| Summary: | cups new security issues fixed upstream in 2.0.3 (including CVE-2015-1158 and CVE-2015-1159) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/647497/ | ||
| Whiteboard: | has_procedure MGA4-64-OK advisory | ||
| Source RPM: | cups-2.0.2-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-06-09 02:05:17 CEST
David Walser
2015-06-09 02:05:23 CEST
Whiteboard:
(none) =>
MGA5TOO, MGA4TOO Debian-LTS issued an advisory for CUPS: http://lwn.net/Vulnerabilities/647613/ It lists CVE-2015-1158 and CVE-2015-1159. It's not clear where those CVEs came from, or what, if any, relationship they have to the issues fixed in 2.0.3. (In reply to David Walser from comment #1) > Debian-LTS issued an advisory for CUPS: > http://lwn.net/Vulnerabilities/647613/ > > It lists CVE-2015-1158 and CVE-2015-1159. It's not clear where those CVEs > came from, or what, if any, relationship they have to the issues fixed in > 2.0.3. Debian and Ubuntu have issued advisories for these today: https://www.debian.org/security/2015/dsa-3283 http://www.ubuntu.com/usn/usn-2629-1/ According to Ubuntu, both CVEs are associated with the first security bug fixed upstream in 2.0.3: http://www.cups.org/str.php?L4609 They've also indicated this as a high-severity issue. Summary:
cups new security issues fixed upstream in 2.0.3 =>
cups new security issues fixed upstream in 2.0.3 (including CVE-2015-1158 and CVE-2015-1159) Patches for both STR#4609 and STR#4602 committed into Mageia 4 and Cauldron SVN. Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated cups packages fix security vulnerabilities: It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code (CVE-2015-1158). It was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings (CVE-2015-1159). It was discovered that the CUPS server can get stuck in an infinite loop when a user queues a malformed gzip file. When this happens the CUPS server will be unable to service any further requests (STR#4602). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1159 http://www.cups.org/str.php?L4609 http://www.cups.org/str.php?L4602 http://www.ubuntu.com/usn/usn-2629-1/ ======================== Updated packages in core/updates_testing: ======================== cups-1.7.0-7.5.mga4 cups-common-1.7.0-7.5.mga4 libcups2-devel-1.7.0-7.5.mga4 libcups2-1.7.0-7.5.mga4 cups-filesystem-1.7.0-7.5.mga4 from cups-1.7.0-7.5.mga4.src.rpm Version:
Cauldron =>
4 MGA4-64 on HP Probook 6555b No installation issues testing from Comment 4 ref http://www.cups.org/str.php?L4602 Deleted printer from MCC, installed it again. Printed a small file: OK Downloaded the gziphang.dat from the ref above and followed the lp command. Printed again the small file, ensuring that printing was not blocked by the testcase: works OK. CC:
(none) =>
herman.viaene Advisory added to svn. Currently, the qa team is validating updates if they work on either arch. Can someone from the sysadmin team please push the cups update. Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0247.html Status:
NEW =>
RESOLVED |