tag 887488 pending
thanks

Hello,

Bug #887488 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-electronics/openocd.git/commit/?id=ca095a1

---
commit ca095a1fcbf9bc80d4bae493c2833e615b54b51f
Author: Jonathan McDowell <nood...@earth.li>
Date:   Thu Jan 18 09:40:26 2018 +0000

    Prevent some forms of Cross Protocol Scripting attacks (Closes: #887488)
    
    OpenOCD does not detect when a browser attempts to send data to it using
    HTTP POST, allowing for a cross-protocol scripting attack. This is
    mitigated by detecting a POST or Host: "command", neither of which are
    valid but will come as part of the HTTP POST, and terminating the
    telnet connection if they are seen. (CVE-2018-570)

diff --git a/debian/changelog b/debian/changelog
index 2d45901..f451a14 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-openocd (0.10.0-4) UNRELEASED; urgency=medium
+openocd (0.10.0-4) UNRELEASED; urgency=high
 
   * Bind to localhost by default
+  * Prevent some forms of Cross Protocol Scripting attacks (CVE-2018-5704)
+    (Closes: #887488)
 
  -- Jonathan McDowell <nood...@earth.li>  Thu, 18 Jan 2018 09:27:37 +0000
 
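Review bot: The CVE id in the added changelog line, "(CVE-2018-5704)", does not agree with the commit message above, which cites "(CVE-2018-570)"; one of the two is mistyped, and the shorter one looks truncated. Make both carry the same id so that searches of the Git history and of the changelog find the same fix. The urgency bump from medium to high is consistent with a security fix and needs no change.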

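The mitigation the commit message describes, sketched as an added example; this is not code from the email or from OpenOCD. The function names, the `session_result` struct and the sample inputs are hypothetical, and command execution is replaced by a counter.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct session_result { int dispatched; bool closed; };

/* True when tok is the whole first word of a line of len bytes (no '\n'). */
static bool first_word_is(const char *line, size_t len, const char *tok)
{
    size_t n = strlen(tok);
    if (len < n || memcmp(line, tok, n) != 0)
        return false;
    return len == n || line[n] == ' ' || line[n] == '\t' || line[n] == '\r';
}

/* Hypothetical check: a browser's HTTP POST carries "POST" and "Host:" lines. */
bool is_http_line(const char *line, size_t len)
{
    return first_word_is(line, len, "POST") || first_word_is(line, len, "Host:");
}

/* Split received bytes into lines; stop at the first HTTP line. */
struct session_result process_session(const char *buf)
{
    struct session_result r = { 0, false };
    while (*buf) {
        size_t len = strcspn(buf, "\n");
        if (is_http_line(buf, len)) {
            r.closed = true;      /* terminate; nothing after this line runs */
            break;
        }
        if (len > 0 && !(len == 1 && buf[0] == '\r'))
            r.dispatched++;       /* stand-in for running the command */
        buf += len + (buf[len] == '\n');
    }
    return r;
}

/* Constructed sample inputs, not captured traffic. */
const char BROWSER_POST[] = "POST / HTTP/1.1\r\nHost: localhost\r\n\r\nreset halt\r\n";
const char TELNET_SESSION[] = "halt\r\nreset halt\r\n";

int main(void)
{
    struct session_result a = process_session(BROWSER_POST);
    struct session_result b = process_session(TELNET_SESSION);
    printf("browser POST: ran %d, closed %d\n", a.dispatched, a.closed);
    printf("telnet:       ran %d, closed %d\n", b.dispatched, b.closed);
    return 0;
}
```

The match is on the whole first word, so an ordinary command that merely begins with the letters `POST` is not treated as HTTP.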