During the review of bug 492688, I just realized that the evaluation for the MITM attack is wrong. The function of the MITM is obtain the passwords, and passwords have an evaluation as 3. Most of MITM bugs in our bugzilla have 4 as evaluation. I'm asking to discuss this and in any cases, add the MITM in the reference table at: http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3
(In reply to Agostino Sarubbo from comment #0) > During the review of bug 492688, I just realized that the evaluation for the > MITM attack is wrong. > The evaluation in bug 492688 is correct. The CVE "allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate". This is Others (4) on the evaluation table. > The function of the MITM is obtain the passwords, and passwords have an > evaluation as 3. > Obtaining passwords is not the SOLE function of a MITM attack. The attacker may just want other sensitive information: credit card numbers, personal data, system information for other attacks, etc. Leaking a password is merely one impact that a MITM attack _could_ have. > Most of MITM bugs in our bugzilla have 4 as evaluation. > > > I'm asking to discuss this and in any cases, add the MITM in the reference > table at: > http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3 MITM is an _attack_ vector, not the _impact_ of a vulnerability or attack. The table in the vulnerability policy lists the possible impacts of a vulnerability or attack. This is how our bugs are rated/evaluated: based on the impact. As such, MITM is covered by the table: a MITM attack typically involves an information disclosure (4). If the information being disclosed is user credentials, then it may be possible for a global service compromise (3).
