131695 - Leak of secured information when marking bugs as duplicate

Status: RESOLVED DUPLICATE of bug 93508

(Bugzilla :: Email Notifications, defect)

Description

[Thomas Thurman]

In our Bugzilla installation, we had a bug "A" that was only visible 
internally. It was later found that it was a duplicate of "B", which was 
visible to clients. When "A" was marked as a duplicate, the client was emailed 
notification that "B" was a duplicate, despite not being able to see "B".

Shouldn't there be some way of preventing this? I realise that this is quite a 
rare case, since duplicate bugs usually have the same visibility, but in some 
cases there's information in the comments or description which is confidential 
to one group or another.

Comment 1

[Thomas Thurman]

Sorry. Let's try that first paragraph again.

In our Bugzilla installation, we had a bug "A" that was only visible 
internally. It was later found that it was a duplicate of "B", which was 
visible to clients. When "A" was marked as a duplicate, the client was emailed 
notification that "A" was a duplicate of "B", despite not being able to see "A".

Comment 2

[Andreas Franke (gone)]

This may be dependent on bug 7415 ("Allow private comments to bugs. ...").

Comment 3

[Dave Miller [:justdave]]

Changing default owner of Email Notifications component to JayPee, a.k.a.
J. Paul Reed (preed@sigkill.com).  Jake will be offline for a few months.

Comment 4

[Matthew Tuck [:CodeMachine]]

Private comments would definitely be a nice solution here.  In the meantime,
perhaps a warning should be issued mentioning the fact it doen't have the same
groupset.

Comment 5

[Bradley Baetz (:bbaetz)]

Dupe of bug 93508?

Comment 6

[Dave Miller [:justdave]]

All 2.18 bugs that haven't been touched in over 60 days and aren't flagged as
blockers are getting pushed out to 2.20

Comment 7

[Dave Miller [:justdave]]

*** This bug has been marked as a duplicate of 93508 ***