CVE-Announce e-newsletter/September 13, 2006 (opt-in newsletter from the CVE Web site)

From: CVE Announce List (cve@mitre.org)
Date: Wed Sep 13 2006 - 12:21:22 CDT


Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as new
versions, upcoming conferences, new Web site features, etc. right to
your emailbox. Common Vulnerabilities and Exposures (CVE) is the
standard for information security vulnerability names. CVE content
results from the collaborative efforts of the CVE Editorial Board, which
is comprised of leading representatives from the information security
community. Details on subscribing (and unsubscribing) to the email
newsletter are at the end. Please feel free to pass this newsletter on
to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/September 13, 2006
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Upcoming Events
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

NVD's Public Forum Allows Vendors to Comment on the CVE Vulnerabilities
Discovered in their Products

The U.S. National Vulnerability Database (NVD), which is built primarily
upon CVE identifiers, has announced a new service that provides the
software industry with "an open forum to comment upon the set of CVE
vulnerabilities discovered in their products. Software vendors have the
deepest knowledge about their products and thus are uniquely positioned
to comment on their vulnerabilities."

According to Peter Mell, the U.S. National Institute of Standards and
Technology's (NIST) NVD Program Manager, the "...set of 'official vendor
statements' [that provides the comments] are available as an XML feed
from the NVD download page, http://nvd.nist.gov/download.cfm. We
encourage other vulnerability databases and services to incorporate
these vendor statements alongside their CVE vulnerability descriptions.
The statements are also available on the respective NVD vulnerability
summary pages (e.g., http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4124).

"Software development organizations can submit official statements by
contacting NVD staff (nvd@nist.gov). The capability exists both for
organizations to manually submit statements and for organizations to log
into NVD to issue and modify statements themselves. We recommend the log
in capability for organizations that are affected by more than a few CVE
vulnerabilities.

"We would like to thank Red Hat, particularly Mark Cox, for coming up
with the idea for this service. They recognized that the software
industry needed an open forum in which they could comment on the CVE
vulnerabilities in their products. They approached NVD with this idea
and we started a pilot program in which Red Hat provided over 100
official statements regarding the CVE vulnerabilities. Each of these
statements added valuable details that were not always available from
third-party security advisories.

"Organizations can use the service in a variety of ways. For example,
they can provide configuration and remediation guidance, clarify
vulnerability applicability, provide deeper vulnerability analysis,
dispute third party vulnerability information, and explain vulnerability
impact.

"It is [NVD's] hope that the software industry will actively participate
in this open forum and that the 'official vendor statements' will be
propagated throughout the 300+ products and services that use the CVE
vulnerability naming standard (http://cve.mitre.org)."

NIST and Red Hat, Inc. (www.redhat.com) are members of the CVE Editorial
Board. NVD and Red Hat's Apache Week Web Server are listed on the
CVE-Compatible Products and Services page, and the Red Hat Security
Advisories are listed as officially CVE-Compatible. In addition, NVD and
CVE are both sponsored by the U.S. Department of Homeland Security.

LINKS:

U.S. National Vulnerability Database (NVD) - http://nvd.nist.gov

'Official Vendor Statements' download - http://nvd.nist.gov/download.cfm

CVE-Compatible Products & Services - http://cve.mitre.org/compatible/

CVE List - http://cve.mitre.org/cve

------------------------------------------------------------
HOT TOPIC:

"Common Configuration Enumeration" Added to CVE Web Site

A "Common Configuration Enumeration (CCE)" section has been added to the
GET CVE page on the CVE Web site. CCE is the part of the CVE Initiative
that focuses on security configuration issues and exposures.

CCE provides unique identifiers to system configurations in order to
facilitate fast and accurate correlation of configuration data across
multiple information sources and tools. As an example, CCE Identifiers
could be used to associate checks in configuration assessment tools with
statements in configuration best-practice documents such as the Center
for Internet Security (CIS) benchmark documents.

A very preliminary draft of the CCE List is available now for public
review and comment. This preliminary draft is intended as a
proof-of-concept and focuses on security-related configuration issues
for Windows 2000, Windows XP, and Windows Server 2003. The draft should
not be considered final and will be modified over time. In particular,
the CCE IDs themselves are not final and will likely change
significantly in future versions. Currently, each entry on the list
includes the following: CCE Identifier number, description, logical
parameters, technical mechanisms, and any references. Refer to the CCE
List page for more information.

The new section includes the CCE List; a CCE Status section detailing
the status of the current version; a description of How to Participate
for organizations and individuals interested in contributing; and a Join
the CCE Working Group section for those interested in actively
participating in this new community initiative.

LINKS:

CCE section - http://cve.mitre.org/cce/

-----------------------------------------------------------------
Two Upcoming Events in September

CVE is scheduled to participate in two events in September, the "5th
Annual Cyber Security Executive Summit" and the "IT Security World
Conference & Expo 2006":

* CVE and CWE to present briefing at "5th Annual Cyber Security
   Executive Summit"

CVE is scheduled to present a briefing about CVE and CWE at the "5th
Annual Cyber Security Executive Summit" for the financial services
sector on September 13-14, 2006 at the Metropolitan Pavilion in New York
City, New York, USA. Common Weakness Enumeration (CWE) is a
community-developed formal list of common software weaknesses that is
based in part on CVE's 19,000+ identifiers.

* CVE to Host Booth at "IT Security World Conference & Expo 2006"

CVE is scheduled to co-host an exhibitor booth at "IT Security World
Conference & Expo 2006" September 25th - 26th, 2006 in San Francisco,
California, USA. The conference will expose CVE, CCE, CWE, OVAL, and CME
to security professionals from industry, government, and academia
charged with developing and running their organizations' information
security programs. Organizations listed on the CVE-Compatible Products
and Services section at http://cve.mitre.org/compatible/ are also
exhibiting.

Refer to the CVE Calendar page for event URLs. Contact cve@mitre.org to
have CVE present a briefing or participate in a panel discussion about
CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics
at your event.

LINKS:

CVE Calendar - http://cve.mitre.org/news/calendar.html

CCE - http://cce.mitre.org

CWE - http://cwe.mitre.org

OVAL - http://oval.mitre.org

CME - http://cme.mitre.org

-------------------------------------------------------------
ALSO IN THIS ISSUE:

* 585 CVE Names with Candidate Status Added to CVE List in August

* Photos of CVE Booth at "Black Hat 2006"

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Christey, Information Security Technical Center.
Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE
and provides impartial technical guidance to the CVE Editorial Board on
all matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org.
To subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2006, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.