Bug 112079

Summary: redhat bugzilla emails security bugs as cleartext
Product: [Community] Bugzilla
Reporter: Need Real Name <phr-redhat>
Component: Bugzilla General
Assignee: David Lawrence <dkl>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: high
Version: 3.2
CC: mjc, sundaram
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/bugzilla/easy_enter_bug.cgi
Doc Type: Enhancement
Last Closed: 2006-02-14 20:03:34 UTC

Description Need Real Name 2003-12-14 03:25:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
I don't know if I have the correct version numbers in this bug report.
I'm talking about the Bugzilla instance actually running at
bugzilla.redhat.com.  I don't happen to run Bugzilla myself.

I just submitted bug 112078 to bugzilla.redhat.com which was marked as
a security bug.  Bugzilla then emailed me the bug report as plaintext.
I don't think that's a good idea in the case of security bugs, since
someone intercepting the email could use the info from the bug report
to make another exploit.  This pretty much defeats the purpose of
enabling SSL in the bug reporting web form.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Discover a security bug in a Redhat distro
2. Report it to bugzilla.redhat.com with the usual forms,
   selecting "security related" as the severity


Actual Results:  Reporter gets a plaintext copy of your bug report

Expected Results:  Reporter should just get an email acknowledgement
giving the bug number and URL to access it in the bugzilla system, but
not giving the specifics.  Another idea is to send the bug report
under GPG encryption.  Also, of course, the distro's security
maintainers should get all security bugs in encrypted form, since
those are the obvious mailboxes for attackers to monitor.

Additional info:

Comment 1 Need Real Name 2003-12-14 03:28:30 UTC
Security bugs should also not be displayed on the public Redhat
Bugzilla web site, except to the reporter and Redhat security
maintainers!  Sheesh!!!!

Comment 2 Need Real Name 2003-12-14 09:43:36 UTC
I see now that someone has manually marked 112078 as unviewable to the
public.  That's good, but there was a period of vulnerability, plus
there was the plaintext email.  The defaults should be changed so that
security bugs are publicly unviewable until someone marks them
viewable, and when they are unviewable the email status updates should
just say there was an update (without giving details) and send the url.
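The notification policy asked for in the description's Expected Results and in comment 2 (security bugs non-public by default; any mail about a restricted bug carries only the bug number and URL, never the report text), as an added illustration that is not Bugzilla's own code; the base URL, sender address and sample bug below are constructed.

```python
# Added illustration (not Bugzilla's code) of the notification policy the
# reporter asks for: security-flagged bugs default to non-public, and any
# email about a non-public bug carries only the bug id and URL.
from email.message import EmailMessage

BUGZILLA_URL = "https://bugzilla.redhat.com"  # assumed base URL for show_bug links

def is_public(bug: dict) -> bool:
    """Default-deny: a security bug stays private until someone explicitly
    sets 'public' on it; ordinary bugs are public unless restricted."""
    if bug.get("security"):
        return bug.get("public", False)
    return bug.get("public", True)

def bug_url(bug: dict) -> str:
    return f"{BUGZILLA_URL}/show_bug.cgi?id={bug['id']}"

def notification_body(bug: dict, event: str) -> str:
    """event is 'new' or 'update'. For non-public bugs the body reveals
    nothing beyond the id and URL; the recipient must log in for details."""
    if not is_public(bug):
        if event == "new":
            return (f"Bug {bug['id']} has been filed and is restricted.\n"
                    f"View it at {bug_url(bug)}\n")
        return (f"Bug {bug['id']} has been updated.\n"
                f"View the change at {bug_url(bug)}\n")
    # Public bugs may carry the full text, as the report says Bugzilla does.
    return (f"Bug {bug['id']}: {bug['summary']}\n\n{bug['description']}\n\n"
            f"{bug_url(bug)}\n")

def build_notification(bug: dict, recipient: str, event: str = "new") -> EmailMessage:
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = "bugzilla-daemon@example.invalid"  # constructed sender
    # Keep the subject line free of the summary for restricted bugs too.
    subject_tail = bug["summary"] if is_public(bug) else "restricted bug"
    msg["Subject"] = f"[Bug {bug['id']}] {event}: {subject_tail}"
    msg.set_content(notification_body(bug, event))
    return msg

def leaks_details(msg: EmailMessage, bug: dict) -> bool:
    """Guard check: does the subject or body contain the bug's summary or text?"""
    text = str(msg["Subject"]) + msg.get_content()
    return bug["summary"] in text or bug["description"] in text

if __name__ == "__main__":
    # Constructed sample bug, modelled on the situation in this report.
    sec_bug = {"id": 112078, "security": True, "summary": "buffer overflow in foo",
               "description": "Sending 4096 bytes to foo crashes it."}
    print(build_notification(sec_bug, "reporter@example.invalid"))
```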

Comment 3 Mark J. Cox 2003-12-16 09:58:56 UTC
Security issues found in Red Hat products that the submitter does not
intend to be public should not be entered into bugzilla; our advisories
state that people should contact us via secalert and
encrypt sensitive emails.  More details are also given on our site in
how to report security issues to us:

http://www.redhat.com/solutions/security/news/contact.html

I'm changing this bug to be a RFE which is that the bugzilla site
should state somewhere that bugzilla is not intended to be used to
report new, non-public security issues to us, and point people at that
URL.

Comment 4 Need Real Name 2003-12-16 10:08:18 UTC
Until the enhancement actually gets coded, the link to the security
contact page should be incorporated into the regular bug submission
form, with a warning saying sensitive stuff should be submitted using
the other mechanism.  Just having it in the advisories is too much
stuff for reporters to remember even if they read the advisories.  I'm
used to what mozilla.org does, which is they simply have a check box
in the submission form saying it's a security bug and should not be
exposed to public view.  Unless Red Hat's bugzilla is way out of sync
with Mozilla's, maybe the simplest way for Red Hat to do this
enhancement is merge or sync to the Mozilla code.

Comment 5 David Lawrence 2003-12-16 15:25:41 UTC
Our code is not *way* out of sync but it is a few minor versions
behind since it is based on a different database backend and can't be
synced up regularly without some hand-holding. I will look at their
current code and see about incorporating their security bug changes
into ours in the meantime. Also I will add a blurb about reporting
security problems in a different place to the add bug pages.


Comment 6 Rahul Sundaram 2006-02-14 20:03:34 UTC
I am closing this bug report as there has not been any activity on this for a
while and there have been various changes made to bugzilla in the meantime. If
the issue still exists, kindly reopen it. Thank you.