CVE-Announce e-newsletter/October 5, 2005 (opt-in newsletter from the CVE Web site)

From: CVE Announce List (cvemitre.org)
Date: Wed Oct 05 2005 - 13:55:04 CDT


Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as new
versions, upcoming conferences, new Web site features, etc. right to
your emailbox. Common Vulnerabilities and Exposures (CVE) is the
standard for information security vulnerability names. CVE content
results from the collaborative efforts of the CVE Editorial Board, which
is comprised of leading representatives from the information security
community. Details on subscribing (and unsubscribing) to the email
newsletter are at the end. Please feel free to pass this newsletter on
to interested colleagues.

Comments: cvemitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/October 5, 2005
-------------------------------------------------------

Contents:

1. Feature Story
2. Hot Topic
3. UPCOMING EVENT!
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

CVE Mentioned in Article about 'Common Malware Enumeration' in Virus
Bulletin

The success of CVE as a standard was mentioned in an article entitled
"The Common Malware Enumeration Initiative" in the September 2005 issue
of "Virus Bulletin." The article announces the formation of the Common
Malware Enumeration (CME) initiative--headed by US-CERT and MITRE along
with numerous members of the anti-virus community--that aims to provide
single, common identifiers to new virus threats (i.e., malware) to
reduce public confusion during malware outbreaks. CME is "not an attempt
to solve the challenges involved with naming schemes for viruses and
other forms of malware, but instead aims to facilitate the adoption of a
shared, neutral indexing capability for malware."

CVE is mentioned by the authors of the article as follows: "CME is
fashioned similarly to the Common Vulnerabilities and Exposures (CVE)
initiative (http://cve.mitre.org), which is also operated by MITRE in
support of US-CERT. As experience with CVE shows, once all parties have
adopted a neutral, shared identification method, effective information
sharing can happen faster and with more accuracy."

CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland
Security at http://www.dhs.gov/.

LINKS:

'Virus Bulletin' article -
http://www.virusbtn.com/magazine/this_month/index.xml

Common Malware Enumeration (CME) Web site - http://cme.mitre.org

US-CERT - http://www.us-cert.gov

CVE Web site - http://cve.mitre.org

-------------------------------------------------------------
CVE List to Be Renumbered on October 19th

Beginning October 19, 2005, there will be a one-time-only modification
to the CVE List numbering scheme. This one-time change, to enhance the
usability of CVE names, is a direct result of feedback from users. An
initial announcement was made on April 21, 2005.

The CVE List numbering scheme is being modified to eliminate the CAN
prefix in CVE names. Under the current system, the "CAN-yyyy-nnnn"
identifier is eventually changed to a "CVE-yyyy-nnnn" identifier, which
can result in maintenance problems and confusion. The new numbering
system will have the CVE prefix from the outset followed by 8 numerals
and a status line designating whether the name has "Candidate," "Entry,"
or "Deprecated" status. Each name will continue to include a brief
description and references. Under the new scheme, when new CVE versions
are released only the status line will be updated.

For example, CVE name CVE-1999-0067 will include the following:

          CVE Name: CVE-1999-0067
          Status: Entry
          Description: CGI phf program allows remote command
                       execution through shell metacharacters.
          References:
                       - CERT:CA-96.06.cgi_example_code
                       - XF:http-cgi-phf
                       - BID:629
                       - OSVDB:136

Previously assigned CVE numbers will remain the same except for the
prefix being updated and the addition of the status, e.g., CAN-2005-0386
will be changed to CVE-2005-0386 with "Candidate" status. Links to CANs
in older advisories and news media articles will be redirected on the
CVE Web site to pages with the appropriate renumbered names. We have
updated the CVE Compatibility Requirements document to conform to the
modification and are in the process of contacting compatible vendors
directly to discuss the expected impact.

LINKS:

Renumbering Q&A - http://cve.mitre.org/cve/renumber.html

CVE Compatibility Requirements document -
http://cve.mitre.org/compatible/requirements.html

CVE List - http://cve.mitre.org/cve

-------------------------------------------------------------
UPCOMING EVENT!

MITRE to Host CVE/OVAL Booth at "FIAC 2005"

MITRE is scheduled to host a CVE/OVAL exhibitor booth at "Federal
Information Assurance Conference (FIAC) 2005," October 25-26, 2005, at
the Inn and Conference Center, University of Maryland University
College, in Adelphi, Maryland, USA. The conference will expose CVE and
OVAL to network and systems administrators, security practitioners,
acquisition and procurement officials, systems security officers,
federal managers, accreditors, and certifiers from numerous agencies of
the U.S. federal government.

In addition, organizations with CVE-Compatible Products and Services
(http://cve.mitre.org/compatible/) will also be exhibiting.

LINK:

http://cve.mitre.org/news/calendar.html

-------------------------------------------------------------
ALSO IN THIS ISSUE:

* Application Security, Inc. Makes Declaration of CVE Compatibility

* Computer Associates Posts CVE Compatibility Questionnaire

* Adobe References CVE Names in Security Advisories

* MITRE Hosts CVE/OVAL Booth at "IT Security World 2005," September
   28th-29th

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Christey, Information Security Technical Center.
Writer: Bob Roberge, Corporate Communications. The MITRE Corporation
(www.mitre.org) maintains CVE and provides impartial technical guidance
to the CVE Editorial Board on all matters related to ongoing development
of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listservlists.mitre.org.
To subscribe, send an email message to listservlists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2005, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cvemitre.org.
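
The renumbering described under "CVE List to Be Renumbered on October 19th" above, as an added example that is not part of the newsletter and is not MITRE's code: it rewrites CAN names in advisory text and merges legacy CAN/CVE records for the same number into one record with an explicit status. The record layout, the function names and the status precedence used on merge are assumptions.

```python
import re

# Names as described in the newsletter: prefix, 4-digit year, 4-digit sequence.
NAME_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4})\b")
# The old scheme encoded status in the prefix; the new one carries it as a field.
PREFIX_STATUS = {"CAN": "Candidate", "CVE": "Entry"}
RANK = {"Candidate": 0, "Entry": 1, "Deprecated": 2}  # assumed precedence on merge


def renumber_text(text):
    """Rewrite CAN-yyyy-nnnn to CVE-yyyy-nnnn; return (new_text, {old: new})."""
    renamed = {}

    def repl(m):
        new = f"CVE-{m.group(2)}-{m.group(3)}"
        if m.group(1) == "CAN":
            renamed[m.group(0)] = new
        return new

    return NAME_RE.sub(repl, text), renamed


def migrate(records):
    """Merge records keyed by old-style names into new-style records."""
    merged = {}
    for rec in records:
        m = NAME_RE.fullmatch(rec["name"])
        if not m:
            raise ValueError(f"not a CAN/CVE name: {rec['name']!r}")
        name = f"CVE-{m.group(2)}-{m.group(3)}"
        # An explicit status wins; otherwise derive it from the legacy prefix.
        status = rec.get("status") or PREFIX_STATUS[m.group(1)]
        cur = merged.setdefault(
            name, {"name": name, "status": status, "references": []})
        if RANK[status] > RANK[cur["status"]]:
            cur["status"] = status
        for ref in rec.get("references", []):
            if ref not in cur["references"]:  # keep order, drop duplicates
                cur["references"].append(ref)
    return [merged[k] for k in sorted(merged)]


# Constructed sample: a database holding both the old candidate and the
# promoted entry for the same number, plus one plain candidate.
SAMPLE = [
    {"name": "CAN-1999-0067", "references": ["CERT:CA-96.06.cgi_example_code"]},
    {"name": "CVE-1999-0067", "references": ["XF:http-cgi-phf", "BID:629",
                                              "CERT:CA-96.06.cgi_example_code"]},
    {"name": "CAN-2005-0386", "references": []},
]
```

The mapping returned by `renumber_text` can double as the redirect table for links to old CAN names.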