Univention Bugzilla – Bug 56701
CUPS "AuthType" not set for CUPS-Get-Document operation
Last modified: 2023-10-05 13:13:31 CEST
While upgrading to UCS 5.0-5 errata829 a cups update to 2.2.10-6+deb10u9 addressing CVE-2023-32360 (ref #56679) was installed. "apt-listchanges" informed me, that the important part includes setting the AuthType directive > Please double check your /etc/cups/cupds.conf file, whether it limits the access to CUPS-Get-Document with something like the following > <Limit CUPS-Get-Document> > AuthType Default > Require user @OWNER @SYSTEM > Order deny,allow > </Limit> > (The important line is the 'AuthType Default' in this section) I checked with my install, but UCR-templates do not set this directive. I think UCS should follow upstream fix automatically and leave it to the user, to "downgrade" security on his own.