[TYPO3-dev] Why are several bugs not accessible on bugs.typo3.org?
Helmut Hummel
helmut at typo3.org
Tue Aug 17 23:10:35 CEST 2010
Hi,
On 17.08.10 18:57, Marcus Krause wrote:
>
> I'm member of the TYPO3 Security Team.
Me too :)
> The private flag is normally set
> when issues on TYPO3 Core or TYPO3 Extensions have a security impact.
> This is done to protect our users as long as there's no official
> fix/bulletin published.
> When done, they should become public. If this is not the case, the issue
> might contain Proof of Concept code and the "administrator" has chosen
> to keep it private instead of removing "Proof of Concept" code that is
> not intended to be published.
Indeed. However, it may also happen that making it public was forgotten.
In case of #14412, there's no exploit code present, only a description
of what should be and what was changed in the end. This information can
also be easily obtained by an svn diff.
Thus I decided to make it public.
> To my knowledge, the TYPO3 Security Team was not involved in fixing bug
> #12890 (aka. it's not a vulnerability).
Well, I can't say if this is a security issue, because I also get an
"access denied".
I also was not aware of the fact that there are multiple levels of
private states in Mantis.
> -> You might want to contact the extension maintainer and ask why bugs
> regularly (?) get the private flag!
It might also be that there's something broken.
Regards Helmut