
List:       oss-security
Subject:    [oss-security] CVE request (maybe): magento before 1.7.0.2
From:       Hanno Böck <hanno () hboeck ! de>
Date:       2012-12-31 9:32:25
Message-ID: 20121231103225.24f063f9 () melee


Hi,


http://www.magentocommerce.com/download/release_notes
1.7.0.2 changelog lists this:
"Fixed: Security vulnerability in Zend_XmlRpc -
http://framework.zend.com/security/advisory/ZF2012-01 "

I don't know if we consider bundled libs issues as extra CVE. The
original one is CVE-2012-3363.


Also, Magento 1.7.0.1 has this:
"Fixed: Several potential security vulnerabilities"

Yeah, I like it if vendors are so verbose about their
vulnerabilities... And here are some people defending the "security by
obscurity" standpoint of magento:
http://www.magentocommerce.com/boards/viewthread/284896/#t397006

(I seriously consider this an issue that should be highlighted more -
we recently had piwik devs arguing in a similar way for obscurity - free
software doesn't protect you from dumb developers thinking that
obscurity may be a good idea)


-- 
Hanno Böck		mail/jabber: hanno@hboeck.de
GPG: BBB51E42		http://www.hboeck.de/
