Closed
Bug 323969
Opened 18 years ago
Closed 18 years ago
Collect Sensitive Host info and make it public via Bugzilla
Categories
(Bugzilla :: Administration, task)
RESOLVED
INVALID
People
(Reporter: malitzke, Unassigned)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050913 SeaMonkey/1.0a
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050913 SeaMonkey/1.0a

This is not a Bugzilla technical problem per se, but well-intentioned misuse of Bugzilla and underlying database features. One major Bugzilla user organization encourages users, when filing bugs or seeking help, to submit a host of info: e.g. `uname -a`, compiler (gcc-4.0.2), glibc (glibc-2.3.5), kde (kde-3.5), ipv6, CFLAGS="....", CXXFLAGS="....", OS-headers="2.6.11.3", graphics-card="Savage4", python-2.x.y, etc, etc.

I am not a security expert (just a 20 year plus UNIX user) but I consider that making such detailed info available on the Internet potentially plays into the hands of criminal elements. I have exhausted my powers of persuasion (via their Bugzilla) to get a review started. I do not want to embarrass them publicly by disclosing their name here. I hope the Mozilla (Bugzilla) organization would issue a general security alert to Bugzilla administrators to reconsider their policy on collecting and disseminating sensitive information.

Reproducible: Sometimes

Steps to Reproduce:
1. Not all users fall into the trap.

Actual Results: not applicable

Expected Results: not applicable

I am at your disposal to help. However, I would prefer to do so via direct communication. I have read and agree with your security policy. This is, strictly speaking, not a problem of the Bugzilla Organization. I am just hoping you would look into the problem, as I perceive it. I looked at the CERT site and did not find anything resembling this as a potential hazard. If you believe that it belongs in a more general category under CERT please advise.
Comment 1•18 years ago
I don't think this is anything we have any power to do anything about. Organizations each have their own privacy policies, and if you don't like theirs, then don't submit things to them. If you can't convince an organization to change their privacy policy there's not really much you can do but have a public discussion about it. I don't think the government will do anything as long as they have a privacy policy posted and they aren't violating their own policy. And there's nobody else to go to on this sort of thing except the government and the public. (I'm not sure where we fit in this picture, we're not a government)
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
Comment 2•18 years ago
*** Bug 323971 has been marked as a duplicate of this bug. ***