CVE Home

Get CVE -- View, Search, Download the CVE list
CVE Home
About CVE
News and Events
Press View
Compatible Products
Editorial Board
Advisory Council
Free Newsletters
Contact Us
Alphabetical Index

NOTE:

The CVE naming scheme was modified on October 19, 2005 .

See below for more information.

CVE Renumbering Q&A

The questions and answers below apply to users, vendors, and anyone interested in the upcoming modifications to the CVE List numbering scheme. You may also contact cve@mitre.org with any other questions or concerns about the modification.

How was the CVE List being renumbered?

The CVE List numbering scheme was modified to replace the "CAN" prefix with a "CVE" prefix in CVE names.

Under the old system, the "CAN-yyyy-nnnn" identifier is eventually changed to a "CVE-yyyy-nnnn" identifier. The new numbering system will have the CVE prefix from the outset followed by 8 numerals and a status line designating whether the name has "Candidate," "Entry," or "Deprecated" status. Under the new scheme, when new CVE versions are released only the status line of a CVE name will be updated.

Each CVE name will continue to include a brief description and references .

When did this change occur? When was it first announced?

This one-time-only modification to the CVE List numbering scheme occurred on October 19, 2005.

We made an initial announcement about the renumbering on September 22, 2004 in a news article about CVE's 5-Year Anniversary in a section about future plans. A formal announcement was made on the CVE Web site on April 21, 2005. A second announcement was made on the CVE Web site on September 21, 2005. We made the initial announcement six months in advance in order to give early notice of the changeover to users and vendors.

What do the new CVE names look like?

CVE names (also called "CVE numbers", "CVE-IDs", and "CVEs") will now have the CVE prefix from the outset followed by 8 numerals and a status line signifying Candidate, Entry, or Deprecated status. Each name , including CVE names with candidate status (also called "candidates," "candidate numbers," or "CANs"), will also include a brief description of the issue and any associated references.

For example, CVE name CVE-1999-0067 will include the following:

CVE Name: CVE-1999-0067
Status: Entry
Description: CGI phf program allows remote command execution through shell metacharacters.
References: • CERT:CA-96.06.cgi_example_code
• XF:http-cgi-phf
• BID:629
• OSVDB:136

When new CVE versions are released only the status line will be updated.

What will happen to previously assigned CVE names?

Previously assigned CVE numbers will remain the same except for the prefix being updated and the addition of the status. For example, CAN-2005-0386 will be changed to CVE-2005-0386 with "Candidate" status.

Back to top

Why did CVE make this change?

This one-time only modification to the CVE naming scheme is a direct result of feedback from users and was made to enhance the usability of CVE names. Under the old system the "CAN-yyyy-nnnn" identifier is eventually changed to a "CVE-yyyy-nnnn" identifier, which resulted in maintenance problems and confusion with the more than 12,000 CVE names currently available on the CVE Web site. This modification directly addresses those issues.

I have an older CVE name with a CAN prefix, will I still be able to find the listing for it on the CVE Web site?

Yes. Typing in "CAN-xxxx-yyyy" on the CVE Web site will retrieve the page for the appropriate "CVE-xxxx-yyyy" name instead.

My organization is a CVE-compatible vendor, how does this affect the status of the compatibility declarations for our product(s) and/or service(s)?

Compatible vendors have been contacted directly to discuss the expected impact. Please contact cve@mitre.org with any other questions or concerns.

Was the Compatibility Requirements Document updated? What portions of the document were changed?

Yes, the CVE Compatibility Requirements document has been updated to conform to the modification. The changes detail how organizations should handle the inclusion of CVE names with "candidate" status when including them in their products or services (see Section 6. Candidate Name Usage ). Please contact cve@mitre.org with any other questions or concerns.

When did CVE's Candidate Numbering Authorities (CNAs) begin using the new CVE numbers?

CNAs began using the modified numbering scheme on October 19, 2005. From that point forward all newly assigned CVE names will have a CVE prefix (e.g., CVE-xxxx-yyyy) and "Candidate" status.

I am a researcher, how will this modification to the CVE numbering scheme affect me?

When the changeover occurs you will need to reference any older CVE Candidate Numbers using the revised name. For example, CAN-2005-0386 would instead be referred to as CVE-2005-0386 with "Candidate" status.

How will links to CVE names still listed as CANs in older security advisories and news publications by affected by the modification?

Links to CANs in older advisories and news media articles will be redirected on the CVE Web site to pages with the appropriate renumbered names.

I have a question not listed here. Can I contact CVE to address my concern?

Yes. Please feel free to contact cve@mitre.org with any other questions or concerns about the modification to the CVE List numbering scheme.

Back to top

For more information, please email cve@mitre.org

Page last updated: Monday, 17-Oct-2005 16:55:37 EDT