Date: Thu, 03 Jan 2013 13:14:30 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Hanno Böck <hanno@...eck.de> Subject: Re: CVE request (maybe): magento before 188.8.131.52 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/31/2012 02:32 AM, Hanno Böck wrote: > Hi, > > > http://www.magentocommerce.com/download/release_notes 184.108.40.206 > changelog lists this: "Fixed: Security vulnerability in Zend_XmlRpc > - http://framework.zend.com/security/advisory/ZF2012-01 " > > I don't know if we consider bundled libs issues as extra CVE. The > original one is CVE-2012-3363. > > > Also, Magento 220.127.116.11 has this: "Fixed: Several potential security > vulnerabilities" > > Yeah, I like it if vendors are so verbose about their > vulnerabilities... And here are some people defending the "security > by obscurity standpoint of magento: > http://www.magentocommerce.com/boards/viewthread/284896/#t397006 > > (I seriosly consider this is an issue that should be highlighted > more - we recently had piwik devs arguing in a similar way for > obsurity - free software doesn't protect you from dumb developers > thinking that obscurity may be a good idea) Honestly I'm not going to waste any time on tracking these down, it would take hours to go through the above mentioned 1.8 meg diff file that contains these security flaws. So with this in mind: http://www.magentocommerce.com/download/release_notes Release Notes - Magento 18.104.22.168 (Jun 20, 2012) Fixed: Several potential security vulnerabilities Please use CVE-2012-6091 for these issues. But here's a hint: it would only take a few hours to hunt down the flaws. And according to the argument "these sites handle large volumes of money" it would be worth an attackers time to read the diff file, so this obscurity argument only hurts the users/admins since they will have to waste time figuring out if they need to apply this patch or not or if there is a workaround, or what they should do to see if they have already been attacked/etc. Feel free to post a copy of this on their forums. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ5eamAAoJEBYNRVNeJnmTeecQAJDK6zWT3prklzbLpAks6OwW Pe3G1kZWO7ABgm9S5LWJYXQdi4LByD7aXK4N5sowTUAEtefnfQrF3GKDGeiIX+sm 5rVn1NFqwD6Q+SiK9mkBg0FWxUUBY0y0Q7AcahH4VTifsrCce+rQWG9p79cQQm1H alBBF5fvQh1pT5kA9/rAIyO8ZeYJ08ziqDBZGlif4Eyonj1XPT5Q2hKcQ+UL27Lc rLynXkrvzCqmBUYO5cjHf57VfX9ePowQcDTouNXUf6tMAhSvrh2t4Neb9NKheRI1 JDXF9z72qovUXXtX8eV8S00kHEGE14B25mS4mQjWBEqetGy72MpK8EcHsy26XOgr 1PwcSNpbI3Leu57H8DdrrB8eNPdccbBiHOS0IfLccOsVJIGhVXUJGTV7lfc2PW85 HcGFStMwWoUOvj00uaes+m7Jjk4yDB2g0SUPJ7AJvKJDQFGRJYiPiJhdqcnqx+lG nbVvddnXh4uGNB9IPN8gK/cYjcYffs4/teI52vyhcFFQPwXcsWtnUgEqyUBrYQWL Sp+PQsXkZPGulhUSuoQZhItaeziJd0F7ldvR9HbuChbaP/q9xC/6V4ug5CaiECjG pNGS7ix8c9I4AuX8KA61PpZVBlAHN/h3TZ4UXA1njJPyiMYdYtwrCMk+7VryPil5 uDfS/UySiC/aA3hvUNL6 =tvfI -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.