
CVE-2007-659[01] (was: r7801 - in data: . CVE)



On Thursday 03 January 2008, jmm-guest@alioth.debian.org wrote:
>  CVE-2007-6590 (Mozilla 1.9 M8 and earlier, Mozilla Firefox 2, SeaMonkey 1.1.5, ...)
> -       - iceape <unfixed> (medium)
> -       - iceweasel <unfixed> (medium)
> -       TODO: check mozilla derivatives/xulrunner
> +       - iceape <unfixed> (low)
> +       [etch] - iceape <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
> +       - iceweasel <unfixed> (low)
> +       [etch] - iceweasel <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
> +       - xulrunner <unfixed> (low)
> +       [etch] - xulrunner <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
> 
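Review bot: The severity on the iceape and iceweasel <unfixed> lines drops from (medium) to (low) with no reason recorded for the downgrade. The only rationale in the hunk sits on the [etch] <no-dsa> lines and points to a future certificate manager in Firefox 3, which explains deferring a DSA but not why the impact on the versions currently shipped is low. Either keep (medium) or add a NOTE: line stating the reasoning for (low); the new xulrunner entry inherits the same unexplained (low).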


I don't agree with this. An attacker can trick a user into accepting a
certificate for '*', which then allows MITM attacks on any
website. This should not be `low`.

Cheers,
Stefan
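
To illustrate the concern raised in the reply above, here is an added example (not part of the original message and not Mozilla's code) that contrasts a glob-style certificate name matcher with a stricter one and flags accepted names whose wildcard is too broad. The function names, the sample names and hosts, and the "at least two literal labels after the wildcard" rule are assumptions made for illustration.

```python
import fnmatch

def naive_match(pattern: str, host: str) -> bool:
    """Glob-style matching: '*' spans dots, so a bare '*' covers every host."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())

def strict_match(pattern: str, host: str) -> bool:
    """Wildcard only as the whole left-most label, covering exactly one label,
    and only when at least two literal labels follow it (simplified rule)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False          # wildcard in the wrong place, or partial label
    if len(p_labels) < 3:
        return False          # rejects '*' and '*.org'
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])

def overbroad_names(cert_names, probe_hosts):
    """Names a glob matcher accepts for some host that the strict one rejects."""
    return [
        name for name in cert_names
        if any(naive_match(name, h) and not strict_match(name, h)
               for h in probe_hosts)
    ]

# Constructed sample data: names from user-accepted certificates, and
# unrelated hosts used to probe how far each name reaches.
CERT_NAMES = ["*", "*.example.org", "www.example.org", "*.org"]
PROBE_HOSTS = ["www.example.org", "mail.example.net", "login.bank.example"]

if __name__ == "__main__":
    for name in overbroad_names(CERT_NAMES, PROBE_HOSTS):
        print(f"over-broad certificate name: {name!r}")
```
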

