Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new versions, upcoming conferences, new Web site features, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for information security vulnerability names. CVE content results from the collaborative efforts of the CVE Editorial Board, which is comprised of leading representatives from the information security community. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/November 21, 2014
-------------------------------------------------------
Contents:
1. FINAL NOTICE: CVE-ID in New Numbering Format with 5 Digits to Be Assigned Within Weeks
2. Technical Guidance & Test Data Available for Updating to the New CVE-ID Format
3. WPScan Makes Declaration of CVE Compatibility
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
FINAL NOTICE: CVE-ID in New Numbering Format with 5 Digits to Be Assigned Within Weeks
The total number of CVE-IDs assigned in 2014 has surpassed 9,000, indicating that a CVE-ID number in the new CVE-ID numbering format with 5 digits (e.g., CVE-2014-XXXXX) will be issued before the middle-to-end of December 2014.
However, if not issued before the end of December, a CVE-ID with 5 digits will definitely be issued no later than Tuesday, January 13, 2015 (read our press release). The new format provides for arbitrary digits at the end as needed (e.g., CVE-2014-XXXXXX with 6 digits at the end, CVE-2014-XXXXXXX with 7 digits at the end, and so on), but we expect to only reach CVE-ID numbers with 5 digits at the end this calendar year.
Please report any problems, or anticipated problems, that you encounter with CVE-IDs issued in the new format to cve-id-change@mitre.org.
LINKS:
CVE-ID numbering format change -
https://cve.mitre.org/cve/identifiers/syntaxchange.html
Press Release -
http://www.mitre.org/news/press-releases/leading-software-vendors-and-cybersecurity-organizations-among-early-adopters-of
CVE News page article -
https://cve.mitre.org/news/index.html#november202014_FINAL_NOTICE_CVE_ID_in_New_Numbering_Format_with_5_Digits_to_Be_Assigned_Within_Weeks
---------------------------------------------------------------
Technical Guidance & Test Data Available for Updating to the New CVE-ID Format
The format for CVE-IDs changed in January 2014, and CVE-IDs which previously could only have four fixed digits at the end, e.g., "CVE-2014-0160", can now accommodate five, six, or more digits at the end. The deadline when a 5-digit CVE-ID will be issued is rapidly approaching. Organizations that do not update to the new CVE-ID format risk the possibility that their products and services could break or report inaccurate vulnerability identifiers, which could significantly impact users' vulnerability management practices.
To make it easy to update, the CVE Web site provides free technical guidance and CVE test data for developers and consumers to use to verify that their products and services will work correctly. In addition, for those who use National Vulnerability Database (NVD) data, NIST provides test data in NVD format at http://nvd.nist.gov/cve-id-syntax-change.
Comments or concerns about this guidance and/or the test data are welcome at cve-id-change@mitre.org.
LINKS:
CVE-ID numbering format change -
https://cve.mitre.org/cve/identifiers/syntaxchange.html
Technical guidance -
https://cve.mitre.org/cve/identifiers/tech-guidance.html
Test data -
https://cve.mitre.org/cve/identifiers/tech-guidance.html#test_data
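The breakage described in this item, as an added example (not code from MITRE or from the CVE technical guidance): a matcher that assumes four fixed digits truncates longer CVE-IDs, and plain string sorting misorders them. The five- and six-digit IDs below are constructed sample values, and the function names are hypothetical.

```python
import re

# Legacy assumption: exactly four digits after the year.
LEGACY = re.compile(r"CVE-\d{4}-\d{4}")

# Updated pattern: four OR MORE digits, with boundary checks so a longer
# digit run is never cut short and no partial token is matched.
CURRENT = re.compile(r"(?<![A-Za-z0-9-])CVE-(\d{4})-(\d{4,})(?![0-9])")


def extract_legacy(text):
    """Return CVE-IDs as a four-digit-only tool would report them."""
    return LEGACY.findall(text)


def extract_current(text):
    """Return CVE-IDs using the variable-length sequence number."""
    return [m.group(0) for m in CURRENT.finditer(text)]


def sort_key(cve_id):
    """Numeric (year, sequence) key; string comparison misorders 5+ digits."""
    m = CURRENT.fullmatch(cve_id)
    if m is None:
        raise ValueError(f"not a CVE-ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


# Constructed advisory text: one 4-digit ID plus made-up 5- and 6-digit IDs.
SAMPLE = "Fixed CVE-2014-0160 and CVE-2014-10000; see also CVE-2014-123456."

if __name__ == "__main__":
    # The legacy matcher silently reports identifiers that are wrong.
    print("legacy :", extract_legacy(SAMPLE))
    print("current:", extract_current(SAMPLE))

    ids = ["CVE-2014-10000", "CVE-2014-9999", "CVE-2014-0160"]
    print("string sort :", sorted(ids))
    print("numeric sort:", sorted(ids, key=sort_key))
```

The same check applies to storage: a fixed-width column sized for 13 characters truncates these IDs in the same way the legacy pattern does.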
---------------------------------------------------------------
WPScan Makes Declaration of CVE Compatibility
WPScan declared that its WPScan Vulnerability Database is CVE-Compatible.
For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.
LINKS:
WPScan -
https://wpvulndb.com/
CVE-Compatible Products and Services -
https://cve.mitre.org/compatible/
Process -
https://cve.mitre.org/compatible/process.html
Make a Declaration -
https://cve.mitre.org/compatible/make_a_declaration.html
CVE News page article -
https://cve.mitre.org/news/index.html#november202014_WPScan_Makes_Declaration_of_CVE_Compatibility
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Increase in Web Browser Vulnerabilities in 2014 on ZDNet.com
* CVE Mentioned throughout Article about Microsoft's November Patch Tuesday on eWeek.com
* CVE Mentioned in Article about a Vulnerability Undetected for 19 Years on NewsFactor.com
* CVE Identifier "CVE-2014-3704" Cited in Numerous Security Advisories and News Media References about Drupal SQL Injection Vulnerability
* CVE Identifier "CVE-2014-8346" Cited in Numerous Security Advisories and News Media References about Zero-Day Samsung Remote Lock Vulnerability
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board on all matters related to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-list", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2014, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.
Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and Strengthening Cyber Defense at http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-resources/standards.
