVE
and 'weak' crypto," "CVE abstraction choices and the Linux kernel," and "CVE
Guidance for Libraries and Resource-Consumption DoS."

The CVE Editor's Commentary page includes opinion and commentary about
vulnerabilities, software assurance, and related topics by CVE List Editor
Steve Christey. Posts are either Community Issues or CVE-Specific.

LINKS:

CVE Editor's Commentary page - http://cve.mitre.org/cve/edcommentary.html

"CVE and 'weak' crypto" -
http://www.openwall.com/lists/oss-security/2013/03/12/5

"CVE abstraction choices and the Linux kernel" -
http://www.openwall.com/lists/oss-security/2013/03/08/6

"CVE Guidance for Libraries and Resource-Consumption DoS" -
http://www.openwall.com/lists/oss-security/2013/02/21/2

---------------------------------------------------------------
HOT TOPIC #2:

CVE Editorial Board Meeting Minutes Now Available

Meeting minutes from the CVE Editorial Board teleconference meeting held on
January 8, 2013 are now available on the "CVE Editorial Board Email
Discussion List & Meetings Archive" page in the CVE Community section of the
CVE Web site.

LINKS:

CVE Editorial Board - http://cve.mitre.org/community/board/

Meeting minutes -
http://cve.mitre.org/data/board/archives/2013-02/msg00013.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* MITRE Hosts CVE Booth at "RSA Conference 2013"

Read these stories and more news at http://cve.mitre.org/news


Wednesday, March 6, 2013

CVE Announce - March 7, 2013 (opt-in newsletter from the CVE Web site)

-------------------------------------------------------
CVE-Announce e-newsletter/March 7, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE Compatibility Program Updates

ALTX-SOFT declared that its repository of Open Vulnerability and Assessment
Language (OVAL) content, ALTX-SOFT Ovaldb, is CVE-Compatible.

In addition, NetentSec, Inc. declared that its network application security
product, Next Generation Firewall (NGFW), will be CVE-Compatible.

For additional information about these and other CVE-Compatible products,
visit the CVE-Compatible Products and Services section of the CVE Web site
at http://cve.mitre.org/compatible/index.html.

LINKS:

ALTX-SOFT - http://altx-soft.com/

NetentSec - http://www.netentsec.com/

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE Compatibility Requirements -
http://cve.mitre.org/compatible/requirements.html

Make a Declaration - http://cve.mitre.org/compatible/make_a_declaration.html

---------------------------------------------------------------
UPCOMING EVENT:

MITRE to Host CVE Booth at "InfoSec World 2013," April 15-17, 2013

MITRE will host a booth about "Strengthening Cyber Defense" that includes CVE
at "InfoSec World Conference & Expo 2013" at Walt Disney World Swan and
Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn
how information security data standards facilitate both effective security
process coordination and the use of automation to assess, manage, and
improve the security posture of enterprise security information
infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 313 and
say hello!

Visit the CVE Calendar for information on this and other events.

LINKS:

InfoSec World 2013 - http://www.misti.com/infosecworld

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* MITRE Hosts CVE Booth at "RSA Conference 2013"

Read these stories and more news at http://cve.mitre.org/news
