Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I
got some complaints:
- the mentioned filename of the cupsd configuration contained a typo
and several users were unsure what to do now ...
- ... especially as the contents of debian/NEWS was also shown on
computers where only cups client was installed.
So this upload fixes the typo and removes debian/NEWS again, so that the
text is only shown when cups-daemon will be updated.
I know it is rather late for this, but maybe this makes things easier for
our users.
Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-09-29 21:20:27.000000000 +0200
+++ cups-2.4.2/debian/changelog 2023-10-05 16:35:27.000000000 +0200
@@ -1,3 +1,11 @@
+cups (2.4.2-3+deb12u4) bookworm; urgency=medium
+
+ * remove debian/NEWS again to avoid too much information when only
+ the client part is installed
+ * fix typo in config filename
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Thu, 05 Oct 2023 16:35:27 +0200
+
cups (2.4.2-3+deb12u3) bookworm; urgency=medium
* move debian/NEWS.Debian to debian/NEWS
diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS
--- cups-2.4.2/debian/cups-daemon.NEWS 2023-09-29 21:20:27.000000000 +0200
+++ cups-2.4.2/debian/cups-daemon.NEWS 2023-10-05 16:35:27.000000000 +0200
@@ -4,7 +4,7 @@
unauthorized users to fetch documents over local or remote networks.
Since this is a configuration fix, it might be that it does not reach you if
you
are updating 'cups-daemon' (rather than doing a fresh installation).
- Please double check your /etc/cups/cupds.conf file, whether it limits the
access
+ Please double check your /etc/cups/cupsd.conf file, whether it limits the
access
to CUPS-Get-Document with something like the following
> <Limit CUPS-Get-Document>
> AuthType Default
diff -Nru cups-2.4.2/debian/NEWS cups-2.4.2/debian/NEWS
--- cups-2.4.2/debian/NEWS 2023-09-29 21:20:27.000000000 +0200
+++ cups-2.4.2/debian/NEWS 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-cups (2.4.2-3+deb12u3) bookworm; urgency=medium
-
- This release addresses a security issue (CVE-2023-32360) which allows
- unauthorized users to fetch documents over local or remote networks.
- Since this is a configuration fix, it might be that it does not reach you if
you
- are updating 'cups-daemon' (rather than doing a fresh installation).
- Please double check your /etc/cups/cupds.conf file, whether it limits the
access
- to CUPS-Get-Document with something like the following
- > <Limit CUPS-Get-Document>
- > AuthType Default
- > Require user @OWNER @SYSTEM
- > Order deny,allow
- > </Limit>
- (The important line is the 'AuthType Default' in this section)
-
- -- Thorsten Alteholz <deb...@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200