Date: Wed, 19 Oct 2011 15:19:12 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: piwik before 1.6

Okay, this one is a bit more complicated.

It seems piwik has decided to join the projects that try to hide
security issues instead of being transparent. The Changelog for piwik
1.6 lists the names of people disclosing security issues, but it
doesn't give any hint of the issues themselves.

Quoting from http://piwik.org/blog/2011/10/piwik-1-6/:
"Security: we would like to thank the following people for their
responsible disclosure: Alexandru Pitis, Alexander Schmid, Secure
Business Austria, Krzysztof Kotowicz, David Vieira-Kurz, Szymon
Gruszecki, Mateusz Goik, Mauro Gentile."

Although they have a section on their webpage with security advisories,
there's none for 1.6. (reminds me of clamav, they've been doing that
for years)

Regarding CVEs, I suggest adding one for every name, e.g.
"Unknown security vulnerability in piwik before 1.6 discovered by
Alexandru Pitis" etc., until we know more about it.


If anyone knows any piwik devs, please tell them that it'd be a good
idea to get back to a transparent handling of security issues.

-- 
Hanno Böck		mail/jabber: hanno@...eck.de
GPG: BBB51E42		http://www.hboeck.de/

