Description
Security update for cups
This update for cups fixes the following issues:
- CVE-2017-18190: Removed localhost.localdomain from list of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP command execution in conjunction with DNS rebinding. (bsc#1081557)
Package list
SUSE Linux Enterprise Desktop 12 SP2
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Desktop 12 SP3
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Server 12 SP1-LTSS
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Server 12 SP2
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Server 12 SP3
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Server 12-LTSS
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP3
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
SUSE Linux Enterprise Software Development Kit 12 SP2
cups-ddk-1.7.5-20.3.1
cups-devel-1.7.5-20.3.1
SUSE Linux Enterprise Software Development Kit 12 SP3
cups-ddk-1.7.5-20.3.1
cups-devel-1.7.5-20.3.1
SUSE OpenStack Cloud 6
cups-1.7.5-20.3.1
cups-client-1.7.5-20.3.1
cups-libs-1.7.5-20.3.1
cups-libs-32bit-1.7.5-20.3.1
References
- Link for SUSE-SU-2018:0604-1
- E-Mail link for SUSE-SU-2018:0604-1
- SUSE Security Ratings
- SUSE Bug 1081557
- SUSE CVE CVE-2017-18190 page
Description
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
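A simplified model of the Host-header check described above, added here as an illustration and not CUPS's actual valid_host() code. The function names and every allowlist entry other than localhost.localdomain are assumptions; the point is that the same Host value is accepted while the entry is present and rejected once it is removed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the host part of a Host header value: drop ":port" and a trailing dot. */
static int host_part(const char *hdr, char *out, size_t outlen)
{
    size_t len;
    if (hdr[0] == '[') {                      /* bracketed IPv6 literal, e.g. [::1]:631 */
        const char *end = strchr(hdr, ']');
        if (!end) return -1;
        len = (size_t)(end - hdr) + 1;
    } else {
        len = strcspn(hdr, ":");
    }
    if (len == 0 || len >= outlen) return -1;
    memcpy(out, hdr, len);
    out[len] = '\0';
    if (len > 1 && out[len - 1] == '.') out[len - 1] = '\0';
    return 0;
}

/* Case-insensitive match of the Host value against a NULL-terminated list. */
static int in_list(const char *hdr, const char *const *names)
{
    char host[256];
    if (host_part(hdr, host, sizeof host) != 0) return 0;
    for (; *names; names++)
        if (strcasecmp(host, *names) == 0) return 1;
    return 0;
}

/* Assumed lists for this model; only the localhost.localdomain entry comes from the advisory. */
static const char *const before_fix[] = {"localhost", "localhost.localdomain", "127.0.0.1", "[::1]", NULL};
static const char *const after_fix[]  = {"localhost", "127.0.0.1", "[::1]", NULL};

int valid_host_before(const char *hdr) { return in_list(hdr, before_fix); }
int valid_host_after(const char *hdr)  { return in_list(hdr, after_fix); }

int main(void)
{
    /* Constructed Host header values, not captured traffic. */
    const char *samples[] = {"localhost:631", "localhost.localdomain:631", "[::1]:631", "printer.example.test:631"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s before=%d after=%d\n", samples[i], valid_host_before(samples[i]), valid_host_after(samples[i]));
    return 0;
}
```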
Affected products
SUSE Linux Enterprise Desktop 12 SP2:cups-1.7.5-20.3.1
SUSE Linux Enterprise Desktop 12 SP2:cups-client-1.7.5-20.3.1
SUSE Linux Enterprise Desktop 12 SP2:cups-libs-1.7.5-20.3.1
SUSE Linux Enterprise Desktop 12 SP2:cups-libs-32bit-1.7.5-20.3.1
References
- CVE-2017-18190
- SUSE Bug 1081557