Your message dated Sat, 10 Feb 2018 21:08:21 +0000
with message-id <e1ekcnh-000csl...@fasolo.debian.org>
and subject line Bug#887488: fixed in openocd 0.8.0-4+deb7u1
has caused the Debian Bug report #887488,
regarding openocd: CVE-2018-5704 cross protocol scripting attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
887488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887488
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openocd
X-Debbugs-CC: t...@security.debian.org 
secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: important

Hi,

the following vulnerability was published for openocd.

CVE-2018-5704[0]:
| Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use
| HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote
| attackers to conduct cross-protocol scripting attacks, and consequently
| execute arbitrary commands, via a crafted web site.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5704
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5704

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: openocd
Source-Version: 0.8.0-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
openocd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan McDowell <nood...@earth.li> (supplier of updated openocd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Jan 2018 18:50:16 +0000
Source: openocd
Binary: openocd
Architecture: source amd64
Version: 0.8.0-4+deb7u1
Distribution: jessie-security
Urgency: high
Maintainer: Uwe Hermann <u...@debian.org>
Changed-By: Jonathan McDowell <nood...@earth.li>
Description:
 openocd    - Open on-chip JTAG debug solution for ARM and MIPS systems
Closes: 887488
Changes:
 openocd (0.8.0-4+deb7u1) jessie-security; urgency=high
 .
   * Pull "bindto" command from upstream
   * Bind to localhost by default
   * Prevent some forms of Cross Protocol Scripting attacks (CVE-2018-5704)
     (Closes: #887488)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
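
An added illustration of the kind of check that "Prevent some forms of Cross Protocol Scripting attacks" refers to. It is not the Debian or upstream OpenOCD patch, which this thread does not show. A line-oriented command port can close the connection as soon as the input looks like an HTTP request from a browser. The function names, the `example_command` placeholder and the sample sessions are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Hypothetical guard for a line-oriented command port; not OpenOCD code. */
static const char *const http_methods[] = {
    "GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE", "PATCH"
};

/* True if the line looks like an HTTP request line ("POST / HTTP/1.1")
 * or the Host header that every HTTP/1.1 client sends. */
bool looks_like_http(const char *line)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (strncasecmp(line, "Host:", 5) == 0)
        return true;
    for (size_t i = 0; i < sizeof http_methods / sizeof http_methods[0]; i++) {
        size_t n = strlen(http_methods[i]);
        if (strncmp(line, http_methods[i], n) == 0 && line[n] == ' ' &&
            strstr(line + n, " HTTP/") != NULL)
            return true;
    }
    return false;
}

/* Index of the first line at which the server should close the connection,
 * or -1 if the session looks like ordinary command input. Closing (rather
 * than skipping the line) matters: the request body that follows the
 * headers would otherwise be read as commands. */
long first_rejected_line(const char *const *lines, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (looks_like_http(lines[i]))
            return (long)i;
    return -1;
}

/* Constructed sample input: what a browser POST delivers to the port,
 * and an ordinary interactive session. */
const char *const sample_browser[] = {
    "POST / HTTP/1.1", "Host: 127.0.0.1:4444", "Content-Type: text/plain",
    "", "example_command arg"
};
const char *const sample_operator[] = { "example_command arg", "get_status" };
```

Binding to localhost, the other change in the changelog, does not cover a browser running on the same host, which is why a content check like this is a separate measure.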
