Re: CVE request (maybe): magento before 220.127.116.11
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 03 Jan 2013 13:14:30 -0700
On 12/31/2012 02:32 AM, Hanno Böck wrote:
> changelog lists this: "Fixed: Security vulnerability in Zend_XmlRpc
> - http://framework.zend.com/security/advisory/ZF2012-01 "
> I don't know if we consider bundled libs issues as extra CVE. The
> original one is CVE-2012-3363.
> Also, Magento 18.104.22.168 has this: "Fixed: Several potential security
> Yeah, I like it if vendors are so verbose about their
> vulnerabilities... And here are some people defending the "security
> by obscurity" standpoint of magento:
> (I seriously consider this is an issue that should be highlighted
> more - we recently had piwik devs arguing in a similar way for
> obscurity - free software doesn't protect you from dumb developers
> thinking that obscurity may be a good idea)
Honestly, I'm not going to waste any time tracking these down; it
would take hours to go through the above-mentioned 1.8 meg diff file
that contains these security flaws. So with this in mind:
Release Notes - Magento 22.214.171.124 (Jun 20, 2012)
Fixed: Several potential security vulnerabilities
Please use CVE-2012-6091 for these issues.
But here's a hint: it would only take a few hours to hunt down the
flaws. And according to the argument "these sites handle large volumes
of money", it would be worth an attacker's time to read the diff file,
so this obscurity argument only hurts the users/admins, since they will
have to waste time figuring out whether they need to apply this patch or
not, whether there is a workaround, or what they should do to see if they
have already been attacked, etc.
Feel free to post a copy of this on their forums.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993