CVE-Announce e-newsletter/September 26, 2006 (opt-in newsletter from the CVE Web site)

From: CVE Announce List (cve@mitre.org)
Date: Tue Sep 26 2006 - 18:42:43 CDT


Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as new
versions, upcoming conferences, new Web site features, etc. right to
your emailbox. Common Vulnerabilities and Exposures (CVE) is the
standard for information security vulnerability names. CVE content
results from the collaborative efforts of the CVE Editorial Board, which
is comprised of leading representatives from the information security
community. Details on subscribing (and unsubscribing) to the email
newsletter are at the end. Please feel free to pass this newsletter on
to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/September 26, 2006
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

Four Organizations Make Declarations of CVE Compatibility

Apple Computer, Inc. has declared that its security updates for Apple
products, Apple Product Security, are CVE-compatible; RUS-CERT at the
University of Stuttgart declared that its security advisories and
archives, Security Announcement Service RUS-CERT, are CVE-compatible;
Application Security, Inc. declared that its database vulnerability
assessment tools, AppRadar for DB2 and AppRadar for Sybase, are
CVE-compatible; and Beijing Netpower Technologies Inc. declared that its
vulnerability assessment and remediation tool, Netpower Network Security
Assessment System, is CVE-Compatible.

"CVE-compatible" means that a product or service uses CVE names in a way
that allows it to cross-link with other repositories that also use CVE
names, as documented in the CVE compatibility requirements. Each item
listed on the CVE Web site includes a link to the organization's
homepage, the product or service name, type of product, link to the
product homepage, and a notation of the specific point in the CVE
Compatibility Process each product or service has reached. Many
organizations have multiple products and services listed. For additional
usability, they are also listed by product type, product name,
organization, and country. Product types include vulnerability
databases; security archives and advisories; vulnerability assessment
and remediation; intrusion detection, management, monitoring, and
response; incident management; data and event correlation; educational
materials; and firewalls.

There are now 65 products and services registered as Officially
CVE-Compatible and 260 declarations to be compatible from a total of 155
organizations. Visit the CVE-Compatible Products and Services page to
find out more about these and other compatible products and services.

LINKS:

Apple Computer, Inc. - http://www.apple.com

RUS-CERT at the University of Stuttgart - http://cert.uni-stuttgart.de

Application Security, Inc. - http://www.appsecinc.com

Beijing Netpower Technologies Inc. - http://www.netpower.com.cn

CVE-Compatible Products & Services - http://cve.mitre.org/compatible/

------------------------------------------------------------
HOT TOPIC:

"Common Configuration Enumeration" Added to CVE Web Site

A "Common Configuration Enumeration (CCE)" section has been added to the
GET CVE page on the CVE Web site. CCE is the part of the CVE Initiative
that focuses on security configuration issues and exposures.

CCE provides unique identifiers to system configurations in order to
facilitate fast and accurate correlation of configuration data across
multiple information sources and tools. As an example, CCE Identifiers
could be used to associate checks in configuration assessment tools with
statements in configuration best-practice documents such as the Center
for Internet Security (CIS) benchmark documents.

A very preliminary draft of the CCE List is available now for public
review and comment. This preliminary draft is intended as a
proof-of-concept and focuses on security-related configuration issues
for Windows 2000, Windows XP, and Windows Server 2003. The draft should
not be considered final and will be modified over time. In particular,
the CCE IDs themselves are not final and will likely change
significantly in future versions. Currently, each entry on the list
includes the following: CCE Identifier number, description, logical
parameters, technical mechanisms, and any references. Refer to the CCE
List page for more information.

The new section includes the CCE List; a CCE Status section detailing
the status of the current version; a description of How to Participate
for organizations and individuals interested in contributing; and a Join
the CCE Working Group section for those interested in actively
participating in this new community initiative.

LINKS:

CCE section - http://cve.mitre.org/cce/

-------------------------------------------------------------
ALSO IN THIS ISSUE:

* NVD's Public Forum Allows Vendors to Comment on the CVE
   Vulnerabilities Discovered in their Products

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Christey, Information Security Technical Center.
Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE
and provides impartial technical guidance to the CVE Editorial Board on
all matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org.
To subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2006, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.