On Tue, 1 Oct 2024, Murray, Ronald-1 (A&F) wrote:
Perhaps you should simply reassign the bug to the cups-browsed package instead?
No, in the Debian bug tracker you assign a bug to a source package and there is no source package "cups-browsed" in Debian. There is a binary package "cups-browsed" that is built from source package "cups-filters" and this was already fixed on 29.09.
All I know is that our security people notified me about this vulnerability, and had me shut down the cups services.
This is not a good sign for your security people.
As for your apparent inability to understand that CVE-2024-47176 applies to at least some part of the cups system, it certainly says that it does in the link I provided.
Before you write such stuff, I would recommend becoming familiar with the Debian security tracker. All relevant bugs about the recent CUPS CVEs have been filed and all upstream patches have been applied to the corresponding Debian packages.
And the cups-browsed service does indeed bind to `*:631 ( INADDR_ANY )`:
Yes, this is intentional and changing it won't help much. But this would be something you need to discuss with upstream.
Thorsten