From: CVE Announce List (cve@mitre.org)
Date: Fri Jul 13 2007 - 18:38:19 CDT
Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as new
versions, upcoming conferences, new Web site features, etc. right to
your emailbox. Common Vulnerabilities and Exposures (CVE) is the
standard for information security vulnerability names. CVE content
results from the collaborative efforts of the CVE Editorial Board, which
is comprised of leading representatives from the information security
community. Details on subscribing (and unsubscribing) to the email
newsletter are at the end. Please feel free to pass this newsletter on
to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/July 13, 2007
-------------------------------------------------------
Contents:
1. Feature Story
2. HOT TOPIC #1
3. HOT TOPIC #2
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE List Surpasses 25,000+ CVE Identifiers
The CVE Web site now contains 25,064 unique information security issues
with publicly known names. CVE, which began in 1999 with just 321 common
names on the CVE List, is considered the international standard for
public software vulnerability names. Information security professionals
and product vendors from around the world use CVE Identifiers (CVE-IDs)
as a standard method for identifying vulnerabilities, and for
cross-linking among products, services, and other repositories that use
the identifiers.
The widespread adoption of CVE in enterprise security is illustrated by
the numerous CVE-Compatible Products and Services in use throughout
industry, government, and academia for vulnerability management,
vulnerability alerting, intrusion detection, and patch management. Major
OS vendors and other organizations from around the world also include
CVE-IDs in their security alerts to ensure that the international
community benefits by having the identifiers as soon as a problem is
announced. CVE-IDs are also used to uniquely identify vulnerabilities in
public watch lists such as the SANS Top 20 Most Critical Internet
Security Vulnerabilities and OWASP Top 10 Web Application Security
Issues.
CVE has also inspired new efforts. MITRE's Common Weakness Enumeration
(CWE) dictionary of software weakness types is based in part on the CVE
List, and its Open Vulnerability and Assessment Language (OVAL) effort
uses CVE-IDs for its standardized OVAL Vulnerability Definitions that
test systems for the presence of CVEs. In addition, the U.S. National
Vulnerability Database (NVD) of CVE fix information that is synchronized
with and based on the CVE List recently expanded to include Security
Content Automation Protocol (SCAP) content. SCAP employs community
standards to enable "automated vulnerability management, measurement,
and policy compliance evaluation (e.g., FISMA compliance)," and CVE is
one of the six open standards SCAP uses for enumerating, evaluating, and
measuring the impact of software problems and reporting results.
Each of the 25,000+ identifiers on the CVE List includes the following:
CVE Identifier number (i.e., "CVE-1999-0067"); indication of "entry" or
"candidate" status; brief description of the security vulnerability; and
pertinent references such as vulnerability reports and advisories or
OVAL-ID. Visit the CVE List page to download the complete list in
various formats or to look up an individual identifier. Fix information
and enhanced searching of CVE are available from NVD.
LINKS:
CVE List - http://cve.mitre.org/cve
National Vulnerability Database (NVD) - http://nvd.nist.gov/
-------------------------------------------------------------
HOT TOPIC #1:
Opsware, Inc. Makes Three Declarations of CVE Compatibility
Opsware, Inc. declared that its Internet community portal and
subscription service, Opsware Network; its data center automation
product, Server Automation System; and its data center automation
product, Network Automation System are CVE-Compatible. For additional
information about these and other CVE-compatible products, visit the
CVE-Compatible Products and Services page.
LINKS:
Opsware, Inc. - http://www.opsware.com
CVE-Compatible Products and Services section -
http://cve.mitre.org/compatible/
-------------------------------------------------------------
HOT TOPIC #2:
Updated "Common Configuration Enumeration (CCE) List" Posted in CCE
Section of CVE Web Site
Version 4.0 of the CCE List has been posted in the "Common Configuration
Enumeration (CCE)" section of the CVE Web site. The updated draft
focuses on security-related configuration issues for Windows 2000,
Windows XP, Windows Server 2003, Windows Vista, Internet Explorer 7, and
Office 2007.
CCE provides unique identifiers to system configurations in order to
facilitate fast and accurate correlation of configuration data across
multiple information sources and tools. As an example, CCE Identifiers
could be used to associate checks in configuration assessment tools with
statements in configuration best-practice documents such as the Center
for Internet Security (CIS) benchmark documents.
Participation by the information security community is an important
element in the success of CCE. We encourage you or your organization to
contribute by joining the CCE Working Group or by commenting on the
current draft of the CCE List. Please send any feedback on the list or
other comments to cce@mitre.org.
LINK:
CCE List - http://cce.mitre.org
-------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Included in Booth at "Black Hat Briefings 2007" on August 1-2
* CVE Participates on Discussion Panel at "GFIRST Conference 2007"
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Christey, Information Security Technical Center.
Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE
and provides impartial technical guidance to the CVE Editorial Board on
all matters related to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org.
To subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2007, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.
For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.