이 콘텐츠는 선택한 언어로 제공되지 않습니다.

8.40. cups


Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.

Security Fixes

CVE-2014-2856
A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
CVE-2014-3537CVE-2014-5029CVE-2014-5030CVE-2014-5031
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the lp group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security.

Bug Fixes

BZ#769292
When the system was suspended during polling a configured BrowsePoll server, resuming the system left the cups-polld process awaiting a response even though the connection had been dropped causing discovered printers to disappear. Now, an HTTP timeout is used so the request can be retried. As a result, printers that use BrowsePoll now remain available in the described scenario.
BZ#852846
A problem with HTTP multipart handling in the CUPS scheduler caused some browsers to not work correctly when attempting to add a printer using the web interface. This has been fixed by applying a patch from a later version, and all browsers now work as expected when adding printers.
BZ#855431
When a discovered remote queue was determined to no longer be available, the local queue was deleted. A logic error in the CUPS scheduler caused problems in this situation when there was a job queued for such a destination. This bug has been fixed so that jobs are not started for removed queues.
BZ#884851
CUPS maintains a cache of frequently used string values. Previously, when a returned string value was modified, the cache lost its consistency, which led to increased memory usage. Instances where this happened have been corrected to treat the returned values as read-only.
BZ#971079
A missing check has been added, preventing the scheduler from terminating when logging a message about not being able to determine a job's file type.
BZ#978387
A fix for incorrect handling of collection attributes in the Internet Printing Protocol (IPP) version 2.0 replies has been applied.
BZ#984883
The CUPS scheduler did not use the fsync() function when modifying its state files, such as printers.conf, which could lead to truncated CUPS configuration files in the event of power loss. A new cupsd.conf directive, SyncOnClose, has been added to enable the use of fsync() on such files. The directive is enabled by default.
BZ#986495
The default environment variables for jobs were set before the CUPS configuration file was read, leading to the SetEnv directive in the cupsd.conf file having no effect. The variables are now set after reading the configuration, and SetEnv works correctly.
BZ#988598
Older versions of the RPM Package Manager (RPM) were unable to build the cups packages due to a newer syntax being used in the spec file. More portable syntax is now used, allowing older versions to build CUPS as expected.
BZ#1011076
A spelling typo in one of the example options for the cupsctl command has been fixed in the cupsctl(8) man page.
BZ#1012482
The cron script shipped with CUPS had incorrect permissions, allowing world-readability on the script. This file is now given permissions 0700, removing group- and world-readability permissions.
BZ#1040293
The Generic Security Services (GSS) credentials were cached under certain circumstances. This behavior is incorrect because sending the cached copy could result in a denial due to an apparent replay attack. A patch has been applied to prevent replaying the GSS credentials.
BZ#1104483
A logic error in the code handling the web interface made it not possible to change the Make and Model field for a queue in the web interface. A patch has been applied to fix this bug and the field can now be changed as expected.
BZ#1110045
The CUPS scheduler did not check whether the client connection had data available to read before reading. This behavior led to a 10 second timeout in some instances. The scheduler now checks for data availability before reading, avoiding the timeout.
BZ#1120419
The Common Gateway Interface (CGI) scripts were not executed correctly by the CUPS scheduler, causing requests to such scripts to fail. Parameter handling for the CGI scripts has been fixed by applying a patch and the scripts can now be executed properly.
All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.
Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.