Your message dated Tue, 1 Oct 2024 17:41:43 +0000 (UTC)
with message-id
<alpine.deb.2.21.2410011739580.17...@postfach.intern.alteholz.me>
and subject line Re: cups: CVE-2024-47176 reports severe vulnerability in CUPS
has caused the Debian Bug report #1083067,
regarding cups: CVE-2024-47176 reports severe vulnerability in CUPS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1083067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cups
Version: 2.4.10-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team t...@security.debian.org
From https://nvd.nist.gov/vuln/detail/CVE-2024-47176:
CUPS is a standards-based, open-source printing system, and
`cups-browsed` contains network printing functionality including, but
not limited to, auto-discovering print services and shared
printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to
trust any packet from any source, and can cause the
`Get-Printer-Attributes` IPP request to an attacker controlled
URL. Due to the service binding to `*:631 ( INADDR_ANY )`, multiple
bugs in `cups-browsed` can be exploited in sequence to introduce a
malicious printer to the system. This chain of exploits ultimately
enables an attacker to execute arbitrary commands remotely on the
target machine without authentication when a print job is
started. This poses a significant security risk over the
network. Notably, this vulnerability is particularly concerning as it
can be exploited from the public internet, potentially exposing a vast
number of systems to remote attacks if their CUPS services are
enabled.
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.10.11-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups depends on:
ii cups-client 2.4.10-1
ii cups-common 2.4.10-1
ii cups-core-drivers 2.4.10-1
ii cups-daemon 2.4.10-1
ii cups-filters 1.28.17-4.1+b1
ii cups-ppdc 2.4.10-1
ii cups-server-common 2.4.10-1
ii debconf [debconf-2.0] 1.5.87
ii ghostscript 10.04.0~dfsg-1
ii libavahi-client3 0.8-13+b2
ii libavahi-common3 0.8-13+b2
ii libc6 2.40-2
ii libcups2t64 2.4.10-1
ii libgcc-s1 14.2.0-3
ii libstdc++6 14.2.0-3
ii libusb-1.0-0 2:1.0.27-1
ii poppler-utils 24.08.0-2
ii procps 2:4.0.4-5
Versions of packages cups recommends:
ii avahi-daemon 0.8-13+b2
ii colord 1.4.7-1+b1
Versions of packages cups suggests:
ii cups-bsd 2.4.10-1
ii foomatic-db 20230202-1
ii printer-driver-cups-pdf [cups-pdf] 3.0.1-18
ii smbclient 2:4.21.0+dfsg-1
ii udev 256.6-1
-- debconf information:
cupsys/backend: lpd, socket, usb, snmp, dnssd
cupsys/raw-print: true
--
Ron Murray
Systems Administrator,
Enterprise Messaging/Security,
Massachusetts Department of Revenue
(617) 655-3296
PGP Fingerprint: 5A26 A211 68D9 E5AA 176A 1AA3 7A89 5E0B 040A 7431
--- End Message ---
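As an added example (not part of the bug report or of CUPS), here is a defender-side check for the condition the quoted CVE text describes: a socket bound to the wildcard address on port 631. It parses the Linux `/proc/net/udp` and `/proc/net/udp6` tables, since the cups-browsed listener on port 631 is a UDP socket. The sample table is constructed, the function names are hypothetical, and a little-endian host is assumed for address decoding.

```python
import os
import socket

IPP_PORT = 631  # port named in the CVE description

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
  102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23457 2 0000000000000000 0
  103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   110        0 23458 2 0000000000000000 0
"""

def decode_addr(hex_addr):
    """Decode a /proc/net/udp{,6} address (assumes a little-endian host)."""
    raw = bytes.fromhex(hex_addr)
    # The kernel prints each 32-bit word in host byte order: reverse per word.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed)

def udp_listeners(table_text, port=IPP_PORT):
    """Return (address, is_wildcard, uid, inode) for UDP sockets bound to port."""
    found = []
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        # An all-zero address is INADDR_ANY (0.0.0.0) or in6addr_any (::).
        wildcard = set(hex_addr) == {"0"}
        found.append((decode_addr(hex_addr), wildcard,
                      int(fields[7]), int(fields[9])))
    return found

if __name__ == "__main__":
    paths = [p for p in ("/proc/net/udp", "/proc/net/udp6") if os.path.exists(p)]
    tables = [open(p).read() for p in paths] or [SAMPLE]
    for text in tables:
        for addr, wildcard, uid, inode in udp_listeners(text):
            state = "WILDCARD bind" if wildcard else "specific address"
            print(f"udp {addr}:{IPP_PORT} uid={uid} inode={inode} -> {state}")
```

The inode can be matched against the socket links under `/proc/<pid>/fd` (as root) to name the owning process.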
--- Begin Message ---
Hi,
I am sorry, but I am not sure what makes you think that the Debian package cups
is affected by CVE-2024-47176.
At least your provided link does not show anything at all in this regard.
So I am closing this bug again.
Thorsten
--- End Message ---