Bug 46625

Summary: cups: Multiple issues (4.3)
Product: UCS Reporter: Philipp Hahn <hahn>
Component: Security updatesAssignee: Philipp Hahn <hahn>
Status: CLOSED FIXED QA Contact: Arvid Requate <requate>
Severity: normal    
Priority: P3 CC: requate
Version: UCS 4.3   
Target Milestone: UCS 4.3-0-errata   
Hardware: All   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) NVD

Description Philipp Hahn univentionstaff 2018-03-13 16:50:36 CET 
New Debian cups 2.2.1-8+deb9u1A~4.3.0.201803130703 fixes:
This update addresses the following issue:
* CVE-2017-18190: Prevent an issue where remote attackers could execute
  arbitrary IPP commands by sending POST requests to the CUPS daemon in
  conjunction with DNS rebinding. This was caused by a whitelisted
  "localhost.localdomain" entry.

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
Comment 1 Philipp Hahn univentionstaff 2018-03-13 17:38:39 CET 
[4.3-0] bdc053edc4 Bug #46625: cups_2.2.1-8+deb9u1A~4.3.0.201803130703
Comment 2 Quality Assurance univentionstaff 2018-05-04 16:43:13 CEST 
--- mirror/ftp/4.3/unmaintained/4.3-0/source/cups_2.2.1-8A~4.3.0.201803121724.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/cups_2.2.1-8+deb9u1A~4.3.0.201803131634.dsc
@@ -1,4 +1,4 @@
-2.2.1-8A~4.3.0.201803121724 [Mon, 12 Mar 2018 17:24:41 +0100] Univention builddaemon <buildd@univention.de>:
+2.2.1-8+deb9u1A~4.3.0.201803131634 [Tue, 13 Mar 2018 16:34:20 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     00-autostart-setting
@@ -9,6 +9,13 @@
     15_postponed-univention-lpadmin-systemd
     20_no-on-demand-systemd-service
 
+2.2.1-8+deb9u1 [Thu, 22 Feb 2018 17:51:44 +0100] Didier Raboud <odyx@debian.org>:
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+    arbitrary IPP commands by sending POST requests to the CUPS daemon in
+    conjunction with DNS rebinding. This was caused by a whitelisted
+    "localhost.localdomain" entry.
+
 2.2.1-8 [Tue, 31 Jan 2017 08:00:49 +0100] Didier Raboud <odyx@debian.org>:
 
   [ JP Guillonneau ]
Comment 3 Arvid Requate univentionstaff 2018-05-14 19:00:51 CEST 
* All UCS specific patches merged and applied during rebuilt
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 4 Arvid Requate univentionstaff 2018-05-16 17:04:04 CEST 
<http://errata.software-univention.de/ucs/4.3/46.html>