oss-sec mailing list archives
CVE request: piwik before 1.6
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 19 Oct 2011 15:19:12 +0200

Okay, this one is a bit more complicated. Seems piwik decided to jump in to the projects that try to hide security issues instead of being transparent.

The Changelog for piwik 1.6 lists the names of people disclosing security issues, but it doesn't give any hint of the issues themselves. Cite from http://piwik.org/blog/2011/10/piwik-1-6/:

"Security: we would like to thank the following people for their responsible disclosure: Alexandru Pitis, Alexander Schmid, Secure Business Austria, Krzysztof Kotowicz, David Vieira-Kurz, Szymon Gruszecki, Mateusz Goik, Mauro Gentile."

Although they have a section on their webpage with security advisories, there's none for 1.6. (reminds me of clamav, they've been doing that for years)

Regarding CVEs, I suggest adding one for every name, e.g. "Unknown security vulnerability in piwik before 1.6 discovered by Alexandru Pitis" etc., until we know more about it.

If anyone knows any piwik devs, please tell them that it'd be a good idea to get back to a transparent handling of security issues.

--
Hanno Böck
mail/jabber: hanno () hboeck de
GPG: BBB51E42
http://www.hboeck.de/

Current thread:
- CVE request: piwik before 1.6 Hanno Böck (Oct 19)
- Re: CVE request: piwik before 1.6 Steven M. Christey (Oct 19)
- Re: CVE request: piwik before 1.6 Anthon Pang (Oct 19)
- Re: CVE request: piwik before 1.6 Anthon Pang (Oct 19)
- Re: CVE request: piwik before 1.6 Josh Bressers (Oct 20)
- Re: CVE request: piwik before 1.6 Henri Salo (Oct 27)
- Re: CVE request: piwik before 1.6 Josh Bressers (Oct 20)
- <Possible follow-ups>
- Re: CVE request: piwik before 1.6 Henri Salo (Oct 28)
- Re: CVE request: piwik before 1.6 Steven M. Christey (Oct 19)