On Thursday 03 January 2008, [EMAIL PROTECTED] wrote: > CVE-2007-6590 (Mozilla 1.9 M8 and earlier, Mozilla Firefox 2, SeaMonkey > 1.1.5, ...) > - - iceape <unfixed> (medium) > - - iceweasel <unfixed> (medium) > - TODO: check mozilla derivatives/xulrunner > + - iceape <unfixed> (low) > + [etch] - iceape <no-dsa> (Minor issue, new certificate manager in > Firefox 3 et al will address this) > + - iceweasel <unfixed> (low) > + [etch] - iceweasel <no-dsa> (Minor issue, new certificate manager in > Firefox 3 et al will address this) > + - xulrunner <unfixed> (low) > + [etch] - xulrunner <no-dsa> (Minor issue, new certificate manager in > Firefox 3 et al will address this) >
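Review bot: The three `[etch]` `<no-dsa>` lines justify "Minor issue" only by pointing at the new certificate manager in Firefox 3 et al, which does not explain why the impact is minor for the packages in etch; the note should state the impact reasoning itself. The change from (medium) to (low) on the iceape and iceweasel lines also carries no rationale. The removed TODO covered "mozilla derivatives/xulrunner" but only xulrunner was added, so it would help to record whether the other derivatives were checked.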
I don't agree with this. An attacker can trick a user into accepting a certificate for '*', which then allows MITM attacks on any website. This should not be `low`.

Cheers,
Stefan
