Your message dated Fri, 27 Sep 2024 17:19:00 +0000
with message-id <e1sueco-00fqfq...@fasolo.debian.org>
and subject line Bug#1082820: fixed in cups-filters 1.28.17-5
has caused the Debian Bug report #1082820,
regarding cups-filters: CVE-2024-47176
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1082820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082820
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cups-filters
Version: 1.28.17-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cups-filters.

CVE-2024-47176[0]:
| CUPS is a standards-based, open-source printing system, and
| `cups-browsed` contains network printing functionality including, but
| not limited to, auto-discovering print services and shared printers.
| `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any
| packet from any source, and can cause the `Get-Printer-Attributes`
| IPP request to an attacker controlled URL.  Due to the service
| binding to `*:631 ( INADDR_ANY )`, multiple bugs in `cups-browsed`
| can be exploited in sequence to introduce a malicious printer to the
| system. This chain of exploits ultimately enables an attacker to
| execute arbitrary commands remotely on the target machine without
| authentication when a print job is started. This poses a significant
| security risk over the network. Notably, this vulnerability is
| particularly concerning as it can be exploited from the public
| internet, potentially exposing a vast number of systems to remote
| attacks if their CUPS services are enabled.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47176
    https://www.cve.org/CVERecord?id=CVE-2024-47176
[1] https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
[2] https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c37e0aa928559add4abcc95ce54aa2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cups-filters
Source-Version: 1.28.17-5
Done: Thorsten Alteholz <deb...@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
cups-filters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1082...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated cups-filters package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 26 Sep 2024 23:45:05 +0200
Source: cups-filters
Architecture: source
Version: 1.28.17-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 1082820 1082827
Changes:
 cups-filters (1.28.17-5) unstable; urgency=medium
 .
   * CVE-2024-47076 (Closes: #1082827)
     cfGetPrinterAttributes5(): Validate response attributes before return
   * CVE-2024-47176 (Closes: #1082820)
     Default BrowseRemoteProtocols should not include "cups" protocol


--- End Message ---
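
The changelog entry for CVE-2024-47176 removes the "cups" protocol from the default BrowseRemoteProtocols. The following is an added example, not code from Debian or from cups-filters, that audits the text of a cups-browsed.conf for an explicit setting that still enables it. It assumes protocol names are separated by whitespace or commas, that directive names are case-insensitive, that a `BrowseProtocols` line also sets the remote protocols, and that the last matching line wins; both sample configs are constructed.

```python
import re

# Constructed sample configs, not taken from any real system.
SAMPLE_OLD = """\
# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols dnssd cups
"""
SAMPLE_FIXED = """\
# BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols dnssd
"""

# Directives assumed to control remote browsing (see lead-in).
REMOTE_DIRECTIVES = ("browseremoteprotocols", "browseprotocols")


def remote_protocols(conf_text):
    """Return the explicitly configured remote browse protocols as a set,
    or None when no directive is present (the package's built-in default
    then applies, which is what the 1.28.17-5 upload changes)."""
    result = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        tokens = [t for t in re.split(r"[\s,]+", line) if t]
        if tokens[0].lower() in REMOTE_DIRECTIVES:
            result = {t.lower() for t in tokens[1:]}  # last line wins
    return result


def audit(conf_text):
    """Classify a config: 'cups-enabled', 'ok' or 'build-default'."""
    protos = remote_protocols(conf_text)
    if protos is None:
        return "build-default"   # check the installed package version instead
    return "cups-enabled" if "cups" in protos else "ok"


if __name__ == "__main__":
    for name, text in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED)):
        print(name, audit(text))
```

A result of `build-default` means the file does not decide the question, so the installed cups-filters version has to be compared against the fixed version named in this report.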
