[TYPO3-dev] Why are several bugs not accessible on bugs.typo3.org?

Helmut Hummel helmut at typo3.org
Tue Aug 17 23:10:35 CEST 2010


Hi,

On 17.08.10 18:57, Marcus Krause wrote:
>
> I'm a member of the TYPO3 Security Team.

Me too :)

> The private flag is normally set
> when issues on TYPO3 Core or TYPO3 Extensions have a security impact.
> This is done to protect our users as long as there's no official
> fix/bulletin published.
> When done, they should become public. If this is not the case, the issue
> might contain Proof of Concept code and the "administrator" has chosen
> to keep it private instead of removing "Proof of Concept" code that is
> not intended to be published.

Indeed. However, it may also happen that making it public was forgotten.

In the case of #14412, there's no exploit code present, only a description
of what should be and what was changed in the end. This information can
also be easily obtained by an svn diff.

Thus I decided to make it public.

> To my knowledge, the TYPO3 Security Team was not involved in fixing bug
> #12890 (aka. it's not a vulnerability).

Well, I can't say if this is a security issue, because I also get an
"access denied".

I also was not aware of the fact that there are multiple levels of
private states in Mantis.

> -> You might want to contact the extension maintainer and ask why bugs
> regularly (?) get the private flag!

It might also be that there's something broken.

Regards, Helmut