oss-sec mailing list archives

Re: Qualys Security Advisory - CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux


From: "kseifried () redhat com" <kseifried () redhat com>
Date: Tue, 30 May 2017 09:29:08 -0600



On 05/30/2017 09:25 AM, Hanno Böck wrote:
> On Tue, 30 May 2017 08:16:29 -0700
> Qualys Security Advisory <qsa () qualys com> wrote:
>
>> Qualys Security Advisory
>>
>> CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux
>
> Did Mitre really just add multiple new digits to CVEs or is this a typo?
>
> AFAIR they introduced 5-digit-CVEs relatively recently, going to
> 7-digit without any public announcement seems unlikely.

We did this 3 years ago:

https://cve.mitre.org/cve/identifiers/syntaxchange.html

Examples

Examples of identifiers in the new CVE ID syntax are included below.
There is no limit on the number of arbitrary digits. Leading 0’s will
only be used in IDs 1 to 999, as shown in column one below.

IDs with 4 digits   IDs with 5 digits   IDs with 6 digits   IDs with 7 digits
CVE-2014-0001       CVE-2014-10000      CVE-2014-100000     CVE-2014-1000000
CVE-2014-3127       CVE-2014-54321      CVE-2014-456132     CVE-2014-7654321
CVE-2014-9999       CVE-2014-99999      CVE-2014-999999     CVE-2014-9999999
NOTE: Some of the CVE ID examples above have not yet been assigned.

The DWF CNA has the block CVE-YEAR-1000000 through CVE-YEAR-1999999 so
yes, these are legitimate. E.g.:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000001




-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com

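Added example, not part of this thread and not MITRE's or Red Hat's code: a small Python validator that encodes the syntax rule quoted above (four-digit year, a sequence number of four or more digits with no upper bound, leading zeros only to pad IDs 1 to 999) and shows why a matcher that still assumes a four-digit sequence number silently truncates the ID in the advisory subject line. The legacy pattern and the sample text are constructed for illustration; the DWF range check uses the block stated in the message above.

```python
import re

# Constructed legacy pattern of the kind older tooling used before the
# 2014 syntax change: it assumes exactly four sequence digits.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# Assumed encoding of the rule quoted above: four-digit year, then a
# sequence of four or more digits, ending at a word boundary so a longer
# ID is taken whole rather than cut after four digits.
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})\b")

# Block the message above attributes to the DWF CNA.
DWF_SEQ_MIN, DWF_SEQ_MAX = 1_000_000, 1_999_999

# Constructed sample text; the first string is the advisory title above.
SUBJECT = "CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux"
NOTE = "see CVE-2016-1000001 and CVE-2014-3127, but not CVE-2014-00001"


def parse_cve_id(s: str):
    """Return (year, sequence) for a well-formed ID, else None.

    Leading zeros are only used to pad IDs 1..999 to four digits, so a
    zero-led sequence must be exactly four digits and must not be 0000.
    """
    m = CVE_RE.fullmatch(s)
    if not m:
        return None
    year, seq = m.group(1), m.group(2)
    if seq[0] == "0" and (len(seq) != 4 or int(seq) == 0):
        return None
    return int(year), int(seq)


def is_valid_cve_id(s: str) -> bool:
    return parse_cve_id(s) is not None


def is_dwf_block(sequence: int) -> bool:
    """True if the sequence number falls in the DWF CNA block named above."""
    return DWF_SEQ_MIN <= sequence <= DWF_SEQ_MAX


def extract_with_legacy(text: str):
    """What a four-digit-only matcher pulls out of free text."""
    return LEGACY_CVE_RE.findall(text)


def extract_cve_ids(text: str):
    """All well-formed IDs in free text under the current syntax."""
    return [m.group(0) for m in CVE_RE.finditer(text) if is_valid_cve_id(m.group(0))]


if __name__ == "__main__":
    # The legacy matcher returns a truncated, wrong ID for the sudo advisory;
    # the current-syntax matcher returns the full one and flags its CNA block.
    print("legacy :", extract_with_legacy(SUBJECT))
    for cve in extract_cve_ids(SUBJECT + " " + NOTE):
        _, seq = parse_cve_id(cve)
        print("current:", cve, "(DWF block)" if is_dwf_block(seq) else "")
```

Worth checking in any ticketing, scanner or log-parsing rule that was written before the change: an unanchored four-digit pattern does not fail loudly on a seven-digit ID, it matches a prefix and emits an identifier that points at a different (or nonexistent) CVE.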
