[TYPO3-dev] Why are several bugs not accessible on bugs.typo3.org?
Marcus Krause
marcus#exp2010 at t3sec.info
Tue Aug 17 18:57:55 CEST 2010
Hi!
Alexander Bigga - Software schrieb am 08/17/2010 03:41 PM Uhr:
> Hi Xavier,
>
> thanks for your reply.
>
> On Tue, Aug 17, 2010 at 15:27:57 +0200, you wrote:
>
>> The special english grammar is that we use "Fixed bug #number:
>> <description of the bug>" :-)
>
> ;-) Ok. The description is sensless than. Ok.
>
>> Security team should think about it (possibly still hiding some notes?)
>>
>>> Same happens with resolved bugs from the t3blog extension e.g. #12890
>> Same reason.
>
> ?? The bug #12890 was reported by myself and was visible for weeks? Why is it
> now a security issue?
>
> Is the whole t3blog a security issue? Its gone completely from the
> bugtracker.
>
> I don't find it "secure" or helpful, if there are bugs mentioned and you
> cannot understand what has been fixed.
I'm member of the TYPO3 Security Team. The private flag is normally set
when issues on TYPO3 Core or TYPO3 Extensions have a security impact.
This is done to protect our users as long as there's no official
fix/bulletin published.
When done, they should become public. If this is not the case, the issue
might contain Proof of Concept code and the "administrator" has chosen
to keep it private instead of removing "Proof of Concept" code that is
not intended to be published.
To my knowledge, the TYPO3 Security Team was not involved in fixing bug
#12890 (aka. it's not a vulnerability).
-> You might want to contact the extension maintainer and ask why bugs
regularly (?) get the private flag!
Regards,
Marcus.
--
Member TYPO3 Security Team
Blog on TYPO3 Security: http://secure.t3sec.info/blog/
More information about the TYPO3-dev
mailing list