oss-sec mailing list archives

Re: CVE Request for illumos distributions


From: Marcus Meissner <meissner () suse de>
Date: Sun, 4 Jan 2015 20:06:59 +0100

On Sun, Jan 04, 2015 at 09:53:26AM -0800, Alan Coopersmith wrote:
On 01/ 3/15 10:26 PM, gremlin () gremlin ru wrote:
On 2015-01-04 15:06:51 +1100, Dave Horsfall wrote:

 >> | Use CVE-2014-9491.
 >> Shouldn't we be using CVE-2015-XXXX by now?
 > I'd rather see CVE-2015-XXXXX - look how close we came...
 > Is there a CVE for that?

First CVE ID in 2015 is CVE-2015-0001; once we get to CVE-2015-9999,
the next ID will be CVE-2015-10000.

Except that https://cve.mitre.org/cve/identifiers/syntaxchange.html
says they won't wait that long, and will issue a 5 digit CVE ID in
the next couple of weeks.

(Even without that, CVE IDs aren't strictly issued in order, as blocks
 of IDs go out to each numbering authority for them to assign as needed.)

Main part of this page:
 IMPORTANT: The variable length arbitrary digits will begin at four (4)
 fixed digits and expand with arbitrary digits only when needed in a
 calendar year, for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN,
 CVE-YYYY-NNNNNNN, and so on. This also means there will be no changes
 needed to previously assigned CVE-IDs, which all include 4 digits.

The rule is:

- 4 digits until 9999
- 5 digits until 99999
- 6 digits until 999999
- 7 digits starting with 1000000

2014 CVEs can still get assigned by the rules, so they will slowly creep
up a bit still. But in general new issues will now get 2015 CVEs.

Ciao, Marcus
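
The digit-width rule above, as an added Python example that is not part of the original message: it formats and validates IDs under the variable-length syntax and shows how a pattern that assumes exactly four sequence digits would record a five-digit ID as a different, shorter one. The function names and the legacy pattern are hypothetical; the sample text is constructed from IDs mentioned in the thread.

```python
import re

# Syntax described in the message: four digits minimum, more only when needed.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
# Pre-change assumption of exactly four sequence digits (hypothetical legacy pattern).
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}")

# Constructed sample text; the IDs are the ones mentioned in the thread.
SAMPLE = "Fixed: CVE-2014-9491, CVE-2015-0001, CVE-2015-10000."


def format_cve(year, seq):
    """Render an ID with the width rule: zero-pad to four digits, never beyond."""
    if seq < 1:
        raise ValueError("sequence numbers start at 1")
    return f"CVE-{year:04d}-{seq:04d}"


def parse_cve(text):
    """Return (year, seq) for an ID, rejecting widths the rule does not produce."""
    text = text.strip()
    m = CVE_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if format_cve(year, seq) != text:
        raise ValueError(f"non-canonical digit width: {text!r}")
    return year, seq


def legacy_truncations(text):
    """List (full_id, misread_id) pairs where the four-digit pattern cuts an ID short."""
    pairs = []
    for m in CVE_RE.finditer(text):
        full = m.group(0)
        misread = LEGACY_RE.match(full).group(0)
        if misread != full:
            pairs.append((full, misread))
    return pairs


if __name__ == "__main__":
    for full, misread in legacy_truncations(SAMPLE):
        print(f"{full} would be recorded as {misread}")
```

Running `legacy_truncations` over existing advisories, tickets or scanner output is a quick way to find tooling that still stores or matches only four sequence digits.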

