Description
ELSA-2009-1595: cups security update (MODERATE)
[1:1.3.7-11.el5_4.4]
- Applied patch to fix CVE-2009-3553 (bug #530111, STR #3200).
- Applied patch to fix CVE-2009-2820 (bug #529833, STR #3367, STR #3401).
Updated packages
Oracle Linux 5
Oracle Linux ia64
  cups        1.3.7-11.el5_4.4
  cups-devel  1.3.7-11.el5_4.4
  cups-libs   1.3.7-11.el5_4.4
  cups-lpd    1.3.7-11.el5_4.4
Oracle Linux x86_64
  cups        1.3.7-11.el5_4.4
  cups-devel  1.3.7-11.el5_4.4
  cups-libs   1.3.7-11.el5_4.4
  cups-lpd    1.3.7-11.el5_4.4
Oracle Linux i386
  cups        1.3.7-11.el5_4.4
  cups-devel  1.3.7-11.el5_4.4
  cups-libs   1.3.7-11.el5_4.4
  cups-lpd    1.3.7-11.el5_4.4
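The practical question an advisory like this raises is whether a given host is actually at or above the fixed build. The script below is an added example, not Oracle's tooling and not part of the advisory: it takes the fixed VERSION-RELEASE and the four package names from the table above, queries them with `rpm -q --qf`, and decides with a version comparison. rpm's own ordering (rpmvercmp) is re-implemented in awk here as an assumption of this example: the string is split into numeric and alphabetic runs, numeric runs compare as integers, alphabetic runs lexically, a numeric run beats an alphabetic one, and when the shared prefix is equal the string with more runs is newer; the "~" rule of newer rpm releases is not modelled. The function names (`vercmp`, `cups_is_fixed`, `check_host`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Oracle's tooling: verify that
# the CUPS packages on an Oracle Linux 5 host are at or above the fixed build
# 1.3.7-11.el5_4.4 from ELSA-2009-1595. rpm's own ordering (rpmvercmp) is
# re-implemented below in awk as an assumption of this example (no "~" rule).

FIXED_VR="1.3.7-11.el5_4.4"                    # fixed VERSION-RELEASE from the advisory
PACKAGES="cups cups-devel cups-libs cups-lpd"   # package names from the advisory

# vercmp A B: prints -1, 0 or 1 if A sorts before, equal to, or after B.
vercmp() {
    awk -v a="$1" -v b="$2" '
    function tok(s, arr,    n) {
        n = 0
        while (length(s) > 0) {
            if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                arr[++n] = substr(s, 1, RLENGTH)
                s = substr(s, RLENGTH + 1)
            } else {
                s = substr(s, 2)            # skip separators such as . _ -
            }
        }
        return n
    }
    BEGIN {
        na = tok(a, A); nb = tok(b, B)
        for (i = 1; i <= na && i <= nb; i++) {
            ad = (A[i] ~ /^[0-9]+$/); bd = (B[i] ~ /^[0-9]+$/)
            if (ad && !bd) { print "1"; exit }      # numeric beats alphabetic
            if (!ad && bd) { print "-1"; exit }
            if (ad) {
                x = A[i] + 0; y = B[i] + 0
                if (x != y) { print (x > y ? "1" : "-1"); exit }
            } else if (A[i] != B[i]) {
                print (A[i] > B[i] ? "1" : "-1"); exit
            }
        }
        if (na == nb) print "0"; else print (na > nb ? "1" : "-1")
    }'
}

# cups_is_fixed [EPOCH:]VERSION-RELEASE: returns 0 when the build is at or
# above FIXED_VR, 1 otherwise. The epoch is 1 on both sides and is ignored.
cups_is_fixed() {
    vr="${1#*:}"
    v="${vr%%-*}"
    case "$vr" in *-*) r="${vr#*-}" ;; *) r="" ;; esac
    c=$(vercmp "$v" "${FIXED_VR%%-*}")
    [ "$c" -eq 0 ] && c=$(vercmp "$r" "${FIXED_VR#*-}")
    [ "$c" -ge 0 ]
}

# check_host: query each advisory package with rpm and report it. Returns 0
# when every installed build is fixed, 1 if any is still below FIXED_VR.
# Multilib hosts (x86_64 with an i386 cups-libs) get one line per build.
check_host() {
    status=0
    for p in $PACKAGES; do
        list=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$p" 2>/dev/null) || {
            echo "$p: not installed"; continue; }
        for vr in $list; do
            if cups_is_fixed "$vr"; then
                echo "$p-$vr: fixed"
            else
                echo "$p-$vr: VULNERABLE, needs >= $FIXED_VR"; status=1
            fi
        done
    done
    return $status
}

# Live check only when asked for, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it as `sh check_cups.sh --check` on the host; the exit status is 1 if any installed build is older than 1.3.7-11.el5_4.4, which makes it usable from a fleet-wide audit job. The release comparison matters more than it looks: an earlier errata build such as 11.el5_4.2 shares the version 1.3.7 and differs only in the last release segment.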
Related CVEs
CVE-2009-3553 (STR #3200)
CVE-2009-2820 (STR #3367, STR #3401)
Related vulnerabilities
CVE-2009-3553: Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.
CVE-2009-2820: The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.