List: oss-security
Subject: [oss-security] CVE request (maybe): magento before 1.7.0.2
From: Hanno Böck <hanno@hboeck.de>
Date: 2012-12-31 9:32:25
Message-ID: 20121231103225.24f063f9@melee
Hi,

http://www.magentocommerce.com/download/release_notes
1.7.0.2 changelog lists this:

"Fixed: Security vulnerability in Zend_XmlRpc -
http://framework.zend.com/security/advisory/ZF2012-01 "

I don't know if we consider bundled libs issues as extra CVE. The
original one is CVE-2012-3363.

Also, Magento 1.7.0.1 has this:

"Fixed: Several potential security vulnerabilities"

Yeah, I like it if vendors are so verbose about their
vulnerabilities... And here are some people defending the "security by
obscurity" standpoint of Magento:
http://www.magentocommerce.com/boards/viewthread/284896/#t397006

(I seriously consider this an issue that should be highlighted more -
we recently had Piwik devs arguing in a similar way for obscurity - free
software doesn't protect you from dumb developers thinking that
obscurity may be a good idea)
--
Hanno Böck mail/jabber: hanno@hboeck.de
GPG: BBB51E42 http://www.hboeck.de/