Package: cups-daemon Version: 1.7.4-1 Severity: serious Justification: Information leak and possible security vulnerability Tags: security
Hi, installing (not upgrading!) the cups-daemon package on a machine using systemd as PID 1 creates the /etc/cups/cupsd-systemd-listen.conf file like this: [Socket] # This file was generated by CUPS and _WILL_ be deleted or overwritten by it! # It has to be kept in sync with the Port and Listen stanzas in /etc/cups/cupsd.conf # It is by default symlinked as cups-listen.conf in the # /etc/systemd/system/cups.socket.d/ directory. Remove the symlink # and write your own file there if you don't want this. See systemd.socket(5). # Matches the default 'Listen localhost:631' from cupsd.conf.default ListenStream=0.0.0.0:631 ListenStream=[::]:631 As this file gets symlinked from the /etc/systemd/system/cups.socket.d/ directory, this means that systemd will listen on *all* interfaces and hand the incoming connections to CUPS. Admittedly, CUPS still enforces it's own access limitations set in /etc/cups/cupsd.conf, but only after initially accepting the connection. It will then respond with a HTTP 403 (Forbidden) error page, confirming that there is indeed a CUPS daemon running and leaking (at least) its version number and the system locale. Best regards Alexander Kurtz
signature.asc
Description: This is a digitally signed message part