CVE-2007-659[01] (was: r7801 - in data: . CVE)
On Thursday 03 January 2008, jmm-guest@alioth.debian.org wrote:
> CVE-2007-6590 (Mozilla 1.9 M8 and earlier, Mozilla Firefox 2, SeaMonkey 1.1.5, ...)
> - - iceape <unfixed> (medium)
> - - iceweasel <unfixed> (medium)
> - TODO: check mozilla derivatives/xulrunner
> + - iceape <unfixed> (low)
> + [etch] - iceape <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
> + - iceweasel <unfixed> (low)
> + [etch] - iceweasel <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
> + - xulrunner <unfixed> (low)
> + [etch] - xulrunner <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
>
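Review bot: The `<no-dsa>` reason on the three `[etch]` lines points to a fix expected in Firefox 3, which says nothing about the impact on the etch packages themselves, and the medium to low change on the iceape and iceweasel lines carries no rationale of its own; state why the issue is minor for the affected versions. The removed TODO asked to check mozilla derivatives as well as xulrunner, but only xulrunner is added, so either record which other derivatives were checked or keep the TODO.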
I don't agree with this. An attacker can trick a user into accepting a
certificate for '*', which then allows MITM attacks for any
website. This should not be `low`.
Cheers,
Stefan