Package: openocd / 0.9.0-1+deb8u1

Metadata

Package: openocd
Version: 0.9.0-1+deb8u1
Patches format: 3.0 (quilt)

Patch series

add bindto.patch

doc/openocd.texi    |  5 +++++
src/server/server.c | 46 ++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 49 insertions(+), 2 deletions(-)

bind localhost only.patch

doc/openocd.texi    | 2 +-
src/server/server.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

[PATCH] server: bind to IPv4 localhost by default

Since OpenOCD basically allows arbitrary actions to be performed on behalf of
the running user, it makes sense to restrict the exposure by default.

If you need network connectivity and your environment is safe enough,
use "bindto 0.0.0.0" to switch to the old behaviour.

css fix.patch

src/server/startup.tcl | 11 +++++++++++
1 file changed, 11 insertions(+)

[PATCH] CVE-2018-5704: prevent some forms of Cross Protocol Scripting attacks

OpenOCD can be targeted by a Cross Protocol Scripting attack from
a web browser running malicious code, such as the following PoC:

var x = new XMLHttpRequest();
x.open("POST", "http://127.0.0.1:4444", true);
x.send("exec xcalc\r\n");

This mitigation should provide some protection from browser-based
attacks and is based on the corresponding fix in Redis:

https://github.com/antirez/redis/blob/8075572207b5aebb1385c4f233f5302544439325/src/networking.c#L1758
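The guard the commit message describes, written out as an added example in C (it is neither OpenOCD's startup.tcl change nor Redis's networking.c): a line-oriented command server drops the connection as soon as a line's first token is an HTTP method or a Host: header, which is exactly how the browser's POST envelope around "exec xcalc" begins. The token list, the function names and the session model are assumptions made for illustration.

```c
/* Added example, not OpenOCD's or Redis's code: close a telnet-style command
 * session as soon as a line looks like HTTP, so a browser's POST body never
 * reaches the dispatcher. Token list and session model are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* First tokens only an HTTP client sends. Redis checks "POST" and "Host:";
 * the other methods are an assumed extension of that list. */
static const char *const http_tokens[] = {
    "POST", "Host:", "GET", "PUT", "HEAD", "OPTIONS", "DELETE"
};

/* Case-insensitive match of the first whitespace-delimited token of a line
 * of length len (not NUL-terminated): "POST" matches, "postpone" does not. */
static bool first_token_is(const char *line, size_t len, const char *token)
{
    size_t i = 0;
    for (; token[i] != '\0'; i++)
        if (i >= len || tolower((unsigned char)line[i]) !=
                        tolower((unsigned char)token[i]))
            return false;
    return i == len || isspace((unsigned char)line[i]);
}

/* True when the line must cause the connection to be closed. */
bool looks_like_http(const char *line, size_t len)
{
    size_t n = sizeof http_tokens / sizeof http_tokens[0];
    for (size_t i = 0; i < n; i++)
        if (first_token_is(line, len, http_tokens[i]))
            return true;
    return false;
}

/* Feeds a received buffer line by line, as a command server would. Returns
 * how many non-empty lines reach the dispatcher, or -1 when the guard
 * closed the session (later lines, including the body, are never parsed). */
int serve_session(const char *input)
{
    int dispatched = 0;
    while (*input != '\0') {
        size_t len = strcspn(input, "\r\n");
        if (looks_like_http(input, len))
            return -1;                  /* close connection, stop parsing */
        if (len > 0) dispatched++;
        input += len;
        while (*input == '\r' || *input == '\n') input++;
    }
    return dispatched;
}
```

The check keys on the HTTP envelope, not on the command itself, which is why the commit message claims protection against only some forms of the attack; it complements the localhost-only bind from the previous patch rather than replacing it.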