> There is something I've always wondered... How do CVE items in
> CVE's database have their status changed? In my time of working with
> vulnerabilities, I have only seen a few items graduate from
> Status="Candidate" to Status="..." (is it "Confirmed"?).

This along with much other information is covered here:
http://cve.mitre.org/about/

> Another question. How does one submit information or corrections
> to the cve.mitre.org folks?

You can mail cve@xxxxxxxxx with your corrections. Please keep in mind that they are swamped with the volume of security issues, so your correction will take some time.

> Also -- What makes the CVE maintainers notice a given advisory and
> maybe skip another? The Fedora Legacy advisory FLSA:186277 mentioned
> in CVE-2006-0058's references is referring to an obsolete advisory, as
> Legacy had to re-release sendmail with an updated advisory.
>
> * The original Legacy advisory for this issue is at
> <http://www.securityfocus.com/archive/1/archive/1/428656/100/0/threaded>
> (also at <http://www.securityfocus.com/archive/1/428656/100/0/threaded>)
>
> * The updated Legacy advisory is at
> <http://www.securityfocus.com/archive/1/430308/100/300/threaded>
>
> Do we need to renumber the advisory so it will get attention by the CVE
> folks? Or make a special effort to send mail to the CVE people letting
> them know that the reference in CVE-2006-0058 needs updating? If so, who
> do we write?

You can mail them telling them where the new advisory is (once again though, this will take time to be updated as this would be a low priority task). This is one of the problems with using a mailing list to publish your advisories. Once it's published, it's read only.

--
JB