Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cups for openSUSE:Factory checked in at 2026-04-21 12:42:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cups (Old)
 and      /work/SRC/openSUSE:Factory/.cups.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cups" Tue Apr 21 12:42:21 2026 rev:181 rq:1348156 version:2.4.17 Changes: -------- --- /work/SRC/openSUSE:Factory/cups/cups.changes 2026-01-26 10:43:48.107439284 +0100 +++ /work/SRC/openSUSE:Factory/.cups.new.11940/cups.changes 2026-04-21 12:42:45.569289184 +0200 
@@ -1,0 +2,68 @@ +Mon Apr 20 07:53:23 UTC 2026 - Johannes Meixner <[email protected]> + +- Version upgrade to 2.4.17: + See https://github.com/openprinting/cups/releases + The new release 2.4.17 contains the following security fixes: + * CVE-2026-27447: The scheduler treated local user + and group names as case-insensitive (bsc#1261572) + * CVE-2026-34978: The RSS notifier could write outside + the scheduler's RSS directory (bsc#1261571) + * CVE-2026-34980: The scheduler did not filter control + characters from option values (bsc#1261569) + * CVE-2026-34979: The scheduler did not always allocate + enough memory for a job's options string (bsc#1261570) + * CVE-2026-34990: The scheduler incorrectly allowed + local certificates over the loopback interface (bsc#1261568) + * CVE-2026-39314: Fixed the range check for + job password strings (bsc#1261743) + * CVE-2026-39316: Fixed a printer subscription bug + in the scheduler (bsc#1261742) + * CVE-2026-NNNNN: Fixed a SNMP string conversion bug + in the backends. + The last CVE number is requested from Github for several + days now, the number will be corrected once we have one, + but we decided to make a release to share the other fixes + ("we" means the CUPS upstream maintainers). +- The release includes other fixes as well, listed in CHANGES.md. + Issues are those at https://github.com/OpenPrinting/cups/issues + Detailed list (from CHANGES.md): + * The scheduler followed symbolic links when cleaning out + its temporary directory (Issue #1448) + * Updated `cupsFileGetConf` and `cupsFilePutConf` to escape + more characters. + * Updated man page `cancel` (Issue #984) + * Updated `cupsRasterReadHeader` to validate more of the + page header values (Issue #1501) + * Fixed an issue with the class/printer CGI name checking. 
+ * Fixed infinite loop in `http_write()` on busy print servers + (Issue #827) + * Fixed potential TLS blocking issues (Issue #1128) + * Fixed a job history bug in the scheduler (Issue #1440) + * Fixed notifier logging bug that would result in nul bytes + getting into the log (Issue #1450) + * Fixed possible use-after-free in `cupsdReadClient()` + (Issue #1454) + * Fixed a document format bug in the IPP backend (Issue #1457) + * Fixed DRAIN_OUTPUT race condition (Issue #1461) + * Fixed a bug when then `ippFindXxx` and `ippSetXxx` functions + were mixed. + * Fixed the mapping of supply type keywords to SNMP names. + * Fixed a bug in the IPP backend when SNMP was disabled. + * Fixed a crash bug in the rastertoepson filter. + * Fixed a bug in cgiCheckVariables. + * Fixed handling read/write errors with OpenSSL (Issue #1506) + * Fixed handling rehandshake error in `_httpTLSRead` + (Issue #1508) + * Fixed a debug printf bug on Windows (Issue #1529) + * Fixed a recursion issue with encoding of nested collections + (Issue #1539) + * Fixed parsing of the `LimitRequestBody`, `MaxLogSize`, + and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540) + * Fixed a parsing bug in `ipptool` (Issue #1542) + * Fixed blank line detection in the `rastertolabel` filter + (Issue #1545) + * Fixed `httpPeek` edge case on compressed streams + Issues are those at https://github.com/OpenPrinting/cups/issues +- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.17 + +------------------------------------------------------------------- Old: ---- cups-2.4.16-source.tar.gz cups-2.4.16-source.tar.gz.sig New: ---- cups-2.4.17-source.tar.gz cups-2.4.17-source.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.CRQadg/_old 2026-04-21 12:42:48.045392060 +0200 +++ /var/tmp/diff_new_pack.CRQadg/_new 2026-04-21 12:42:48.053392393 +0200 
@@ -40,18 +40,18 @@ # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and # "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work: -Version: 2.4.16 +Version: 2.4.17 Release: 0 Summary: The Common UNIX Printing System License: Apache-2.0 Group: Hardware/Printing URL: https://openprinting.github.io/cups # To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g. -# wget --no-check-certificate -O cups-2.4.16-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.16/cups-2.4.16-source.tar.gz -Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.16/cups-2.4.16-source.tar.gz +# wget --no-check-certificate -O cups-2.4.17-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.17/cups-2.4.17-source.tar.gz +Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.17/cups-2.4.17-source.tar.gz # To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g. -# wget --no-check-certificate -O cups-2.4.16-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.16/cups-2.4.16-source.tar.gz.sig -Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.16/cups-2.4.16-source.tar.gz.sig +# wget --no-check-certificate -O cups-2.4.17-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.17/cups-2.4.17-source.tar.gz.sig +Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.17/cups-2.4.17-source.tar.gz.sig # To make Source2 use e.g. # gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 # gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring 
@@ -61,7 +61,7 @@ # To manually verify Source0 with Source1 and Source2 do e.g. # gpg --import cups.keyring # gpg --list-keys | grep -1 'Zdenek Dohnal' -# gpg --verify cups-2.4.16-source.tar.gz.sig cups-2.4.16-source.tar.gz +# gpg --verify cups-2.4.17-source.tar.gz.sig cups-2.4.17-source.tar.gz Source102: Postscript.ppd.gz Source105: Postscript-level1.ppd.gz Source106: Postscript-level2.ppd.gz ++++++ cups-2.4.16-source.tar.gz -> cups-2.4.17-source.tar.gz ++++++ /work/SRC/openSUSE:Factory/cups/cups-2.4.16-source.tar.gz /work/SRC/openSUSE:Factory/.cups.new.11940/cups-2.4.17-source.tar.gz differ: char 5, line 1 ++++++ downgrade-autoconf-requirement.patch ++++++ --- /var/tmp/diff_new_pack.CRQadg/_old 2026-04-21 12:42:48.421407683 +0200 +++ /var/tmp/diff_new_pack.CRQadg/_new 2026-04-21 12:42:48.457409179 +0200 @@ -1,5 +1,5 @@ ---- configure.ac.orig 2025-12-04 09:13:12.000000000 +0100 -+++ configure.ac 2026-01-21 09:36:54.702856497 +0100 +--- configure.ac.orig 2026-04-17 14:22:45.000000000 +0200 ++++ configure.ac 2026-04-20 09:52:33.879146909 +0200 @@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0. dnl information. dnl @@ -10,5 +10,5 @@ +AC_PREREQ([2.69]) dnl Package name and version... - AC_INIT([CUPS],[2.4.16],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups]) + AC_INIT([CUPS],[2.4.17],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
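Review bot: In the cups.changes hunk the last security entry, `CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends.`, carries a placeholder id and, unlike the seven entries above it, no bsc# reference, so neither a reader nor changelog tooling can tie this fix to a tracked issue. Consider adding the Bugzilla reference if one exists and describing the fix without a CVE-shaped token until the number is assigned. The line "Issues are those at https://github.com/OpenPrinting/cups/issues" also appears twice in the entry, once before and once after the detailed list; one copy is enough.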
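Review bot: In the cups.spec hunk at @@ -40,18 +40,18 @@ the rewritten Source0 and Source1 comments still recommend `wget --no-check-certificate`, which turns off TLS certificate validation for both the tarball and its .sig. These two comment lines are rewritten in this version bump anyway, so drop the flag from both; the download then relies on certificate validation in addition to the gpg check described further down in the spec.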
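Review bot: In the cups.spec hunk at @@ -61,7 +61,7 @@ the manual verification recipe identifies the signing key with `gpg --list-keys | grep -1 'Zdenek Dohnal'`, and a user ID string is chosen by whoever created the key, so a name match does not establish which key is in the keyring. Suggest having the comment compare the key's fingerprint against the one the Source2 comment names (7082A0A50A2E92640F3880E0E4522DCC9B246FF7) before the `gpg --verify` line.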
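Review bot: In downgrade-autoconf-requirement.patch the hunk keeps the line beginning `AC_INIT([CUPS],[2.4.17],` as context, so the patch embeds the upstream version string and has to be adapted for each release, as the changelog entry for this update records. Regenerating it with less context below the `AC_PREREQ([2.69])` line would let it apply unchanged across version bumps.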
