Your message dated Fri, 09 Feb 2018 23:47:09 +0000
with message-id <e1ekinp-0004pe...@fasolo.debian.org>
and subject line Bug#887488: fixed in openocd 0.9.0-1+deb8u1
has caused the Debian Bug report #887488,
regarding openocd: CVE-2018-5704 cross protocol scripting attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
887488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887488
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openocd
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: important

Hi,

the following vulnerability was published for openocd.

CVE-2018-5704[0]:
| Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use
| HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote
| attackers to conduct cross-protocol scripting attacks, and consequently
| execute arbitrary commands, via a crafted web site.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5704
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5704

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: openocd
Source-Version: 0.9.0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
openocd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan McDowell <nood...@earth.li> (supplier of updated openocd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 18 Jan 2018 14:05:10 +0000
Source: openocd
Binary: openocd
Architecture: source amd64
Version: 0.9.0-1+deb8u1
Distribution: stretch-security
Urgency: high
Maintainer: Uwe Hermann <u...@debian.org>
Changed-By: Jonathan McDowell <nood...@earth.li>
Description:
 openocd    - Open on-chip JTAG debug solution for ARM and MIPS systems
Closes: 887488
Changes:
 openocd (0.9.0-1+deb8u1) stretch-security; urgency=high
 .
   * Update debian/gbp.conf to deal with stretch
   * Pull "bindto" command from upstream
   * Bind to localhost by default
   * Prevent some forms of Cross Protocol Scripting attacks (CVE-2018-5704)
     (Closes: #887488)

--- End Message ---
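
An added illustration (not code from this report or from the OpenOCD patch) of the class of check the changelog entry describes: a line-based command port that drops the connection as soon as its input looks like an HTTP request, so the body of a browser-issued POST never reaches the command interpreter. The function names, the method list and the sample inputs are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum verdict { LINE_OK, LINE_HTTP };

/* Constructed sample: what a browser POST looks like to a line-based port. */
static const char SAMPLE_HTTP[] =
    "POST / HTTP/1.1\r\nHost: 127.0.0.1:4444\r\n"
    "Content-Type: text/plain\r\n\r\nexample_command\r\n";
/* Constructed sample: an ordinary interactive session. */
static const char SAMPLE_TELNET[] = "help\r\nversion\r\n";

/* Classify one line received on the command port. */
enum verdict classify_line(const char *line)
{
    static const char *methods[] = { "GET ", "POST ", "PUT ", "HEAD ",
                                     "OPTIONS ", "DELETE ", "PATCH " };
    /* Request line: "<METHOD> <target> HTTP/1.x" */
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++)
        if (strncmp(line, methods[i], strlen(methods[i])) == 0 &&
            strstr(line, " HTTP/1."))
            return LINE_HTTP;
    /* Header present in every HTTP/1.1 request a browser sends. */
    if (strncasecmp(line, "Host:", 5) == 0)
        return LINE_HTTP;
    return LINE_OK;
}

/* Count the lines that reach the interpreter. Without the check, unknown
 * lines only produce an error and parsing continues into the POST body. */
int lines_reaching_interpreter(const char *buf, int hardened)
{
    int passed = 0;
    while (*buf) {
        char line[256];
        size_t n = strcspn(buf, "\r\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, buf, c);
        line[c] = '\0';
        buf += n;
        buf += strspn(buf, "\r\n");      /* skip line ends and blank lines */
        if (hardened && classify_line(line) == LINE_HTTP)
            return passed;               /* drop the connection here */
        if (c > 0)
            passed++;
    }
    return passed;
}
```

The check is a heuristic on the first lines of input, which matches the changelog's wording of "some forms"; binding to localhost and restricting who can reach the port remain separate controls.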
