Univention Bugzilla – Bug 48772
cups: Multiple issues (4.3)
Last modified: 2019-02-27 13:29:07 CET
New Debian cups 2.2.1-8+deb9u3A~4.3.3.201902261122 fixes:

This update addresses the following issues:
* Invalid usernames handled in scheduler/ipp.c:add_job() allow remote attackers to cause a denial of service (CVE-2017-18248)
* Predictable session cookie breaks CSRF protection (CVE-2018-4700)
--- mirror/ftp/4.3/unmaintained/4.3-2/source/cups_2.2.1-8+deb9u2A~4.3.0.201807161612.dsc +++ apt/ucs_4.3-0-errata4.3-3/source/cups_2.2.1-8+deb9u3A~4.3.3.201902261122.dsc @@ -1,4 +1,4 @@ -2.2.1-8+deb9u2A~4.3.0.201807161612 [Mon, 16 Jul 2018 16:12:15 +0200] Univention builddaemon <buildd@univention.de>: +2.2.1-8+deb9u3A~4.3.3.201902261122 [Tue, 26 Feb 2019 11:41:42 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 00-autostart-setting @@ -8,6 +8,13 @@ 11_cups-disable-test 15_postponed-univention-lpadmin-systemd 20_no-on-demand-systemd-service + +2.2.1-8+deb9u3 [Fri, 14 Dec 2018 13:58:47 +0100] Didier Raboud <odyx@debian.org>: + + * Backport upstream fixes for: + - CVE-2017-18248: DBUS notifications could crash the scheduler + - CVE-2018-4700: Linux session cookies used a predictable random + number seed (Closes: #915909) 2.2.1-8+deb9u2 [Wed, 11 Jul 2018 11:29:27 +0200] Didier Raboud <odyx@debian.org>: <http://10.200.17.11/4.3-3/#7989811750548183774>
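Review bot: in the added 2.2.1-8+deb9u3 changelog entry (second hunk), the CVE-2017-18248 item reads only "DBUS notifications could crash the scheduler", while the advisory text in this bug attributes the same CVE to invalid usernames handled in scheduler/ipp.c:add_job(). The errata entry should keep the add_job() wording next to the CVE id so the two descriptions can be matched. Also note that "(Closes: #915909)" follows the CVE-2018-4700 item only, so the CVE-2017-18248 backport carries no Debian bug number here to cross-check against.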
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-3] d908bbc61d Bug #48772: cups 2.2.1-8+deb9u3A~4.3.3.201902261122
 doc/errata/staging/cups.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
<http://errata.software-univention.de/ucs/4.3/431.html>