Red Hat and CVE compatibility

Updated -

Q: What is the CVE project?

The Common Vulnerabilities and Exposures (CVE) project, maintained by The MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. Refer to http://cve.mitre.org for further information.

Q: What is Red Hat doing with the CVE project?

We believe that giving our users accurate and complete information about security issues is extremely important. By including CVE names when we discuss security issues in our services and products, we can help users cross-reference vulnerabilities so they spend less time investigating and categorizing security events.

Red Hat has a representative on the CVE Editorial Board and declared CVE compatibility in April 2002.

Q: Which Red Hat services use CVE names?

We have added CVE names to all Red Hat Security Advisories (RHSA) released since November 2001. These names appear on our website, in the email notifications sent to our security mailing lists, and on the Red Hat Network.

Red Hat has audited all security advisories since January 2000 and assigned or created CVE entries where appropriate.

Use the per-CVE pages to find information about a given CVE name, including which Red Hat advisories address it.

Q: Why does the CVE website tell me a name you referenced is not found?

In many cases, the security issues our advisories address are not public knowledge prior to an advisory being released, and as such, do not already have assigned CVE names. For these situations, we work with MITRE to reserve the CVE names we need in advance; however, it can then take a short period of time for the CVE names to appear on the CVE website once the issues become public.

Q: What is the difference between a CVE entry and a candidate?

CVE candidates are those vulnerabilities or exposures under consideration for acceptance into CVE. Prior to 19 October 2005, candidates were assigned names with the CAN- prefix to distinguish them from official CVE entries. The CAN- prefix has not been used since 19 October 2005, although it may still be referenced in older Red Hat publications and advisories; a CAN- name and the CVE- name with the same year and number refer to the same issue.

A CVE name is made up of a prefix, the year in which the name was assigned (or in which the issue was made public), and a sequence number that is unique within that year. For example, CVE-2002-0067 is the name with sequence number 0067 assigned in 2002. Sequence numbers were originally four digits; since 2014 they may be longer, so tools that match CVE names should not assume exactly four digits.
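The two answers above describe the CAN-/CVE- prefixes and the year-plus-sequence-number format. The following Python example, added here and not part of the original Red Hat page or of any MITRE or Red Hat tooling, extracts CVE names from advisory text, accepts the legacy CAN- prefix, collapses CAN- and CVE- spellings of the same issue, and returns canonical CVE- names sorted by year and sequence number. The sample advisory text is constructed for the example, and the function names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the current CVE- prefix and the legacy CAN- candidate prefix used
# before 19 October 2005. The sequence part is four or more digits: the
# fixed four-digit form was relaxed in 2014, so we must not hard-code \d{4}.
_CVE_RE = re.compile(
    r"\b(?P<prefix>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})\b",
    re.IGNORECASE,
)


@dataclass(frozen=True, order=True)
class CveName:
    year: int
    seq: int
    was_candidate: bool = False  # True if the text used the legacy CAN- prefix

    @property
    def name(self) -> str:
        # Canonical form: always CVE-, sequence zero-padded to at least four digits.
        return f"CVE-{self.year}-{self.seq:04d}"


def parse_cve_name(token: str) -> CveName:
    """Parse a single CVE or CAN name; raise ValueError on anything else."""
    m = _CVE_RE.fullmatch(token.strip())
    if m is None:
        raise ValueError(f"not a CVE name: {token!r}")
    return CveName(int(m["year"]), int(m["seq"]), m["prefix"].upper() == "CAN")


def extract_cve_names(text: str) -> list[CveName]:
    """Return the distinct CVE names mentioned in free text, sorted by year and number."""
    seen: dict[tuple[int, int], CveName] = {}
    for m in _CVE_RE.finditer(text):
        c = parse_cve_name(m.group(0))
        # CAN-YYYY-NNNN and CVE-YYYY-NNNN name the same issue; keep the first spelling seen.
        seen.setdefault((c.year, c.seq), c)
    return sorted(seen.values())


# Constructed sample advisory text (hypothetical, not a real RHSA).
SAMPLE_ADVISORY = """
Security Advisory (constructed sample)
This update fixes CAN-2005-0488 (also written CVE-2005-0488 in later text),
CVE-2002-0067, and the post-2014 style name cve-2014-123456.
Tokens such as CVE-2002 or CVE-2002-12 are not valid names and are ignored.
"""

if __name__ == "__main__":
    for c in extract_cve_names(SAMPLE_ADVISORY):
        flag = " (seen as CAN- candidate)" if c.was_candidate else ""
        print(c.name + flag)
```

Running the block prints the three canonical names from the sample text, with CVE-2005-0488 flagged because the advisory spelled it with the CAN- prefix first; matching is case-insensitive so that lower-case names in mailing-list text are still found.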

Q: Who else uses CVE names?

Many organizations use CVE names as part of their security services. More details can be found on the CVE website. In January 2002, the National Institute of Standards and Technology (NIST) issued a draft recommendation that government organizations adopt CVE standard solutions throughout their security infrastructure.

We hope our commitment to the CVE project will encourage other open source vendors to become more actively engaged in this initiative.

Q: Where can I go to find more information?

Refer to the CVE website for information about the CVE project, naming, and various processes: http://cve.mitre.org.
