Tuesday, March 21, 2017

CVE Announce - March 21, 2017 (opt-in newsletter from the CVE website)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new website features, new CNAs, CVE in
the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is
the standard for cybersecurity vulnerability names. The CVE Board provides oversight and
input into CVE's strategic direction, ensuring CVE meets the vulnerability
identification needs of the technology community. CVE Numbering Authorities (CNAs) are
major OS vendors, security researchers, and research organizations that assign CVE
Identifiers (CVE IDs) to newly discovered issues without directly involving MITRE in the
details of the specific vulnerabilities, and include the CVE IDs in the first public
disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the
email newsletter are at the end. Please feel free to pass this newsletter on to
interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/March 21, 2017
-------------------------------------------------------

Contents:

1. Three Organizations Added as CVE Numbering Authorities (CNAs)
2. New CVE Blog Post: "Now you can easily comment on CVE Blog posts using our new
"CVE-CWE-CAPEC" page on LinkedIn"
3. CVE Launches "@CVEannounce" Twitter Feed
4. FOCUS ON: The Significance and Meaning of a CVE Identifier Marked as "RESERVED"
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

Three Organizations Added as CVE Numbering Authorities (CNAs)

Three additional organizations are now CVE Numbering Authorities (CNAs): Netgear, Inc.
for Netgear issues only; Flexera Software LLC for all Flexera products and
vulnerabilities discovered by Secunia Research that are not covered by another CNA; and
Qihoo 360 Technology Co., Ltd. for 360 Safeguard, 360 Mobile Safe, and 360 Safe Router
issues only.

CNAs are OS and product vendors, developers, security researchers, and research
organizations that assign CVE IDs to newly discovered issues without directly involving
MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the
first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 52 organizations
currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; Canonical;
CERT/CC; Check Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing
Project; Drupal.org; F5; Flexera Software; Fortinet; FreeBSD; Google; HackerOne; HP;
Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper;
KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE
(primary CNA); Mozilla; Netgear; Nvidia; Objective Development; OpenSSL; Oracle; Puppet;
Qihoo 360; Rapid 7; Red Hat; Silicon Graphics; Symantec; Talos; TIBCO; VMware; and
Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID
on the CVE website at https://cve.mitre.org/cve/request_id.html.

LINKS:

Netgear -
http://www.netgear.com/about/security/

Flexera Software -
https://www.flexerasoftware.com/

Qihoo 360 -
http://security.360.cn/

CNAs -
https://cve.mitre.org/cve/cna.html

Request a CVE ID from a CNA -
https://cve.mitre.org/cve/request_id.html

CVE News page articles -
https://cve.mitre.org/news/archives/2017/news.html#March142017_Flexera_Software_and_Netgear_Added_as_CVE_Numbering_Authorities_CNAs

https://cve.mitre.org/news/archives/2017/news.html#march092017_Qihoo_360_Added_as_CVE_Numbering_Authority_CNA

---------------------------------------------------------------
New CVE Blog Post: "Now you can easily comment on CVE Blog posts using our new
"CVE-CWE-CAPEC" page on LinkedIn"

We have created a CVE-CWE-CAPEC page on LinkedIn as an easy way for you to comment on
and share CVE Blog posts at https://www.linkedin.com/company/11033649.

Current and past CVE Blog content will be available there. Feel free to leave comments
on any of the older posts. Please use this new page to comment on, ask questions about,
and share our newest posts as we move forward. We will also be posting news items on the
LinkedIn page that may be of interest to you. Feel free to comment on, ask questions
about, and share these posts as well.

As you probably noted from the title of our new LinkedIn page above, it's not solely
about CVE. We also hope to encourage discussion about issues and topics related to
Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and
Classification (CAPEC). As with CVE, both CWE and CAPEC are community-driven
standardization projects addressing common needs among IT and cybersecurity
professionals, and we encourage you to visit their websites to check them out.

Finally, if you have any suggestions about what you want to see as future posts on the
new LinkedIn page, please let us know by commenting on any of the posts already
available there, or by contacting us directly at cve@mitre.org, cwe@mitre.org, or
capec@mitre.org.

Our new CVE-CWE-CAPEC page is available on LinkedIn at
https://www.linkedin.com/company/11033649.

Please stop by and say hello. We look forward to hearing from you.

LINKS:

CVE Blog post -
https://cve.mitre.org/blog/index.html#march092017_Now_you_can_easily_comment_on_CVE_Blog_posts_using_our_new_CVE_CWE_CAPEC_page_on_LinkedIn

CVE -
https://cve.mitre.org/

CWE -
https://cwe.mitre.org/

CAPEC -
https://capec.mitre.org/

CVE-CWE-CAPEC LinkedIn page -
https://www.linkedin.com/company/11033649

---------------------------------------------------------------
CVE Launches "@CVEannounce" Twitter Feed

Please follow our second Twitter account at https://twitter.com/CVEannounce/ to get the
latest CVE news and announcements.

To get regular updates of the newest CVE IDs, please also follow us at
https://twitter.com/CVEnew/.

LINKS:

CVE Updates and Feeds -
https://cve.mitre.org/cve/data_updates.html

CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#March162017_CVE_Launches_@CVEannounce_Twitter_Feed

----------------------------------------------------------------
FOCUS ON: The Significance and Meaning of a CVE Identifier Marked as "RESERVED"

A CVE Identifier (CVE ID) is marked as "RESERVED" when it has been reserved for use by a
vendor or security researcher but the details of it are not yet populated by the
requester.

A CVE ID can change from the RESERVED state to being populated at any time based on a
number of factors both internal and external to MITRE.

An example of an internal factor could include the bulk assignment of CVE IDs to a CVE
Numbering Authority (CNA). These CVE IDs are marked as RESERVED upon allocation to a
CNA, before they are assigned to a specific vulnerability. An example of an external
factor could include a vulnerability that has not yet been publicly disclosed, such as
when the affected product vendor is still developing a mitigation.

It is also important to note that when a CVE ID is marked as RESERVED, it will not yet
be available in the U.S. National Vulnerability Database (NVD). NVD is based upon and
fed by the CVE List.

However, once the CVE ID is populated with details and published on the CVE List on the
CVE website, it will become available in NVD. As one of the final steps in the overall
process, the NVD Common Vulnerability Scoring System (CVSS) scores for the CVE ID are
assigned by the NIST NVD team.

Visit the CVE Identifiers section of the FAQs page at
https://cve.mitre.org/about/faqs.html#pc_cve_identifiers for answers to other questions
about CVE IDs. You may also contact us at cve@mitre.org with any comments or concerns.

LINKS:

CVE Identifier -
https://cve.mitre.org/about/faqs.html#what_is_cve_identifier

CNAs -
https://cve.mitre.org/cve/cna.html

CVE List -
https://cve.mitre.org/cve/index.html

NVD -
http://nvd.nist.gov/home.cfm

CVSS calculator for CVE IDs -
https://nvd.nist.gov/cvss.cfm

CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#March162017_FOCUS_ON_The_Significance_and_Meaning_of_a_CVE_Identifier_Marked_as_RESERVED

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Board and CVE Numbering Authorities on all matters related to
ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2017, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).

For more information about CVE, visit the CVE website at https://cve.mitre.org or send
an email to cve@mitre.org.

Wednesday, March 8, 2017

CVE Announce - TIME CHANGE FOR TODAY's CVE WEB FORM OUTAGE on WEDNESDAY, MARCH 8, 2017

SPECIAL ANNOUNCEMENT

-------------------------------------------------------
CVE-Announce e-newsletter/March 8, 2017
-------------------------------------------------------

UPDATED NOTICE: CVE Request Web Form - Outage Rescheduled to 9:30 p.m. - 11:30 p.m. EDT
on March 8

The previously announced scheduled maintenance outage time for today has changed. The
CVE Request Web Form will now be temporarily unavailable from 9:30 p.m. until 11:30 p.m.
Eastern time, Wednesday, March 8, 2017. Please disregard the times stated in the
previous announcement.

This temporary outage affects requests to MITRE only. All other CVE Numbering
Authorities (CNAs) can still be contacted during this time to request CVE IDs.
We apologize for any inconvenience.

Please contact us with any comments or concerns at cve@mitre.org.

LINKS:

CVE List -
https://cve.mitre.org/cve/cve.html

CVE Request web form -
https://cveform.mitre.org/

Request CVE IDs from CNAs page -
https://cve.mitre.org/cve/request_id.html

CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#March082017_UPDATED_NOTICE:_CVE_Request_Web_Form_Outage_Rescheduled_to_9:30_p.m._11:30_p.m._EDT_on_March_8



Tuesday, March 7, 2017

CVE Announce - March 7, 2017 (opt-in newsletter from the CVE website)

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/March 7, 2017
-------------------------------------------------------

Contents:

1. CVE Launches Twitter Feed of Newest CVE IDs
2. Drupal.org Added as CVE Numbering Authority (CNA)
3. NOTICE: CVE Request Web Form - OUTAGE from 8:00 p.m.-10:00 p.m. EDT on March 8
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE Launches Twitter Feed of Newest CVE IDs

Please follow our new Twitter feed at https://twitter.com/CVEnew/ to get regular updates
of the newest CVE IDs.

OTHER LINKS:

CVE List -
https://cve.mitre.org/cve/cve.html

Other Data Updates and Feeds -
https://cve.mitre.org/cve/data_updates.html

CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#march022017_CVE_Launches_Twitter_Feed_of_Newest_CVE_IDs

---------------------------------------------------------------
Drupal.org Added as CVE Numbering Authority (CNA)

Drupal.org is now a CVE Numbering Authority (CNA) for all issues for projects hosted
under Drupal.org only.

CNAs are OS and product vendors, developers, security researchers, and research
organizations that assign CVE IDs to newly discovered issues without directly involving
MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the
first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 49 organizations
currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; CERT/CC; Check
Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project;
Drupal.org; F5; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise;
Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry
Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA);
Mozilla; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Rapid 7; Red Hat;
Silicon Graphics; Symantec; Talos; TIBCO; Ubuntu Linux; VMware; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID
on the CVE website at https://cve.mitre.org/cve/request_id.html.

LINKS:

Drupal.org -
https://www.drupal.org/

CNAs -
https://cve.mitre.org/cve/cna.html

Request a CVE ID from a CNA -
https://cve.mitre.org/cve/request_id.html

CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#February282017_Drupal.org_Added_as_CVE_Numbering_Authority_CNA

---------------------------------------------------------------
NOTICE: CVE Request Web Form - OUTAGE from 8:00 p.m.-10:00 p.m. EDT on March 8

Due to scheduled maintenance, the CVE Request Web Form will be temporarily unavailable
from 8:00 p.m. until 10:00 p.m. Eastern time on Wednesday, March 8, 2017.

This temporary outage affects requests to MITRE only. All other CVE Numbering
Authorities (CNAs) can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or
concerns.

LINKS:

CVE IDs -
https://cve.mitre.org/cve/cve.html

CVE Request web form -
https://cveform.mitre.org/

Request CVE IDs from CNAs -
https://cve.mitre.org/cve/request_id.html

CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#March062017_NOTICE_CVE_Request_Web_Form_Outage_from_8:00_p.m._10:00_p.m._EDT_on_March_8

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Board and CVE Numbering Authorities on all matters related to
ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2017, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).

For more information about CVE, visit the CVE website at https://cve.mitre.org or send
an email to cve@mitre.org.