oss-sec mailing list archives

CVE request (maybe): magento before 1.7.0.2


From: Hanno Böck <hanno () hboeck de>
Date: Mon, 31 Dec 2012 10:32:25 +0100

Hi,


http://www.magentocommerce.com/download/release_notes
1.7.0.2 changelog lists this:
"Fixed: Security vulnerability in Zend_XmlRpc -
http://framework.zend.com/security/advisory/ZF2012-01 "

I don't know if we consider bundled library issues as extra CVEs. The
original one is CVE-2012-3363.


Also, Magento 1.7.0.1 has this:
"Fixed: Several potential security vulnerabilities"

Yeah, I like it if vendors are so verbose about their
vulnerabilities... And here are some people defending the "security by
obscurity" standpoint of Magento:
http://www.magentocommerce.com/boards/viewthread/284896/#t397006

(I seriously consider this an issue that should be highlighted more -
we recently had Piwik devs arguing in a similar way for obscurity - free
software doesn't protect you from dumb developers thinking that
obscurity may be a good idea)


-- 
Hanno Böck              mail/jabber: hanno () hboeck de
GPG: BBB51E42           http://www.hboeck.de/
