Date: Mon, 31 Dec 2012 10:32:25 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: CVE request (maybe): magento before 18.104.22.168 Hi, http://www.magentocommerce.com/download/release_notes 22.214.171.124 changelog lists this: "Fixed: Security vulnerability in Zend_XmlRpc - http://framework.zend.com/security/advisory/ZF2012-01 " I don't know if we consider bundled libs issues as extra CVE. The original one is CVE-2012-3363. Also, Magento 126.96.36.199 has this: "Fixed: Several potential security vulnerabilities" Yeah, I like it if vendors are so verbose about their vulnerabilities... And here are some people defending the "security by obscurity standpoint of magento: http://www.magentocommerce.com/boards/viewthread/284896/#t397006 (I seriosly consider this is an issue that should be highlighted more - we recently had piwik devs arguing in a similar way for obsurity - free software doesn't protect you from dumb developers thinking that obscurity may be a good idea) -- Hanno Böck mail/jabber: hanno@...eck.de GPG: BBB51E42 http://www.hboeck.de/ Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.