Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new versions, upcoming conferences,
new Web site features, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for information security vulnerability names. CVE
content results from the collaborative efforts of the CVE Editorial Board, which is
comprised of leading representatives from the information security community. Details
on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel
free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/January 24, 2014
-------------------------------------------------------
Contents:
1. New CVE-ID Format in Effect as of January 1, 2014
2. CVE Now Available in CVRF Format
3. "CVE Data Sources and Product Coverage" Page Added to CVE Web Site
4. Compatibility Program Updates
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
New CVE-ID Format in Effect as of January 1, 2014
The new syntax for CVE Identifiers (CVE-IDs) took effect on January 1, 2014. The new
CVE-ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits
IMPORTANT: The variable length arbitrary digits will begin at four (4) fixed digits
and expand with arbitrary digits only when needed in a calendar year, for example,
CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also
means there will be no changes needed to previously assigned CVE-IDs, which all
include 4 digits.
Visit the "CVE-ID Syntax Change" page for additional information, and send any
comments or concerns to cve-id-change@mitre.org.
LINKS:
CVE-ID Syntax Change page - https://cve.mitre.org/cve/identifiers/syntaxchange.html
Syntax Change Infographic - https://cve.mitre.org/cve/identifiers/cve-ids.html
Syntax Change FAQs - https://cve.mitre.org/about/faqs.html#f
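Added example (not part of the original newsletter and not MITRE's code): what the variable-length syntax means for tools that extract, validate or sort CVE-IDs. A pattern that assumes exactly four digits silently truncates longer IDs into different, valid-looking ones. The function names and the sample IDs (placeholder year 9999) are constructed for illustration.

```python
import re

# Pre-2014 assumption: exactly four digits after the year.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}")
# 2014 syntax: four or more digits; lookarounds reject partial matches.
CVE_RE = re.compile(r"(?<![A-Za-z0-9-])CVE-(\d{4})-(\d{4,})(?![0-9])")


def extract_legacy(text):
    """Fixed-width extraction: silently truncates longer IDs."""
    return LEGACY_RE.findall(text)


def extract(text):
    """Variable-length extraction that returns complete IDs only."""
    return [m.group(0) for m in CVE_RE.finditer(text)]


def parse(cve_id):
    """Return (year, sequence) as ints, or raise ValueError."""
    m = CVE_RE.fullmatch(cve_id)
    if m is None:
        raise ValueError(f"not a CVE-ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def sort_ids(ids):
    """Order numerically; a plain string sort misplaces longer IDs."""
    return sorted(ids, key=parse)


# Constructed sample text; the IDs are placeholders, not real entries.
SAMPLE = "Fixed CVE-9999-0001, CVE-9999-12345 and CVE-9999-1234567."

if __name__ == "__main__":
    print("legacy :", extract_legacy(SAMPLE))
    print("current:", extract(SAMPLE))
    print("sorted :", sort_ids(extract(SAMPLE) + ["CVE-9999-9999"]))
```

Database columns, fixed-width report fields and input validators that were sized for 13-character IDs need the same review as the regular expressions.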
---------------------------------------------------------------
CVE Now Available in CVRF Format
The CVE List is now publishing CVE content using the Common Vulnerability Reporting
Framework (CVRF). Developed by the Industry Consortium for Advancement of Security on
the Internet (ICASI), CVRF is an XML-based standard that enables software
vulnerability information to be shared in a machine-parsable format between
vulnerability information providers and consumers.
CVRF is currently used by major vendors, including Red Hat, Inc., Microsoft
Corporation, Cisco Systems, Inc., and Oracle Corporation, which issue their security
advisories in CVRF format.
Having vulnerability information in a single, standardized format speeds up
information exchange and digestion, while also enabling automation.
Visit the "Download CVE" page to access CVE content in CVRF format, or the "CVE Usage
of CVRF" page to learn more.
LINKS:
MITRE News Release -
http://www.mitre.org/news/press-releases/cve-vulnerability-dictionary-to-adopt-the-common-vulnerability-reporting
CVRF - http://www.icasi.org/cvrf
Download CVE page - https://cve.mitre.org/data/downloads/index.html
CVE Usage of CVRF page - https://cve.mitre.org/cve/cvrf.html
---------------------------------------------------------------
"CVE Data Sources and Product Coverage" Page Added to CVE Web Site
A new "CVE Data Sources and Product Coverage" page has been added to the CVE List
section of the CVE Web site. The page details the sources that provide data to help
MITRE build the CVE List, and the "must have" product coverage as determined by the
CVE Editorial Board.
The previous "CVE Data Sources" page, for sources used from 1999 through 2013, has
been archived at https://cve.mitre.org/cve/data_sources.html.
LINKS:
CVE Data Sources and Product Coverage page -
https://cve.mitre.org/cve/data_sources_product_coverage.html
CVE Data Sources (Archived) page - https://cve.mitre.org/cve/data_sources.html
---------------------------------------------------------------
CVE Compatibility Program Updates
Four additional information security products from three organizations have achieved
the final stage of MITRE's formal CVE Compatibility Process and are now officially
"CVE-Compatible." Each product is now eligible to use the CVE-Compatible
Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements
Evaluation" questionnaire is posted for each product as part of the organization's
listing on the CVE-Compatible Products and Services page on the CVE Web site. A total
of 159 products to-date have been recognized as officially compatible.
The following 4 products are now registered as officially "CVE-Compatible":
Beijing Topsec Co., Ltd. -
* TopScanner
Cr0security -
* Cr0security Penetration Testing and Consultant Services
* Cr0security Certified Security Testing (CCST)
NetentSec, Inc. -
* NetentSec Next Generation Firewall
Use of the official CVE-Compatible logo will allow system administrators and other
security professionals to look for the logo when adopting vulnerability management
products and services for their enterprises, and the compatibility process
questionnaire will help end-users compare how different products and services satisfy
the CVE compatibility requirements, and therefore which specific implementations are
best for their networks and systems.
In addition, two organizations have made Declarations to Be CVE-Compatible for two
products: Hillstone Networks declared that its Hillstone Networks Intrusion Protection
System is CVE-Compatible, and ADTsys Cloud Security service will be CVE-Compatible.
For additional information about CVE compatibility and to review all products and
services listed, visit the CVE Compatibility Process and CVE-Compatible Products and
Services pages on the CVE Web site.
LINKS:
TopScanner - https://cve.mitre.org/compatible/questionnaires/159.html
Cr0security Penetration Testing and Consultant Services -
https://cve.mitre.org/compatible/questionnaires/156.html
Cr0security Certified Security Testing -
https://cve.mitre.org/compatible/questionnaires/157.html
NetentSec Next Generation Firewall -
https://cve.mitre.org/compatible/questionnaires/158.html
ADTsys Cloud Security service - https://cve.mitre.org/compatible/organizations.html#a
Hillstone Networks Intrusion Protection System -
https://cve.mitre.org/compatible/organizations.html#h
CVE Compatibility Process - https://cve.mitre.org/compatible/process.html
CVE Compatibility Requirements - https://cve.mitre.org/compatible/requirements.html
CVE-Compatible Products and Services - https://cve.mitre.org/compatible/
Make a Declaration - https://cve.mitre.org/compatible/make_a_declaration.html
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* New CVE Editorial Board Member for Microsoft Corporation
* New CVE Editorial Board Member for Cisco Systems, Inc.
* New CVE Editorial Board Member for National Institute of Standards and Technology
Read these stories and more news at https://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Information Security Technical Center. Writer: Bob
Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related to ongoing
development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy
the following text to the BODY of the message "SIGNOFF CVE-Announce-list", then send
the message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message:
"SUBSCRIBE CVE-Announce-List".
Copyright 2014, The MITRE Corporation. CVE and the CVE logo are registered trademarks
of The MITRE Corporation.
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or
send an email to cve@mitre.org.
Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and
Strengthening Cyber Defense at
http://www.mitre.org/work/cybersecurity/cyber_standards.html.