Friday, July 19, 2013

CVE Announce - July 19, 2013 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email
newsletter is designed to bring recent news about CVE, such as new versions,
upcoming conferences, new Web site features, etc. right to your email box.
Common Vulnerabilities and Exposures (CVE) is the standard for information
security vulnerability names. CVE content results from the collaborative
efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on
subscribing (and unsubscribing) to the email newsletter are at the end.
Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/July 19, 2013
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event
3. Hot Topic
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE-ID Syntax Change Voting Results

Voting on the CVE Identifier (CVE-ID) Syntax Change is now complete and the
CVE Editorial Board has determined that the new CVE-ID syntax taking effect
on January 1, 2014 will be variable-length arbitrary digits.

This announcement is being made now so that users will have enough time to
change their processes and software to handle the new ID syntax.

NEW CVE-ID SYNTAX

The new CVE-ID Syntax is "CVE prefix + Year + Arbitrary Digits" and will
begin at four (4) fixed digits and expand with arbitrary digits only when
needed in a calendar year, for example, CVE-YYYY-NNNN with 4 digits, and if
needed CVE-YYYY-NNNNN with 5 digits, and so on. The year, or YYYY, indicates
the year the CVE-ID is issued to a CVE Numbering Authority (CNA) or when the
issue is first disclosed to the public.

This syntax selection also means there will be no changes needed to
previously assigned CVE-IDs, which all include 4 digits.

Examples of the New CVE-ID Syntax with 4, 5, and 7 digits are included
below:
CVE-2014-0001
CVE-2014-12345
CVE-2014-7654321
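As an added example (not part of the newsletter or of any CVE project code), the Python below shows what "change their processes and software to handle the new ID syntax" means in practice: validating, extracting and sorting identifiers that may carry more than four sequence digits, and why a fixed four-digit pattern silently truncates the longer IDs listed above. The advisory text it scans is a constructed sample.

```python
import re

# Pattern many pre-2014 tools assume: exactly four sequence digits.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# New syntax (effective 2014-01-01): four or more sequence digits. The
# anchors and \b keep a longer identifier from being shortened on match.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample advisory text (not a real advisory).
SAMPLE_ADVISORY = ("Fixes CVE-2014-0001, CVE-2014-12345 and CVE-2014-7654321 "
                   "(constructed sample).")


def parse_cve_id(text):
    """Return (year, sequence) for a well-formed CVE-ID, else None.

    Fewer than four sequence digits is never valid, so 'CVE-2014-123'
    is rejected; leading zeros are part of the ID string but not the number.
    """
    m = CVE_ID_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def legacy_extract(text):
    """Pull CVE-IDs out of free text the old way, to show the defect:
    'CVE-2014-12345' comes back as 'CVE-2014-1234', a different ID."""
    return LEGACY_CVE_RE.findall(text)


def extract_cve_ids(text):
    """Pull CVE-IDs out of free text without truncating long sequences."""
    return CVE_IN_TEXT_RE.findall(text)


def sort_cve_ids(ids):
    """Order by (year, sequence) numerically. A plain string sort would put
    CVE-2014-12345 before CVE-2014-2000 once sequences differ in length."""
    return sorted(ids, key=parse_cve_id)
```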

See the "CVE-ID Syntax Change Infographic" at
https://cve.mitre.org/cve/identifiers/cve-ids.html for an infographic
explaining the current (i.e., "old") CVE-ID Syntax versus the New CVE-ID
Syntax.

BACKGROUND

As initially announced in the January 24, 2013 article "Call for Public
Feedback on Upcoming CVE ID Syntax Change," due to the increasing volume of
public vulnerability reports, the CVE Editorial Board determined that the
Common Vulnerabilities and Exposures (CVE) project needed to change the
syntax of its standard vulnerability identifiers so that the CVE List can
track more than 10,000 vulnerabilities in a single year. The current syntax
of four fixed digits, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique
identifiers per year.

The initial plan called for a period of public feedback, followed by a
formal vote by members of the CVE Editorial Board. However, as explained in
the May 3, 2013 article "Status Update on the CVE ID Syntax Change," two
rounds of voting were required as the initial vote held by the Board in
April 2013 resulted in a tie. The initial vote was among three proposed
options, with the tie occurring between Option A that extended the available
numbering space to 6 digits, and Option B that extended the available
numbering space to an arbitrary number of digits (learn more about the
original three options at
https://cve.mitre.org/data/board/archives/2013-01/msg00011.html). After
discussion with the CVE Editorial Board, MITRE proposed dropping Option C
from consideration and holding a second vote with only two options, the
current Option B and a slightly modified Option A that extended the
available numbering space to 8 digits (learn more about the final two
options at https://cve.mitre.org/data/board/archives/2013-04/msg00074.html).
The second vote was held in May 2013 and resulted in "Option B, CVE prefix +
Year + Arbitrary Digits" winning the vote by receiving 15 of the 18 votes
cast.

Detailed discussions and votes by the CVE Editorial Board are included in
the "CVE Editorial Board Discussion Archive - June 2013," "CVE Editorial
Board Discussion Archive - April 2013," and "CVE Editorial Board Discussion
Archive - May 2013" discussion archives.

ADDITIONAL STATUS UPDATES

Additional information about the upcoming CVE-ID Syntax Change will be
posted on the CVE Web site in the coming months. In the meantime, please
address any comments or concerns to cve-id-change@mitre.org.

LINKS:

CVE Identifier (CVE-ID) Syntax Change page -
https://cve.mitre.org/cve/identifiers/syntaxchange.html

"CVE-ID Old Versus New Syntax Change Infographic" -
https://cve.mitre.org/cve/identifiers/cve-ids.html

CVE Editorial Board - https://cve.mitre.org/community/board/

CVE List - https://cve.mitre.org/cve/

CVE Numbering Authority (CNA) - https://cve.mitre.org/cve/cna.html

"Status Update on the CVE ID Syntax Change," May 3rd article -
https://cve.mitre.org/news/index.html#may032013a

"Call for Public Feedback on Upcoming CVE ID Syntax Change," January 24th
article - https://cve.mitre.org/news/index.html#jan242013a

CVE Editorial Board Discussion List Archives -
https://cve.mitre.org/community/board/archive.html#board_mail_list_archive

CVE Identifier (CVE-ID) Syntax Change FAQs -
https://cve.mitre.org/about/faqs.html#f

---------------------------------------------------------------
HOT TOPIC:

CVE-ID Syntax Change Infographic Now Available

An infographic explaining the Current (i.e., "old") CVE-ID Syntax versus the
New CVE-ID Syntax being implemented on January 1, 2014 is now available at
https://cve.mitre.org/cve/identifiers/cve-ids.html.

Please feel free to re-post the "CVE-ID Syntax Change Infographic" on your
website(s) and on social media as you wish, provided none of the information
is altered. Preferably the image would also link back to the
https://cve.mitre.org/cve/identifiers/syntaxchange.html page on the CVE Web
site.

The infographic is available for download in the following formats:

PNG - https://cve.mitre.org/cve/images/cve-ids.png
GIF - https://cve.mitre.org/cve/images/cve-ids.gif
EPS - https://cve.mitre.org/cve/images/cve-ids.eps

Please send any questions about the infographic to cve-id-change@mitre.org.

LINKS:

Infographic html - https://cve.mitre.org/cve/identifiers/cve-ids.html

News page article - https://cve.mitre.org/news/index.html#jul172013b

Infographic re-posting information -
https://cve.mitre.org/about/faqs.html#f9

---------------------------------------------------------------
UPCOMING EVENTS:

Briefing and Booth at "Black Hat Briefings 2013"

CVE Technical Lead Steven M. Christey will co-present a briefing with Open
Source Vulnerability Database (OSVDB) content manager Brian Martin entitled
"Buying into the Bias: Why Vulnerability Statistics Suck" on July 31, 2013
at "Black Hat Briefings 2013" at Caesar's Palace in Las Vegas, Nevada, USA.

In addition, MITRE will host a "Strengthening Cyber Defense" booth that
includes CVE at "Black Hat Briefings 2013" on July 27-August 1, 2013.
Attendees will learn how information security data standards facilitate both
effective security process coordination and the use of automation to assess,
manage, and improve the security posture of enterprise security information
infrastructures.

Members of the CVE Team will be in attendance so please stop by Booth 242
and say hello!

Visit the CVE Calendar for information on these and other events.

LINKS:

Black Hat Briefings 2013 - http://www.blackhat.com/us-13/

"Buying into the Bias: Why Vulnerability Statistics Suck" briefing -
https://www.blackhat.com/us-13/briefings.html#Martin

Strengthening Cyber Defense - http://www.mitre.org/work/cybersecurity/

CVE Calendar - https://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Mentioned in Article about Unreliable Vulnerability Data and
Statistics on "DarkReading.com"

* CVE Mentioned in Article about Self-Defending Networks on
"NetworkWorld.com"

* CVE Mentioned in Article about the OWASP Top 10 Security Flaws for 2013 on
"NetworkWorld.com"

* CVE Mentioned in Article about Security Automation on
"GovernmentComputerNews.com"

* CVE Compatibility Main Topic of Press Release by High-Tech Bridge SA

Read these stories and more news at https://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Boyle, Information Security Technical Center. Writer:
Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and
provides impartial technical guidance to the CVE Editorial Board on all
matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message
and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org. To
subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2013, The MITRE Corporation. CVE and the CVE logo are registered
trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
https://cve.mitre.org or send an email to cve@mitre.org.

Learn more about Making Security Measurable at
http://measurablesecurity.mitre.org and Strengthening Cyber Defense at
http://www.mitre.org/work/cybersecurity/cyber_standards.html.