UbuntuUpdates.org

Package "libcups2t64"

Name: libcups2t64

Description:

Common UNIX Printing System(tm) - Core library
Latest version: 2.4.16-1ubuntu1.2
Release: resolute (26.04)
Level: updates
Repository: main
Head package: cups
Homepage: https://github.com/OpenPrinting/cups/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "libcups2t64"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "libcups2t64" in Resolute

Repository Area Version
base main 2.4.16-1ubuntu1
security main 2.4.16-1ubuntu1.2

Changelog

Version: 2.4.16-1ubuntu1.2 2026-06-08 20:07:46 UTC

  cups (2.4.16-1ubuntu1.2) resolute-security; urgency=medium

  * SECURITY UPDATE: authorization bypass vulnerability
    - debian/patches/CVE-2026-27447-1.patch: The scheduler treated local user
      and group names as case-insensitive. in scheduler/auth.c.
    - debian/patches/CVE-2026-27447-2.patch: Fix cupsd crash if user does not
      exist on server in scheduler/auth.c.
    - debian/patches/CVE-2026-27447-3.patch: Fix unauthenticated print policies
      (Issue #1557) in scheduler/auth.c.
    - CVE-2026-27447
  * SECURITY UPDATE: RSS notifier path traversal issue
    - debian/patches/CVE-2026-34978.patch: Fix RSS notifier. in notifier/rss.c,
      scheduler/ipp.c.
    - CVE-2026-34978
  * SECURITY UPDATE: heap overflow in building filter option strings
    - debian/patches/CVE-2026-34979-1.patch: Expand allocation of options
      string. in scheduler/job.c.
    - debian/patches/CVE-2026-34979-2.patch: Fix get_options regression (Issue
      #1532) in scheduler/job.c, test/5.5-lp.sh.
    - CVE-2026-34979
  * SECURITY UPDATE: embedded newline issue in print jobs
    - debian/patches/CVE-2026-34980-1.patch: Filter out control characters from
      option values. in scheduler/job.c.
    - debian/patches/CVE-2026-34980-2.patch: Fix filter PPD keyword processing
      (Issue #1562) in scheduler/job.c.
    - CVE-2026-34980
  * SECURITY UPDATE: incorrectly accepts local certificates over the
    loopback interface
    - debian/patches/CVE-2026-34990-1.patch: Don't allow local certificates over
      the loopback interface, drop support for writing to plain files. in
      cups/auth.c, scheduler/auth.c, scheduler/client.c, scheduler/ipp.c,
      scheduler/job.c, test/4.2-cups-printer-ops.test, test/5.1-lpadmin.sh.
    - debian/patches/CVE-2026-34990-2.patch: Fix builds against GSSAPI
      (Kerberos) in cups/auth.c.
    - CVE-2026-34990
  * SECURITY UPDATE: integer underflow in _ppdCreateFromIPP()
    - debian/patches/CVE-2026-39314.patch: Range check job-password-supported.
      in cups/ppd-cache.c.
    - CVE-2026-39314
  * SECURITY UPDATE: use-after-free when temp printers are deleted
    - debian/patches/CVE-2026-39316.patch: Expire per-printer subscriptions
      before deleting. in scheduler/printers.c.
    - CVE-2026-39316
  * SECURITY UPDATE: OOB read via SNMP response
    - debian/patches/CVE-2026-41079.patch: Limit num_bytes for SNMP string
      values. in cups/snmp-private.h, cups/snmp.c.
    - CVE-2026-41079
  * Miscellaneous additional fixes:
    - debian/patches/misc-fix-1.patch: Improve page header validation in
      cupsRasterReadHeader in cups/raster-error.c, cups/raster-stream.c.
    - debian/patches/misc-fix-2.patch: Protect against a driver reporting a
      supply type with a trailing '-'. in scheduler/printers.c.
    - debian/patches/misc-fix-3.patch: Range check cupsBytesPerLine in
      rastertoepson. in filter/rastertoepson.c.
    - debian/patches/misc-fix-4.patch: Sanity check HWResolution when writing
      Apple Raster. in cups/raster-stream.c.
    - debian/patches/misc-fix-5.patch: Protect against deep collection values
      (Issue #1539) in cups/cups-private.h, cups/dest-options.c, cups/encode.c.
    - debian/patches/misc-fix-6.patch: Update processing of LimitRequestBody,
      MaxLogSize, and MaxRequestSize to support full range of file sizes in
      scheduler/conf.c, scheduler/conf.h.
    - debian/patches/misc-fix-6-2.patch: Fix builds on systems that don't define
      OFF_MAX in scheduler/conf.c.
    - debian/patches/misc-fix-7.patch: Fix blank line detection in rastertolabel
      in filter/rastertolabel.c.
    - debian/patches/misc-fix-8.patch: Add buffer size check from CUPS 2.5.x to
      _ippFileReadToken (Issue #1542) in cups/ipp-file.c.
    - debian/patches/misc-fix-9.patch: Fix regression in
      cupsRasterRead/WriteHeader. in cups/raster-stream.c.
  * debian/tests/utils/test-drivers: disable most tests since the security
    update no longer accepts writing to files. Needs to be adapted. Taken
    from 2.4.18-1.

 -- Marc Deslauriers <email address hidden> Fri, 05 Jun 2026 09:14:36 -0400
CVE-2026-27447 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd
CVE-2026-34978 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier a
CVE-2026-34979 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-ba
CVE-2026-34980 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-expos
CVE-2026-34990 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileg
CVE-2026-39314 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underfl
CVE-2026-39316 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free v
CVE-2026-41079 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can


About   -   Send Feedback to @ubuntu_updates