Re: Code Red Vulnerability (CAN-2001-0500)
Stuart Staniford asked:
>It would be somewhat nice to refer to the vulnerability by its CVE
>name, but it's still a candidate at present. Is there any ETA for
>when it might be approved?

CAN-2001-0500 should become CVE-2001-0500 in the next CVE version. It
has enough votes. It probably didn't make it into the last version
because I didn't ACCEPT any candidates that had only been proposed to
the Board within the previous 2 months or so.

After the new round of candidates comes out (brace yourselves for
~200 tomorrow...) I will be working on creating a new CVE version,
which will come out in mid-February. This new version should exceed

While it's theoretically risky to call this CVE-2001-0500 right now, I
think it's a very good bet. If you include a link to the CVE web site
the CVE web site will bring you to the right record, even if it's
still a CAN for some unexpected reason.

The transition of the name from CAN to CVE, and its impact on making
candidate numbers "obsolete" in written communications (not to mention
voluminous databases), is one reason why I'd like to make the one-time
change to the CVE naming scheme as alluded to in various conversations
in the past. I'm still thinking about how to do this right, and
*when* to do it. But a name that doesn't change from candidate to
entry would provide additional stability that would avoid these types