List: oss-security
Subject: Re: [oss-security] Qualys Security Advisory - CVE-2017-1000367 in Sudo's get_process_ttyname() for L
From: "kseifried () redhat ! com" <kseifried () redhat ! com>
Date: 2017-05-30 15:29:08
Message-ID: 3cdc67a2-9858-5328-1d42-baa61d0ba97d () redhat ! com
On 05/30/2017 09:25 AM, Hanno Böck wrote:
> On Tue, 30 May 2017 08:16:29 -0700
> Qualys Security Advisory <qsa@qualys.com> wrote:
>
>> Qualys Security Advisory
>>
>> CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux
>
> Did Mitre really just add multiple new digits to CVEs or is this a typo?
>
> AFAIR they introduced 5-digit CVEs relatively recently; going to
> 7 digits without any public announcement seems unlikely.
We did this 3 years ago:
https://cve.mitre.org/cve/identifiers/syntaxchange.html
Examples

Examples of identifiers in the new CVE ID syntax are included below.
There is no limit on the number of arbitrary digits. Leading 0's will
only be used in IDs 1 to 999, as shown in column one below.

IDs with 4 digits   IDs with 5 digits   IDs with 6 digits   IDs with 7 digits
CVE-2014-0001       CVE-2014-10000      CVE-2014-100000     CVE-2014-1000000
CVE-2014-3127       CVE-2014-54321      CVE-2014-456132     CVE-2014-7654321
CVE-2014-9999       CVE-2014-99999      CVE-2014-999999     CVE-2014-9999999

NOTE: Some of the CVE ID examples above have not yet been assigned.
The DWF CNA has the block CVE-YEAR-1000000 through CVE-YEAR-1999999 so
yes, these are legitimate. E.g.:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000001
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
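The CVE ID syntax rules quoted in the message (a year, then a sequence number of at least four digits with no upper bound, leading zeros only to pad IDs 1 to 999, and the DWF CNA block CVE-YEAR-1000000 through CVE-YEAR-1999999) as an added Python validator; this is example code written for this archive page, not code from the list post or from MITRE, and the regex, the `CveId` type and the "legacy" four-digit check are my own construction from those rules.

```python
"""Validator for the post-2014 CVE ID syntax described above.

Rules implemented (taken from the quoted MITRE text, encoded here as an
assumption about how they translate to a pattern):
  * 'CVE-' + four-digit year + '-' + sequence number of 4 or more digits;
  * leading zeros pad only sequence numbers 1..999 to four digits, so a
    sequence of five or more digits must start with a non-zero digit;
  * sequence 1000000..1999999 (any year) is the block the post attributes
    to the DWF CNA.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sequence is either exactly 0ddd (padded 1..999) or a non-zero-led
# number of at least four digits with no length limit.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>0\d{3}|[1-9]\d{3,})$")

# Pre-2014 assumption that still lurks in many tools: exactly four digits.
LEGACY_CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4}$")

DWF_BLOCK = (1_000_000, 1_999_999)  # CVE-YEAR-1000000 .. CVE-YEAR-1999999


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int
    digits: int  # width of the sequence field as written

    @property
    def in_dwf_block(self) -> bool:
        return DWF_BLOCK[0] <= self.sequence <= DWF_BLOCK[1]


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return a CveId for a syntactically valid identifier, else None."""
    m = CVE_ID_RE.match(text.strip())
    if not m:
        return None
    seq = m.group("seq")
    if int(seq) == 0:  # 0000 is not an ID (IDs start at 1)
        return None
    return CveId(year=int(m.group("year")), sequence=int(seq), digits=len(seq))


def is_valid_cve_id(text: str) -> bool:
    return parse_cve_id(text) is not None


def legacy_accepts(text: str) -> bool:
    """True if a four-digit-only matcher would accept the ID."""
    return LEGACY_CVE_ID_RE.match(text.strip()) is not None
```

Running `parse_cve_id("CVE-2017-1000367")` yields a valid seven-digit ID inside the DWF block, while `legacy_accepts` rejects it, which is the kind of tooling mismatch that makes such IDs look like typos.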