Message-ID: <3cdc67a2-9858-5328-1d42-baa61d0ba97d@redhat.com>
Date: Tue, 30 May 2017 09:29:08 -0600
From: "kseifried@...hat.com" <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, Hanno Böck <hanno@...eck.de>
Subject: Re: Qualys Security Advisory - CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux

On 05/30/2017 09:25 AM, Hanno Böck wrote:
> On Tue, 30 May 2017 08:16:29 -0700
> Qualys Security Advisory <qsa@...lys.com> wrote:
>
>> Qualys Security Advisory
>>
>> CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux
>
> Did Mitre really just add multiple new digits to CVEs or is this a typo?
>
> AFAIR they introduced 5-digit-CVEs relatively recently, going to
> 7-digit without any public announcement seems unlikely.

We did this 3 years ago:

https://cve.mitre.org/cve/identifiers/syntaxchange.html

Examples

Examples of identifiers in the new CVE ID syntax are included below.
There is no limit on the number of arbitrary digits. Leading 0’s will
only be used in IDs 1 to 999, as shown in column one below.

IDs with 4 digits   IDs with 5 digits   IDs with 6 digits   IDs with 7 digits
CVE-2014-0001       CVE-2014-10000      CVE-2014-100000     CVE-2014-1000000
CVE-2014-3127       CVE-2014-54321      CVE-2014-456132     CVE-2014-7654321
CVE-2014-9999       CVE-2014-99999      CVE-2014-999999     CVE-2014-9999999

NOTE: Some of the CVE ID examples above have not yet been assigned.

The DWF CNA has the block CVE-YEAR-1000000 through CVE-YEAR-1999999 so
yes, these are legitimate. E.g.:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000001

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
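
The ID syntax quoted in the message above, as an added example that is not part of the original thread: a matcher for variable-length CVE IDs, set beside a fixed four-digit pattern that truncates the longer ones. All names here (`CVE_RE`, `LEGACY_RE`, `parse_cve`, `in_dwf_block`, `extract_cves`, `legacy_extract`) are hypothetical, and the sample line is constructed from IDs that appear in the message.

```python
import re

# CVE ID syntax as quoted in the message: "CVE-", a 4-digit year, then a
# sequence number of 4 or more digits. Leading zeros appear only as padding
# to 4 digits (IDs 1 to 999), so a longer sequence never starts with 0.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4}|[1-9]\d{4,})\b")

# Fixed-width pattern that assumes exactly four sequence digits, shown for
# contrast. Assumption: this stands in for tooling written before the change.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}")

# Block the message attributes to the DWF CNA.
DWF_FIRST, DWF_LAST = 1_000_000, 1_999_999


def parse_cve(text):
    """Return (year, sequence) for a well-formed CVE ID, else None."""
    m = CVE_RE.fullmatch(text.strip())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def in_dwf_block(text):
    """True if the ID's sequence number falls in the DWF block."""
    parsed = parse_cve(text)
    return parsed is not None and DWF_FIRST <= parsed[1] <= DWF_LAST


def extract_cves(text):
    """Find every well-formed CVE ID in free text, in order."""
    return [m.group(0) for m in CVE_RE.finditer(text)]


def legacy_extract(text):
    """What the fixed-width pattern returns for the same text."""
    return LEGACY_RE.findall(text)


# Constructed sample line, built from IDs that appear in the message.
SAMPLE = "Fixes CVE-2017-1000367; see also CVE-2014-0001 and CVE-2016-1000001."

if __name__ == "__main__":
    print(extract_cves(SAMPLE))
    print(legacy_extract(SAMPLE))
    print(in_dwf_block("CVE-2017-1000367"))
```

The fixed-width pattern silently turns both seven-digit IDs into different, shorter identifiers, which is the failure to look for in scanners, ticket linkers and log parsers that predate the syntax change.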