Hello Salvatore, apologies for not replying earlier, I was away on holidays.
I was told by the CVE team that I have to use the online form to update information about the issues. On 10 November 2016 I sent a request to update an existing CVE, CVE-2016-9186. I received an automated reply, "CVE Request 260788 for Update Published CVE". I don't see any changes on the page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9186 following my request to update, though. I was not aware of 9187 and 9188; I can request an update again, but now I'm not even sure this form works.

I also use this form to notify about publishing a CVE. For example, the last issue I notified about was CVE-2016-8644 on 21 November 2016 ( https://moodle.org/mod/forum/discuss.php?d=343277 ), but the page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8644 still does not display any information about the issue.

Please advise me on the correct way to update information on CVEs and/or notify about the publishing.

Below is the email that I received from c...@mitre.org at the end of October in reply to my request to update information about CVE-2016-7919.

Regards,
Marina Glancy

> Marina,
>
> The new CVE web form can be used to submit this request as listed in the
> notification below. Select the "Request an update to an existing CVE"
> option.
>
> **********IMPORTANT NOTIFICATION***************
>
> Please use the "CVE Request" web form to request CVE IDs from MITRE,
> request an update to a CVE, provide notification about a
> vulnerability publication, or submit comments:
> https://cveform.mitre.org/
>
> Learn more at:
> https://cve.mitre.org/news/archives/2016/news.html#august292016_FOCUS_ON:_New_Method_to_Request_CVE_IDs_Updates_and_More_from_MITRE_in_Effect
>
> ***********************************************
>
> The CVE Team

Marina Glancy
Development Process Manager
e: mar...@moodle.com
p: +61 8 9467 4167
w: moodle.com <http://www.moodle.com>

On Sun, Jan 15, 2017 at 6:14 PM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi Dan, hi Marina,
>
> On Sun, Jan 15, 2017 at 09:31:05AM +0000, Dan Poltawski wrote:
> > Hi,
> >
> > > please see https://packetstormsecurity.com/files/139466/Moodle-CMS-3.1.2-Cross-Site-Scripting-File-Upload.html
> > > JFTR, regarding this one: I tried some weeks ago to contact Marina
> > > Glancy to get more information about those CVEs from the upstream point
> > > of view, but got no reply unfortunately. Cc'ing for this bug as well.
> >
> > (Upstream here with Marina) We have not reported on these 'security issues'
> > because we do not believe any are security concerns. We replied to the
> > original reporter explaining this/asking for clarification; they published
> > them as 'exploits' despite this and (as far as I'm aware) didn't respond to
> > our requests for clarification. This puts us in a difficult situation.
> >
> > The s_additionalhtmlhead setting is controlled with our RISK_XSS flag, the
> > 'add these tags' issue only seems to provide XSS to the user themselves
> > (in the same way as a web inspector would do), and the others we do not
> > understand the exploit. If there is something we are missing we would
> > appreciate the bug being created on https://tracker.moodle.org
> >
> > Note that new security releases (and CVEs) have just been published and
> > will be published on https://moodle.org/security/ shortly.
>
> Thanks a lot for your feedback, this is very much appreciated. According
> to the above I have added a note to our CVE entries in the
> security-tracker at
>
> https://security-tracker.debian.org/tracker/851405
>
> to mention the above. Maybe those CVEs might need to be rejected then
> in case it turns out that the reports were invalid regarding being a
> security issue.
>
> I will look forward to the new CVEs and add them later to our
> tracking.
>
> > cheers and thanks for your work,
>
> Thanks, and the same 'thank you' to you!
>
> Regards,
> Salvatore