[Pkg-electronics-devel] Bug#887488: Bug#887488: openocd: CVE-2018-5704 cross protocol scripting attack
Jonathan McDowell
noodles at earth.li
Wed Jan 17 12:55:46 UTC 2018
On Wed, Jan 17, 2018 at 10:50:44AM +0100, Guido Günther wrote:
> the following vulnerability was published for openocd.
>
> CVE-2018-5704[0]:
> | Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use
> | HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote
> | attackers to conduct cross-protocol scripting attacks, and consequently
> | execute arbitrary commands, via a crafted web site.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-5704
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5704
>
> Please adjust the affected versions in the BTS as needed.
I see Salvatore has marked this as affecting 0.10.0-3, I'm not sure
there's any reason to believe 0.9.0-1 isn't affected as well but I will
need to check later today. Upstream still seem to be discussing the best
fix but I think at least:
http://openocd.zylin.com/#/c/4335/
and
http://openocd.zylin.com/#/c/4331/
seem appropriate pending anything more complete.
J.
--
Revd Jonathan McDowell, ULC | I've got a trigger inside.
More information about the Pkg-electronics-devel
mailing list