Closed
Bug 743067
Opened 13 years ago
Closed 12 years ago
Security review of Dragnet (DLL Directory)
Categories
(mozilla.org :: Security Assurance: Review Request, task)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: brandon, Assigned: mgoodwin)
Details
(Whiteboard: [completed secreview])
* This application is a database containing DLL file information based on crashes we have collected. It is editable only by those who are part of the Mozilla LDAP directory.
* This app supports login and essentially two roles: a non-logged in user can only read; a logged in user can create new DLLs, leave comments, and edit existing DLL information.
* The worst thing that can happen with this app is that the data could be compromised. Part of our mission here is that we want to provide a list of DLLs that has integrity, so people searching Google can find information about DLLs. This information, were it to be compromised by malware authors (and they will try), would potentially harm any number of user computers.
* There is not a specific admin page. Any user that is logged in has access to all pages of the application at this time.
* This is a Q2 goal.
Please answer the questions from this wiki location in a comment in this bug
https://wiki.mozilla.org/Security/Reviews/Review_Request_Form#Questions_to_Address_within_Request_Body
assigned back to :brandon until we can get the information needed
Assignee: nobody → bsavage
Comment 3•13 years ago (Reporter)
The answers to these questions were in fact the opening description of this bug. Please let me know what specific additional information you need.
Sorry for the confusion, but it does not appear that they were all answered so if you can put them as an inline reply that would be helpful.
Who is/are the point of contact(s) for this review?
Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
Does this request block another bug? If so, please indicate the bug number.
This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
Are there any portions of the project that interact with 3rd party services?
Will your application/service collect user data? If so, please describe
If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Comment 5•12 years ago (Reporter)
(In reply to Curtis Koenig [:curtisk] from comment #4)
> Sorry for the confusion, but it does not appear that they were all answered
> so if you can put them as an inline reply that would be helpful.
>
> Who is/are the point of contact(s) for this review?
Brandon Savage, Laura Thomson
> Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):
* This application is a database containing DLL file information based on crashes we have collected. It is editable only by those who are part of the Mozilla LDAP directory.
> Please provide links to additional information (e.g. feature page, wiki) if
> available and not yet included in feature description:
There are no additional pages for this app.
> Does this request block another bug? If so, please indicate the bug number
> This review will be scheduled amongst other requested reviews. What is the
> urgency or needed completion date of this review?
This request doesn't block a specific bug but does block ship of this app in Q2, which is a goal.
> Please answer the following few questions: (Note: If you are asked to
> describe anything, 1-2 sentences shall suffice.)
>
> Does this feature or code change affect Firefox, Thunderbird or any product
> or service that Mozilla ships to end users?
No.
> Are there any portions of the project that interact with 3rd party services?
In the future this app will draw data from Bugzilla and Socorro, but presently does not. It will not interact with them on anything but a read-only level.
> Will your application/service collect user data? If so, please describe
This application will not collect user data beyond what is already stored in LDAP. Users who have an LDAP account will be able to leave comments, which may include their personal details. All comments and data will be publicly visible.
> If you feel something is missing here or you would like to provide other
> kind of feedback, feel free to do so here (no limits on size):
>
> Desired Date of review (if known from
> https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html)
> and whom to invite.
Updated•12 years ago
Assignee: curtisk → nobody
Keywords: sec-review-needed
Whiteboard: [pending secreview] → [pending secreview][triage needed 2012.05.02]
Updated•12 years ago
Assignee: nobody → mgoodwin
Status: NEW → ASSIGNED
Whiteboard: [pending secreview][triage needed 2012.05.02] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Comment 6•12 years ago (Reporter)
Any update on when this will be completed?
Updated•12 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [completed secreview]
Updated•12 years ago
Status: RESOLVED → VERIFIED