It’s not really a bug as much as XDebug being over-enthusiastic with its reporting. The worst I’d call it is some lazy (but harmless) code from way back; the @ suppresses the warning about the missing index, XDebug displays it.
Still, I may as well fix that, so 4.2.8 will have:
if (!current_user_can('list_users') &&
array_key_exists('author', $query->query_vars) &&
(4.3.0 will have something a little nicer )
Note the check for an integer author query var: it breaks filtering by author name otherwise.