Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 31 Dec 2012 10:32:25 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: CVE request (maybe): magento before 1.7.0.2

Hi,


http://www.magentocommerce.com/download/release_notes
1.7.0.2 changelog lists this:
"Fixed: Security vulnerability in Zend_XmlRpc -
http://framework.zend.com/security/advisory/ZF2012-01 "

I don't know if we consider bundled libs issues as extra CVE. The
original one is CVE-2012-3363.


Also, Magento 1.7.0.1 has this:
"Fixed: Several potential security vulnerabilities"

Yeah, I like it if vendors are so verbose about their
vulnerabilities... And here are some people defending the "security by
obscurity standpoint of magento:
http://www.magentocommerce.com/boards/viewthread/284896/#t397006

(I seriosly consider this is an issue that should be highlighted more -
we recently had piwik devs arguing in a similar way for obsurity - free
software doesn't protect you from dumb developers thinking that
obscurity may be a good idea)


-- 
Hanno Böck		mail/jabber: hanno@...eck.de
GPG: BBB51E42		http://www.hboeck.de/

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.