Bug 37267 - cups: Multiple issues (ES 3.1)
Status: CLOSED INVALID
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P4 normal
: UCS 3.1-ES
Assigned To: Felix Botner
Arvid Requate
Depends on: 35402
Blocks:
Reported: 2014-12-09 16:24 CET by Moritz Muehlenhoff
Modified: 2016-11-28 14:47 CET (History)

requate: Patch_Available+
Description Moritz Muehlenhoff univentionstaff 2014-12-09 16:24:39 CET
Cross-site scripting in the web interface (CVE-2014-2856, CVE-2014-5031, CVE-2014-5030, CVE-2014-5029)
Comment 1 Arvid Requate univentionstaff 2015-02-16 17:21:56 CET
CVE-2014-9679: buffer overflow in cupsRasterReadPixels
Comment 2 Arvid Requate univentionstaff 2015-05-06 17:12:53 CEST
Fixed in upstream Debian package version 1.4.4-7+squeeze7
Comment 3 Arvid Requate univentionstaff 2015-06-17 16:28:58 CEST
Fixed in upstream Debian package version 1.4.4-7+squeeze8:

* Improper Update of Reference Count (CVE-2015-1158)
* Cross-Site Scripting (CVE-2015-1159)
Comment 4 Felix Botner univentionstaff 2016-06-02 15:03:26 CEST
imported 1.4.4-7+squeeze10 from squeeze-lts and built in extsec3.1

disabled patches (already upstream)
23_CVE-2011-2896_CVE-2011-3170.patch.DISABLED
30_CVE-2013-6474_CVE-2013-6475_CVE-2013-6476.patch.DISABLED
40_CVE-2015-3258-CVE-2015-3279.debian-src.patch.DISABLED
41_CVE-2015-3258-CVE-2015-3279.dpatch.patch.DISABLED

new patches:
cups-disable-test.patch -> test fail in pbuilder, see
   patches/cups/4.0-0-0-ucs/1.5.3-5+deb7u1/cups-disable-test.patch
disable-config-split.patch -> reverted all "split config" changes, this would
   require a modification of univention-printserver (provide proper templates
   for cupsd.conf and cups-files.conf)

Tested
 * installation/update
 * basic printer tests (create, modify, print)
Comment 5 Arvid Requate univentionstaff 2016-06-08 22:07:56 CEST
I guess this is a duplicate of Bug #39402, sorry. If that's true then we need to revert the packages. I found this while checking the yaml against the changelog and against the previous patches (3.1-0-0-ucs/1.4.4-7-extsec3.1)
Comment 6 Felix Botner univentionstaff 2016-06-13 12:21:32 CEST
yes, you are right
removed cups

* removed cups 1.4.4-7+squeeze10 from extsec3.1
* cherry picked cups 1.4.4-7 to extsec3.1
* copied cups 1.4.4-7.101.201511181626 from
  mirror/ftp/3.1/maintained/component/extsec3.1
  back to apt/ucs_3.1-0-extsec3.1
Comment 7 Arvid Requate univentionstaff 2016-11-21 18:52:14 CET
ok