Security Bugs are listed as references but are still hidden.

RESOLVED INVALID

12 years ago
7 years ago

People

(Reporter: cso, Assigned: dveditz)


(Reporter)

Description

12 years ago
The security releases for the 1.5.0.7 releases have been made public, but the bugs they reference have not. 

The URL field has an example, and bug 346090 is a bug referenced from that.

Comment 1

12 years ago
(In reply to comment #0)
> The security releases for the 1.5.0.7 releases have been made public, but the
> bugs they reference have not. 

I assume some days are needed so that most browsers have been updated, or there's more info in a bug about other still-unfixed stuff. You can always have a look into the code to see what has been changed ;-)

Assignee: nobody → dveditz
Component: www.mozilla.org → Bugzilla: Other b.m.o Issues
OS: Windows XP → All
QA Contact: www-mozilla-org → myk
Hardware: PC → All

Comment 2

Yes, I believe this is intentional to ensure that people have a chance to upgrade before the vulnerabilities are disclosed.

(Reporter)

Comment 3

12 years ago
(In reply to comment #2)
> Yes, I believe this is intentional to ensure that people have a chance to
> upgrade before the vulnerabilities are disclosed.

It seems a bit weird to actually link the bugs in public, then.

Comment 4

(In reply to comment #3)
> (In reply to comment #2)
> > Yes, I believe this is intentional to ensure that people have a chance to
> > upgrade before the vulnerabilities are disclosed.
> 
> It seems a bit weird to actually link the bugs in public, then.

Disclosing the fact that there are vulnerabilities and their nature (the advisories) is much different than exposing testcases and other specific details about the vulnerabilities (the bugs).
(Reporter)

Comment 5

12 years ago
(In reply to comment #4)
> Disclosing the fact that there are vulnerabilities and their nature (the
> advisories) is much different than exposing testcases and other specific
> details about the vulnerabilities (the bugs).

I don't dispute that, and in fact I agree with it.

However, the bugs are linked in public but are hidden, which seems a bit weird to me - particularly since there isn't a note on the page that says that they are not visible.

(Assignee)

Comment 6

12 years ago
The URLs are both links and references. They may not be visible immediately, but they are permanent and help people ensure they are talking about the same thing.

We'll open them as appropriate. If you have a suggestion or complaint about it, a bug isn't really the best way to go. Try one of the newsgroups, or if you just want to let someone know and aren't after a discussion, you can mail security@mozilla.org

Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → INVALID
(Reporter)

Comment 7

12 years ago
(In reply to comment #6)
> We'll open them as appropriate. If you have a suggestion or complaint about it
> a bug isn't really the best way to go.

A public reference to a bug implies to me that it should be visible - hence that is a bug in my opinion.

Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org