Package "cups-daemon"
Name: cups-daemon
Description: Common UNIX Printing System(tm) - daemon
Latest version: 2.1.3-4ubuntu0.11
Release: xenial (16.04)
Level: security
Repository: main
Head package: cups
Homepage: http://www.cups.org
Changelog
cups (2.1.3-4ubuntu0.11) xenial-security; urgency=medium

  * SECURITY UPDATE: information disclosure via OOB read
    - debian/patches/CVE-2019-2228.patch: fix ippSetValueTag validation of
      default language in cups/ipp.c.
    - CVE-2019-2228
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2020-3898.patch: properly handle invalid
      resolution names in cups/ppd.c, ppdc/ppdc-source.cxx.
    - CVE-2020-3898

 -- Marc Deslauriers <email address hidden>  Fri, 24 Apr 2020 10:48:53 -0400
CVE-2019-2228: In array_find of array.c, there is a possible out-of-bounds read due to an incorrect bounds check. This could lead to local information disclosure in
CVE-2020-3898: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c

cups (2.1.3-4ubuntu0.10) xenial-security; urgency=medium

  * SECURITY UPDATE: Stack buffer overflow in SNMP ASN.1 decoder
    - debian/patches/CVE-2019-86xx.patch: update cups/snmp.c to check for
      buffer overflow when decoding various ASN.1 elements.
    - CVE-2019-8675
    - CVE-2019-8696
  * SECURITY UPDATE: Buffer overflow in IPP
    - debian/patches/CVE-2019-86xx.patch: update cups/ipp.c to avoid
      buffer overflow due to tag type confusion
  * SECURITY UPDATE: Denial of service and memory disclosure in scheduler
    - debian/patches/CVE-2019-86xx.patch: update scheduler/client.c to
      avoid a denial of service and possible memory disclosure if the
      client unexpectedly closes the connection

 -- Alex Murray <email address hidden>  Fri, 16 Aug 2019 17:40:11 +0930
CVE-2019-8675: stack-buffer-overflow in libcups's asn1_get_type function
CVE-2019-8696: stack-buffer-overflow in libcups's asn1_get_packed function

cups (2.1.3-4ubuntu0.6) xenial-security; urgency=medium

  * SECURITY UPDATE: predictable session cookies
    - debian/patches/CVE-2018-4700.patch: use better seed in cgi-bin/var.c.
    - CVE-2018-4700

 -- Marc Deslauriers <email address hidden>  Fri, 16 Nov 2018 14:06:39 -0500
CVE-2018-4700: Linux session cookies used a predictable random number seed

cups (2.1.3-4ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: scheduler crash via DBUS notifications
    - debian/patches/CVE-2017-18248.patch: validate requesting-user-name in
      scheduler/ipp.c.
    - CVE-2017-18248
  * SECURITY UPDATE: privilege escalation in dnssd backend
    - debian/patches/CVE-2018-418x.patch: don't allow PassEnv and SetEnv to
      override standard variables in man/cups-files.conf.man.in,
      man/cupsd.conf.man.in, scheduler/conf.c.
    - CVE-2018-4180
  * SECURITY UPDATE: local file read via Include directive
    - debian/patches/CVE-2018-418x.patch: remove Include directive handling
      in scheduler/conf.c.
    - CVE-2018-4181
  * SECURITY UPDATE: AppArmor sandbox bypass
    - debian/local/apparmor-profile: also confine
      /usr/lib/cups/backend/mdns.
    - CVE-2018-6553

 -- Marc Deslauriers <email address hidden>  Fri, 22 Jun 2018 13:45:28 -0400
CVE-2017-18248: The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs
CVE-2018-4180: Local Privilege Escalation to Root in dnssd Backend (CUPS_SERVERBIN)
CVE-2018-4181: Limited Local File Reads as Root via cupsd.conf Include Directive
CVE-2018-6553: AppArmor profile issue in cups

cups (2.1.3-4ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Incorrect whitelist permits DNS rebinding attacks
    - debian/patches/CVE-2017-18190.patch: Don't treat "localhost.localdomain"
      as an allowed replacement for localhost, since it isn't
    - CVE-2017-18190

 -- Chris Coulson <email address hidden>  Mon, 19 Feb 2018 17:37:01 +0000

CVE-2017-18190: A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP c