Closed Bug 859682 Opened 11 years ago Closed 11 years ago

Dependency tree bug list link reveals information user cannot otherwise see

Categories

(Bugzilla :: Dependency Views, defect)

defect
Not set
minor

RESOLVED DUPLICATE of bug 370883

People

(Reporter: mail, Unassigned)

Details

I have four bugs. Bug One depends on Bug Two which depends on Bug Three which depends on Bug Four. Bug Two and Bug Three are private. If I view the dependency tree for Bug One, the 'View as bug list' contains a link to Bug Four. This should not be because the user is unaware that Bug Two depends on Bug Three.

An example of this is at the tip:
https://landfill.bugzilla.org/bugzilla-tip/showdependencytree.cgi?id=20901&hide_resolved=1

The bug list link contains Bug Four.
IMO, that's not really a security bug. You still cannot know what the security bugs are about. I agree that once a bug you cannot see is found, the recursion should stop at this point.
Severity: normal → minor
And actually, this bug has been known for years and is public.
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
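
The behaviour discussed in this report, stopping the recursion at the first bug the viewer cannot see, modelled as an added example (not Bugzilla's code and not written by anyone in this thread). The graph, `can_see` and both function names are constructed for illustration, and `filter_after_walk` assumes the leak comes from following every dependency edge and hiding private bugs only in the final list.

```python
from collections import deque

# Constructed data modelling the report: 1 -> 2 -> 3 -> 4, with 2 and 3 private.
DEPENDS_ON = {1: [2], 2: [3], 3: [4], 4: []}
PRIVATE = {2, 3}


def can_see(bug_id):
    """Hypothetical visibility check for a user in no security group."""
    return bug_id not in PRIVATE


def filter_after_walk(root, depends_on, visible):
    """Leaky model: follow every edge, hide private bugs only in the output."""
    seen, queue = {root}, deque([root])
    while queue:
        for dep in depends_on.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(b for b in seen if visible(b))


def stop_at_hidden(root, depends_on, visible):
    """Pruned model: never expand a bug the viewer cannot see."""
    if not visible(root):
        return []
    seen, queue = {root}, deque([root])
    while queue:
        for dep in depends_on.get(queue.popleft(), []):
            # A hidden bug is neither listed nor expanded, so nothing that is
            # reachable only through it can appear in the result.
            if dep not in seen and visible(dep):
                seen.add(dep)
                queue.append(dep)
    return sorted(seen)


if __name__ == "__main__":
    print(filter_after_walk(1, DEPENDS_ON, can_see))  # [1, 4]
    print(stop_at_hidden(1, DEPENDS_ON, can_see))     # [1]
```

A bug that is also reachable through a fully visible path is still listed by `stop_at_hidden`, so the pruning removes only what the viewer could not have discovered by browsing bugs they can open.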