Your message dated Thu, 18 Jan 2018 19:35:15 +0000
with message-id <e1ecfxz-000g0b...@fasolo.debian.org>
and subject line Bug#887488: fixed in openocd 0.10.0-4
has caused the Debian Bug report #887488,
regarding openocd: CVE-2018-5704 cross protocol scripting attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
887488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887488
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openocd
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: important

Hi,

the following vulnerability was published for openocd.

CVE-2018-5704[0]:
| Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use
| HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote
| attackers to conduct cross-protocol scripting attacks, and consequently
| execute arbitrary commands, via a crafted web site.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5704
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5704

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: openocd
Source-Version: 0.10.0-4

We believe that the bug you reported is fixed in the latest version of
openocd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan McDowell <nood...@earth.li> (supplier of updated openocd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Jan 2018 19:19:47 +0000
Source: openocd
Binary: openocd
Architecture: source amd64
Version: 0.10.0-4
Distribution: sid
Urgency: high
Maintainer: Debian Electronics Packaging Team <pkg-electronics-de...@lists.alioth.debian.org>
Changed-By: Jonathan McDowell <nood...@earth.li>
Description:
 openocd    - Open on-chip JTAG debug solution for ARM and MIPS systems
Closes: 887488
Changes:
 openocd (0.10.0-4) unstable; urgency=high
 .
   * Bind to localhost by default
   * Prevent some forms of Cross Protocol Scripting attacks (CVE-2018-5704)
     (Closes: #887488)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
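The CVE text and the changelog entry above concern HTTP requests reaching a line-oriented command port. The following is an added example, not code from OpenOCD or from the Debian patch (the thread does not show how the fix works): one way such a port can refuse HTTP input, latching the rejection so that the headers and body after the request line never reach the command interpreter. All function names, the struct and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs; "cmd_one" etc. are placeholders, not real commands. */
const char sample_http[] = "POST / HTTP/1.1\r\nHost: 127.0.0.1:4444\r\n\r\ncmd_one\r\n";
const char sample_cli[]  = "cmd_one\ncmd_two\n";

struct line_guard { bool rejected; };   /* per-connection state (hypothetical) */

/* True if the line has the shape "METHOD SP target SP HTTP/<version>". */
static bool is_http_request_line(const char *line, size_t len)
{
    static const char *const methods[] = { "GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "PATCH" };
    while (len > 0 && line[len - 1] == '\r')     /* drop CR left by the splitter */
        len--;
    for (size_t i = 0; i < sizeof(methods) / sizeof(methods[0]); i++) {
        size_t m = strlen(methods[i]);
        if (len <= m + 1 || memcmp(line, methods[i], m) != 0 || line[m] != ' ')
            continue;
        size_t j = len;                           /* find start of the last token */
        while (j > m + 1 && line[j - 1] != ' ')
            j--;
        if (j > m + 1 && len - j >= 5 && memcmp(line + j, "HTTP/", 5) == 0)
            return true;
    }
    return false;
}

/* Returns true if the line may go to the command interpreter. The rejection
 * latches, so the headers and body that follow a request line are dropped too. */
bool line_guard_accept(struct line_guard *g, const char *line, size_t len)
{
    if (!g->rejected && is_http_request_line(line, len))
        g->rejected = true;                       /* caller should close the socket */
    return !g->rejected;
}

/* Feeds a whole byte stream through a fresh guard; returns how many lines pass. */
size_t count_accepted(const char *stream)
{
    struct line_guard g = { false };
    size_t accepted = 0;
    while (*stream) {
        size_t n = strcspn(stream, "\n");
        accepted += line_guard_accept(&g, stream, n) ? 1 : 0;
        stream += n + (stream[n] == '\n');
    }
    return accepted;
}

int main(void)
{
    printf("http: %zu, cli: %zu\n", count_accepted(sample_http), count_accepted(sample_cli));
    return 0;
}
```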