Login
Newsletter
Werbung

Sicherheit: Ausführen beliebiger Kommandos in openocd
Aktuelle Meldungen Distributionen
Name: Ausführen beliebiger Kommandos in openocd
ID: DSA-4093-1
Distribution: Debian
Plattformen: Debian jessie, Debian stretch
Datum: Mo, 22. Januar 2018, 07:14
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5704
Applikationen: OpenOCD

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4093-1 security@debian.org
https://www.debian.org/security/
January 21, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openocd
CVE ID : CVE-2018-5704
Debian Bug : 887488

Josef Gajdusek discovered that OpenOCD, a JTAG debugger for ARM and MIPS,
was vulnerable to Cross Protocol Scripting attacks. An attacker could
craft a HTML page that, when visited by a victim running OpenOCD, could
execute arbitrary commands on the victims host.

This fix also sets the OpenOCD default binding to localhost, instead of
every network interfaces. This can be changed with the added "bindto"
command argument.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.8.0-4+deb7u1.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.0-1+deb8u1.

We recommend that you upgrade your openocd packages.

For the detailed security status of openocd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openocd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlplTRkACgkQbsLe9o/+
N3SoCQ//YBD0bq5cBK382flGHmfA5mu7unG6aUxd9+bDCvoKqbZdmgModuh/nBG/
qF/0kUOInDN0gYXFAoXFKKn2aIjOQ3SHc6miyu5XA+I/Ie4TVDtpndajW6rqvrNd
Ylt8fxRexRctY1MXWMB9Jv+uP+8MU/18abMGxFdltBZOLQM6DsKyS0AKlbd08zBu
ykdgg4X9qRm44fPU4KyPCWroAhAfUkRWdg8YFweRLY6uOetkwoUR0MKbw3zZjMyA
3qQ+ejjoC6/vFZ0Nmy3QRHabqLSiR/ierLx/n0ZC4xiGfQBYiPpOyyN8bQtkzGf8
csFvDh77PxUeaA1RC8tlY3cR/vvB+GaODRmxKzQPrsUf0HoWxHTfGT1/MbcKuuxP
s8Vn5Plwg/v7H9KJYOUbNyzNq/xt/sxcZdTXDF049vaagmEwQnM0iXG5D6quLQkS
iXn2qzHw0Xv73yA6msdxu/v5d8i/6ly+qzkf/qUNE1Vc1WTfWw41qb6VxLB6W/3A
fVBIp3Jpykj+QlDFhgYTenuaPim86G8JjvsZDb2x9k0ThJQQs4SD8ikhwoYrhlnm
JsHe/uFjDyLWUZxRumPS16pZMrMjDKO93NiR17R8u/KV1jPWkwq/2D6WSIyJfiT8
sYUEV1rhsYSD82sP6+vpMJF89LOeHpl+YI0SLL91Oixw0RypB9k=
=8CD/
-----END PGP SIGNATURE-----
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung