Bug 112079
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | redhat bugzilla emails security bugs as cleartext | | |
| Product | [Community] Bugzilla | Reporter | Need Real Name <phr-redhat> |
| Component | Bugzilla General | Assignee | David Lawrence <dkl> |
| Status | CLOSED NOTABUG | QA Contact | David Lawrence <dkl> |
| Severity | medium | Priority | high |
| Version | 3.2 | CC | mjc, sundaram |
| Hardware | All | OS | Linux |
| Keywords | FutureFeature | Doc Type | Enhancement |
| URL | https://bugzilla.redhat.com/bugzilla/easy_enter_bug.cgi | Last Closed | 2006-02-14 20:03:34 UTC |
Description
Need Real Name
2003-12-14 03:25:20 UTC
Security bugs should also not be displayed on the public Redhat Bugzilla web site, except to the reporter and Redhat security maintainers! Sheesh!!!! I see now that someone has manually marked 112078 as unviewable to the public. That's good, but there was a period of vulnerability, plus there was the plaintext email. The defaults should be changed so that security bugs are publicly unviewable until someone marks them viewable, and when they are unviewable the email status updates should just say there was an update (without giving details) and send the URL.

Security issues found in Red Hat products that the submitter does not intend to be public should not be entered into Bugzilla; our advisories state that people should contact us via secalert and encrypt sensitive emails. More details are also given on our site on how to report security issues to us: http://www.redhat.com/solutions/security/news/contact.html

I'm changing this bug to be an RFE, which is that the Bugzilla site should state somewhere that Bugzilla is not intended to be used to report new, non-public security issues to us, and point people at that URL.

Until the enhancement actually gets coded, the link to the security contact page should be incorporated into the regular bug submission form, with a warning saying sensitive stuff should be submitted using the other mechanism. Just having it in the advisories is too much stuff for reporters to remember even if they read the advisories. I'm used to what mozilla.org does, which is they simply have a check box in the submission form saying it's a security bug and should not be exposed to public view. Unless Red Hat's Bugzilla is way out of sync with Mozilla's, maybe the simplest way for Red Hat to do this enhancement is merge or sync to the Mozilla code.

Our code is not *way* out of sync, but it is a few minor versions behind, since it is based on a different database backend and can't be synced up regularly without some hand-holding. I will look at their current code and see about incorporating their security bug changes into ours in the meantime. Also I will add a blurb about reporting security problems in a different place to the add bug pages.

I am closing this bug report as there has not been any activity on this for a while and there have been various changes made to Bugzilla in the meantime. If the issue still exists, kindly reopen it. Thank you.
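The behaviour the reporter asks for above (security bugs restricted by default, and change notifications for restricted bugs that carry only the bug id and URL rather than the summary, field diff or comment text) can be sketched in a few lines. The following is an added example written for this page, not Bugzilla's own code; the base URL, the group name `security`, the `Bug`/`Change` classes and the sample bug and change are all constructed for illustration. Note that Red Hat's reply in the thread goes further and asks that non-public issues not be filed in Bugzilla at all.

```python
"""Added example (not Bugzilla's code): redacted change mail for restricted bugs.

Policy modelled here, following the report above:
  * a bug filed with the "security" box ticked starts in a restricting group
    and stays unviewable until someone explicitly removes the group;
  * a change notification is rendered in full only for world-viewable bugs;
    for restricted bugs the mail says only that an update happened and gives
    the URL, so no bug details leave the server in cleartext email.
All names, URLs and sample data below are assumptions for illustration.
"""
from dataclasses import dataclass, field

BUGZILLA_URL = "https://bugzilla.example.org/show_bug.cgi?id="  # assumed base URL
SECURITY_GROUP = "security"                                      # assumed group name


@dataclass
class Bug:
    bug_id: int
    summary: str
    groups: set = field(default_factory=set)   # empty set means world-viewable


@dataclass
class Change:
    who: str
    field_name: str
    old: str
    new: str
    comment: str = ""


def new_bug(bug_id, summary, security_sensitive, groups=None):
    """Entry-form policy: the security checkbox restricts the bug on creation."""
    groups = set(groups or ())
    if security_sensitive:
        groups.add(SECURITY_GROUP)
    return Bug(bug_id, summary, groups)


def is_public(bug):
    return not bug.groups


def render_notification(bug, change):
    """Return (subject, body) for a change mail.

    Restricted bugs get a stub: id and URL only. The summary, the field
    diff and any comment text are never copied into the message.
    """
    url = f"{BUGZILLA_URL}{bug.bug_id}"
    if not is_public(bug):
        subject = f"[Bug {bug.bug_id}] updated (restricted)"
        body = f"Bug {bug.bug_id} has been updated. Details are available at {url}\n"
        return subject, body
    subject = f"[Bug {bug.bug_id}] {bug.summary}"
    body = f"{change.who} changed:\n  {change.field_name}: {change.old} -> {change.new}\n"
    if change.comment:
        body += f"\n{change.comment}\n"
    body += f"\n{url}\n"
    return subject, body


def leaks_details(bug, change):
    """Self-check used in a test: does the rendered mail contain any text that
    only the bug record itself should reveal?"""
    subject, body = render_notification(bug, change)
    text = subject + body
    return any(s and s in text for s in (bug.summary, change.comment, change.old, change.new))


if __name__ == "__main__":
    # Constructed sample: a restricted bug and a status change with a repro comment.
    bug = new_bug(4242, "heap overflow in foo parser", security_sensitive=True)
    change = Change("alice", "Status", "NEW", "ASSIGNED", "repro: send 4096 bytes to /foo")
    for line in render_notification(bug, change):
        print(line)
```

The two-tier rendering is the important part: the decision to redact is made from the bug's group membership at send time, not from a per-mail flag, so a bug that is later restricted stops leaking on its next update without any mail-template change.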