Issue reporting on a year-old SharePoint CVE

quest · September 24, 2020, 6:18pm

I got a request for reporting this CVE from over a year ago. It appears there was Patches for Windows content created for this, but now I cannot report on either the superseded fixlets nor the CVE they fixed in the current site version 3621. I would like to know why these things are missing from the current site content, and ideally it would be great to have them added if possible.

Microsoft page about CVE-2019-0604 with KBs listed:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

These KBs had patches published (& superseded):
https://forum.bigfix.com/search?q=KB4462211
https://forum.bigfix.com/search?q=KB4461630
https://forum.bigfix.com/search?q=KB4462143
https://forum.bigfix.com/search?q=kb4462184

These KBs did not have patches published:
https://forum.bigfix.com/search?q=KB4462202
https://forum.bigfix.com/search?q=KB4462199

bma · September 24, 2020, 11:44pm

All of those have been in a superseded state for more than year. Fixlets that have been superseded for more than a year are purposefully removed from the Patches for Windows site.

Regarding KB4462202 and KB4462199, I’m not sure if those were just not posted in the forum announcement or missed altogether. But similar to the others, they were superseded with the Sharepoint releases the next month .

4462199 was replaced by 4464518 (https://support.microsoft.com/en-us/help/4464518) on April 9, 2019
4462202 was replaced by 4464511 (https://support.microsoft.com/en-us/help/4464518) on April 9, 2019

quest · September 25, 2020, 6:11pm

That’s interesting. I wonder if it’s possible to have those CVEs from superseded fixlets from over a year ago reportable via another way.