Your message dated Sat, 07 Oct 2023 22:34:43 +0000
with message-id <e1qpfsh-00dwxh...@fasolo.debian.org>
and subject line Bug#1052419: fixed in cups 2.4.7-1
has caused the Debian Bug report #1052419,
regarding cups-daemon: NEWS.Debian is only tech-gibberish
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1052419: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052419
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cups-daemon
Version: 2.4.2-6
Severity: normal

Dear Maintainer,

While doing a routine update on my Debian/sid laptop today, I was greeted with
the following:

> cups (2.4.2-6) unstable; urgency=low
> 
>   In case this is not a fresh installation of cups, please double check
>   whether your cupsd.conf really does contain the limitiation for
>   "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
> 
>  -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 19 Sep 2023 21:20:27 +0200

wth?

NEWS.Debian is a user-facing interface for telling them important news.
(That's why they are shown in the first place).
As such, I think that the users ought to understand what this means.
I'm fine with the first two lines, but then it goes downhill.
Which "limitation of CUPS-Get-Document"? Which patch?

I think we cannot expect our users to do an 'apt-get source cupsd' to hunt down a
patchfile and then understand the implications of what it does.
Even if they are smart enough to just head over to
<https://salsa.debian.org/printing-team/cups/-/blob/605d5df62adecb8941b9b3b25d5b0e92c0df752e/debian/patches/0015-CVE-2023-32360.patch>
to inspect the patch.
And then infer from the subject of the patch, that they might also hunt down
CVE-2023-32360 to see what this is all about.

*maybe* (but hey, I know that this is hard to write) something like this is better:
> This release addresses a security issue (CVE-2023-32360) which allows
> unauthorized users to fetch documents over local or remote networks.
> Since this is a configuration fix, it might be that it does not reach you if
> you are updating 'cups-daemon' (rather than doing a fresh installation).
> Please double check your /etc/cups/cupsd.conf file, whether it limits the
> access to CUPS-Get-Document with something like the following
> >  <Limit CUPS-Get-Document>
> >    AuthType Default
> >    Require user @OWNER @SYSTEM
> >    Order deny,allow
> >   </Limit>
> (The important line is the 'AuthType Default' in this section)


(sidenote: since the NEWS.Debian file is shown only on upgrade, i think it is
safe to assume that "this is not a fresh installation of cups".)

Thanks for maintaining cups, probably one of the most installed packages
(outside of essential) in Debian (that's why I think it is even more important
to get the NEWS right)

cheers


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser                    3.137
ii  bc                         1.07.1-3+b1
ii  init-system-helpers        1.65.2
ii  libavahi-client3           0.8-11
ii  libavahi-common3           0.8-11
ii  libc6                      2.37-10
ii  libcups2                   2.4.2-6
ii  libdbus-1-3                1.14.10-1
ii  libgssapi-krb5-2           1.20.1-4
ii  libpam0g                   1.5.2-7
ii  libpaper1                  1.1.29
ii  libsystemd0                254.4-1
ii  procps                     2:4.0.3-1
ii  ssl-cert                   1.1.2
ii  sysvinit-utils [lsb-base]  3.08-1

Versions of packages cups-daemon recommends:
ii  avahi-daemon  0.8-11
ii  colord        1.4.6-3
ii  cups-browsed  1.28.17-3
ii  ipp-usb       0.9.23-1+b6

Versions of packages cups-daemon suggests:
ii  cups                                       2.4.2-6
ii  cups-bsd                                   2.4.2-6
ii  cups-client                                2.4.2-6
ii  cups-common                                2.4.2-6
ii  cups-filters                               1.28.17-3
pn  cups-pdf                                   <none>
ii  cups-ppdc                                  2.4.2-6
ii  cups-server-common                         2.4.2-6
ii  foomatic-db-compressed-ppds [foomatic-db]  20230202-1
ii  ghostscript                                10.02.0~dfsg-2
ii  poppler-utils                              22.12.0-2+b1
pn  smbclient                                  <none>
ii  udev                                       254.4-1

-- no debconf information

--- End Message ---
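As an added check, written for this page and not part of the bug report or of the cups package: a small Python script that parses the <Policy> sections of a cupsd.conf and reports whether CUPS-Get-Document is governed by a <Limit> block whose AuthType is something other than None, the line the reporter singles out as the important one. The two sample configurations are constructed for this example (trimmed policies, not files shipped by Debian); the fallback to <Limit All> when no block names the operation is an assumption about how cupsd resolves operations, and the script inspects only the text of the file, not any defaults compiled into the daemon.

```python
"""Report whether the default cupsd policy requires authentication for
CUPS-Get-Document, i.e. whether a <Limit CUPS-Get-Document> block with an
AuthType other than None is present in cupsd.conf."""
import re
import sys
from typing import Dict, List, Optional, Set, Tuple

Limit = Tuple[Set[str], Dict[str, str]]          # (operations covered, directives)
_OPEN = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$")   # <Policy default>, <Limit Op1 Op2>
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_policies(text: str) -> Dict[str, List[Limit]]:
    """Map each <Policy name> to its <Limit ...> blocks, in file order.
    Operation names are lower-cased; directives inside a Limit are stored as
    {lower-cased keyword: rest of line}.  Anything outside a <Policy> and
    policy-level directives (JobPrivateAccess, ...) are ignored."""
    policies: Dict[str, List[Limit]] = {}
    policy: Optional[str] = None
    limit: Optional[Limit] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            tag, args = m.group(1).lower(), (m.group(2) or "").split()
            if tag == "policy":
                policy = args[0] if args else "default"
                policies.setdefault(policy, [])
            elif tag == "limit" and policy is not None:
                limit = ({a.lower() for a in args}, {})
                policies[policy].append(limit)
            continue
        m = _CLOSE.match(line)
        if m:
            if m.group(1).lower() == "limit":
                limit = None
            elif m.group(1).lower() == "policy":
                policy = limit = None
            continue
        if limit is not None:                     # a directive inside a Limit
            parts = line.split(None, 1)
            limit[1][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return policies


def effective_limit(limits: List[Limit], op: str) -> Optional[Limit]:
    """Pick the block governing `op`: an explicit mention wins, otherwise
    <Limit All>.  The lookup order is an assumption made for this example."""
    op = op.lower()
    for ops, directives in limits:
        if op in ops:
            return ops, directives
    for ops, directives in limits:
        if "all" in ops:
            return ops, directives
    return None


def requires_auth(conf: str, op: str = "CUPS-Get-Document",
                  policy: str = "default") -> bool:
    """True when `op` falls under a Limit whose AuthType is not None.
    A block carrying only 'Require user @OWNER @SYSTEM' does not count:
    without an AuthType the client is never asked to authenticate."""
    found = effective_limit(parse_policies(conf).get(policy, []), op)
    if found is None:
        return False
    return found[1].get("authtype", "None").lower() != "none"


# Constructed sample: a trimmed default policy on a host whose upgrade did
# not add the CUPS-Get-Document block (the operation falls under Limit All).
UNPATCHED_CONF = """\
<Policy default>
  JobPrivateAccess default
  JobPrivateValues default
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>
  <Limit Send-Document Send-URI Hold-Job Release-Job Cancel-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

# The same policy with the block the NEWS entry asks users to verify.
FIXED_CONF = UNPATCHED_CONF.replace("  <Limit All>", """\
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>""")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/cups/cupsd.conf"
    with open(path) as fh:
        ok = requires_auth(fh.read())
    print(f"{path}: CUPS-Get-Document {'requires' if ok else 'does NOT require'} authentication")
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_get_document.py /etc/cups/cupsd.conf`; a non-zero exit means the operation is reachable without credentials under the file's default policy. Note that it deliberately treats a block with `Require user @OWNER @SYSTEM` but no `AuthType` as unprotected, which is the distinction the report draws.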
--- Begin Message ---
Source: cups
Source-Version: 2.4.7-1
Done: Thorsten Alteholz <deb...@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1052...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Oct 2023 20:16:49 +0200
Source: cups
Architecture: source
Version: 2.4.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 954974 971625 998004 1008053 1009146 1009147 1039983 1041466 1043331 1043470 1052419
Changes:
 cups (2.4.7-1) unstable; urgency=medium
 .
   * Update to new upstream version 2.4.7.
     (Closes: #1039983   this should have been fixed in 2.4.3)
     (Closes: #1041466   this should have been fixed in 2.4.3)
     (Closes: #1043331   this should have been fixed in 2.4.3)
     (Closes: #998004    this should have been fixed in 2.4.3)
     (Closes: #1008053   this should have been fixed in 2.4.3)
     (Closes: #1009146   this should have been fixed in 2.4.3)
     (Closes: #1009147   this should have been fixed in 2.4.3)
   * debian/watch: update watch file (Closes: #1043470)
                   (thanks a lot to t3b4in+2gxh764v647us@cs.email)
   * debian/rules: switch on testing again
   * debian/control: bump standard to 4.6.2 (no changes)
   * debian/cups-daemon.NEWS: reword last entry (Closes: #1052419)
                              (thanks to IOhannes m zmoelnig)
   * debian/local/apparmor-profile: add drop-in for cups-pdf as well
                                    (Closes: #954974)
   * Provide a cups.pc file. (Closes: #971625)
     (thanks a lot to Helmut Grohne for the patch)
   * update debian/*.lintian-overrides and use new syntax
Checksums-Sha1:
 cbc8bfafbffcdf91c3485d969c8d09bb95bf3c2f 3357 cups_2.4.7-1.dsc
 9c6155dfa367eee9a88ad08cf83b1dc6c446309f 8134809 cups_2.4.7.orig.tar.gz
 a2b411cdcf336ac0ba9b3f6d17377cc963bf7d26 228 cups_2.4.7.orig.tar.gz.asc
 925bced67d126a6dc1ce3586de2b58327c417240 383284 cups_2.4.7-1.debian.tar.xz
 01d9093d9e634e5bf609546ada19e8a41b4625b7 13522 cups_2.4.7-1_amd64.buildinfo
Checksums-Sha256:
 28a4e4dcbecb7ee3ddb8ba6883e09add5556f73e45bd6536e04b552bbffad8ef 3357 cups_2.4.7-1.dsc
 dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c 8134809 cups_2.4.7.orig.tar.gz
 4a5f7d06dd1255248c0718111b86c8c40e56990c9c7ec497f4190d933e0691a4 228 cups_2.4.7.orig.tar.gz.asc
 8609ef2edd3f5142fb1dd3f6ae7a323b1a952a4a49cb3ae04aa7f31ef4f1bc75 383284 cups_2.4.7-1.debian.tar.xz
 75374e7a994ed757e71eeafba5daed63bd4966122c0ace02bfa7b025a85736b6 13522 cups_2.4.7-1_amd64.buildinfo
Files:
 d127d7414d397282312dabf9ea7b3c69 3357 net optional cups_2.4.7-1.dsc
 e0a5ddbf53dfad41da26fc1ef60b2256 8134809 net optional cups_2.4.7.orig.tar.gz
 aa1ef89b6837bf5742d0517c61dbe8d7 228 net optional cups_2.4.7.orig.tar.gz.asc
 176916b932730693d819bc6d68995d4f 383284 net optional cups_2.4.7-1.debian.tar.xz
 a151a50a14e07b7ec61bc6a7ec6bc882 13522 net optional cups_2.4.7-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
