Bug severity and private data disclosure
I reported a bug involving private data disclosure, more precisely,
on some network, when printing a file with CUPS 1.6, the file is
printed on a wrong printer[*]. The bug severity was downgraded to
important (i.e. non-RC), despite the obvious security problem. The
given reason was that this kind of security problem is not mentioned
on:
http://www.debian.org/Bugs/Developer.en.html#severities
If Debian really minds about some forms of security bugs such as
private data disclosure, something should be done... Perhaps replace
    allowing access to the accounts of users who use the package
by
    allowing access to private data of users who use the package
(BTW, logging passwords in general log files would fall in the same
class of security bugs.)
[*] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711848
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)