Subject: Why is firefox-2.0.0.7 marked as insecure?
To: NetBSD current-users <current-users@netbsd.org>
From: M Graff <explorer@flame.org>
List: current-users
Date: 10/02/2007 12:46:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===> Checking for vulnerabilities in firefox-2.0.0.7
Package firefox-2.0.0.7 has a remote-information-exposure vulnerability,
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URLS in
audit-packages.conf(5) if this package is absolutely essential.

The version that URL refers to is ancient:

Description
Mozilla Firefox 1.5.0.4, Mozilla Suite 1.7.13, Mozilla SeaMonkey 1.0.2,
and Netscape 8.1 and earlier allows user-assisted remote attackers to
read arbitrary files by tricking a user into typing the characters of
the target filename in a text box and using the OnKeyDown, OnKeyPress,
and OnKeyUp Javascript keystroke events to change the focus and cause
those characters to be inserted into a file upload input control, which
can then upload the file when the user submits the form.

Is 2.0.0.7 still insecure, or is this a mistake in an overly-zealous match?

- --Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHAoP2uzMQWQwZDN0RAguLAJ9P8ATHZ0614EWNUbvan4TkcHw/yQCeKalV
mAzFbv+I2v+j79DFUxoFsEc=
=EfzO
-----END PGP SIGNATURE-----