Greetings security team,

One of the pages in the Fedora PackageDB displays all the bugs that a Fedora package contains. Until Saturday, last week the displayed information contained the id and summary of private bugs. Someone reported this as a security issue and I modified the list to only show public bugs.

However, this is less than ideal from a developer perspective as maintainers use the list to keep track of what bugs are opened against their packages (or packages that they're thinking of taking on). I'm thinking of changing this to display the bug ids, a link, and a summary of "Private Bug" instead. This will leak the fact that a private bug exists against the package and also the relative newness of the bug (via the size of the bug id) but no other information.

FESCo discussed this and thought it sounded fine but wanted me to run the idea past the security team in case there were arguments against this that they hadn't considered.

The FESCo ticket is at: https://fedorahosted.org/fesco/ticket/561

The meeting logs have their reasoning: http://meetbot.fedoraproject.org/teams/fesco/fesco.2011-02-16-17.30.log.html (search for #topic #561)

If you have feedback, it's probably best to add it to the fesco ticket as I don't know how many fesco members are subscribed here.

-Toshio
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
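The redaction scheme proposed above (keep the bug id and link, replace the summary with "Private Bug") is easy to get subtly wrong when a template is later edited, so it is worth having the filtering in one place with a check that nothing from a private bug's summary reaches the rendered rows. The following is an added example, not code from Fedora PackageDB or from the mail's author; it assumes bug records shaped like a Bugzilla query result, with a `groups` list that is non-empty for private bugs (an assumption about the data model), and uses constructed sample bugs.

```python
"""Redact, rather than drop, private bugs in a package's bug list.

Added example; not PackageDB code. Bug records are assumed to be dicts
with 'id', 'summary' and 'groups' (non-empty 'groups' == private bug).
"""

# Constructed sample of what a bug query for one package might return.
SAMPLE_BUGS = [
    {"id": 600001, "summary": "Crash on startup with empty config", "groups": []},
    {"id": 600123, "summary": "Embargoed: auth bypass in foo daemon", "groups": ["security"]},
    {"id": 600200, "summary": "Typo in man page", "groups": []},
]

# Standard Bugzilla bug URL pattern; the host is an assumption for this example.
BUG_URL = "https://bugzilla.redhat.com/show_bug.cgi?id={id}"
PRIVATE_SUMMARY = "Private Bug"


def is_private(bug):
    """A bug restricted to one or more groups is treated as private."""
    return bool(bug.get("groups"))


def render(bug):
    """Row as the page would display it, before any privacy handling."""
    return {
        "id": bug["id"],
        "url": BUG_URL.format(id=bug["id"]),
        "summary": bug["summary"],
        "private": False,
    }


def public_only(bugs):
    """Current behaviour described in the mail: private bugs are dropped entirely."""
    return [render(b) for b in bugs if not is_private(b)]


def redacted(bugs):
    """Proposed behaviour: keep id and link, replace the summary.

    What still leaks is exactly what the mail states: that a private bug
    exists, and its approximate age via the size of the id.
    """
    rows = []
    for b in bugs:
        row = render(b)
        if is_private(b):
            row["summary"] = PRIVATE_SUMMARY
            row["private"] = True
        rows.append(row)
    return rows


def leaked_ids(rows, bugs):
    """Regression check: ids of private bugs whose real summary text
    appears in the rendered output. Empty list means no leak."""
    private_summaries = {b["id"]: b["summary"] for b in bugs if is_private(b)}
    return [
        r["id"]
        for r in rows
        if r["id"] in private_summaries and private_summaries[r["id"]] in r["summary"]
    ]


if __name__ == "__main__":
    for row in redacted(SAMPLE_BUGS):
        print(row["id"], row["url"], row["summary"])
    print("leaked:", leaked_ids(redacted(SAMPLE_BUGS), SAMPLE_BUGS))
```

The `leaked_ids` check is the piece worth keeping in a test suite: it turns the "no other information" property from the mail into an assertion, so a later template or query change that reintroduces private summaries fails a test instead of a security report.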