CVE-Announce e-newsletter/July 24, 2006 (opt-in newsletter from the CVE Web site)

From: CVE Announce List (cve@mitre.org)
Date: Mon Jul 24 2006 - 12:41:20 CDT


Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as new
versions, upcoming conferences, new Web site features, etc. right to
your emailbox. Common Vulnerabilities and Exposures (CVE) is the
standard for information security vulnerability names. CVE content
results from the collaborative efforts of the CVE Editorial Board, which
is comprised of leading representatives from the information security
community. Details on subscribing (and unsubscribing) to the email
newsletter are at the end. Please feel free to pass this newsletter on
to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/July 24, 2006
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event
3. IMPORTANT ANNOUNCEMENT
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

Third Draft of Common Weakness Enumeration (CWE) Now Available

The third draft of CWE has been posted on the CWE List page on the CVE
Web site. Changes include (1) additional descriptions and mitigations
for about 150 of the items; (2) adding language-specific indicators for
those that are tied to language or platform like C, C++, Java, or .NET;
(3) minor revisions and updates to many other items; and (4) addition of
a first cut at a CWE_ID field that is meant to be a unique non-variant
identifier for the CWE content.

CWE is a community-developed formal list of common software weaknesses.
The intention of CWE is to serve as a common language for describing
software security weaknesses in architecture, design, or code; as a
standard measuring stick for software security tools targeting these
weaknesses; and to provide a common baseline standard for weakness
identification, mitigation, and prevention efforts. Broad community
adoption of CWE will help shape and mature the code security assessment
industry and also dramatically accelerate the use and utility of
software assurance capabilities for organizations in reviewing the
software systems they acquire or develop.

Our next step in building CWE involves gathering data about weaknesses
from fourteen tool and knowledge sources and then merging this new data
into the current list to create a fourth draft. We welcome any comments
about CWE at cwe@mitre.org.

LINKS:

CWE List - http://cve.mitre.org/cwe/index.html

About CWE - http://cve.mitre.org/cwe/about/index.html

CWE Process - http://cve.mitre.org/cwe/about/process.html

CWE Community - http://cve.mitre.org/cwe/community/index.html

CWE Sources - http://cve.mitre.org/cwe/about/sources.html

------------------------------------------------------------
UPCOMING EVENT:

CVE to Host Booth at "Black Hat Briefings 2006"

MITRE is scheduled to host a CVE/CWE/OVAL/CME exhibitor-meeting booth at
"Black Hat Briefings 2006" on August 2nd - 3rd, 2006 at Caesars Palace
in Las Vegas, Nevada, USA. The event will expose CVE, CWE, OVAL and CME
to a diverse audience of information security-focused attendees from
around the world.

LINK:

CVE Calendar - http://cve.mitre.org/news/calendar.html

-----------------------------------------------------------------
IMPORTANT ANNOUNCEMENT:

Download Options for CVE List to be Modified on July 19th

On July 19, 2006 downloads of the CVE List will no longer be available
with the old-style "CAN" prefix. The CVE naming scheme was modified on
October 19, 2005 to replace the "CAN" prefix with a "CVE" prefix in all
CVE names. Downloads using only the "CVE" prefix will continue to be
offered in three options: (1) a single list combining both CVE names
with "entry" and "candidate" status, (2) entries only, and (3)
candidates only. Each option is available in multiple formats: XML,
HTML, Text, and comma separated. The "CAN" prefix downloads were
continued for eight months to support the transition from the old
format.

CVE information is also available from external resources including CVE
Change Logs, a free tool from CERIAS/Purdue University that records
changes to the CVE List, and the U.S. National Vulnerability Database
(NVD), which is based upon CVE names and offers a variety of search and
download options.

LINKS:

CVE Downloads - http://cve.mitre.org/cve/downloads

CVE Change Logs - https://cassandra.cerias.purdue.edu/CVE_changes/

U.S. National Vulnerability Database (NVD) - http://nvd.nist.gov/

-----------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Main Topic of Article in "IEEE Distributed Systems Online"

* Secunia Makes Five Declarations of CVE Compatibility

* CVE Editorial Board Holds Teleconference

* Rede Nacional de Ensino e Pesquisa References CVE Identifiers in
   Security Advisories

* CWE Main Topic of Briefing at NIST's "Static Analysis Summit"

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Christey, Information Security Technical Center.
Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE
and provides impartial technical guidance to the CVE Editorial Board on
all matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org.
To subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2006, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.