oss-sec mailing list archives
CVE request (maybe): magento before 1.7.0.2
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 31 Dec 2012 10:32:25 +0100
Hi,

http://www.magentocommerce.com/download/release_notes

1.7.0.2 changelog lists this:
"Fixed: Security vulnerability in Zend_XmlRpc - http://framework.zend.com/security/advisory/ZF2012-01"

I don't know if we consider bundled libs issues as extra CVE. The original one is CVE-2012-3363.

Also, Magento 1.7.0.1 has this:
"Fixed: Several potential security vulnerabilities"

Yeah, I like it if vendors are so verbose about their vulnerabilities...

And here are some people defending the "security by obscurity" standpoint of magento:
http://www.magentocommerce.com/boards/viewthread/284896/#t397006

(I seriously consider this is an issue that should be highlighted more - we recently had piwik devs arguing in a similar way for obscurity - free software doesn't protect you from dumb developers thinking that obscurity may be a good idea)

--
Hanno Böck
mail/jabber: hanno () hboeck de
GPG: BBB51E42
http://www.hboeck.de/