CVE-ID is truncated to 4 digits #153

Closed
usiusi360 opened this issue Aug 20, 2016 · 2 comments

@usiusi360
Contributor

CVE-2016-1000110 is detected as CVE-2016-1000 in Vuls.

ChangeLog for: python-2.6.6-66.el6_8.x86_64, python-libs-2.6.6-66.el6_8.x86_64

  • Tue Aug 9 21:00:00 2016 Charalampos Stratakis [email protected] - 2.6.6-66
  • Fix for CVE-2016-1000110 HTTPoxy attack
    Resolves: rhbz#1359161

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110
https://access.redhat.com/security/cve/cve-2016-1000110


It's cut down to a fixed 4 digits by the code.
https://github.com/future-architect/vuls/blob/master/scan/redhat.go#L870


After 2014, the CVE-ID syntax is variable length.

https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

Changes to CVE-ID Syntax
In order to support CVE ID's beyond CVE-YEAR-9999 (aka the CVE10k problem) a change was made to the CVE syntax in 2014 and took effect on Jan 13, 2015 [5]

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

NOTE: The variable length arbitrary digits will begin at four (4) fixed digits and expand with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there will be no changes needed to previously assigned CVE-IDs, which all include a minimum of 4 digits.

@usiusi360
Contributor Author

https://cve.mitre.org/cve/identifiers/syntaxchange.html#new

There is no limit on the number of arbitrary digits.
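
As an added example (not part of this thread and not Vuls's own code), the Go sketch below contrasts a fixed four-digit pattern, which reproduces the truncation reported here, with a variable-length pattern that follows the syntax quoted above. The function names, the sample changelog and the `CVE-2099-…` IDs are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Fixed-width pattern: stops after four sequence digits (the reported bug).
var fixedWidthCVE = regexp.MustCompile(`CVE-\d{4}-\d{4}`)

// Variable-length pattern: four or more sequence digits, any letter case.
var variableCVE = regexp.MustCompile(`(?i)\bCVE-\d{4}-\d{4,}\b`)

// ExtractCVEIDs returns unique, upper-cased CVE-IDs in order of appearance.
func ExtractCVEIDs(text string) []string {
	seen := map[string]bool{}
	var ids []string
	for _, m := range variableCVE.FindAllString(text, -1) {
		id := strings.ToUpper(m)
		if !seen[id] {
			seen[id] = true
			ids = append(ids, id)
		}
	}
	return ids
}

// TruncatedMatches lists fixed-width matches that are directly followed by
// another digit, i.e. the IDs a four-digit parser would cut short.
func TruncatedMatches(text string) []string {
	var cut []string
	for _, loc := range fixedWidthCVE.FindAllStringIndex(text, -1) {
		end := loc[1]
		if end < len(text) && text[end] >= '0' && text[end] <= '9' {
			cut = append(cut, text[loc[0]:end])
		}
	}
	return cut
}

// Constructed sample: first entry mirrors the changelog quoted in the issue.
const sampleChangelog = `- Fix for CVE-2016-1000110 HTTPoxy attack
  Resolves: rhbz#1359161
- constructed entries: CVE-2099-1234 cve-2099-12345678`

func main() {
	fmt.Println(ExtractCVEIDs(sampleChangelog))
	fmt.Println(TruncatedMatches(sampleChangelog))
}
```

`TruncatedMatches` can be run over existing scan input to find records where a four-digit parser would have reported the wrong CVE-ID.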

usiusi360 changed the title from "CVE-ID is truncated to four digits" to "CVE-ID is truncated to 4 digits" on Aug 20, 2016
kotakanbe added a commit that referenced this issue Aug 23, 2016
@kotakanbe
Member

Thanks for reporting and sending a PR :)
