Bug 22649

Summary: cups new security issue CVE-2017-18190
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, sysadmin-bugs
Version: 5Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK
Source RPM: cups-2.0.4-1.3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2018-02-24 18:42:54 CET 
Ubuntu has issued an advisory on February 20:
https://usn.ubuntu.com/usn/usn-3577-1/

The issue was fixed upstream in 2.2.2, so Mageia 6 is not affected.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated cups packages fix security vulnerability:

Jann Horn discovered that CUPS permitted HTTP requests with the Host header set
to "localhost.localdomain" from the loopback interface. If a user were tricked
in to opening a specially crafted website in their web browser, an attacker
could potentially exploit this to obtain sensitive information or control
printers, via a DNS rebinding attack (CVE-2017-18190).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18190
https://usn.ubuntu.com/usn/usn-3577-1/
========================

Updated packages in core/updates_testing:
========================
cups-2.0.4-1.4.mga5
cups-common-2.0.4-1.4.mga5
libcups2-devel-2.0.4-1.4.mga5
libcups2-2.0.4-1.4.mga5
cups-filesystem-2.0.4-1.4.mga5

from cups-2.0.4-1.4.mga5.src.rpm
Comment 1 Thomas Andrews 2018-02-24 21:57:07 CET 
On real hardware, x86_64 server kernel.

Packages installed cleanly. Loaded an image file into The GIMP, and printed it on an Officejet 6110 printer. 

Looks good for 64-bit to me.

Whiteboard: (none) => MGA5-64-OK
CC: (none) => andrewsfarm

Comment 2 claire robinson 2018-02-26 18:03:52 CET 
Validating. Advisory uploaded.

Keywords: (none) => advisory, has_procedure, validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2018-02-27 00:41:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0147.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED