Red Hat Bugzilla – Bug 112079
redhat bugzilla emails security bugs as cleartext
Last modified: 2008-09-16 14:38:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1)
Description of problem:
I don't know if I have the correct version numbers in this bug report.
I'm talking about the Bugzilla instance actually running at
bugzilla.redhat.com. I don't happen to run Bugzilla myself.
I just submitted bug 112078 to bugzilla.redhat.com which was marked as
a security bug. Bugzilla then emailed me the bug report as plaintext.
I don't think that's a good idea in the case of security bugs, since
someone intercepting the email could use the info from the bug report
to make another exploit. This pretty much defeats the purpose of
enabling SSL in the bug reporting web form.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Discover a security bug in a Redhat distro
2. Report it to bugzilla.redhat.com with the usual forms,
selecting "security related" as the severity
Actual Results: Reporter gets a plaintext copy of the bug report
Expected Results: Reporter should just get an email acknowledgement
giving the bug number and URL to access it in the bugzilla system, but
not giving the specifics. Another idea is to send the bug report
under GPG encryption. Also, of course, the distro's security
maintainers should get all security bugs in encrypted form, since
those are the obvious mailboxes for attackers to monitor.
Security bugs should also not be displayed on the public Redhat
Bugzilla web site, except to the reporter and Redhat security
I see now that someone has manually marked 112078 as unviewable to the
public. That's good, but there was a period of vulnerability, plus
there was the plaintext email. The defaults should be changed so that
security bugs are publicly unviewable until someone marks them
viewable, and when they are unviewable the email status updates should
just say there was an update (without giving details) and send the url.
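The notification behaviour proposed in the comment above, written out as an added example (this is not Bugzilla's own code, and the base URL, field names and the "security" severity value are assumptions made for illustration): a bug flagged as security related is restricted by default, and mail about a restricted bug carries only the bug number and URL, while the full text is mailed only once someone has explicitly opened the bug up.

```python
# Added example, not Bugzilla code: default-deny notifications for
# security-flagged bugs. Names, fields and the base URL are assumptions.
from dataclasses import dataclass
from typing import Optional

BUGZILLA_URL = "https://bugzilla.redhat.com"  # assumed base URL for links


@dataclass
class Bug:
    bug_id: int
    summary: str
    description: str
    severity: str                       # e.g. "security" or "normal"
    restricted: Optional[bool] = None   # None: derive from severity

    def __post_init__(self) -> None:
        # Default-deny: a security bug stays hidden until someone marks it
        # viewable; anything else is public unless explicitly restricted.
        if self.restricted is None:
            self.restricted = (self.severity == "security")

    @property
    def url(self) -> str:
        return f"{BUGZILLA_URL}/show_bug.cgi?id={self.bug_id}"


def notification_body(bug: Bug, event: str) -> str:
    """Plaintext mail body for `event` ("new" or "changed")."""
    if bug.restricted:
        # Only the pointer leaves the server; the details stay behind the
        # authenticated web session, so an intercepted mail reveals nothing
        # beyond the fact that a restricted bug exists or was updated.
        return (f"Bug {bug.bug_id} was {event}. This bug is restricted; "
                f"see {bug.url} for details.\n")
    return (f"Bug {bug.bug_id} was {event}: {bug.summary}\n"
            f"{bug.url}\n\n{bug.description}\n")


def leaks_details(body: str, bug: Bug) -> bool:
    """True if a mail body contains the bug's summary or description text."""
    return bug.summary in body or bug.description in body


if __name__ == "__main__":
    # Constructed sample data, not a real report.
    sec = Bug(112078, "privilege escalation in foo", "stack overflow in bar()",
              "security")
    print(notification_body(sec, "new"))
    sec.restricted = False            # someone made the bug viewable
    print(notification_body(sec, "changed"))
```

The check `leaks_details` is the test a maintainer would run against the mail template: for every restricted bug the rendered body must not contain the summary or description, regardless of which event triggered the mail.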
Security issues found in Red Hat products that the submitter does not
intend to be public should not be entered into bugzilla; our advisories
state that people should contact us via email@example.com and
encrypt sensitive emails. More details are also given on our site on how to
report security issues to us:
I'm changing this bug to be a RFE which is that the bugzilla site
should state somewhere that bugzilla is not intended to be used to
report new, non-public security issues to us, and point people at that
Until the enhancement actually gets coded, the link to the security
contact page should be incorporated into the regular bug submission
form, with a warning saying sensitive stuff should be submitted using
the other mechanism. Just having it in the advisories is too much
stuff for reporters to remember even if they read the advisories. I'm
used to what mozilla.org does, which is they simply have a check box
in the submission form saying it's a security bug and should not be
exposed to public view. Unless Red Hat's bugzilla is way out of sync
with Mozilla's, maybe the simplest way for Red Hat to do this
enhancement is merge or sync to the Mozilla code.
Our code is not *way* out of sync but it is a few minor versions
behind since it is based on a different database backend and can't be
synced up regularly without some hand-holding. I will look at their
current code and see about incorporating their security bug changes
into ours in the meantime. Also I will add a blurb about reporting
security problems in a different place to the add bug pages.
I am closing this bug report as there has not been any activity on this for a
while and there have been various changes made to bugzilla in the meantime. If
the issue still exists, kindly reopen it. Thank you.