
Status Update on the CVE ID Syntax Change



On January 13, 2015, we reached the publication date for the new CVE-ID syntax. We published 92 new-syntax IDs: 48 with 5 digits and 44 with 6 digits, comprising 70 normal entries and 22 additional entries with REJECT or RESERVED status. We published CVE entries for CVE-2014-10001 through CVE-2014-10039 (5-digit sequence numbers) and CVE-2014-100001 through CVE-2014-100038 (6-digit sequence numbers).

Two months later, we have not seen or received reports of any major errors occurring due to the syntax change. We have seen some public bug fixes related to ID parsing in this time frame. We have received feedback that sorting of variable-length IDs is causing some minor annoyance due to the variable length, although this was a documented and publicly discussed issue when the syntax was adopted.

We have received, seen, or become aware of various questions about the process we followed in assigning the new IDs, so we thought it would be useful to give more details on what we did and why.

1. Because there are many different communication channels or processes involved in the exchange of CVE IDs, and there may be different ID-processing code for each stream/process, we believed it was important to exercise the ID syntax change for these different channels, so that consumers could verify that their handling of the ID syntax change was thorough.

2. We published valid CVE entries for CVE-2014-10001 through CVE-2014-10039 (with 5-digit sequence numbers) and CVE-2014-100001 through CVE-2014-100038 (6-digit sequence numbers). This satisfied the CVENEW and CVE download communication streams. For this set of IDs, we selected issues that were public in 2014 but had not yet received a CVE-ID due to prioritization according to our "CVE Data Sources and Coverage" list [1]. We defined and used a semi-automated process that randomly determined which issues received 5- or 6-digit IDs, and which references received the first valid 5-digit and 6-digit IDs, namely CVE-2014-10001 and CVE-2014-100001.

3. Since REJECTED or RESERVED IDs are often treated differently from regular entries, we issued some new-syntax IDs with these characteristics. The REJECTed IDs include IDs that would normally be rejected, such as the inadvertent use of multiple 5-digit IDs in a public advisory during 2014, or their use in the ID-Syntax test data. The RESERVED IDs will show up in vulnerability advisories in external data sources, which are also likely to have different processing code.

4. We chose to include 6-digit IDs in addition to 5-digit IDs for several reasons. Near the end of 2014, there was evidence that some implementers were making a 5-digit assumption, or making other, similarly incorrect assumptions. We wanted to guard against having a series of tools emerge that might solve "CVE-10K" but still be subject to a "CVE-100K" problem due to incorrect implementations.

5. Note that we have exceeded over 9,705 4-digit CVE-2014-xxxx IDs so far. There is still a gap with the 5-digit CVE-2014-10000 IDs, but this gap will slowly be closed as additional CVE IDs continue to be assigned to older issues published in 2014. This gap is for 2014 only, and it is due to our commitment to easing the transition to the new syntax IDs by releasing other real-world IDs that can ensure compliance with the new syntax.

Within a matter of weeks, we will have one additional, limited release of 5-digit and 6-digit IDs, which will be useful for exercising any functionality that performs change detection. We do not plan to make any formal announcements when we execute these steps.

After the release of this additional set of 5-digit and 6-digit IDs, we believe our work regarding the syntax change will be complete, bringing over 2 years of community discussion and effort to a close.

We hope that this clarifies any questions or concerns that people have had. MITRE has been committed to making the transition for the new ID syntax as smooth and transparent as possible, for consumers and vendors. As always, we welcome everybody's thoughts and feedback.

- Steve Christey Coley
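Added example, not part of the original message and not MITRE's code: a Python sketch of the two consumer-side problems the message mentions, a parser that assumes a fixed-width sequence number and string sorting of variable-length IDs. The function names and the sample advisory text are assumptions made for illustration.

```python
import re

# Pre-2014 assumption: the sequence number is exactly four digits.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}")
# New syntax: four or more digits. The lookbehind rejects matches that start
# inside a longer token (e.g. "XCVE-...").
CVE_RE = re.compile(r"(?<![A-Za-z0-9-])CVE-(\d{4})-(\d{4,})")


def sort_key(cve_id):
    """Numeric (year, sequence) key so 5- and 6-digit IDs order correctly."""
    m = CVE_RE.fullmatch(cve_id)
    if m is None:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def extract_ids(text):
    """Unique CVE IDs found in text, in numeric order."""
    ids = {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}
    return sorted(ids, key=sort_key)


def legacy_extract(text):
    """What a parser with the 4-digit assumption reports for the same text."""
    return LEGACY_RE.findall(text)


# Constructed sample advisory text; the 5- and 6-digit IDs are the first
# new-syntax IDs named in the message, the 4-digit ID is a placeholder.
SAMPLE = (
    "Fixed in this release: CVE-2014-100001, CVE-2014-10001 and "
    "CVE-2014-9999. See also CVE-2014-10001."
)

if __name__ == "__main__":
    print("new syntax :", extract_ids(SAMPLE))
    print("legacy     :", legacy_extract(SAMPLE))
    print("string sort:", sorted(extract_ids(SAMPLE)))
```

The legacy pattern does not fail loudly: it silently truncates both new-syntax IDs to the same, different 4-digit ID, which is why a test feed containing real 5- and 6-digit entries is needed to expose it.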

Page Last Updated or Reviewed: March 25, 2015