Updates to rel notes

release-notes/2.1/2.1.7/2.1.7.md

@@ -47,6 +47,12 @@ See [.NET Core Supported OS Lifecycle Policy](https://github.com/dotnet/core/blo
 * ### [CVE-2019-0545: .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
     **Executive summary**
 
+    Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
+
+    Microsoft is aware of an information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.
+
+    The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass.
+
 * ### [CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
     **Executive summary**
 

release-notes/2.2/2.2.1/2.2.1.md

@@ -46,6 +46,13 @@ See [.NET Core Supported OS Lifecycle Policy](https://github.com/dotnet/core/blo
 
 * ### [CVE-2019-0545: .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
     **Executive summary**
+    
+    Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
+
+    Microsoft is aware of an information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.
+
+    The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass.
+
 * ### [CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
     **Executive summary**
 
@@ -75,23 +82,6 @@ See [.NET Core Supported OS Lifecycle Policy](https://github.com/dotnet/core/blo
     Microsoft.AspNetCore.App | 2.2.0<br/>2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1 <br/> 2.1.7
     Microsoft.AspNetCore.All  | 2.2.0<br/>2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1 <br/> 2.1.7
 
-* ### [CVE-2018-8416: .NET Core Tampering Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
-    **Executive summary**
-    
-    Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
-
-    Microsoft is aware of a tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.
-
-    To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system
-
-    The update addresses the vulnerability by correcting how .NET Core handles these files.
-    
-    **Package and Binary updates**
-    
-    Package name | Vulnerable versions | Secure versions
-    ------------ | ------------------- | -------------------------
-    System.IO.Compression.ZipFile | 4.0.0, 4.0.1, 4.3.0 | 4.3.1
-
 ## Packages updated as part of this release:
 
 Package name | Version