Dependency tree bug list link reveals information user cannot otherwise see

RESOLVED DUPLICATE of bug 370883

Status

Bugzilla
Dependency Views
--
minor
4 years ago
4 years ago

People

(Reporter: Simon Green, Unassigned)

(Reporter)

Description

4 years ago
I have four bugs. Bug One depends on Bug Two which depends on Bug Three which depends on Bug Four. Bug Two and Bug Three are private. If I view the dependency tree for Bug One, the 'View as bug list' contains a link to Bug Four. This should not be because the user is unaware that Bug Two depends on Bug Three.

An example of this is at the tip:
https://landfill.bugzilla.org/bugzilla-tip/showdependencytree.cgi?id=20901&hide_resolved=1

The bug list link contains Bug Four.

Comment 1

4 years ago
IMO, that's not really a security bug. You still cannot know what the security bugs are about. I agree that once a bug you cannot see is found, the recursion should stop at this point.
Severity: normal → minor
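
The difference between filtering a finished dependency walk and stopping the walk at the first hidden bug, as an added example that is not part of the original report and is not Bugzilla's code. The bug IDs, the visibility set and both function names are hypothetical, constructed to mirror the four-bug chain in the description.

```python
from collections import deque

# Constructed sample data mirroring the report: 1 -> 2 -> 3 -> 4,
# where bugs 2 and 3 are private. IDs are hypothetical.
DEPENDS_ON = {1: [2], 2: [3], 3: [4], 4: []}
VISIBLE_TO_USER = {1, 4}


def bug_list_filter_after_walk(root, depends_on, visible):
    """Behaviour described in the report: walk the whole tree, then drop
    the bugs the user cannot see. Bug 4 survives the filter even though
    it is only reachable through private bugs."""
    seen, queue = {root}, deque([root])
    while queue:
        bug = queue.popleft()
        for dep in depends_on.get(bug, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(b for b in seen - {root} if b in visible)


def bug_list_stop_at_hidden(root, depends_on, visible):
    """Comment 1's suggestion: check visibility before descending, so
    nothing that sits only behind a hidden bug is ever reached."""
    if root not in visible:
        return []
    seen, queue = {root}, deque([root])
    while queue:
        bug = queue.popleft()
        for dep in depends_on.get(bug, []):
            if dep in seen or dep not in visible:
                continue  # hidden bug: do not list it, do not recurse
            seen.add(dep)
            queue.append(dep)
    return sorted(seen - {root})


if __name__ == "__main__":
    print("filter after walk:", bug_list_filter_after_walk(1, DEPENDS_ON, VISIBLE_TO_USER))
    print("stop at hidden:   ", bug_list_stop_at_hidden(1, DEPENDS_ON, VISIBLE_TO_USER))
```

A bug that is also reachable through a fully visible path is still listed by the second function, so the check removes only the relationships the user could not otherwise infer.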

Comment 2

4 years ago
And actually, this bug has been known for years and is public.
Group: bugzilla-security
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 370883