
Red Hat and CVE Compatibility

Q: What is the CVE project?

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. See http://cve.mitre.org

Q: What is Red Hat doing with the CVE project?

We believe that giving our users accurate and complete information about security issues is extremely important. By including CVE names whenever we discuss security issues in our services and products, we help users cross-reference vulnerabilities and spend less time investigating and categorizing security events.

Red Hat has a representative on the CVE editorial board and declared CVE compatibility in April 2002.

Q: Which Red Hat services use CVE names?

Red Hat has added CVE names to all the security advisories (RHSA) we have released since November 2001. These can be found on our web site as well as in the email notifications sent to our security mailing lists and Red Hat Network. In addition our Apache newsletter, Apache Week, covers Apache security issues with associated CVE names.

In addition, Red Hat has audited all security advisories since January 2000 and has assigned or created CVE entries where appropriate.

Users who wish to search for a particular CVE name can use the standard search engine on all redhat.com web pages. A search can be made for a specific CVE name (for example "CVE-2001-0852").

Q: Why does the CVE web site tell me a name you referenced is not found?

In many cases the security issues our advisories address are not yet public knowledge and therefore do not already have an assigned CVE name. In these cases we work with MITRE to reserve the CVE names we need in advance; it may then take a short time after the issue becomes public for the details to appear on the CVE web site.

Q: What is the difference between a CVE entry and a candidate?

CVE candidates are vulnerabilities or exposures under consideration for acceptance into CVE. Prior to 19 October 2005, candidates were assigned names with the prefix CAN- to distinguish them from official CVE entries. Since 19 October 2005 the CAN- prefix is no longer in use, although you may still see it referenced in older Red Hat publications and advisories.

A CVE name encodes the year in which the name was assigned and a sequence number N, unique within that year, for the Nth name assigned that year; for example, CVE-2002-0067 is the 67th name assigned in 2002. Note that names issued from 2014 onward may carry a sequence number of more than four digits, so tools that match CVE names should not assume exactly four.
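The following is an added example, not code from Red Hat or from the CVE project, showing how a practitioner might recognise CVE names in advisory text as described above: it accepts both the current CVE- form and the retired CAN- candidate prefix, normalises everything to CVE-, and splits a name into its year and sequence number. The sample advisory text is constructed for the example; the acceptance of sequence numbers longer than four digits reflects the post-2014 CVE syntax and is an assumption beyond what the page states.

```python
import re
from typing import List, NamedTuple, Optional

# Added example, not Red Hat's code. Matches the current "CVE-" form and the
# legacy "CAN-" candidate prefix that was retired on 19 October 2005.
# Assumption (not from the page): since 2014 the sequence number may be longer
# than four digits, so four or more digits are accepted.
_CVE_RE = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


class CveName(NamedTuple):
    name: str            # normalised form, e.g. "CVE-2002-0067"
    year: int            # year in which the name was assigned
    sequence: int        # Nth name assigned in that year
    was_candidate: bool  # True if the text used the retired CAN- prefix


def parse_cve_name(token: str) -> Optional[CveName]:
    """Parse a single CVE or legacy CAN name; return None if malformed."""
    m = _CVE_RE.fullmatch(token.strip())
    if m is None:
        return None
    prefix, year, seq = m.group(1).upper(), m.group(2), m.group(3)
    # Keep the sequence digits verbatim (leading zeros included) in the name,
    # but expose the numeric value separately for sorting or comparison.
    return CveName(f"CVE-{year}-{seq}", int(year), int(seq), prefix == "CAN")


def extract_cve_names(text: str) -> List[str]:
    """Return normalised, de-duplicated CVE names in order of first appearance."""
    found: List[str] = []
    for m in _CVE_RE.finditer(text):
        name = f"CVE-{m.group(2)}-{m.group(3)}"
        if name not in found:
            found.append(name)
    return found


# Constructed sample advisory text (not a real Red Hat advisory): mixes the old
# CAN- prefix, a lower-case name, a repeat, and a long post-2014 sequence number.
SAMPLE_ADVISORY = (
    "Updated packages fix CAN-2002-0067 and CVE-2001-0852. "
    "See also cve-2001-0852 (duplicate) and CVE-2014-12345 for the later issue."
)

if __name__ == "__main__":
    for name in extract_cve_names(SAMPLE_ADVISORY):
        print(name, parse_cve_name(name))
```

Because the regular expression is case-insensitive and anchored on word boundaries, it picks up names quoted inside punctuation (as in a search for "CVE-2001-0852") without matching fragments of longer tokens.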

Q: Who else uses CVE names?

Many organisations use CVE names as part of their security services; more details can be found on the CVE web site. In January 2002, the National Institute of Standards and Technology (NIST) issued a draft recommendation that government organizations adopt CVE-compatible solutions throughout their security infrastructure.

We hope that our commitment to the CVE project will encourage other open source vendors to become more actively engaged in this initiative.

Q: Where can I go to find more information?

The CVE web site has a large set of information about the project, naming, and the various processes. Visit http://cve.mitre.org.
