Univention Bugzilla – Bug 37267
cups: Multiple issues (ES 3.1)
Last modified: 2016-11-28 14:47:58 CET
Cross-site scripting in the web interface (CVE-2014-2856, CVE-2014-5031, CVE-2014-5030, CVE-2014-5029)
CVE-2014-9679: buffer overflow in cupsRasterReadPixels
Fixed in upstream Debian package version 1.4.4-7+squeeze7
Fixed in upstream Debian package version 1.4.4-7+squeeze8:
* Improper Update of Reference Count (CVE-2015-1158)
* Cross-Site Scripting (CVE-2015-1159)
imported 1.4.4-7+squeeze10 from squeeze-lts and built in extsec3.1

disabled patches (already upstream)
* 23_CVE-2011-2896_CVE-2011-3170.patch.DISABLED
* 30_CVE-2013-6474_CVE-2013-6475_CVE-2013-6476.patch.DISABLED
* 40_CVE-2015-3258-CVE-2015-3279.debian-src.patch.DISABLED
* 41_CVE-2015-3258-CVE-2015-3279.dpatch.patch.DISABLED

new patches:
* cups-disable-test.patch -> test fail in pbuilder, see patches/cups/4.0-0-0-ucs/1.5.3-5+deb7u1/cups-disable-test.patch
* disable-config-split.patch -> reverted all "split config" changes, this would require a modification of univention-printserver (provide proper templates for cupsd.conf and cups-files.conf)

Tested
* installation/update
* basic printer tests (create, modify, print)
I guess this is a duplicate of Bug #39402, sorry. If that's true then we need to revert the packages. I found this while checking the yaml against the changelog and against the previous patches (3.1-0-0-ucs/1.4.4-7-extsec3.1)
yes, you are right

removed cups
* removed cups 1.4.4-7+squeeze10 from extsec3.1
* cherry picked cups 1.4.4-7 to extsec3.1
* copied cups 1.4.4-7.101.201511181626 from mirror/ftp/3.1/maintained/component/extsec3.1 back to apt/ucs_3.1-0-extsec3.1
ok